October 5, 2020
Rimstorm has some exciting news to share. If you’ve received our press release or our latest newsletter, then you know by now that we recently achieved a very important accreditation in Cybersecurity. Ben Gerenstein, our CEO, is now a CMMC Provisional Assessor under the CMMC-AB (CMMC Accreditation Body), and Rimstorm has applied to become a C3PAO (Certified Third-Party Assessment Organization).
In today’s blog, we’re going to talk a little bit about what exactly all this means. What are CMMC-AB and C3PAO, and how do they impact DoD contractors?
What is CMMC-AB?
As you should know by now, Cybersecurity Maturity Model Certification is designed to help businesses protect sensitive information from malicious cyber activity — such as intellectual property theft, espionage by foreign governments and cyberattacks. This certification framework is the latest requirement for businesses fulfilling or seeking to fulfill any type of Department of Defense contract. The entire CMMC ecosystem is designed to provide assurance to the DoD of the cybersecurity posture of the Defense Supply Chain.
Meanwhile, CMMC-AB itself refers to the CMMC Accreditation Body. This body implements the Cybersecurity Maturity Model Certification first published by the U.S. Department of Defense in January of 2020. The CMMC-AB provides certifications for C3PAOs — private Certified Third-Party Assessment Organizations — which hire CMMC-AB Certified assessors. Those assessors are in turn trained by CMMC-AB Certified Instructors.
What is a C3PAO?
As stated above, a C3PAO is a third-party organization that has received accreditation from the CMMC Accreditation Body. As a result, it is officially authorized to conduct CMMC assessments and grant CMMC certifications.
What is a CMMC Assessment?
An actual CMMC assessment consists of evidence-based, on-site evaluations of the capabilities, practices and process maturity defined in the CMMC model. These assessments are conducted by independent third-party assessment organizations. It’s important to note that not all CMMC assessments will require the same amount of effort, as lower levels defined in the CMMC model assess a smaller number of less challenging cybersecurity capabilities. Meanwhile, higher-level assessments will be much more involved.
What is CMMC Certification?
This is the final result that everyone needs to achieve after a CMMC assessment has been completed. The CMMC certification represents a company’s clear demonstration of cybersecurity capabilities and organization maturity as defined for a specific level of the CMMC model. Most importantly, CMMC certification will be used to qualify companies for DoD contracts.
DoD contractors who are pursuing CMMC accreditation in order to maintain or gain government contracts have to reach out to a C3PAO. Although no official C3PAO requirements have been put into place yet, and no companies have obtained CMMC accreditation at the time of writing, companies should begin careful planning immediately.
As of now, DoD contractors are the main target for CMMC certification, but eventually we can assume that this will expand throughout the government. Rimstorm is currently at the forefront of all of this, and it’s important for you to know that we officially have assessors who can assist you with becoming compliant with CMMC. Contact us today for CMMC preparation and assessment, and stay ahead of the curve.