How to become a CMMC auditor or certifier


This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

How to become an accredited CMMC certifier or auditor?

*Updated June 24, 2020*

As of June 23, 2020, the CMMC Accreditation Body has opened registration for CMMC assessors!

Don’t get too excited though. Right now, it is literally just a questionnaire and a $200 non-refundable registration fee. There is no guarantee of any response to the application for quite a while.

The CMMC AB is taking registrations right now so that they can select a “provisional class” of highly qualified cybersecurity auditors. This class of 60 will go through initial training and exams (or maybe just training) and then they will be sent out to perform the initial audits in late 2020 / early 2021. Their initial work will be used to guide the development of training and exam programs.

If you aren’t chosen to be part of the provisional class, then you will need to wait for 1) CMMC training to be released (and take it), 2) CMMC exams to be available (and pass them), 3) a background check or clearance to complete, and 4) companies (C3PAOs) to be authorized to perform audits.

This breaking news article gives more details about the registration process and requirements for CMMC auditor / assessor and to become a C3PAO.

^^^ Seriously, if you want to apply as an auditor / assessor, C3PAO, etc., that article is what you need to read next.

CMMC Training and Certification update

The CMMC Accreditation Body has released an update about their training and auditor certification plans. The webinar and summary notes can be found here.

Q. Where can I find training to be a CMMC auditor?

A. At this point (August 1, 2020), no training vendors have been approved by the CMMC Accreditation Body yet. I wouldn’t expect to see any recognized training to be released until at least November 2020 or later. But if you want to become an auditor, you can get started self-studying now.

See our article “CMMC Auditor Training Resources” for latest training program reviews and recommendations for ways to self-study to prepare.

Here is the summary of training (self-study) resources available now:

  • Read through the glossary of terms and who’s who in CMMC: https://www.cmmcaudit.org/cmmc-glossary-terms-and-definitions-whos-who-in-cmmc/
  • Read the CMMC Appendix document, especially the sections prior to B.2: https://www.acq.osd.mil/cmmc/draft.html
  • Check each of the resources at our CMMC templates and tools page: https://www.cmmcaudit.org/policy-templates-and-tools-for-cmmc-and-800-171/
  • Understand DFARS 7012 and related documents: https://www.cmmcaudit.org/dfars-252-204-7012-controls-discussion/
  • Understand how to read and use the CMMC: https://www.cmmcaudit.org/cmmc-capabilities-controls-discussion-home/

Roadmap to full CMMC roll-out

Below you will find descriptions for the major milestones that are necessary before CMMC auditors can perform work. When this article was originally written, every item was “in-progress” or “future”. Now we are more than halfway through the progression.

RFI for CMMC Accreditation Body (complete)

The DoD released Request for Information (RFI) HQ0034SS10032019 seeking information on how to define the long-term implementation, execution, sustainment and growth of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.

The solicitation was released October 3, 2019. There was a Kick Off Meeting on November 19, 2019. The RFI is now inactive.

The focus of this RFI was to get advice from stakeholders about the role, duties, and form of a CMMC Accreditation Body. In other words, should it be for-profit, non-profit, a partnership of multiple organizations, a single existing organization, a single new organization, who should be on the board of directors, etc.

As part of the RFI process, new information about the CMMC was published in these documents:

CMMC Accreditation Body RFI document

Request for Information Cybersecurity Maturity Model Certification Accreditation Body OUSD(A&S) Amendment 1 (SAM.GOV)

Here is my summary of the RFI document…

The definitions page gives some great information. The following definitions are copied from the RFI (page 2).

  • CMMC Model – A capability-based maturity model that defines a progression of cybersecurity maturity. The model leverages multiple sources, including current law, regulations, commercial best practices, and threat profiles.
  • CMMC Accreditation Body – The organization responsible for managing, operating and sustaining the CMMC program, CMMC training, and evaluating and accrediting individual assessors and C3PAOs.
  • CMMC Assessments – Evidence-based, on-site evaluations of the capabilities, practices, and process maturity defined in the CMMC model and conducted by independent third-party assessment organizations. Not all CMMC assessments will require the same amount of effort, as lower levels defined in the CMMC model assess a smaller number of less challenging cybersecurity capabilities. Higher level assessments will be more involved.
  • CMMC Certification – The result of a CMMC assessment. The CMMC certification represents a company’s demonstration of cybersecurity capabilities and organization maturity as defined for a specific level of the CMMC model. CMMC certification will be used to qualify companies for DoD contracts.
  • CMMC Third Party Assessment Organizations (C3PAOs) – Third party organizations accredited by the CMMC Accreditation Body and authorized to conduct CMMC assessments and grant CMMC certifications.

The CMMC Accreditation Body will conduct these activities (copied from the RFI, page 4):

  • Accredit C3PAOs
  • Conduct CMMC Training for C3PAOs and Assessors
  • Implement individual assessor and C3PAO Quality Control Programs
  • Coordinate and report metrics with the CMMC PMO
  • Maintain the Reference Implementation Assessment Tool
  • Manage and maintain CMMC assessor training, and associated assessment guidance
  • Manage and maintain CMMC supporting systems and databases (records management, knowledge sharing and marketplace, artifact store)
  • Manage the dispute resolution process to adjudicate C3PAO technical appeals and complaints.

CMMC Accreditation Body RFI Questions and Draft Responses document

CMMC Accreditation Body RFI Questions and Draft Responses (SAM.GOV)

Here is my summary of the questions and answers:

Many questions are about the auditors (called C3PAOs) and how they will be picked. The responses reiterate that the current focus is on creating an Accreditation Body (an organization), which would be responsible for figuring out how the auditors get trained, tested, and certified.

Question 31 has a good tidbit: “Will instructors and/or assessors require clearances for top secret facilities?” Answer: “The certified C3PAOs will only assess non-federal unclassified networks. It is anticipated that the Accreditation Body and/or certified C3PAOs will work with DIB contractors with respect to access requirements for credentialed CMMC assessors.”

Selection of CMMC Accreditation Body (completed)

The accreditation body is not fully functional yet. It is in the working group stage, where interested parties are collaborating to define and form it. Officers have been selected, but the base of full time employees has not been finalized yet.

They are solidifying their role as the private-sector organizing body for the CMMC. The DoD formally recognized the CMMC Accreditation Body in March 2020 with a memorandum of understanding that sets out each party’s roles and responsibilities. In general, the DoD is responsible for setting security requirements by writing the CMMC document and appendices. The CMMC Accreditation Body is responsible for building the process to audit all DoD contractors (such as selecting C3PAOs, training auditors, and setting standards for the audit process).

The accreditation body has a website: https://cmmcab.org (Thanks to Chris Golden in the comments).

The AB website CMMCab.org is being updated daily and has a newsletter sign up. Go check it out!

I will update this article as new information becomes available. Also, please sign up for our newsletter on the right for email notification when we release a new blog post or things change.

The CMMC requirements need to stabilize (complete)

(Update 2/4/2020) The CMMC Model version 1.0 document and appendices have been released by the DoD. This is the first final version of the CMMC.

More information and links to version 1.0 can be found here: CMMC Version 1.0 Released – Analysis for DoD contractors

This document gives the requirements for levels 1-5, as well as clarifying descriptions and examples for each control. It also describes the expected maturity of processes for each level.

Auditors will use this document for guidance when reviewing each company’s cybersecurity program.

Requirements for C3PAOs need to be created (complete)

The CMMC Accreditation Body has identified initial requirements for C3PAOs.

C3PAOs (the companies which are authorized to contract to perform assessments) are allowed to apply starting June 23, 2020.

They need to have at least one registered practitioner, assessor, or other CMMC-certified person on staff.

The C3PAOs need to be owned by U.S. citizens. Higher levels of assessment capabilities (such as CMMC Level 3) will require clearances for staff and CMMC Level 3 compliant information systems.

This breaking news article gives more details about the registration process and requirements for CMMC auditor / assessor and to become a C3PAO.

C3PAOs need to be authorized (future)

As of June 2020, it seems likely that the first C3PAOs will be recognized in August-September 2020, along with the provisional class of auditors.

CMMC certified auditors / assessors must be associated with a C3PAO to perform audits.

The first CMMC auditors need to be authorized (future)

As of June 2020, it seems likely that the first CMMC assessors will be recognized in September-October 2020, as part of the provisional class.

Expectations for a successful audit need to be set (future)

The Accrediting Body and/or DoD need to set expectations for what a successful audit looks like. This is a huge unknown, at least to me. The precedent set by NIST SP 800-171 is to have a system security plan, to meet minimum security requirements in Federal Acquisition Regulation (FAR) Clause 52.204-21, and to have a plan of action for the rest.

The intent of the CMMC is to get contractor networks to be fully secured, without exceptions, to the security level specified.

In practice, there will be problems with requiring full cybersecurity best practices.

A simple example is multi-factor authentication (MFA). Sure, you can set up MFA to trigger when you log on and when you open email, but what about the non-compliant manufacturing program that is required to perform the contract?

A more worrisome (because it happens to all of us) example is patching. If you can’t patch system X because it crashes, does that mean you can’t be certified? What about timeliness? How up-to-date do your systems need to be? Can your patch process include time for testing?

There will need to be an exception process. This could take the form of a temporary exception for X months or years, or an interim approval with new audits required every 6 months. To be determined.

Another huge question is whether contractors with Controlled Unclassified Information (CUI) in a secure enclave will need multiple CMMC audits. For example, for CMMC level 3, many contractors will use a highly secure network and computers just for the CUI contracts. This would be the scope for a CMMC level 3 audit, and let’s assume they pass. Will the contractor also need a CMMC level 1-2 audit for the rest of their network due to lower sensitivity DoD information (known as Federal Contract Information, FCI)? Or do we just ignore it?

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!

30 thoughts on “How to become a CMMC auditor or certifier”

  1. Scott Brady says:

    I have researched the internet; can you please share where we can get the training to move up the education ladder to become an assessor? When you search the net, you just get companies trying to sell you a company assessment.

  2. Don Kulp says:

    Please advise what agency is providing the CERTIFICATIONS FOR the CMMI AUDITORS AND ASSESSORS – HOW DO YOU GET CERTIFIED TO CONDUCT THE AUDITS….

  3. John Masin says:

    I would like to determine the steps necessary for becoming a CMMC auditor or assessor. We are already a 3PAO, does that give us a head start on this process?

    • Tony Brunner says:

      How are you a 3PAO? I’m thinking you’re missing the A qualification there. So maybe you’re a C3PO?

  4. Wayne Salas says:

    Will they consider assessor companies that are already certified by other entities like PCI and/or HITRUST?

    Experience is very important here. PCI ran into the same problem by having unqualified assessors/auditors certified who did not really understand how to properly scope an environment and give good solid advice to remediate gaps. Experience and certifications are always a great combination. PCI now requires everyone certified to have at a minimum 5 years of experience in any of the domains and a security and auditing certification just to apply for the PCI QSA certification.

    Sincerely,

    Wayne Salas

    • Armando Seay says:

      I don’t speak for the CMMC AB, but from what I know, because CMMC has additional domains and controls, the CMMC AB will require training and accreditation. You can soon see webcasts that are being pre-recorded and, once approved, may answer this question directly from a CMMC AB Board or working group lead. Stay tuned, but monitor the CMMC AB and MISI websites for announcements.

  5. Wayne Salas says:

    Will they take into consideration assessor companies that are already certified by other entities like HITRUST and/or PCI, etc.?

    Experience should be really considered when choosing a good Assessor Company and Auditor.

    Certifications are great, but from my experience certifications and experience are even better.

    Please let me know.

  6. Sean says:

    The issue I see early on is that the larger companies who provide training will continue to push pedestrian-level training and stagnant off-the-shelf training labs and pass it off as CMMC-compliant training.

    We don’t need novice professionals but seasoned cybersecurity professionals with 5+ years to obtain the CMMC, and this should be a requirement for assessors, trainers and proctoring.

  7. Samuel Jay Langham (CISSP) says:

    There should be a statement of independence required for the certifying organization, i.e. the person or even the company providing those certifying actions must show their independence. This has been a thorn to many large auditing firms, as after conducting the audit they cannot pick up the secondary work piece of corrections and remain the auditor, or work with that client in pre-assessment and aligning the target of test to requirements.
    On a more positive note this allows for more than one group to be involved and so the final certification has more weight to it.

  8. Greg Arnholt says:

    Will there be a conflict of interest constraint placed on assessors and C3PAOs? In other words, can an assessment be completed by a C3PAO that also provides any security services to the same entity that is being certified?

    • Tony Brunner says:

      This is a great question. The dual role could create a tempting trend for companies to “trade” services and compromise the integrity of the C3PAO model.

    • Ralph DiCicco says:

      Greg,

      Exactly. There are firms who are currently performing to CUI requirements and have CISOs and staff.

      Yet these firms are neither NIST 800-171 nor DFARS compliant.

      Thus, I believe there would be a conflict of interest.

      Also, until these firms are adjudged to be CMMC ML3, they should recuse themselves.

    • Amira Armond says:

      Exciting times, thanks John!

      From the AB website:
      “Assessors will receive a license from the CMMC-AB after completing required training.
      Assessors will NOT work for the CMMC-AB but will work for C3PAOs.
      Assessors will receive a license at a level that matches the assessments they are permitted to conduct. In the very near future, all contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. Experience requirements for higher-level assessors are not yet determined.
      Assessors are required to obtain a security clearance. The specific clearance levels are not yet determined.”

      • Melo says:

        Security clearance levels for CUI inspections… that’s interesting… but how are these security clearances supposed to be initially obtained or maintained?

        I wonder if the C3PAOs have to maintain clearances for their assessors… I could be mistaken, but the C3PAO would then need to become a cleared contractor company tied to some gov. contract that has cleared work to be done. But from what I understand so far, a C3PAO wouldn’t really be tied to any contract… so, how would a C3PAO (or assessor) do this without being tied to a contract?

        I would think this would prevent many C3PAOs from being formed for long if they can’t keep their assessors’ clearances going, so would the CMMC-AB have some kind of process/mechanism for C3PAOs’ assessors or individual assessors to keep their clearances active?

  9. Michael Hammond says:

    Adavi,

    As of today, there is no way to be an auditor. The accreditation body is being formed and then will work to develop the training and accreditation requirements. Anyone who tells you they can do the “audit” or knows exactly how to become an auditor is not telling the truth. This info is expected to be solidified in Feb/Mar/Apr of 2020.

    • Kazi Nazrul Islam says:

      Thanks for the information. I visited the website and searched Google, but still I didn’t find the full CMMC framework document. Can anyone help find the full framework document and share information on how to be an assessor?

      Regards
      Kazi, Bangladesh
      Cybersecurity consultant
