CMMC-AB Frequently Asked Questions – Updated May 26, 2021
About the CMMC-AB
Is the CMMC-AB a not-for-profit corporation?
The Cybersecurity Maturity Model Certification Accreditation Body, Inc. (CMMC-AB) is a not-for-profit Maryland corporation founded in January of 2020. We applied for 501(c)(3) non-profit status with the IRS in February 2021, because the IRS requires one year of trailing financials and a minimum of two years of projections to complete IRS Form 1023. Our not-for-profit status has never been rejected and is currently pending. 501(c)(3) applications take between 2 and 12 months to process, and an application can be submitted within 27 months of a corporation’s formation. Once approved, the status will be applied retroactively. Until approval, we, as the applicant, are required to manage our finances as if we were a 501(c)(3) non-profit. The members of the CMMC-AB board of directors are not compensated for their service and have never taken dividends or profits out of the organization. The CMMC-AB recently completed a financial audit conducted by an independent, third-party accounting firm and was found to be in compliance with all applicable accounting standards.
What gives the CMMC-AB the authority to operate the CMMC accreditation program?
The CMMC-AB operates under an exclusive contract with the U.S. Department of Defense (DoD) that charges and authorizes the CMMC-AB to serve as the sole provider of CMMC licensing and certification for C3PAOs, Training Providers, Instructors, and Assessors. Our authority derives from that contract.
What is the difference between the CMMC-AB and other organizations with “CMMC” in their name, such as the CMMC Information Institute and the CMMC-CoE?
The CMMC-AB is the sole, authorized accreditation and certification partner of DoD in its CMMC program. The CMMC-AB is responsible for building, accrediting, certifying, and managing the CMMC ecosystem on behalf of DoD. All other organizations, including those mentioned in the question, that use CMMC in their name or marketing materials are independent companies and organizations that are not officially endorsed CMMC entities and do not operate under contract with DoD in support of the CMMC initiative.
Is the CMMC Accreditation Body an ISO Accreditation Body like ANAB or A2LA?
No, not yet. The CMMC-AB currently operates under DoD requirements and is not presently an International Organization for Standardization (ISO) accreditation body. We have a formal plan in place to achieve ISO 17011 accreditation by the end of FY2022, and once that occurs, we will operate under both DoD and ISO 17011 requirements.
Why is it taking two years for the CMMC-AB to become ISO 17011?
For one, attaining ISO 17011 accreditation is not a trivial endeavor. As essentially a start-up organization, the CMMC-AB needs to develop and implement the processes and controls required by ISO before formally presenting itself for accreditation. In addition, attaining ISO 17011 accreditation is a formal deliverable of our contract with DoD, and one that is due at the end of FY2022. Moreover, the CMMC-AB aspires to attain 17011 status for a very different purpose than other ISO bodies with which some may be familiar (e.g., ANAB, A2LA, etc.): to accredit C3PAOs to perform CMMC assessments. For that to occur, C3PAOs themselves must first undergo an ISO 17020 assessment that complies not only with ISO/IEC 17020, but also with a set of DoD requirements-based “schema” that is still under development. Per the terms of our contract, we have been granted 24 months from the date of signing to meet that requirement. C3PAOs also have 27 months from the day they are approved as C3PAOs to do so. Other ISO accreditation bodies may have a single set of requirements that enable them to accredit inspection or certification bodies (“registrars”) that perform ISO audits (e.g., ISO 9001, ISO 20000, etc.).
When is the CMMC-AB going to start hiring staff?
We already have! The first CMMC-AB staff members onboarded at the beginning of May. Along with our CEO, we have hired a vice president of training and development, a director of operations, a curricula manager, and an operations specialist. We are actively recruiting to bring aboard a chief financial officer, an IT administrator, a security and compliance officer, credentialing personnel, and others. As professional staff continue to transition in, the volunteer Board of Directors will move to a purely governance and advisory role.
There are 10 “employees” connected with the CMMC-AB on LinkedIn, many of whom do not accept connections. What gives?
According to LinkedIn, as of May 21, 2021 there are ten (10) people who have added the CMMC-AB to their employment history. Four (4) are Registered Practitioners (not CMMC-AB employees), two (2) are CMMC-AB professional staff, and four (4) are existing volunteer Board members. While the CMMC-AB maintains an active organizational presence on LinkedIn, we do not compel participation on the platform by our employees or Board members.
When will CMMC Certified Assessor Training begin?
We expect formal CMMC Certified Assessor training to begin mid-to-late summer 2021.
What is the process for becoming a C3PAO?
A CMMC Third Party Assessment Organization (C3PAO) is licensed by the CMMC-AB to contract and manage CMMC assessments. The first step to becoming a C3PAO is for a representative of the company to fill out the application form at cmmcab.org. Applicants are then screened in multiple steps. The CMMC-AB has partnered with Dun & Bradstreet (D&B) to provide a risk assessment of each applicant, which includes analysis and scoring of up to 15 factors. An overall risk score of “medium” or better is required to move to the next step in the process. Applicants whose risk score is worse than medium are referred to CMMC-AB leadership for further review. Next, a Foreign Ownership, Control, or Influence (FOCI) analysis is conducted to evaluate the risk of foreign influence. As part of the FOCI review, an interview is conducted with senior management of the company and the US citizenship of the company’s ownership is confirmed. If the applicant is an Employee Stock Ownership Plan (ESOP) organization, a global partnership, or a public company that is headquartered in the US, an enhanced FOCI analysis is performed. If all of the analysis is favorable, the C3PAO applicant becomes a C3PAO Candidate, and their information is forwarded to the DoD CMMC PMO, which is responsible for scheduling the CMMC ML3 assessment by DIBCAC. C3PAOs become authorized to conduct assessments upon achieving CMMC ML3, meeting the various administrative requirements (e.g., proof of insurance, dispute resolution process, etc.), and, ultimately, receiving their “Authorized C3PAO badge” from the CMMC-AB.
I applied to become a Certified Assessor in 2020…why have I not been accepted yet?
The classes required to become a CMMC Certified Professional and Certified Assessor have still not been authorized. We expect those classes to start becoming available mid-to-late summer 2021, and interested parties will be able to sign up at that time. Successful completion of those classes and the exam will certify you to be an Assessor.
What is a Provisional Assessor?
A CMMC Provisional Assessor is an individual who was randomly selected from the Assessor applicant pool to participate in the CMMC pilots. They are intended to provide feedback to the CMMC-AB on their experience in order to improve the assessment guide and methodology. The CMMC-AB was originally authorized to randomly select 40 Provisional Assessors, but we have expanded that pool to 150+ assessors (about 25 of whom were dedicated to support the DIBCAC teams). Provisional Assessors are authorized to conduct assessments “for score” for up to six months after the formal Certified Assessor classes are available.
Will Provisional Assessors be required to go through the new training when it becomes available?
Yes. All Provisional Assessors were informed when they were accepted into the program that they would have to take the new training and exams within six months after they are launched. There have been many changes to the assessment method and approach, and re-training to the updated protocols is a requirement.
What is the “Provisional Period” being discussed in various circles regarding CMMC Assessments? (i.e. when does it begin and end; what is different during this period)
The “Provisional Period” refers to the validity period of Provisional Assessors, which started in July 2020 and will stretch to six months after formal certified training is available.
Will you be posting the C3PAOs online once they are approved by the AB?
Yes. Candidate C3PAOs that have been approved by the CMMC-AB will be posted on the Marketplace as “Authorized C3PAOs.” Only Authorized C3PAOs can conduct CMMC assessments for certification.
To become a C3PAO, must our company comply with NIST 800-171, and what is the threshold score to complete our DIBCAC Assessment?
C3PAOs will be assessed against CMMC, which is a “super-set” of NIST 800-171. There is no threshold score, per se, as 100% of CMMC controls and practices must be successfully assessed.
For C3PAO applicants, why isn’t the CMMC-AB giving priority to those who are already ISO 17020 accredited?
ISO 17020 accreditation is one of the many requirements for C3PAOs, but it is not a prerequisite. C3PAO applicants have 27 months after acceptance by the CMMC-AB to achieve this milestone. In addition, existing 17020 accreditations will have to be supplemented with the DoD’s schema for CMMC and CMMC assessments, and applicants will need to be assessed within that framework.
Are assessors able to affiliate with multiple C3PAOs within the CMMC marketplace portal?
Assessors can affiliate with as many C3PAOs as they like, but the current functionality of the portal only allows one affiliation. That will be changing with the new version of the CMMC Marketplace scheduled to be rolled out later this year.
How does a C3PAO schedule a DIBCAC assessment?
Once a C3PAO has completed its application and acceptance process with the AB, it becomes a Candidate C3PAO. Candidate C3PAOs provide the CMMC-AB with an assessment “ready” date, which is forwarded along with the application material to the DoD CMMC PMO office. The PMO prioritizes the C3PAO based on this ready date, and the DIBCAC team contacts the C3PAO directly to schedule the assessment.
Will all Assessor applicants be required to take the Certified Professional training and exams as well?
Yes. The Certified Professional (CP) class is a “gateway” class. It is about the CMMC model, the assessment guides, and how to interpret the model in a practical way. It is not a “cyber” training class, but a model-specific class, and it is required for all Assessor and Instructor applicants.
We paid an application fee to become a C3PAO, and we haven’t heard anything. When can we expect to have our application processed?
The CMMC-AB received thousands of applications in a very short period of time. We have been working to review and process them as fast as possible. To date, we have processed approximately 40% of the C3PAOs that have applied, and now that we have professional staff on board we will be getting through them more rapidly. We need to do better on this front and thank you for your continued patience.
Can a DIBCAC-approved C3PAO assess a C3PAO candidate?
No, all candidate C3PAOs must be assessed by the DIBCAC.
When will non-US owned companies become eligible to be C3PAOs?
To confirm, presently only US companies can qualify to become a C3PAO. There is currently no plan for non-US owned companies to be eligible to become C3PAOs. Some governments of other nations, however, have expressed interest in potentially incorporating the CMMC model into their own cybersecurity regimes. Such discussions are in the very preliminary stages, but it is conceivable that, were the CMMC model to expand to other countries, non-US companies could become eligible to become C3PAOs.
For purposes of an individual’s application, is a naturalized citizen born abroad considered a foreign national?
No, a US Naturalized Citizen is a citizen of the United States.
Registered Practitioners and Registered Providers
Why is the CMMC-AB implementing the Registered Practitioner and Registered Provider programs? Is that also in your contract with the DoD?
While our contract with DoD is focused on CMMC C3PAOs, Assessors, Instructors, and associated training materials, we are also charged with managing and supporting the CMMC ecosystem in ways that we believe will enhance the effectiveness of the CMMC initiative as well as the preparedness of the Defense Industrial Base to succeed in a CMMC environment.
What is a Registered Practitioner (RP)?
A Registered Practitioner is an individual who has attended a CMMC-AB sponsored training class, completed a CMMC test, signed the CMMC Code of Professional Conduct (CoPC), and passed a criminal background check. Once that process is complete, they are listed (as “registered”) on the CMMC-AB Marketplace. Please note that these individuals and organizations are not “certified” by the CMMC-AB, cannot lead CMMC Certified Assessments, and cannot conduct CMMC Certified Training. Where they may provide value is in helping Organizations Seeking Certification (OSCs) better understand CMMC requirements, implement CMMC controls and processes, and prepare for CMMC assessments.
Do I have to become a Registered Practitioner to deliver CMMC consulting to my clients?
No. The CMMC-AB does not regulate the CMMC consulting market and has no authority to do so. Any person with the requisite skills can provide CMMC consulting services in the open market without authorization by the AB. Becoming a Registered Practitioner says that you have a recognized level of IT expertise, that you have a basic level of CMMC training and awareness, and that you agree to be held to a higher standard via both the CMMC Code of Professional Conduct (CoPC) and by agreeing to a background check. Additionally, RPs (and RPOs) earn the benefit of being listed on the CMMC Marketplace with others who have completed the same requirements.
Can RPs take C3PAO training in order to better advise their clients?
The CMMC-AB does not offer “C3PAO Training,” but there is no reason an RP could not sign up for Certified Professional Training once it becomes available.
I'm an RP and planning on consulting with an Organization Seeking Certification (OSC). On the day of the assessment, will I be allowed to be onsite with the OSC and facilitate their responses for documentary evidence requested by the assessor? What level of engagement with the assessor will we as the RP be allowed?
The precise details and nuance contained in this answer are important to note. If you are an RP that is working as a contractor with an OSC, and you are a de facto staff member of their IT or cybersecurity organization, then you should be able to participate in an assessment. If, however, as an RP you are purely serving as a consultant in a consulting role, without any formal role or responsibilities within the OSC, but you helped create the OSC’s processes and controls, wrote policy and process documentation, and coached your client on how to pass an assessment, then engaging with the assessor or answering questions during that assessment would be considered inappropriate and unethical behavior by the RP.
What is a Registered Provider Organization (RPO)?
Registered Provider Organizations are organizations and companies, often consulting firms, that have made a strategic decision to become part of the CMMC ecosystem by completing a background investigation, signing the Code of Professional Conduct (CoPC), and signing an agreement with the CMMC-AB. Once the process is completed, their company logo and information is listed (as “registered”) on the CMMC-AB Marketplace. RPOs are not certified by the CMMC-AB and cannot contract or manage CMMC Certified Assessments or Training.
Can an RP be associated with more than one RPO?
An independent RP can work with one or multiple RPOs upon mutual agreement, but the RP can currently only be associated with one (1) RPO in the CMMC Marketplace. If an RP’s Marketplace affiliation changes from one RPO to another RPO, that change will need to be reflected in the system. For now, please submit a help-desk ticket at cmmcab.org. We are working to have a self-service feature in place in the near future to make such changes.
Does the CMMC-AB certify consultants to perform CMMC services?
No. The CMMC-AB cannot certify consultants, and a Registered Practitioner is not “certified.” An RP agrees to a background check and takes a short class so they can be listed in the CMMC Marketplace directory, but there is no certification process.
Licensed Software Providers
When will the Licensed Software Provider program start?
The LSP program is under development and we expect to roll it out in late 2021.
How much does a CMMC assessment cost?
Cost is determined by assessment model scope (level of certification sought), organizational scope and size, and complexity. Maturity Level 1 assessments of small organizations will be less costly than Maturity Level 5 assessments of large manufacturers, where multiple assessors may be required and analysis could span several weeks. Because of this, there can be no standard pricing for CMMC assessments. Organizations Seeking Certification (OSCs) are advised to follow standard procurement processes by asking for multiple proposals and comparing pricing, quality, and value before making a decision on a C3PAO and Assessor.
Are there any certified C3PAOs conducting assessments right now?
Not yet. C3PAOs are just now starting to complete DIBCAC CMMC ML3 assessments and should be entering the Marketplace soon.
I’m already an experienced cyber professional, why should I have to take the training? I don’t need to take the training to earn other certifications.
Those other certifications are likely personal credentials that do not authorize you to make consequential decisions for other businesses that could, potentially, block them from bidding on DoD contracts. That level of responsibility requires standardization of approach. We need to know that all CMMC Assessors are following the same assessment process and have a common understanding of the CMMC controls and practices. CMMC is more about model interpretation than it is about cyber, and that is what the training will be about.
When will C3PAOs be able to conduct their DIBCAC CMMC ML3 Assessments?
The CMMC-AB does not control the schedule for DIBCAC ML3 assessments for candidate C3PAOs. DIBCAC is a DoD entity within the Defense Contract Management Agency (DCMA) that manages their own schedule in collaboration with the CMMC PMO. Once candidate C3PAOs are cleared by the CMMC-AB, the PMO has responsibility for scheduling those that have signaled their readiness to conduct an assessment with the DIBCAC assessment team.
Can C3PAOs and Assessors conduct “commercial” assessments in addition to the 10 pilots?
The priority is the 10 pilot contracts. But once those assessments commence, and if they are proceeding satisfactorily with no backlog, C3PAOs and Assessors will likely be authorized to conduct assessments with other OSCs.
How is Level 1 CMMC proven in an assessment or audit without the compliance documentation (aka policies and procedures) required in CMMC Level 2?
The presence of a policy or procedure does not necessarily verify that a practice is being performed or that a control is in place. CMMC examines evidence for each control/practice through Interview, Examine, or Test (or all three). Even at ML1, Assessors will examine each control without the presence of policy documentation.
How many days does a CMMC ML1 Assessment take to complete?
A certified CMMC ML1 assessment has not yet been conducted. But several notional pilots were completed over the past few months, and the ML1 assessments were completed in 1-3 days, with one day or less of planning needed prior to the assessment.
When will the CMMC-AB release an updated CMMC Assessment Guide for ML3, and new guides for ML5?
The CMMC-AB will not be releasing the Assessment Guides as that is the responsibility of the DoD’s CMMC PMO.
Why are so many companies failing their DIBCAC assessments?
The premise of that question is false. No company has yet “failed” a DIBCAC ML3 assessment. As of May 26th, 2021, one Candidate C3PAO has been successfully assessed at ML3 and several more are in process for being assessed.
Will the CMMC-AB be issuing any assessment duration guidance and/or rules for use by the C3PAOs with regard to: 1) assessment team construct, 2) assessment durations?
DoD will be releasing assessment team construct guidelines, including size and qualifications. There is no assessment duration guidance, as OSCs will vary in size and complexity. Assessments are projects, and each needs to be scoped according to size, complexity, goals, and state of readiness.
What organization issues the CMMC “certification” to an OSC?
C3PAOs will issue the CMMC Certificate of Compliance to OSCs upon a successful assessment.
Who is responsible for dispute resolution if an OSC does not agree with the outcome of its assessment?
If the disagreement is related to readiness, evidence, or model interpretation, then the C3PAO is required to resolve that dispute. C3PAOs are required to have an established dispute resolution process that is reviewed by the CMMC-AB. If the dispute, however, involves an Assessor’s professional conduct, the CMMC-AB is responsible for investigating their performance vis-à-vis the CMMC Code of Professional Conduct, and to take action if required.
If weaknesses are found during an assessment, what is the time window to correct them so the company can “pass” their assessment?
All OSCs are granted a 90-day remediation period to correct weaknesses discovered during their assessment. The assessment team must agree that the weaknesses uncovered can be closed within 90 days in order to proceed with a remediation assessment.
Does a joint venture or a partner to my company have to be assessed if my company needs to be assessed?
Yes, all legal entities (i.e., corporations, LLCs, JVs, partnerships, etc.) that participate in a contract with CMMC requirements must be assessed at the requisite level. It is possible to assess a joint venture as a single unit, but it will include all parties to the JV.
How granular are procedures expected to be? Should there be an overarching procedure for a given domain that covers all practices at an enterprise common implementation? Or should there be a procedure that covers each practice of each domain for every individual system in scope of the assessment?
Procedures and policies need to be based on your business processes, not the CMMC model domains and practices. They should ACCOUNT for the domains and their operational requirements, but there is no requirement to have them for each control, practice, or domain.
Policy and procedure documentation is killing small businesses. It is hard enough to get them technically savvy let alone write up a bunch of documents. Please look into reducing the documentation burden on small business going forward.
There is no requirement in the CMMC for “a bunch of documents.” There is a requirement to document your business approach and expectations for team members. If you own a small business, then the documentation of how you run your business should not be overly complex. Policy and process documents are simply a way of describing your business environment and the expectations for working in it. Naturally, a 10-person company will not resemble a large enterprise. Policy and process requirements in CMMC are flexible and scalable.
CMMC-AB Policies and Operations
What were the criteria for selecting participants in the Industry Advisory Council? I’m concerned that there are no small business members.
IAC membership comes from a very broad range of industries and companies. They are all businesses with a critical interest in cyber security. There are several small businesses as members.
Why hasn’t the CMMC-AB released Scoping and Reciprocity information to the community?
The CMMC-AB is a licensing and operations organization. We do not set CMMC policy. Questions regarding scoping, reciprocity, model interpretation, or any other policy questions belong to DoD and cannot be determined by the CMMC-AB.
Will Assessment and Pre-Assessment Reports be CUI?
Formal Assessment Reports are to be treated as CUI, per DoD’s requirement. Pre-Assessment reports are not in scope for this requirement.
When will the Marketplace be functional? There does not seem to be any way to market myself on it.
There is currently a preliminary Marketplace (accessible through the CMMC-AB website) that is functional, and gives RPs, RPOs, C3PAOs, and Provisional Assessors a place to list their companies. Later this year, we plan to introduce the permanent CMMC Marketplace to provide more functionality for the registered and authorized members of the CMMC ecosystem.
CMMC-AB Conduct and Ethics
Are CMMC-AB Board members permitted to own a C3PAO, become assessors, or start a CMMC Training Company?
No. All Board Directors signed a CMMC-AB code of professional conduct as a condition of appointment. While they are on the Board, and for one (1) year following their service, they may not participate in any of the regulated, certified, or licensed roles (C3PAO, Assessor, Instructor, LTP, LPP) that the CMMC-AB may have influence over approving, managing, or monitoring.
Is the CMMC-AB using companies’ pre-paid assessment fees to run its operation?
No. The CMMC-AB will only recognize revenue once a service has been delivered. For instance, if an RPO fee has been collected, we are able to access that revenue once the acceptance process is complete and the RPO has received their approval and badging. Application fees can be recognized when the application has been reviewed and accepted, or rejected. This is why we have split the application fee from the license fee. No funds can be used by us if the applicant did not receive the services they paid for.
Are there any CMMC-AB members that are Certified Assessors or Instructors?
No. As authors of the CMMC Assessment Process, CMMC-AB Board Directors have observed pilots and provided feedback, but no CMMC-AB member of the Board is a Provisional or Certified Assessor. For the first three Provisional Assessor classes, the three CMMC-AB Board Directors who authored the training materials and methods were temporarily authorized as Master Instructors, but that role is in the process of shifting to a set of Provisional Instructors.