Hello all,
The CMMC Accreditation Body has opened new pages on their website with information about registering as a C3PAO (Certified Third Party Assessor Organization) and as an Assessor. They also have information about becoming a "registered practitioner" or a "registered provider organization" (these can serve as assessment team members but cannot lead audits).
You can find the source information on the front page of CMMC AB website: https://cmmcab.org
Here are my quick notes from reviewing the information. Please remember that I’m not a representative of the CMMC Accreditation Body and to always double-check the source.
To be a certified CA-3 Assessor, you need:
(This gives you the ability to lead CMMC Level 3 audits.)
- Already be a certified CA-1 Assessor
- U.S. Citizenship
- 4+ years cyber or information technology experience
- Complete CMMC AB-provided training and pass the exam for CMMC Certified CA-3 Assessor
- Have a National Agency Check (NAC), DHS Suitability credential, or other DoD-accepted clearance. *
The clearance FAQ says that if your employees or potential contractors do not currently have a clearance, “the CMMC-AB will provide a mechanism for clearance applications through the Accreditation Body. The details are not yet finalized…”
To be a certified CA-1 Assessor, you need:
(This gives you the ability to lead CMMC Level 1 audits.)
- U.S. Person (green card OK)
- Pass the CMMC AB-provided training and exam for CMMC Certified CA-1 Assessor
- Pass a commercial background check (or have a clearance like CA-3)
Application fees for Assessors – expect $3,000 minimum
Non-refundable application fee: $200. The exams cost between $275 and $450 per test. Your first assessment costs $2,500 because it must be observed / quality-checked by the CMMC AB.
Assessor application process
You will be asked for the following information:
- Personal identification details (name, address, phone, email)
- Which C3PAO you are affiliated with. As of right now, there aren't any. You have the option to pick "Other" and write in a name, but I don't know if that is appropriate when no organizations have been certified yet.
- Qualifiers: Are you a U.S. Citizen? Are you willing to get a background check? Have you had a felony conviction? What education levels have you reached?
- What region(s) of the U.S. do you want to perform audits in?
- You will be asked to upload your current resume and pick which certifications you have achieved. The form lists DIBCAC Assessor, ISO Auditor (external), CMMI Lead Appraiser, ISO 20000 Lead Auditor (external), ISO 27001 Lead Auditor (external), FedRAMP Assessor, and RMM CERT. You can pick "Other," which gives you a short free-text field. You will be asked to upload "evidence" for each credential you checked. The "Other" entry only lets you upload one file.
- Finally, you pick the $200 registration alone or add a "bundle". The bundles add vouchers for the exams needed to reach that level. So the CA-3 bundle includes exams for Certified Professional, Certified Assessor-1 (CA-1), and Certified Assessor-3 (CA-3).
- You will be asked for payment details. At that point the form completes and a receipt is mailed to you.
**Amira's note: When I put in my application, I had validation errors. I was able to resolve them by adding my state of residence to the payment page (it wasn't copied over with the rest of the fields).**
To be a certified C3PAO, you need:
(This gives your organization the ability to host certified assessors to perform audits.)
- General Liability, Errors & Omissions, and Cybersecurity Breach insurance with the CMMC AB as a named insured.
- Have an organizational background check through Dun & Bradstreet, and have a DUNS number.
- Have at least one registered practitioner, certified professional, or certified assessor (a 30-day grace period applies), and perform background checks for ML-1 (CMMC Maturity Level 1) assessment team members.
- Be 100% U.S. Citizen owned
- Sign the C3PAO license agreement and pay activation fees.
C3PAO and ISO 17021
There is mention of the ISO 17021 certification, but the website says not to get the ISO 17021 certification until more information is posted by the CMMC AB.
**Amira's thoughts: According to my research, the ISO 17021 standard provides a set of requirements for management systems auditing. Essentially, it is meant for organizations that perform audits (such as our C3PAOs), and helps prove that the organization is competent to evaluate management systems.**
C3PAOs need to get their information systems CMMC certified?
Because higher-level audits will deal with CUI and vulnerability data for CUI networks, C3PAOs will need to get their own information system certified at CMMC Level 3 before they can perform audits at CMMC Level 2 and above.
**Amira's thoughts: Ouch. This sounds like an incredible bottleneck. Potential C3PAOs will be fighting with industry companies trying to get certified for their contracts, all drawing from a very small base of auditors.**
C3PAO – Serious applications only
The initial application fee (non-refundable) is $1,000. First-year activation is $2,000, and each year after is another $2,000. There are also "per-assessment fees," which appear to be a fee paid to the CMMC AB for each audit you perform: Level 1 $300, Level 2 $500, Level 3 $750.
C3PAO registration process
The registration for C3PAO will ask for the following information:
- Contact information for you and business details such as business name, address, type of entity.
- DUNS number (the form lets you proceed without one)
- Are all owners U.S. citizens? Have any owners been convicted of a felony?
- What is the business focus? Cyber security, capability assessments, information technology, management consulting, software development, other
- Do you currently have ISO 17021 certification?
- Do you have ISO 9001, ISO 27001 (misspelled "ISO 270001" on the form), or CMMI Maturity Level 2 or 3 as an organizational certification?
- Do you have any employees with the following certs: DIBCAC Assessor, ISO Auditor (external), CMMI Lead Appraiser, ISO 20000 Lead Auditor (external), ISO 27001 Lead Auditor (external), FedRAMP Assessor, RMM CERT, or "other"?
- Questions about whether you understand the requirement for background checks for level 1 and clearances for level 2+ assessors / professionals.
- Infrastructure questions: Do you use an IL4 (DoD Cloud Computing SRG Impact Level 4, which builds on the FedRAMP Moderate baseline with additional DoD controls) cloud application for assessments? Do you plan to use a CMMC Level 3 compliant environment, or plan to use an IL4 cloud? Or you can say that your organization will only perform CMMC Level 1 assessments. **Amira's note: This part of the registration is less scary than the information pages on CMMC AB made it seem. The information pages made it sound like you'd need to get a CMMC Level 3 certification. This registration page just asks if you have a secure document management system. Much, much easier.**
- You now have the option to pay your application fee and buy optional assessment packs.
Alright folks, that is all I’ve got. Go check out the CMMC AB website to see all the information and register. https://www.cmmcab.org
Good luck! Please send me a connection on LinkedIn (Amira Armond) and comment with your thoughts and tips.
I was a federal IT employee for 20 years, but have no certs. My company is considering paying my fee, is it worthwhile to pursue this?
Thank you so much for posting this, it’s the first time I’ve seen everything laid out in one place and in an order that is easily digestible. One thing I was looking for that is left unclear is what the cost of the training classes is, unless it’s included in the exam cost. Can you clarify?
Where do I go from here, having inadvertently missed the invite e-mail sent to me to be part of the first 71 Assessors? C3PAOs have not been trained themselves nor approved so far. The classes being created by the 11 approved training providers are not ready till 1Q21. What do you suggest? Where can I get a list of the potential C3PAOs that have applied so I can seek them out?
Hi Amira,
I registered to become a CA-1, that is, I filled out the application and paid my $200. I am CISSP/CCSP, so I hope that helps me qualify, as inherent in those certifications is 5+ years of cybersecurity experience.
Now that I registered, how do I pass the first exam? There seems to be a bit of a "chicken and egg" aspect to this whole process.
OK – I applied as a “Registered Practitioner” and don’t even see that on the chart?! I have started thinking that they are collecting money 1st and considering what is what 2nd!
The inherent problem is that the AB hasn't had any source of decent funding until last month. Hopefully they are hiring some people with the money they've collected. I wouldn't be surprised if they have $1 million or more from registrations, but this is a one-time surge until the audits start happening. Money goes quickly when you are paying salaries for employees. I'm wondering if the DoD is trying to give them some stability and funding with the SOW, to make the AB less dependent on the commercial side.
I have not achieved any security certifications prior to my involvement in the CMMC preparation project. I have been told I should get my CA-3 certification. Can I still pursue the certification without any prior security certifications?
Hi Robert,
From reading the requirements posted on CMMCAB.org for CA-3, there is not a security certification requirement other than the CMMC-specific exams. I believe that the application asks about those audit-specific certs because they want to hand-pick a group of highly qualified people for the “provisional class”, and are using the certifications and experience to do so. So if you don’t have a listed cert, perhaps don’t plan on being in that first class of auditors.