First set of CMMC certification orgs emerge
- By Lauren C. Williams
- Apr 06, 2021
The Defense Department's unified cybersecurity program is making gains with its first tranche of certifying organizations, but assessments for defense contractors are a ways off.
The Cybersecurity Maturity Model Certification Accreditation Body, which governs the implementation of the program, has begun selecting the first organizations that will be charged with assessing defense contractors' cyber readiness -- CMMC Third Party Assessment Organizations (C3PAOs).
Karlton Johnson, the AB's chairman, said the C3PAOs, which are licensed to conduct the assessments using independent contractors or employees as assessors, must still achieve CMMC Level 3 certification and be recognized by the AB and DOD. They are the point of contact between the organization being assessed and the certified assessor, he said.
"That's an important part of it. So [C3PAOs] can meet all our prerequisites but until they've been certified at CMMC Level 3, they can't conduct assessments," Johnson said during a March 30 virtual town hall.
Johnson said some of the organizations selected to be C3PAOs have started their own assessment process through the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center. But only one C3PAO assessment has been completed, so far.
Ben Tchoubineh, chair for the training committee, said there are 109 approved C3PAOs with 332 pending applicants. Additionally, there are 100 approved provisional assessors with 43 pending applicants.
Tchoubineh said that "approved" organizations can't do CMMC assessments until they are certified at CMMC Level 3, which can take time.
The AB has also begun training provisional instructors, and the first class will start the first full week of April. Each class will have about 25 students with a new class each month.
Tchoubineh said those provisional instructors will also become provisional assessors used on the first CMMC pilots that are expected to kick off later this year. There are currently about 160 applicants, he said.
This article first appeared on FCW, a Defense Systems partner site.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
Click here for previous articles by Wiliams.