Author: V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC.
Jeff Dalton is a member of the CMMC-AB Board of Directors with the focus area of CAs / C3PAOs and is the CEO of Broadsword Solutions Corporation.
I am very excited and thankful to be able to share this second interview with Jeff Dalton (CMMC-AB Board of Directors) on CMMC professional topics. Thank you Jeff and CMMC-AB for providing this information to the community!
- How does the C3PAO manage their CA’s Tier 3 non-clearance suitability?
- C3PAO requirements for their information system. Note, see interview notes below video for additional cloud clarification from Regan Edens (CMMC-AB Board of Directors)
- Ethics and the Code of Professional Conduct. Note, here is the CMMC-AB website page with CoPC link.
- Formal associations between RPs and RPOs, CAs and C3PAOs
- Licensed Instructors, the route to become one, and if they need a Tier 3 investigation or not
- Updating our applications
- What CMMC training should OSC employees get?
There is some additional guidance provided in text form below the interview. I recommend checking the section “What are the requirements for in-scope cloud vendors?” for information about FedRAMP and C3PAO cloud use.
My notes on the conversation. These notes are paraphrased and may be wrong (I take full responsibility for mistakes). Please see the video for the most authoritative version.
Background checks for Certified Assessors
Q. According to previously released information on the CMMC-AB website, C3PAOs are expected to manage the background investigations for their CAs. How does this work?
A. Right now, the process isn’t mature, there aren’t C3PAOs ready to manage this. The CMMC-AB is managing the background checks for all Certified Assessors right now by helping them submit for a Tier 3 non-clearance suitability determination. At some point, there will be too many assessors for the CMMC-AB to manage, and the responsibility will move to the C3PAOs. But the Tier-3 suitability is held by the Certified Assessor, not the C3PAO. It can move with the CA if they perform work for different C3PAOs.
C3PAO Information System Requirements
Q. C3PAOs need CMMC Level 3 certification of their information system to perform work. When can we get this done?
A. The process is that the C3PAO needs to have multiple levels of background reviews performed first. Part of this process asks C3PAOs when they will be ready for a CMMC Level 3 assessment. So far the CMMC-AB has gotten replies that some C3PAOs will be ready now and some will be ready on later dates (6 months, etc). Based on the response (ready date), the C3PAOs are being added to the schedule for assessments. The assessments of C3PAO information systems will be done by DIBCAC assessors and can only be done as fast as they are available.
Q. That works for the provisional C3PAOs, but what about the rest of the C3PAOs?
A. The same process should work for all C3PAOs; it will be based on when you signal that your information system will be ready for assessment.
Q. I’ve talked to provisional assessors that feel most comfortable performing ML1 assessments. Can they and their C3PAO start doing ML1 assessments now without a CMMC Level 3 information system?
A. Because assessment results are considered CUI by the DoD, even for ML1 assessments, the requirement for a CMMC Level 3 information system will apply to all C3PAOs no matter what level assessment they perform.
What are the requirements for in-scope cloud vendors?
Q. For the C3PAOs working on their information system, there has been a lack of clarification about CMMC and use of clouds (since cloud use is discussed at the DFARS 7012 level, not in the CMMC and not in DFARS 7021). Is there a requirement for cloud security that can be used in a CMMC ML3 system?
A. The answer is that your environment needs to be CMMC Level 3. So if you use cloud providers to manage data or transmission of data in your environment, then those cloud service providers will need to be compliant with CMMC Level 3 for the things they provide. You need to, even if they are FedRAMP, show evidence of that compliance to the assessor.
Side note: On this topic, I asked for clarification because I was concerned that C3PAOs wouldn’t be able to get their information system certified due to a lack of evidence that their cloud provider is secure. While the CMMC Assessment Guide discusses inheriting practices, there are some CMMC practices that cannot be inherited because they don’t exist in FedRAMP or other compliance models.
Regan Edens (CMMC-AB Board of Directors) sent us more clarification on this topic. *Updated January 5, 2021*
The DoD Project Management Office for CMMC has identified these requirements for C3PAOs:
1) Require all C3PAO information systems (internal and external), including any assessment tools, that store, process, or transmit CUI, to be certified CMMC Level 3 by DCMA DIBCAC assessors before conducting assessments and receiving authorization or accreditation from the CMMC‐AB.
2) If a C3PAO uses an external cloud service provider to store, process, or transmit CUI, the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline.
3) If a C3PAO selects services from an external cloud service provider that has not been FedRAMP authorized, the C3PAO shall hire a Third Party Assessment Organization (3PAO) approved by the GSA FedRAMP Program Management Office to independently
assess the external cloud service provider using the same assessment methodology and criteria established by GSA FedRAMP Program Management Office for a FedRAMP HighBaseline approval. The C3PAO will provide this assessment result to the DIBCAC in support of the CMMC Level 3 assessment.
Source: This requirement for C3PAOs and cloud providers has been posted on the CMMC-AB website on the C3PAO page.
Source: Here is the announcement on LinkedIn.
Regan also references the DFARS Cybersecurity FAQ document which has several relevant questions and answers.
Q110: How can a contractor ensure that the cloud service provider can comply with requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment (i.e., paragraphs (c) through (g) of DFARS clause 252.204-7012?
A110: While the (c)-(g) requirements are contractual requirements you must meet (e.g., reporting of cyber incidents), if you are using a cloud service, you’ll need to insure the cloud service provides you the necessary information/support to meet those requirements (e.g., report a cyber incident affecting your DoD CUI to you in a timely manner, so you can report the cyber incident to DoD within 72 hours of discovery). Each provider approaches these differently, with some providers explicitly stating they support the requirements (or not) while others may note that the customer can supplement their services to meet the requirements.
Q116: If a company is using an external Cloud Service Provider (CSP) to provide processing and storage of covered defense information, (i.e., DFARS clause 252.204-7012 requires that the CSP meet requirements equivalent of to the FedRAMP Moderate baseline), depending on the service provided (i.e., IaaS, PaaS or SaaS), some of these FedRAMP requirements are allocated to the client. In this case, does the client (the company contracting with the CSP) have to meet FedRAMP “Moderate” requirements that are NOT mapped to the NIST SP 800-171 requirements per Appendix D of NIST SP 800-171?
A116: No. The CSP has to meet all of the requirements equivalent to the FedRAMP Moderate Baseline, but if some of these (as is typical) are allocated to the client, the client does not need to meet FedRAMP requirements that are unrelated to the NIST SP 800-171 requirements. If the particular FedRAMP requirement (a control from NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations) is not mapped to a NIST SP 800-171 requirement in Appendix D of NIST SP 800-171, it need not be applied by the client. When the FedRAMP control is mapped to a NIST SP 800-171 requirement, only the actual NIST SP 800-171 requirement need be implemented, which may be somewhat different than its mapped NIST 800-53 control. Note that in some circumstance controls that must be implemented by the CSP may require a reciprocal implementation by the client for the CSP’s control to be effective.
Amira’s note: Remember, the requirements for FedRAMP High only apply to C3PAO information systems that will be used for assessments. Not to regular companies that need CMMC Level 3 unless they have data sovereignty requirements (like Export Controlled CUI). More information about regular companies and CMMC Level 3 cloud requirements can be found here: Interview with Regan Edens about DFARS 7012 and Cloud Service Providers.
Ethics and the code of conduct
Q: The Code of Professional Conduct (CoPC) that all C3PAOs and CAs are expected to abide by has not been made public. I can’t find it on the CMMC-AB website. Is it available anywhere?
A: Not sure. I will ask about it.
Q: The Code of Professional Conduct (CoPC) and ethics explanations that I’ve seen (as part of the Registered Practitioner process) say that a C3PAO is allowed to perform consulting (remediation) and assessment (certification) services, as long as the C3PAO does not perform both types of services to the same client.
A: Correct, neither the C3PAO or the assessor can do that. You can’t help build it and then assess it later. There can’t be a conflict of interest like that, it is a hard requirement.
Q: Understood, but… for example, my own company has been doing remediation and IT services for years. Our website advertises services relating to specific products such as “Microsoft cloud migrations”. From a Registered Practitioner standpoint, this is fine. But from a C3PAO standpoint, is there a conflict of interest if your website advertises remediation services that mention products or vendors?
A: That is a good question. There are a lot of models in the market that the CMMC-AB drew from (ISO, ITIL, CMMI, SOC, FedRAMP etc). All of them do consulting as well as assessments. They just don’t do consulting for the same companies that they assess. I don’t believe there is a preclusion from a C3PAO from saying that they do consulting too, as long as they don’t perform it for the same clients. If there is any possible conflict of interest, you will need to state this when you are preparing for an assessment. That conflict of interest (remediation and assessment for the same client) is a serious offense.
Q: What about relationships between companies in the CMMC ecosystem? C3PAOs and RPOs, for example. Is there a problem if a C3PAO recommends an RPO, or vice-versa?
A: There are obvious caveats in any recommendations like that. There is nothing in the Code of Professional Conduct that says you can’t recommend other companies. For example, you could recommend a certain training provider that you think is doing a good job. But there is a clause against “accepting a bribe”, for example. If your arrangement with other companies involves a kickback, that would be a clear violation of the CoPC.
Association questions (RPs to RPOs, CAs to C3PAOs)
Q: Are RPOs required to do anything special in terms of managing their RPs (such as insurance, background checking, information systems), like the C3PAOs have to do with CAs?
A: RPs have background checks and both RPs and RPOs are expected to follow the Code of Professional Conduct. But they are not expected to undergo a rigorous process like the C3PAOs and CAs are. There are some requirements but they are fairly light-weight compared to the C3PAO.
Candidates associating themselves with RPOs and C3PAOs without permission
Q: I have noticed that there is no notification to the RPO or C3PAO when a candidate associates themselves with your company. Is there any liability for the C3PAO or RPO if someone associates themselves without permission?
A: There is no liability in this case because you never gave permission. The marketplace was designed to be flexible, to allow people to pick their own associations. As a result, a very small amount of people randomly picked companies. It is getting cleaned up over time, and ultimately there will be a better, tighter, linkage between professionals and organizations in the system.
Q: If a CA or RP or C3PAO or RPO wish to de-associate from each other, or want to change association, how do they do it?
A: At this point, just send an email to support. When the self-service portal is finished, it will be possible to do this yourself. Messages will be sent to notify companies when someone picks them.
Q: The training says that instructors will need to meet the CA-level that they are teaching before they can become an instructor.
A: Yes this is correct
Q: So my thought was that anyone who wants to be an instructor should pursue Certified Assessor first.
A: This is correct, the idea is for all instructors to be certified assessors first. The instructor program will be started after the assessor program is rolled out. But we do have a plan for some provisional instructors which will roll out in the next months.
Q: Do you have advice for the people who want to become instructors? Should they send an email to the AB stating that they are interested in instructing? Or should they focus on CA and there will be notification to everyone at some point?
A: There will be notification when Instructor is available. You will need to have completed the CP and CA before you can start the CI track. I do have advice for people who want to be instructors. My advice is to become a Certified Assessor for Level 1 since this is the first one with the lowest cost and lowest test requirement, then become an instructor for Level 1. Because the DoD is saying that the majority (more than half) of assessments will be at Level 1, there will be a large need for Level 1 Assessors.
Update (December 18, 2020): Per the recent CMMC-AB Town Hall… If you are interested in being a provisional instructor, send an email to email@example.com, mention you are applying to be an instructor, and attach your resume. Registration is open. They are looking for people with experience doing assessments AND training.
Clearance requirements for Licensed Instructors
Q: Will you still need a Tier 3 non-clearance suitability determination if you just want to be an instructor?
A. Yes, because you would need to be a CA first, to be an instructor.
Bottleneck for instructors (and thus classes)?
Q. I’ve heard from Licensed Partner Publishers that they are trying to have training ready by the end of December 2020 or January. At this point, I’m expecting training to be available in 60 days. Is the CMMC-AB planning to speed up the process to get the licensed instructors moving?
A. Understand the question, but at this point I don’t have an answer. We are still moving through the provisional program, which is meant to be a pilot, not a production system.
Questions about our applications and updating them
Q. We put in our applications months ago. Things have changed since then. Our answers to some of the questions have changed. How do we update our applications? If we send an email in, does a central database get updated, or is our information literally kept in an email thread?
A. At this point the back-end of the CMMC-AB website is built out to track all registrations and entities. So at this point, when we get an update we are entering the new information into the database. So yes, all your information is being tracked centrally and updated.
What about CMMC training for OSC internal employees?
Q. Should OSCs (DoD contractors that are seeking certification) send their employees through CMMC training? I’ve heard from some that started the process, but got stuck when they were required to associated with an RPO or a C3PAO. What should they be doing?
A. The training available for CMMC professionals (such as CA, CPs) will be a great opportunity for companies to train their workforce. To the specific question about the process, whether these people should go through formal CA training or offer a different certification for internal employees, the CMMC-AB hasn’t had that discussion yet and there isn’t a right answer identified yet.
I hope you found this useful! The instinct is to be competitive against each other but there are so many clients and so few CMMC professionals at this point I don’t think we need to be. In 2021, there will be some huge clients that need assessments in a hurry.
Let’s start thinking about actually performing work: How will we do assessments? How will we handle client complaints? What level of documentation do you want to see for each practice? Have you started building your ISO 17020 processes?
Thanks again to the CMMC-AB for authorizing this interview and helping the ecosystem stay on track.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC.
Kieri Solutions LLC is in progress to become a CMMC assessment organization and has several Registered Practitioners and Certified Assessor candidates on staff. Amira is also the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.