How to become a CMMC auditor or certifier


This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

How to become an accredited CMMC certifier or auditor?

Unfortunately, at this time, there is no way to become an auditor or certifier for CMMC. The following things need to happen first.

RFI for CMMC Accreditation Body (complete)

The DoD released Request for Information (RFI) HQ0034SS10032019 seeking information on how to define the long-term implementation, execution, sustainment and growth of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.

The solicitation was released October 3, 2019. There was a Kick Off Meeting on November 19, 2019. The RFI is now inactive.

The focus of this RFI was to get advice from stakeholders about the role, duties, and form of a CMMC Accreditation Body. In other words, should it be for-profit, non-profit, a partnership of multiple organizations, a single existing organization, a single new organization, who should be on the board of directors, etc.

As part of the RFI process, new information about the CMMC was published in these documents:

CMMC Accreditation Body RFI document

Request for Information Cybersecurity Maturity Model Certification Accreditation Body OUSD(A&S) Amendment 1 (SAM.GOV)

Here is my summary of the RFI document…

The definitions page gives some great information. The following definitions are copied from the RFI (page 2).

  • CMMC Model – A capability-based maturity model that defines a progression of cybersecurity maturity. The model leverages multiple sources, including current law, regulations, commercial best practices, and threat profiles.
  • CMMC Accreditation Body – The organization responsible for managing, operating and sustaining the CMMC program, CMMC training, and evaluating and accrediting individual assessors and C3PAOs.
  • CMMC Assessments – Evidence-based, on-site evaluations of the capabilities, practices, and process maturity defined in the CMMC model and conducted by independent third-party assessment organizations. Not all CMMC assessments will require the same amount of effort, as lower levels defined in the CMMC model assess a smaller number of less challenging cybersecurity capabilities. Higher level assessments will be more involved.
  • CMMC Certification – The result of a CMMC assessment. The CMMC certification represents a company’s demonstration of cybersecurity capabilities and organization maturity as defined for a specific level of the CMMC model. CMMC certification will be used to qualify companies for DoD contracts.
  • CMMC Third Party Assessment Organizations (C3PAOs) – Third party organizations accredited by the CMMC Accreditation Body and authorized to conduct CMMC assessments and grant CMMC certifications.

The CMMC Accreditation Body will conduct these activities (copied from the RFI, page 4):

  • Accredit C3PAOs
  • Conduct CMMC Training for C3PAOs and Assessors
  • Implement individual assessor and C3PAO Quality Control Programs
  • Coordinate and report metrics with the CMMC PMO
  • Maintain the Reference Implementation Assessment Tool
  • Manage and maintain CMMC assessor training, and associated assessment guidance
  • Manage and maintain CMMC supporting systems and databases (records management, knowledge sharing and marketplace, artifact store)
  • Manage the dispute resolution process to adjudicate C3PAO technical appeals and complaints.

CMMC Accreditation Body RFI Questions and Draft Responses document

CMMC Accreditation Body RFI Questions and Draft Responses (SAM.GOV)

Here is my summary of the questions and answers:

Many questions are about the auditors (called C3PAOs) and how they will be picked. The responses reiterate that the current focus is on creating an Accreditation Body (an organization), which would be responsible for figuring out how the auditors get trained, tested, and certified.

Question 31 has a good tidbit: “Will instructors and/or assessors require clearances for top secret facilities?” Answer: “The certified C3PAOs will only assess non-federal unclassified networks. It is anticipated that the Accreditation Body and/or certified C3PAOs will work with DIB contractors with respect to access requirements for credentialed CMMC assessors.”

Selection of CMMC Accreditation Body (in progress)

The accreditation body is not fully functional yet. It is in the working group stage, where interested parties are collaborating to define and form it. Officers have been selected, but the base of full time employees has not been hired yet.

They are still hashing out questions like where the money to operate the organization should come from, whether the body should play a heavy role in evaluating risk to companies or expect the DoD to set standards, etc.

The accreditation body DOES have a website: https://cmmcab.org (Thanks to Chris Golden in the comments).

The AB website CMMCab.org is being updated daily and has a newsletter sign up. Go check it out!

I will update this article as new information becomes available. Also please sign up to our newsletter on the right for email notification when we release a new blog or things change.

Requirements for C3PAOs need to be created (future)

The CMMC Accreditation Body needs to develop a process for selecting C3PAOs.

I expect there will be some combination of requirements for auditors. For example, auditors may need to:

  • show specific credentials such as an (ISC)² or ISACA certification.
  • show cybersecurity and compliance experience.
  • pass a test specific to the CMMC best practices.
  • pass a background check.
  • be sponsored by others in the industry.
  • complete training provided by the accreditation body.

This is also not done yet.

The CMMC requirements need to stabilize (complete)

(Update 2/4/2020) The CMMC Model version 1.0 document and appendices have been released. This is the first final version of the CMMC.

More information and links to version 1.0 can be found here: CMMC Version 1.0 Released – Analysis for DoD contractors

This document gives the requirements for levels 1-5, as well as clarifying descriptions and examples for each control. It also describes the expected maturity of processes for each level.

Auditors will use this document for guidance when reviewing each company’s cybersecurity program.

Expectations for a successful audit need to be set (future)

The Accrediting Body and/or DoD need to set expectations for what a successful audit looks like. This is a huge unknown, at least to me. The precedent set by NIST SP 800-171 is to have a system security plan, to meet minimum security requirements in Federal Acquisition Regulation (FAR) Clause 52.204-21, and to have a plan of action for the rest.

The intent of the CMMC is to get contractor networks to be fully secured, without exceptions, to the security level specified.

In practice, there will be problems with requiring full cybersecurity best practices.

A simple example is multi-factor authentication (MFA). Sure, you can set up MFA to trigger when you log on and when you open email, but what about the non-compliant manufacturing program that is required to perform the contract?

A more worrisome (because it happens to all of us) example is patching. If you can’t patch system X because it crashes, does that mean you can’t be certified? What about timeliness? How up-to-date do your systems need to be? Can your patch process include time for testing?

There will need to be an exception process. This could take the form of a temporary exception for X months or years, or an interim approval with new audits required every 6 months. To be determined.

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for our newsletter so that I can send you news and employment opportunities. Please connect with me on LinkedIn too!

10 thoughts on “How to become a CMMC auditor or certifier”

  1. Michael Hammond says:

    Adavi,

    As of today, there is no way to be an auditor. The accreditation body is being formed and then will work to develop the training and accreditation requirements. Anyone who tells you they can do the “audit” or knows exactly how to become an auditor is not telling the truth. It is expected in Feb/Mar/Apr of 2020 for this info to be solidified.

    • Amira Armond says:

      Exciting times, thanks John!

      From the AB website:
      “Assessors will receive a license from the CMMC-AB after completing required training.
      Assessors will NOT work for the CMMC-AB but will work for C3PAO’s.
      Assessors will receive a license at a level that matches the assessments they are permitted to conduct. In the very near future, all contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. Experience requirements for higher-level assessors are not yet determined.
      Assessors are required to obtain a security clearance. The specific clearance levels are not yet determined.”

      • Melo says:

        Security clearance levels for CUI inspections… that’s interesting… but how are these security clearances supposed to be initially obtained or maintained?

        I wonder if the C3PAO’s have to maintain clearances for their assessors… I could be mistaken, but the C3PAO would then need to become a cleared contractor company tied to some gov. contract that has cleared work to be done. But from what I understand so far, a C3PAO wouldn’t really be tied to any contract… so, how would a C3PAO (or assessor) do this without being tied to a contract?

        I would think this would prevent many C3PAO’s from being formed for long if they can’t keep their assessors’ clearances going, so would the CMMC-AB have some kind of process/mechanism for C3PAO’s assessors or individual assessors to keep their clearances active?

  2. Greg Arnholt says:

    Will there be a conflict of interest constraint placed on assessors and C3PAO’s? In other words, can an assessment be completed by a C3PAO that also provides any security services to the same entity that is being certified?

    • Tony Brunner says:

      This is a great question. The dual role could create a tempting trend for companies to “trade” services and compromise the integrity of the C3PAO model.

  3. Samuel Jay Langham (CISSP) says:

    There should be a statement of independence required for the certifying organization, i.e. the person or even the company providing those certifying actions must show their independence. This has been a thorn to many large auditing firms, as after conducting the audit they cannot pick up the secondary work piece of corrections and remain the auditor, or work with that client in pre-assessment and aligning the target of test to requirements.
    On a more positive note, this allows for more than one group to be involved, and so the final certification has more weight to it.
