Answers about C3PAOs, Assessors, and other CMMC Professional questions

Interview with Jeff Dalton about Certified Assessor status, Provisional Assessor Status, C3PAO status

Author: V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC.

Kieri Solutions LLC is in progress to become a CMMC assessment organization and has several Registered Practitioners and Certified Assessor candidates on staff. Amira is also the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification. 


Q&A with Jeff Dalton about C3PAO, CA, Provisional Assessors

Hello all, this is very exciting! Jeff Dalton from the CMMC Accreditation Body Board of Directors was kind enough to provide answers to my burning questions about…

  • Requirement for formal training for CMMC Certified Professionals, Certified Assessors
  • Can a CA jump to the front of the line if they pre-pay exams or have other qualifications?
  • Can CAs operate under different C3PAOs if their chosen C3PAO gets bogged down in the process?
  • What is going on with the Provisional Assessors? Are they actually performing assessments?
  • What is going on with the CMMC Assessment Model?
  • Have any companies been granted C3PAO status? Where are the leaders in the process?
  • How can a C3PAO achieve the requirement for ISO 17021?
  • How can a C3PAO meet the clearance requirements for their staff?
  • What is the requirement for an “IL-4” cloud cloud system about?

We only got through half of the questions, so I’m hoping to have a second interview in the next week or so. Please comment below with your burning questions about CMMC Professional Programs like CA, RP, C3PAO, LTP, LPP, and RPO. Sign up for our newsletter to be notified when we have more information.

Thanks to Jeff Dalton for his time and the CMMC-AB for authorizing this release of information about the current status of their professional programs!

Do me a favor – if you saw this article in LinkedIn, please share it. If you saw it in a newsletter, please forward it. Let’s get this information out to the community. Thanks so much!

Here are my notes from the Q/A session

These notes are paraphrased and I (Amira Armond) take full responsibility if I got anything wrong. If you want the official version, watch the video above.

Introductions:

Amira Armond is the chief editor for CMMCaudit.org which is meant to be a community resource for CMMC preparation. She attended a conference in late 2019 on NIST SP 800-171 and was lucky enough to be in attendance during the first or second public introduction of the CMMC idea by Katie Arrington. Amira Armond is also a CMMC Registered Practitioner, a Certified Assessor candidate, and the owner of Kieri Solutions, which is a cybersecurity consulting company in Maryland which is a C3PAO candidate.

Jeff Dalton is on the CMMC-AB Board of Directors and focuses on the credentialing side of it, what it takes to be an assessor, and the processes for assessments.

Training requirements for Certified Assessors

Question: Are CA candidates required to go through a “CMMC-AB approved” training course or can they self-study and challenge the exam?

Answer:

The DoD requires that the CMMC-AB conducts training and exams for assessors. From a functional standpoint, it is very important that all assessors are on the same page with a common understanding of the practices and how to perform assessments. The best way to do this is with a CMMC-AB approved training course.

There will be multiple formats for training courses, from in-person boot camps to web-based training. The CMMC-AB is letting the Licensed Partner Publishers decide how to format their training so that students can choose what works best for them.

For cybersecurity professionals that went to help clients get ready for the CMMC, they are not required to go through any certification or formal training. The CMMC-AB doesn’t want to put any artificial barriers on internal cybersecurity efforts.

Does pre-paying for CA move you to the front of the line?

Question: Regarding the CAs that registered and pre-paid for exams, is there going to be any priority for the CAs that paid more (such as through CA-3) versus those who just paid the $200 registration fee?

Answer: There isn’t any policy about prioritizing CAs in this way. The intent is for all CAs to be able to proceed with minimal delay once the training become available. So there shouldn’t be a “front of the line” or a “backlog”. CAs will be processed in the order they apply.

About the C3PAO bottleneck

Question: The C3PAOs seem to be stalled on background checks and other requirements. If a CA associated themselves to a certain C3PAO which is stuck in the process, is the CA able to switch to a different C3PAO?

Answer: The intention is for C3PAOs and CAs to be in a free marketplace with the ability to form teams to handle large assessments. CAs will be allowed to switch C3PAOs depending on market needs.

The DoD has emphasized making the market available to small businesses and this is the intent of the CMMC-AB too. For example, the CMMC-AB purposefully chose half of the provisional assessors to be un-affiliated with C3PAOs, so that they could test the marketplace process.

For C3PAOs that are eager to get started, Jeff recommends performing test assessments against each other. He really recommends working together and building relationships between the companies.

Question: Amira hasn’t seen any evidence of provisional assessments being started yet. The suspicion is that none have been. What is the current status?

Answer: To perform an assessment, the contract has to go through a C3PAO. This is the only way to do it. The provisional assessors have been started but the C3PAOs are not ready yet. Forty provisional C3PAOs have been vetted (background check) and about half are ready for CMMC level 3 assessments of their information system now. Those that are ready are queued up for DIBCAC assessments of their information system. Once this is done (they get CMMC level 3 certification), the C3PAO will be allowed to perform assessments.

The CMMC-AB thought that assessments would be started in July, but this process has taken longer than expected. They understand the frustration. But once this process has moved forward, there will be plenty of work for everyone.

The CMMC Assessment Guide

Question: Has anyone (such as the provisional assessors) been provided the CMMC assessment guide? What is going on with it?

Answer: The CMMC-AB working groups originally built an assessment guide, but it became evident that the DoD needed to own this document. The DoD is building their assessment guide and should release it any day. [Update: The first versions of the Level 1 and Level 2-3 assessment guides have been released by the DoD]

Back to C3PAOs

Jeff pre-statement: To clarify, no C3PAOs have been authorized yet. The CMMC-AB has been reviewing the websites for C3PAO candidates and has found several are advertising services that they are against the code of professional conduct. When this is found, the CMMC-AB is reaching out to those C3PAOs to let them know they need to change what they are doing.

Question: The CMMC-AB website says that C3PAOs need to obtain an ISO-17021 certification, but “not to engage” until further clarification. According to discussions with ISO experts, this process takes roughly a year, $40,000, etc. If we aren’t supposed to start, but it takes a year to do this process, what do we do?

Answer: The requirement has shifted from ISO 17021 to ISO 17020 [update: The CMMC-AB website has updated to show this]. There will be a grace period for C3PAOs to achieve the ISO 17020 certification, there will not be a need to rush this process. This process is about policy and procedures for managing assessments.

Your small company will not take a year to get ready for ISO 17020. It is easier to establish policy and processes with few employees. A large company like Deloitte will probably need longer. The $40,000 figure is probably due to using consultants. If you have a smart person who can read books, you should be able to do this on your own without consultants.

The CMMC-AB is also required to obtain ISO certs with a grace period. They will need to get ISO 17011 and ISO 17024 themselves, so they are going through this transformation themselves.

Question: If you have multiple CA candidates associated with your C3PAO, does that bump up your priority? And a reminder that there has been basically no communication from the CMMC-AB to CAs or C3PAOs.

Answer: Your statement is true, there are a lot of people who have applied that haven’t been processed yet. The CMMC-AB has hired two staff who are helping move the applications now. The focus of the last months have been on provisional assessors. There is a lot going on – the CMMC-AB is teaching classes, vetting candidates, updating the website, building processes.

Regarding prioritization of C3PAOs: The policy is to prioritize C3PAOs that have trained candidates [provisional assessors]. Some C3PAOs that were also FedRAMP C3PAOs were prioritized. While this is happening, the staff is starting to vet certified professionals, certified assessors, and C3PAOs.

The CMMC-AB has just approved a huge group of RPs and RPOs, and 80 provisional assessors (they all got their badges). They expect to be reaching out to non-provisional C3PAOs in the next couple weeks.

Background check requirements

Question: For Registered Practitioner, the website lists 15 background checks that are required. As a C3PAO, I haven’t been able to figure out how to perform all of these checks. How is this supposed to be done?

Answer: The CMMC-AB got your feedback and agrees that several of the listed background checks don’t really apply to the job (such as driving history checks). The CMMC-AB has changed the policy to require basic background checks.

The AB got stuck on the background check process because of the laws requiring proof that background checking was authorized, plus collection and retention of personal information. The CMMC-AB just changed to a self-service background check process which is working and doesn’t require dealing with personal information. This is working.

Question: Regarding Certified Assessors – the website says that CA-2s need a clearance. It also says that assessments at ML2 or above require a clearance. This is confusing and contradictory.

Answer: Understood, the website needs to be updated. The provisional assessors have been told that in order to perform an ML2+ assessment, they need to go through a Tier 3 non-clearance suitability evaluation by the government. For ML1 assessments, they need a Tier 1 suitability evaluation. [Update, since this time, it appears that all assessors at ML1 or above will need a Tier 3 non-clearance suitability evaluation]

Question: If this is the case, how does a C3PAO get their staff through this process?

Answer: The DoD (and maybe the CMMC-AB) is the only entity that can perform the evaluation right now. The responsibility for performing this falls upon the Federal Government right now. There is a process in place, which is being performed for Provisional Assessors, and it will not be something the C3PAO needs to do.

Information system requirements

Question: During the C3PAO registration process, there is a question about whether the C3PAO is using an Impact Level 4 cloud system, or if they will have a CMMC level 3 certified information system. A third choice is that the C3PAO will only perform ML1 assessments.

Answer: The question about IL-4 was trying to gauge how ready the C3PAO is to perform work. Since then, the requirement has changed to each C3PAO has to have a CMMC ML3 certification. Impact levels of clouds is not considered.

Question: Is the data collected during an assessment (system security plan, vulnerability scans, etc, from DIB companies) considered CUI?

Answer: The policy of the DoD is that an assessor doesn’t take CUI offsite ever, with the exception of one item: The assessment result. The DoD has stated that the assessment result is CUI. The official recommendation is that no work products (network diagrams, etc) leave the client site. However, this is something that the C3PAO and the client should work out.

Question: What about information system requirements for ML-1 assessments?

Answer: Because the assessment result is CUI, even at ML1, it looks like CMMC ML3 certification will be required for all C3PAO assessments.

Question: Is there an information system requirement for RPOs, since they are dealing with sensitive client information?

Answer: Since RPOs are not authorized to conduct formal assessments, and are not certified by the CMMC-AB, are not submitting results to the CMMC-AB, there is no requirement against RPOs. They are not subject to the same stringent requirements as C3PAOs and assessors.

Any company or organization is allowed to perform CMMC remediation services. They don’t need to be an RPO or have RPs. The purpose of having RPs and RPOs is to have some consistency in their understanding of the model, and to build a pipeline for giving people experience so they can become assessors and instructors in the future.

Question: Regarding CMMC level 3 certification for C3PAOs, did you say only the DCMA is performing assessments right now? Is there any plan to set up a rolling assessment where C3PAOs that are approved can assess other C3PAOs to get this process started?

Answer: That is a great idea, right now it is in the DoD’s court. Their current position is that only DCMA / DIBCAC can perform assessments.

Wrap up

Amira: We’ve run out of time for this session and I still have half my questions remaining. Can we do another interview to finish?

Jeff: Absolutely.

Amira: The next session will have more questions on the topic of C3PAOs, Licensed Instructor Program, and miscellaneous questions about record keeping and managing people.

Thank you Jeff, thank you CMMC-AB for this information!


Kieri Solutions LLC is in progress to become a CMMC assessment organization and has several Registered Practitioners and Certified Assessor candidates on staff. Amira is also the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification. 

5 thoughts on “Answers about C3PAOs, Assessors, and other CMMC Professional questions

  1. Steve Slagle says:

    Hi Amira,

    When do they expect to nominate the C3PAO? Our application was submitted back in April and haven’t received any feedback yet? Do you expect the investment in dollars impacting small businesses seeking to attain C3PAO status?

    • Amira Armond says:

      Hi Steve,
      I’m in the same boat as you. No feedback on my C3PAO application.
      As a very small business, I’m hoping that the investment will be repaid by increased revenues, but who knows! Just crossing my fingers here.

  2. james newman says:

    Great interview! I am glad Jeff was given such a well framed approach toward some of the hard questions. The complexities and the mindsets behind the CMMC construct are so difficult to navigate and the world of Cyber is rapidly evolving, my hat is off the the CMMC AB teams for taking the unwarranted heat and continuing to keep making things happen. !

  3. Kurt Steeby says:

    Hi Amira,
    I have a couple of questions.
    1. I registered for the CMMC Level 1 CA and paid about $700. How much is training going to cost and how much is certification going to cost? I saw one cost was $2500 per day for assessing…which seems extremely high. So what is the total cost to become a CA?
    2. How much can a CA expect to earn for conducting various types of assessments.
    Thanks,
    Kurt

    • Amira Armond says:

      Hello Kurt,
      Good questions. I know that these have been asked before. I think the answer is that we won’t know until assessments have actually been performed. I believe the CMMC-AB will let the marketplace set their own rates for assessments (between C3PAOs and OSCs). If I remember correctly, that $2500 per day was from the CA registration area on the CMMC-AB website. That comes out to roughly $300/hr for a CMMC-AB Quality Assurance team member to attend an audit. I would certainly want to pick a very small target for my first (QA’d) audit to keep this cost down.

Leave a Reply

Your email address will not be published.