As a Level 2 contractor or subcontractor within the Defense Industrial Base (DIB), you’re well aware by now that you will likely need to get audited by an outside assessment company in order to achieve final CMMC certification.
Most Level 2 businesses will have to pass an audit performed by a certified third-party assessor organization (C3PAO); only a select few will be allowed to perform a self-assessment to get certified.
If you do need to hire an independent C3PAO, you may be wondering if you’ll be allowed to choose your auditor.
The answer is yes. You will be able to pick the C3PAO of your choice—as long as they’re on the government-approved list of authorized assessors.
That said, how do you find a C3PAO to conduct your CMMC audit?
Under the CMMC 2.0 final rule, DIB businesses must prove through an assessment that they've implemented all of the required security controls to protect the federal contract information (FCI) and controlled unclassified information (CUI) they store, process, or transmit.
A successful audit will allow you to get certified and continue doing business with the Department of Defense (DoD).
In this article, we'll outline six potential sources for finding a qualified CMMC assessor.
After reading this article, you'll know the available resources right at your fingertips or within your circle of contacts that can assist your C3PAO search and offer essential guidance in choosing the right CMMC auditor for your business.
You may have completed the early steps to become CMMC compliant, such as assessing your infrastructure and submitting your NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) to establish your current security posture.
Or, perhaps you've started identifying and categorizing your CUI to scope your CUI boundary for your assessment.
Of course, performing a gap analysis, remediating the security gaps it identifies, and creating a comprehensive system security plan (SSP) are other required parts of your compliance journey.
Regardless of how far along you are in becoming compliant, you understand that all of your efforts will culminate with your CMMC assessment.
You should also know that there are a limited number of approved assessors. So, it's not too soon to start researching and interviewing potential C3PAOs for your upcoming audit.
In fact, the sooner you can start the process, the better off you'll be in finding a qualified C3PAO that can meet your assessment timeline and stay within your certification budget.
Contractors and subcontractors looking for information about C3PAOs and related CMMC information have a reliable pool of readily available resources.
Here are 6 possible sources:
The best place to start your search for an approved C3PAO is to go to the official list of businesses maintained by The Cyber AB.
The Cyber AB, based in Maryland and formerly known as the CMMC Accreditation Body (CMMC-AB), is the official accreditation body for the CMMC program.
The nonprofit organization was given sole responsibility by the DoD for authorizing and accrediting C3PAOs.
Currently, The Cyber AB’s website lists 250 authorized C3PAO companies in its national directory.
In searching their official C3PAO directory, you can get each assessor organization’s company overview, information about company leadership and CMMC experts, services offered, address, phone number, email, areas of expertise, and other pertinent information.
C3PAOs are often small and medium-sized businesses themselves. In fact, many are existing managed IT service providers that obtained C3PAO approval.
Your managed IT provider, which has a deep bench of IT professionals with specialized skills and industry knowledge, may be able to refer you to a trusted C3PAO.
Since C3PAOs often offer managed IT services as well, it's important to know that conflict-of-interest rules prevent the same provider from both helping you prepare for CMMC compliance and conducting your CMMC assessment. A C3PAO cannot assess an environment it helped design, implement, or remediate.
All C3PAOs must successfully pass a rigorous application process to become officially recognized by The Cyber AB. This multi-step process includes extensive staff background checks, an organizational risk assessment, and obtaining CMMC Level 2 certification for the C3PAO's own environment.
Despite having to meet the same set of requirements, not all C3PAOs are the same.
Besides offering referrals, your MSP could also provide important insight on the criteria you should use when selecting a C3PAO.
The DoD CIO (Chief Information Officer) webpage and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) contractor resource page are two federal sources you can go to for information directly from the government.
Level 3 contractors must undergo a triennial federal assessment through DIBCAC. The Level 3 assessment is performed by federal assessors within the Defense Contract Management Agency (DCMA), which is part of the DoD.
The DIBCAC contractor resource page is a great source of CMMC information for DIB contractors.
It includes assessment logistical guidance, pre-assessment action items and suggested timelines, SPRS frequently asked questions, and links to many other federal resources.
The DoD CIO FAQ page answers a range of commonly asked questions, including:
Federal Risk and Authorization Management Program (FedRAMP) cloud service providers (CSPs) are another possible resource.
FedRAMP CSPs provide cloud services to the federal government. There are 427 authorized services currently listed in the FedRAMP Marketplace.
Since they have to meet specific security controls and undergo periodic assessments by FedRAMP third-party assessment organizations (3PAOs), FedRAMP CSPs will likely be able to offer provider recommendations.
Although their assessments have a different focus, these businesses may also be able to answer questions you have about working with an independent assessor and about the assessment process as a whole, to give you a general idea of what you should expect.
Keep in mind that if you store, process, or transmit any CUI or FCI in the cloud, your assessment scope could also extend to your third-party cloud vendors, so their security posture becomes part of your story during the audit.
Other DIB contractors can also provide valuable insight and guidance for getting CMMC audited.
If you belong to an industry association, consortium, or other group, it can’t hurt to ask around.
Some of your contacts may be further along in the process, and could provide referrals for the C3PAO they used to conduct their CMMC audit.
At the same time, you could use the opportunity to gain valuable insight by picking their brains about their experience with the assessor, expense and budgeting tips, compliance strategy recommendations, or other relevant information.
Since they’re in the same boat you’re in, other contractors within the DIB could prove to be an invaluable resource for critical information that could smooth your compliance journey, saving you time and money.
There are several nonprofit organizations (some with paid memberships) that are made up of DIB businesses.
These organizations can also be another valuable resource and serve as a type of “buddy system” to offer needed support as you navigate the CMMC road to compliance.
One such organization is the National Defense Information Sharing and Analysis Center (ND-ISAC).
The nonfederal organization offers its member "defense sector companies, their suppliers, and related interests a community and forum for sharing cyber and physical security threat indicators, best practices and mitigation strategies," according to its website.
On its website, you can download its C3PAO Shopping Guide for Small & Medium-Sized Businesses.
While the government is looking to increase the pool of C3PAOs, the training and certification process to become a government-approved assessor is both expensive and time-consuming.
It can take nine months to a year or more for a business to receive its final C3PAO authorization from The Cyber AB.
So, for now at least, your choices are limited.
With C3PAOs expected to be in high demand and only a limited number available, you can't afford to put off getting started: available assessment slots are sure to fill up quickly.
Waiting until the last minute, such as when your contract renewal date is approaching or when you’re ready to bid on a new DoD contract, is not the time to try to schedule your audit.
Doing so could leave you in the lurch if you can’t find an available C3PAO to conduct your assessment in time for you to achieve certification.
In addition, if you meet the minimum passing score but still have open items, you'll receive a conditional certification and will need to document those items in a plan of action and milestones (POA&M). You'll then have 180 days to correct them and complete a POA&M closeout assessment that verifies your remediation; if you score below the minimum, you'll need to remediate and be reassessed.
These delays could push you past your certification deadline, jeopardizing your existing contracts or causing you to lose out to your competitors when bidding on new ones.
The key to sailing through the assessment process as smoothly as possible is all about planning and preparation.
If you haven’t started your compliance journey, or you’re still in the early stages, it’s important to get moving now.
You now understand the importance of scheduling your CMMC assessment well in advance to avoid last-minute scheduling problems that could delay your certification.
Of course, your audit scheduling considerations should be mapped out to align with your estimated time to plan and fully implement the cybersecurity policies, procedures, tools, and systems you need to meet CMMC compliance requirements.
An external MSP can offer strategic insight on the optimal time to schedule your assessment, depending on where you are in your compliance journey.
If you need expert guidance to help you prepare for your CMMC assessment, want to have a CMMC gap analysis performed with remediation guidance, or you have any other questions related to your cybersecurity defenses, we’re here to help.
At Kelser, we have an experienced team who can provide a clear roadmap to successfully navigate the complex CMMC compliance process.
Working together with your team, we can help ensure that you’re ready for your assessment, obtain your CMMC certification, and most importantly, keep or win new DoD contracts.