CMMC AB Takes New Steps for Assessors

The group charged with overseeing implementation of new cybersecurity standards for Department of Defense (DoD) supply chain companies has released its requirements for third-party assessors – the next step in a multi-year process designed to better secure the defense industrial base.

The Cybersecurity Maturity Model Certification (CMMC) Accreditation Body (AB) posted eight main requirements for organizations hoping to become Certified Third-Party Assessor Organizations (C3PAOs). These requirements include: signing a license agreement; providing verification of insurance; paying an immediate $1,000 application fee; paying a $2,000 activation fee upon acceptance; submitting to an organizational background check through Dun & Bradstreet; maintaining an association with at least one registered practitioner, certified professional, or certified assessor; providing a required commercial background check for assessment team members; and being a business 100 percent owned by U.S. citizens.

The position of registered practitioner – a non-certified CMMC consultant – is also a new addition to the CMMC AB website. For an initial fee of $500, registered practitioners undergo online CMMC-AB training and can then provide consulting services to companies seeking accreditation.

Requirements for certified professionals and certified assessors, who perform the cybersecurity assessments, are also posted. A CMMC AB timeline of the assessment ecosystem projects commercial assessments will be available in the Winter/Spring of 2021.