The Cybersecurity Maturity Model Certification Accreditation Body, Inc. (CMMC-AB), DBA the Cyber AB, is a 501(c)(3) not-for-profit Maryland corporation founded in January of 2020.
The Cyber AB operates under an exclusive contract with the U.S. Department of Defense (DoD) that charges and authorizes the Cyber AB to serve as the sole provider of CMMC licensing and certification for C3PAOs, Training Providers, Instructors, and Assessors. Our authority derives from that contract.
The Cyber AB is the sole, authorized accreditation and certification partner of DoD in its CMMC program. The Cyber AB is responsible for building, accrediting, certifying, and managing the CMMC ecosystem on behalf of DoD. All other organizations, including those mentioned in the question, that use CMMC in their name or marketing materials are independent companies and organizations that are not officially endorsed CMMC entities and do not operate under contract with DoD in support of the CMMC initiative.
No, not yet. The Cyber AB currently operates under DoD requirements and is not presently an International Organization for Standardization (ISO) accreditation body. We have a formal plan in place to achieve ISO/IEC 17011 accreditation by the end of FY2023, and once that occurs, we will operate under both DoD and ISO/IEC 17011 requirements.
For one, attaining ISO/IEC 17011 accreditation is not a trivial endeavor. As essentially a start-up organization, the Cyber AB needs to develop and implement the processes and controls required by ISO before formally presenting itself for accreditation. In addition, attaining ISO/IEC 17011 accreditation is a formal deliverable of our contract with DoD, one that is due at the end of FY2023. Moreover, the Cyber AB aspires to attain ISO/IEC 17011 status for a very different purpose than other ISO accreditation bodies with which some may be familiar (e.g., ANAB, A2LA, etc.): to accredit C3PAOs to perform CMMC assessments. For that to occur, C3PAOs themselves must first undergo an ISO/IEC 17020 assessment that complies not only with ISO/IEC 17020, but also with a set of DoD requirements-based "schema" that is still under development. C3PAOs have 27 months from the day they are authorized as C3PAOs to do so. Other ISO accreditation bodies, by contrast, may have a single set of requirements that enable them to accredit inspection or certification bodies ("registrars") that perform ISO audits (e.g., ISO 9001, ISO 20000, etc.).
Formal Certified CMMC Professional (CCP) training is currently being offered by LTPs. CCP exams are due to be available in October 2022. We expect formal CMMC Certified Assessor (CCA) training to be released in fall 2022, with CCA exams planned for release in spring 2023.
The class required to become a CMMC Certified Assessor has not yet been authorized. We expect these classes to start becoming available in fall 2023, and interested parties will be able to sign up at that time. Successful completion of the CCP and CCA classes and their respective exams will certify you as an Assessor.
A CMMC Provisional Assessor is an individual who was randomly selected from the Assessor applicant pool to participate in the CMMC pilots. They are intended to provide feedback to the Cyber AB on their experience in order to improve the assessment guide and methodology. The Cyber AB was originally authorized to randomly select 40 Provisional Assessors, but we have expanded that pool to 150+ assessors (about 35 of whom were dedicated to support the DIBCAC teams). Provisional Assessors are authorized to conduct assessments “for score” for up to six months after the formal Certified Assessor classes are available.
Yes. All Provisional Assessors were informed when they were accepted into the program that they would have to take the new training and exams within six months after they are launched. There have been many changes to the assessment method and approach, and re-training to the updated protocols is a requirement.
Assessors can affiliate with as many C3PAOs as they like.
A CMMC Third Party Assessment Organization (C3PAO) is authorized (and in the future accredited) by the Cyber AB to contract and manage CMMC assessments. The first step to becoming a C3PAO is for a representative of the company to fill out the application form at cyberab.org. Applicants are then screened in multiple steps. The Cyber AB has partnered with Dun & Bradstreet (D&B) to provide a risk assessment of each applicant, which includes analysis and scoring of up to 15 factors. An overall risk score of "Moderate" or better is required to move to the next step in the process; applicants that score higher than Moderate risk are referred to Cyber AB leadership for further review. Next, a Foreign Ownership, Control, or Influence (FOCI) analysis is conducted to evaluate the risk of foreign influence, based on both the FOCI form included in the application and the SF-328 form. As part of the FOCI review, an interview is conducted with senior management of the company and the U.S. citizenship of company ownership is confirmed. If the applicant is an Employee Stock Ownership Plan (ESOP) organization, a global partnership, or a public company headquartered in the U.S., an enhanced FOCI analysis is performed. If all of the analysis is favorable, the C3PAO applicant becomes a C3PAO Candidate. Once the Cyber AB confirms the Candidate C3PAO is ready to be assessed by the DIBCAC, its information is forwarded to the DoD CMMC PMO, which is responsible for scheduling the CMMC Level 2 assessment by DIBCAC. C3PAOs become authorized to conduct assessments upon achieving CMMC Level 2, meeting the various administrative requirements (e.g., proof of insurance, a dispute resolution process, etc.), and, ultimately, receiving their "Authorized C3PAO badge" from the Cyber AB.
The “Interim Voluntary Period” refers to the period between when assessments begin this summer and when rulemaking is completed, which is expected to be completed by May 2023.
Yes. Candidate C3PAOs that have been Authorized by the Cyber AB will be posted on the Marketplace as “Authorized C3PAOs.” Only Authorized C3PAOs can conduct CMMC assessments for certification.
C3PAOs will be assessed against CMMC Level 2, which closely aligns with NIST SP 800-171. There is no threshold score, per se, as 100% of CMMC practices must be successfully assessed. In order to be assessed by the DIBCAC, a C3PAO must confirm that it meets all CMMC Level 2 practice requirements, or score 110 if it elects to conduct a NIST SP 800-171 self-assessment in lieu of a CMMC Level 2 self-assessment.
The Cyber AB is NOT giving priority to those who already have ISO/IEC 17020 accreditation. ISO/IEC 17020 is one of the many requirements for C3PAOs, but it is not a prerequisite. C3PAO applicants have 27 months after the Cyber AB completes its ISO/IEC 17011 accreditation to achieve this milestone. In addition, existing ISO/IEC 17020 accreditations will have to be supplemented with the DoD's schema for CMMC and CMMC assessments, and applicants will need to be assessed within that framework.
Once a C3PAO has completed their application and acceptance process with the AB, they become a Candidate C3PAO. Candidate C3PAOs provide the Cyber AB with an assessment “ready” date. Once readiness is confirmed by the Cyber AB, they will forward the requisite information to the DoD CMMC PMO office. The PMO prioritizes the C3PAO based on this ready date, and the DIBCAC team contacts the C3PAO directly to schedule the assessment.