Last year, the DoD announced that it was developing a CMMC framework under which all defense contractors would be required to obtain certification. The DoD explained that Certified Third Party Assessment Organizations (C3PAOs) will independently verify whether defense contractors have the appropriate levels of cybersecurity controls and processes to protect controlled unclassified information (CUI) housed on contractor systems. The CMMC framework will assess and enhance the cybersecurity posture of the Defense Industrial Base, because it will require demonstrated contractor capabilities across a number of technical areas. The C3PAO evaluators will assess and measure each company’s cybersecurity practices and processes and assign a corresponding level of CMMC certification using a scale of levels 1–5. We first discussed the CMMC framework in a blog post back in September 2019 and followed up with a podcast in March 2020.
Memorandum of understanding
On June 1, 2020, DoD issued a press release announcing that the Under Secretary of Defense for Acquisition and Sustainment Ellen Lord and CMMC Accreditation Body Chairman Ty Schieber signed a Memorandum of Understanding (MOU) establishing the roles, responsibilities, and authorities of each organization. Importantly, the MOU provides that the DoD will only accept certifications from accredited organizations that the Accreditation Body (AB) has approved to conduct assessments. The MOU confirmed that the CMMC Accreditation Body will approve private C3PAOs, which will then hire CMMC AB-certified assessors trained by CMMC AB-certified instructors. Companies that receive assessments from non-accredited (i.e., non-certified) organizations will not meet the standards for receiving a contract award once CMMC accreditation is required. While some companies have started to advertise themselves as valid CMMC auditors, contractors should be wary of such organizations if they have not yet been approved by the CMMC AB as C3PAOs.