While the CMMC framework is managed directly by the DoD, the ecosystem is managed by the CMMC Accreditation Body (CMMC-AB). The CMMC-AB provides the structure, entities, training, and assessments necessary for compliance. The CMMC ecosystem was built to implement the framework and provide assurance to the Department of Defense regarding the security of the defense supply chain.
What is CMMC-AB?
Within the Cybersecurity Maturity Model Certification (CMMC) Program, the CMMC-AB is a non-profit organization, separate from the DoD, that facilitates the relationship between cybersecurity service providers, assessors, and contractors through the various steps to compliance. Chiefly, the CMMC-AB establishes and oversees a qualified community of assessors (C3PAOs) who can deliver assessments to contractors against the defined set of controls or best practices.
The entities within the CMMC ecosystem include C3PAOs, contractors (or organizations seeking certification), training providers, and more. The AB hosts seven entities on its website whose credentials range from C3PAO to Licensed Training Provider.
Certified Third Party Assessors (C3PAO)
A certified third-party assessor organization (C3PAO) is an authorized organization that conducts assessments and issues CMMC certificates to DoD contractors. CMMC 2.0 Level 3, and part of Level 2, require that the organization seeking compliance have an assessment performed by a C3PAO.
As CMMC assessors, C3PAOs must themselves be CMMC certified in order to be authorized to certify contractors. C3PAOs must also pay an application fee, obtain the inspection body accreditation ISO 17021, and meet various other requirements. The CMMC-AB Marketplace has the official list of authorized C3PAOs.
Assessors (CMMC Professionals and CMMC Assessors)
Within a C3PAO organization, the individual people qualified to conduct an assessment are certified as assessors. The CMMC-AB hosts two credentials in its Assessor category: Certified CMMC Professionals (CCP) and Certified CMMC Assessors (CCA).
As the entry-level position, a CCP is a trainee assessor who is learning the CMMC requirements for DoD suppliers. CMMC Professionals are eligible to complete training through a Licensed Training Provider to become Certified CMMC Assessors.
After a CCP has completed training and passed an exam, they become a Certified CMMC Assessor for Level 1 only. A CCA Level 1 is credentialed to conduct Level 1 assessments. Likewise, a CCA Level 1 can advance to CCA Level 2 and CCA Level 3, each able to conduct assessments for their respective levels.
Registered Provider Organization (RPO)
A Registered Provider Organization (RPO) is a cybersecurity service provider that can offer consulting services, compliance services, and advice to contractors. With a vital role, these organizations are the “implementers” in the CMMC ecosystem. An RPO is useful in the beginning stages of compliance. They can give recommendations, help create a plan, or implement services to help a contractor remediate compliance gaps.
A cybersecurity service provider can both provide compliance consultation or remediation services and perform assessments as a C3PAO. However, because of the conflict of interest, it cannot perform both functions for the same company.
Contractors may choose to consult a cybersecurity service provider that is not credentialed as an RPO. The credential serves to recognize trusted, trained provider options available for contractors.
Registered Practitioners (RP)
Similar to the relationship between CCAs and C3PAOs, a Registered Practitioner (RP) is a single person within an RPO. RPs can offer advice, consultations, and recommendations to DoD contractors, but can’t conduct assessments.
Organizations Seeking Certification (OSC)
The Organizations Seeking Certification (OSC) credential is used to identify contractors working towards certification. Government contracts require compliance with different CMMC Levels. Certification allows OSCs to bid on these contracts.
Licensed Partner Publisher (LPP)
To supplement cybersecurity education, Licensed Partner Publishers (LPP) develop CMMC-AB approved content. Education institutions or individual consumers can purchase these courses.
Licensed Training Providers (LTP)
The Licensed Training Providers (LTP) program is for educational or training service providers, like universities or corporate training offices. This program maintains, develops, trains on, and delivers educational content created by LPPs.
Each CMMC-AB program assists different parts of the compliance process. Contractors can shop for a cybersecurity service provider qualified as a C3PAO, CCP, RPO and more on the Marketplace page.
The following explains which organizations can help contractors during the different stages of compliance:
Understanding CMMC Requirements
Contractors may want to ask a cybersecurity service provider for advice at the beginning stages of compliance. Finding a consultant through the Marketplace isn’t required. Nonetheless, RPOs are credentialed consultants available for this purpose.
For contract consideration, most companies have to submit their original compliance score. There are free self-assessment tools available from cybersecurity service providers. However, a paid assessment from an outside cybersecurity service provider, an RPO, or a C3PAO can confirm that a company’s self-calculated compliance score and plan for remediation are correct.
Unless a company already has a security program to remediate gaps in compliance, it may hire an outside service provider or RPO to help.
Note: Many cybersecurity service providers claim to offer comprehensive compliance, but only operate as advisory consultants, leaving clients to complete remediation largely on their own.
CyberSecure 360 is an all-in-one NIST SP 800-171 and CMMC compliance program at a fraction of the cost of DIY options. Choose from five cost-effective packages of 23 turnkey cybersecurity services, all including POA&M, SSP, and Policies & Standards.
Finding a C3PAO
Required for most CMMC Level 2 and all Level 3 contracts.
Importantly, the CMMC-AB Marketplace is the only place to find a C3PAO to perform an assessment. In order to obtain CMMC certification, contractors pursuing some CMMC Level 2 and all Level 3 contracts must hire a C3PAO from the CMMC-AB Marketplace.
While the CMMC-AB facilitates many ways for contractors to receive help with compliance, the type of help available from service providers varies. Some providers offer consulting and advice, while others, like CyberSecure 360, offer the people, process, and technology necessary to become CMMC compliant. Learn more about CyberSecure 360 here.