The group charged with overseeing implementation of new cybersecurity standards for Department of Defense (DoD) supply chain companies has released its requirements for third-party assessors – the next step in a multi-year process designed to better secure the defense industrial base.
The Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) posted eight main requirements for organizations hoping to become Certified Third-Party Assessor Organizations (C3PAOs). These requirements include: signing a license agreement; providing verification of insurance; paying an immediate $1,000 application fee; paying a $2,000 activation fee upon acceptance; submitting to an organizational background check through Dun & Bradstreet; maintaining an association with at least one registered practitioner, certified professional, or certified assessor; providing a required commercial background check for assessment team members; and being a business 100 percent owned by U.S. citizens.
The position of registered practitioner – which are non-certified CMMC consultants – also is a new addition to the CMMC AB website. For an initial fee of $500, these registered practitioners undergo an online CMMC-AB training and then can provide consulting services to companies seeking accreditation.
Requirements for certified professionals and certified assessors, who perform the cybersecurity assessments, are also posted. A CMMC AB timeline of the assessment ecosystem projects commercial assessments will be available in the Winter/Spring of 2021.
