It’s been more than a year since the federal government released its first version of the Cybersecurity Maturity Model Certification (CMMC), a new requirement for DoD contractors and subcontractors that brings together a number of older cybersecurity requirements to better protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Now, the CMMC Accreditation Body (CMMC-AB) has finally approved the first Certified Third-Party Assessor Organization (C3PAO) in the Defense Industrial Base (DIB), Redspin, Inc.
“Reaching this step in getting the CMMC ecosystem up and running is a significant milestone, and we look forward to authorizing additional C3PAOs in the coming days and weeks,” commented CMMC-AB chief executive Matthew Travis. “As recent events emphasize how aggressively cyber threat actors are targeting our nation, the role of CMMC is more vital than ever as we take a united approach to protecting critical assets and information within the Defense Industrial Base.”
Shortly after placing Redspin, Inc. into the DIB marketplace, CMMC-AB approved the second C3PAO, Kratos Defense & Security Solutions, Inc.
“As a member of the DIB, Kratos underwent a rigorous assessment by the Defense Industrial Base Cybersecurity Assessment Center, which was a key factor in its early C3PAO authorization by the CMMC-AB,” explained Mark Williams, Vice President, Kratos Defense & Security Solutions, Inc.
Both Redspin and Kratos have successfully passed the CMMC Maturity Level 3 (ML3) assessment and met the remaining C3PAO administrative and personnel requirements. Once the government completes certain preparatory and authorization steps, they will be able to conduct CMMC Level 1-3 assessments.
Overview of CMMC levels:
- CMMC Level 1: Focuses on basic cybersecurity requirements to protect FCI, such as running up-to-date antivirus software and following basic password best practices. This level covers approximately 15% of the NIST SP 800-171 CUI controls.
- CMMC Level 2: This level introduces CUI and is often described as a transition step toward Level 3; it covers more than half of the NIST SP 800-171 CUI controls.
- CMMC Level 3: At this level, contractors are required to demonstrate good cyber hygiene and to have the controls necessary to protect CUI in place. All 110 NIST SP 800-171 CUI controls are covered.
- CMMC Level 4: From this level onward, contractors are required to adopt a proactive approach to cybersecurity that addresses the changing tactics, techniques, and procedures (TTPs) used by advanced persistent threats (APTs).
- CMMC Level 5: Achieving the highest CMMC level requires the standardization and optimization of cybersecurity practices across the entire organization.
For more information about CMMC and the five certification levels, we recommend you read our CMMC eBook for better compliance.
CMMC Assessments Should Begin This Summer
The ultimate goal of the CMMC program is to strengthen the cybersecurity posture of the Defense Industrial Base by abolishing the current unreliable self-certification model. Instead, contractors will be required to pay an assessor to test their compliance with one of the five above-described CMMC levels.
CMMC assessments should commence as soon as all supporting CMMC program materials are finalized, most likely later this summer. By 2026, CMMC certification will become a requirement for all contractors doing business with the DoD.
Most contractors won’t be required to go beyond CMMC Level 3, but they should still begin preparing for their CMMC assessment as soon as possible, because the road to compliance can be long depending on the contractor’s current cybersecurity readiness.
At OSIbeyond, we are authorized as a Registered Provider Organization (RPO) to provide consulting services to defense contractors seeking to become audit-ready for CMMC certification. Our compliance services include risk assessment, gap analysis, technical solutions, and documentation development.
“We are thrilled to be one of the pioneer organizations to receive the Registered Provider Organization status from the CMMC-AB and to be listed on the CMMC Marketplace,” said Payam Pourkhomami, President & CEO at OSIbeyond. “Our team of cybersecurity experts, including CMMC Registered Practitioners (RP), is ready to guide defense contractors through their CMMC certification journey.”
You can find us listed on the CMMC Marketplace, or you can contact us using the contact information published on this website. In addition to our CMMC consulting services, we provide a broad range of managed IT and cybersecurity services, so you can let us take care of your IT needs while you focus on what you do best.