Redspin First Authorized C3PAO
Redspin was the second organization to ever pass a full CMMC Level 3 assessment. The first company to pass their assessment has not been named in public and they have not yet been authorized by the DoD.
What are the authorization levels for C3PAO?
You might be asking, what is special about the “authorized” title for Redspin?
The CMMC Accreditation Body clarified in May that there are multiple stages for C3PAOs to pass through and that specific words should be used to describe their status. C3PAOs can be “applicants”, “candidates”, “authorized”, or “accredited”.
Explanation of the stages of C3PAO
This spring, the ~100 C3PAOs listed on the Marketplace learned that they were now considered “candidate” C3PAOs. Prior to May 2021, if a C3PAO was listed on the CMMC-AB Marketplace, they thought they were full-fledged C3PAOs and just needed to get their information system assessed to start work. On May 1st, the CMMC-AB sent a letter to C3PAOs clarifying what terms can be used to describe their status.
Stage 1: C3PAO Applicant
These are companies that paid a $1000 fee to the CMMC-AB and requested to become a C3PAO. During this stage, the C3PAO organization is evaluated for national conflicts of interest (such as being owned or influenced by non-US persons). They also go through an organizational background check. Applicants are not listed on the CMMC-AB Marketplace.
Stage 2: C3PAO Candidate
These companies have passed their conflict of interest and credit checks. They paid a $2000 ‘activation’ fee and signed an agreement with the CMMC-AB. This agreement is primarily about proper usage of the “C3PAO badge”. At this point, the C3PAO is invited to fill out a CMMC-AB Marketplace listing and can be found in the “Candidate C3PAO” category. Candidates are not authorized to perform CMMC assessments for certification yet. They are allowed to provide consulting and gap analysis like any other cybersecurity company.
Stage 2.5: DIBCAC assessment
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a division of the DCMA, is tasked with performing CMMC Maturity Level 3 assessments on Candidate C3PAOs. Passing a CMMC Maturity Level 3 assessment of their information system is a requirement for C3PAOs to become authorized. C3PAOs are given questionnaires about whether they are ready for a CMMC Maturity Level 3 assessment. They are also asked how many assessors they could field. A small portion of Candidate C3PAOs have been contacted by DIBCAC to pre-screen them and schedule a CMMC assessment. C3PAOs reach this unofficial sub-stage when they pass the CMMC assessment of their information system.
Stage 2.8: Capability check
After passing a CMMC Maturity Level 3 assessment, there appears to be another sub-stage which needs to be passed. This stage hasn’t been discussed publicly, so details are not known. The C3PAO that was the first to pass their CMMC assessment but has not yet been “authorized” must be at this sub-stage. My guess is that the DoD or CMMC-AB wants the C3PAO to show that they have procedures and personnel available to perform assessments.
Based on public statements by DoD A&S earlier this year, the expectations for personnel are to have at least 4 provisional assessors (3 to perform a single assessment and 1 to be an independent quality reviewer). I don’t know of any situations where multiple provisional assessors were chosen from a single organization, and many C3PAOs do not have any in-house provisional assessors at all, so this probably means that the C3PAO is expected to search out and engage new staff at this point.
A second complication for personnel is that each assessor, quality reviewer, and anyone else from the organization dealing with assessments (such as managers and IT) needs to have a Tier 3 Background Adjudication by the DoD. This is roughly equivalent to the investigation for a SECRET clearance. The process for submitting personnel for these background checks is not defined except for provisional assessors. I don’t know of the CMMC-AB or DoD allowing any IT, management, or back-office staff to be submitted for Tier 3 background checks.
It is unknown whether assessment procedures are provided to C3PAOs at this point, if they are expected to create their own, or if a provisional assessor is expected to provide their NDA’d classroom procedures to the C3PAO.
Stage 3: Authorized C3PAO
At this point, the C3PAO shows up on the CMMC-AB Marketplace under Authorized C3PAOs. This should mean that Authorized C3PAOs are allowed to schedule and perform assessments and to issue CMMC certificates for levels 1-3. As mentioned at the top of this article, only one company is listed as an Authorized C3PAO at this time (June 13, 2021).
Stage 3.1: Assessment process guidance from DoD / CMMC-AB?
C3PAOs have not yet been given guidance on how they are supposed to report assessments (before or after). This probably needs to be figured out before assessments for certification are conducted. Are C3PAOs supposed to send an email to the DoD? Purchase an assessment voucher?
According to the February 2021 CMMC-AB Town Hall, assessment results are supposed to be entered into a CMMC-specific eMASS program by C3PAOs using an Excel-formatted spreadsheet. eMASS is a program used by the Department of Defense to track cybersecurity compliance for each of its departments. This capability probably needs to exist before assessments are performed. There has not been a public update about CMMC-specific eMASS since the February Town Hall.
Stage 3.2: Scoping and escalation guidance
C3PAOs as well as the general public have not yet been given scoping guidance for CMMC.
Very simple yet extremely impactful questions (like whether FCI needs to be included in a CMMC Level 3 assessment scope) have not been answered.
The DoD should also provide a method for C3PAOs to get authoritative answers about whether specific solutions are acceptable. There are many situations which are simply not addressed in the CMMC model. Can C3PAOs ask DoD CIO for guidance? Can this guidance be used for other clients with the same situation? This topic has not been addressed yet.
What does this mean for the Authorized C3PAO(s)?
Even after the fees, information system costs, and effort required to become an Authorized C3PAO, the first authorized assessment organizations and their clients will be playing the role of alpha testers. Hopefully the DoD will work hand-in-hand with these C3PAOs to debug assessments at the organizational process level.
Stage 4: Accredited C3PAO
A C3PAO which has performed all previous steps as well as passing an ISO 17020 audit by the CMMC Accreditation Body would be an Accredited C3PAO. ISO 17020 is a well-known standard for inspection organizations. It validates that an organization has procedures and appropriate governance in place to perform impartial assessments. Many of the larger candidate C3PAOs have already passed ISO 17020 audits for other accreditation bodies and would just need to update their procedures to reflect the specific guidance provided by CMMC-AB and DoD.
Why even bother with Accredited when C3PAOs can perform certifications at Authorized?
This is a good question. The CMMC-AB website states that ISO 17020 certification is required 27 months after “date of registration” for C3PAOs. What is the “date of registration”? Not sure. Most likely either the “applicant” or “candidate” C3PAO stage. If it refers to the application, then many C3PAOs are already more than a year into their grace period.
In general, certifications performed by “accredited” C3PAOs will have more authority. In the future, it is possible that the DoD or CMMC-AB will require certain certifications to be performed only by “accredited” C3PAOs, or simply set a date where all C3PAOs must be accredited.
Are you a candidate C3PAO or applicant C3PAO? Please join the C3PAO Stakeholders Forum for the latest news, to advocate for C3PAOs between the CMMC-AB and DoD, and to help build the procedures and standards that we desperately need to do our job consistently.