Is the CMMC-AB a non-profit corporation?
The CMMC-AB has been a not-for-profit Maryland corporation since its founding in January of 2020. We have applied for 501c3 non-profit status with the IRS as of February 2021, as the application requires 1 year of trailing financials and a minimum of 2 years of projections to complete IRS Form 1023. Our status has never been rejected and is currently pending. 501c3 applications take between 2 and 12 months to process, and an application can be submitted within 27 months of a corporation’s formation. Our application for non-profit status was submitted after the first year’s finances were finalized. Once approved, the status will be applied retroactively. Until approval, the applicant is required to manage their finances as if they were a 501c3 non-profit. The AB board of directors and its officers have never taken dividends or profits out of the business and are not compensated with board fees for their work. The AB recently completed a financial audit conducted by the accounting firm CBIZ and was found to be in compliance with all applicable requirements. Any claims on social media of the AB being denied or rejected by the IRS are inaccurate.
Is the CMMC Accreditation Body an ISO Accreditation Body like ANAB or A2LA?
No. The DoD chose the term “Accreditation Body” to refer to the organization that operates under contract as the sole body that can certify and license CMMC C3PAOs, Assessors, and Instructors, and operate the CMMC Ecosystem on behalf of the DoD. The CMMC AB currently operates under DOD Requirements, not ISO requirements, and therefore the CMMC AB is not an ISO Accreditation Body. We have plans to achieve ISO 17011 within the next 20 months, and once that occurs, we will operate under both DOD and ISO 17011 Requirements.
Why is it taking two years for the CMMC AB to become ISO 17011?
ISO Accreditation Bodies such as ANAB and A2LA have a single set of requirements that enable them to accredit Inspection or Certification Bodies (“registrars”) that perform ISO audits (ISO 9001, ISO 20000, etc). The AB is contractually responsible to become accredited for a very different purpose - to accredit C3PAOs to perform CMMC Assessments. For that to occur, C3PAOs must undergo an ISO 17020 that complies not only with ISO/IEC 17020, but also a set of DOD requirements based on the DOD-provided “schema.” That schema is still under development by the DOD. Per the terms of our contract, we have been granted 24 months from the date of signing to achieve that requirement. C3PAOs also have a 27-month period from the day they are approved as C3PAOs.
What is the process for becoming a C3PAO?
A CMMC Third Party Assessment Organization (C3PAO) is licensed by the AB to contract and manage CMMC assessments. The first step to becoming a C3PAO is for a representative of the company to fill out the application form at cmmcab.org. Applicants are then screened in multiple steps. The AB has partnered with Dun and Bradstreet (D&B) to provide a risk assessment of each applicant which includes analysis and scoring of up to 15 factors. An overall risk score of “medium” or better is required to move to the next step in the process. Applicants that score higher than a “medium” risk are referred to AB leadership for further review. Next, a Foreign Ownership, Control or Influence (FOCI) analysis is conducted to evaluate the risk of foreign influence, an interview is conducted with senior management, and the US citizenship of company ownership is confirmed. If the applicant is an Employee Stock Ownership Plan (ESOP) organization, global partnership, or public company that is headquartered in the US, an enhanced FOCI analysis is performed. If all of the analysis is favorable, the C3PAO applicant becomes a C3PAO Candidate, and their information is forwarded to the DOD CMMC PMO, who is responsible for scheduling the CMMC ML3 Assessment by DIBCAC. C3PAOs become authorized to conduct assessments upon achieving CMMC ML3.
I applied to become a Certified Assessor in 2020, why have I not been accepted yet?
The classes required to become a Certified Professional and Certified Assessor have still not been authorized. We expect those classes to start becoming available mid-summer 2021, and you will be able to sign up at that time. Successful completion of those classes and the exam will “certify” you to be an assessor.
What is a Provisional Assessor?
A Provisional Assessor is an individual that was randomly selected from the Assessor applicant pool to participate in the pilots that are about to begin. We originally were authorized to randomly select 40 “provisional assessors,” but we have expanded that pool to 150+ assessors, and about 25 from the DIBCAC team. Provisional Assessors are authorized to conduct assessments “for score” for up to six months after the formal Certified Assessor classes are available, at which time they must take the new classes and exams like all other applicants.
Is there such a thing as a “Provisional C3PAO?”
No. Only Assessors and Instructors are included in the Provisional pool. The intention is for them to participate in pilots and provide feedback to the AB on their experience in order to improve the assessment guide and methodology.
What is a Registered Practitioner?
Registered Practitioners (RPs) are individuals who have attended CMMC AB-sponsored training classes, completed a test, signed the Code of Professional Conduct, and passed a criminal background check. Once that process is complete, they may be listed (“registered”) on the CMMC AB Marketplace. They are not certified by the AB, and cannot lead CMMC Certified Assessments or conduct CMMC Certified Training.
What is a Registered Provider Organization?
Registered Provider Organizations (RPOs) are organizations, often consulting firms, that have made a strategic decision to become part of the CMMC ecosystem by completing a background investigation, signing the Code of Professional Conduct (CoPC), and signing an agreement with the AB. Once the process is completed, their company logo and information are listed (“registered”) on the CMMC AB Marketplace. RPOs are not certified by the AB, and cannot contract or manage CMMC Certified Assessments or Training.
Do I have to become a Registered Practitioner to deliver CMMC consulting to my clients?
No. The CMMC AB does not regulate the CMMC Consulting market, and has no authority to do so. Any person with the requisite skills can provide CMMC consulting services in the open market without authorization by the AB. Becoming a Registered Practitioner says that you have a level of IT expertise, that you have a basic level of CMMC training and awareness, and that you agree to be held to a higher standard via both the CoPC and agreeing to a background check. Additionally, you get the benefit of being listed on a marketplace with others who completed the same requirements.
How many days does a CMMC ML1 Assessment take to complete?
A certified CMMC ML1 Assessment has never been conducted (yet), but several pilots were completed over the past few months, and the Maturity Level 1 Assessments were completed in 1-3 days, with 1 day or less of planning prior to the assessment.
How many days does a CMMC ML3 Assessment take to complete?
A certified CMMC ML3 Assessment has never been conducted (yet), but several pilots were completed over the past few months, and the Maturity Level 3 Assessments were completed in 5-7 days, with 3 days or less of planning prior to the assessment.
How much does a CMMC Assessment cost?
Cost is determined by Assessment Model scope (Level), Organizational scope and size, and complexity. Maturity Level 1 assessments with small organizations are much less costly than Maturity Level 5 Assessments with large manufacturers, where multiple assessors may be required, and analysis could span several weeks. Because of this, there can be no standard pricing for CMMC assessments. Organizations seeking assessments are advised to follow standard procurement processes by asking for multiple proposals and comparing pricing, quality, and value before making a decision on a C3PAO and Assessor.
When will CMMC Certified Assessor Training begin?
We expect formal CMMC Certified Assessor training to begin mid-summer 2021.
What is the difference between the CMMC-AB and other organizations with “CMMC” in their name, such as the CMMC Information Institute and the CMMC-CoE?
The CMMC-AB is an organization that is under contract with the DoD to be the sole provider of C3PAO, Assessor, and Instructor Certifications and Training. The CMMC-AB is responsible for building and operating the CMMC ecosystem on behalf of the DoD. The other organizations are independent companies that provide information and services on behalf of their customers and partners, and do not operate under contract with the DoD.
When will the AB release scoping and reciprocity guidance for C3PAOs and OSCs?
Scoping and Reciprocity are determined by DoD policy, and the CMMC AB is not authorized to define parameters for how these will be applied during assessments.
Are there any Certified C3PAOs conducting assessments right now?
No. As of April 2021, there have been 100+ C3PAOs cleared by the AB, but none have completed the required DIBCAC CMMC ML3 Assessment, so none can conduct assessments. In addition, the DoD has not authorized assessments to begin.
When will C3PAOs be able to conduct their DIBCAC CMMC ML3 Assessments?
The AB does not control the schedule for DIBCAC Assessments. They are a government entity that manages their own schedule in collaboration with the CMMC PMO. Once C3PAOs are cleared by the AB, the PMO has responsibility for scheduling those that have signaled their readiness to conduct an assessment with the DIBCAC assessment team.
Can C3PAOs and Assessors conduct “commercial” assessments in addition to the 10 pilots?
The DoD PMO has told the AB that the priority is the 10 pilot contracts, but that if, once they start, they are proceeding satisfactorily with no backlog, C3PAOs and Assessors are free to conduct assessments with other OSCs.
When will the AB release an updated CMMC Assessment Guide for ML3, and new guides for ML5?
The AB is not responsible for the development or management of the Assessment Guides. That responsibility belongs to the DOD’s CMMC PMO.
Are CMMC AB Board members permitted to own a C3PAO, become assessors, or start a CMMC Training Company?
No. All Board Directors signed a Professional Conduct code as a condition of membership, and while they are on the board, and for two years following their service, they may not participate in any of the regulated, certified, or licensed roles (C3PAO, Assessor, Instructor, LTP, LPP) that the AB may have influence over approving, managing, or monitoring for adherence to the Code of Professional Conduct or licensing agreement.
What gives the CMMC AB the authority to operate the CMMC program?
The AB operates under a contract with the DOD that defines operational requirements to be the sole provider of CMMC Licensing and Certification for C3PAOs, Training Providers, Instructors, and Assessors. Our authority emanates from our contract.
Why is the AB implementing the Registered Practitioner and Provider programs? Is that also in your contract?
Our contract with the DOD is focused on assessors, C3PAOs, and Instructors, but as an independent company we also support the CMMC ecosystem in other ways that we believe will enhance the market for the Defense Industrial Base.
Is the AB using our pre-paid fees to run their operation?
No. The AB will only recognize revenue once a service has been delivered. For instance, if an RPO fee has been collected, we are able to access that revenue once the acceptance process is complete and the RPO has received their approval and badging. Application fees can be recognized when the application has been reviewed and accepted or rejected. That’s why we split the applicant fees from the license fee. No funds can be used by us if the applicant did not receive the services they paid for.
Are there any AB members that are Certified Assessors or Instructors?
No. As authors of the Assessment Method, we have observed pilots and provided feedback, but no AB member is a provisional or certified assessor. For the first three Provisional Assessor classes, the three AB members who authored the training materials and methods were temporarily authorized as “Master Instructors”, but that role is in the process of shifting to a set of Provisional Instructors.
Why hasn’t the AB released Scoping and Reciprocity information to the community?
The AB is a licensing and operations organization - we do not set policy. Questions regarding scoping, reciprocity, model interpretation, or any other policy questions belong to the DoD and cannot be addressed by the AB.