The Cybersecurity Maturity Model Certification (CMMC) is an accreditation issued by the United States Department of Defense (DoD) for organizations within the Defense Industrial Base (DIB)’s that achieve a comprehensive and scalable cybersecurity program. Defense contracts necessitating CMMC compliance require CMMC certification from the prime contractor and all subcontractors.
The CMMC Compliance Challenge
Historically, the DoD required defense contractors’ compliance with the requirements of NIST 800-171. However, compliance was limited to self-certification, and no audit of compliance was required. Interpretation of NIST 800-171 by the self-auditors and lack of enforcement lead to non-compliance with the regulation. In 2019, research by Sera-Brynn found that on average companies implemented 39% of the required security controls.
CMMC 2.0 defines three levels of compliance, ranging from “Foundational” to “Advanced.” Level 2 CMMC 2.0 compliance equates to full compliance with NIST SP 800-171, and a long-term goal is for DIB contractors to reach this level. Some contractors may be required to achieve Level 3 compliance, which adds the requirements of NIST SP 800-172 to those of NIST SP 800-171.
CMMC also introduces the need for third-party audits for compliance. While annual self-certification is required for all levels, some Level 2 and all Level 3 contractors must undergo triennial audits by a third party or the government.
Why You Need Two Providers
To help defense contractors achieve CMMC compliance, the CMMC Accreditation Body (CMMC-AB) provides two different accreditations to service providers. These include:
- Registered Provider Organizations (RPOs): RPOs house Registered Practitioners (RPs) who have undergone CMMC training. An RPO is authorized to provide support, advice, and implementation assistance to companies seeking CMMC compliance.
- Certified Third-Party Assessment Organizations (C3PAOs): A C3PAO is an organization authorized to perform CMMC audits.
Working with an RPO helps ensure the success of a defense contractor aspiring to achieve CMMC compliance. RPOs perform gap assessments and offer advice (from a deep CMMC understanding) on achieving and maintaining compliance.
However, under the CMMC Code of Ethics, a company’s RPO cannot also act as its C3PO, even if the provider is certified to fulfill both roles. To ensure the integrity of the audit, both roles must remain completely distinct, which is why many defense contractors that require third-party audits will choose to partner with an RPO and a separate C3PAO to achieve compliance. This will ensure there are no conflicts of interest.
How MorganFranklin Can Help With CMMC
MorganFranklin is a CMMC-AB Certified RPO. No matter where your organization is in the CMMC certification process, our team can provide hands-on support and expertise. This includes everything from the initial planning stages and gap assessment, to long-term support for critical functions required for CMMC compliance.
Additionally, MorganFranklin is currently in the process of becoming a C3PAO. Upon application approval, we will also be able to offer CMMC audits up to CMMC 2.0 Level 3 (Expert).