Blog | September 28, 2020 | 4 MINS

Identifying a CMMC Auditor: 3 Things to Know About RPO vs. C3PAO


Now that the U.S. Department of Defense (DoD) has launched the Cybersecurity Maturity Model Certification (CMMC), many organizations seeking certification (OSCs) are looking for more information on CMMC auditors: who they are, where to find them, and what the next steps are for their own organization. 

The CMMC is among the latest initiatives to improve cybersecurity standards in the federal defense acquisition program. It replaces the previous regime, under which DoD contractors could self-attest to the criteria outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). Under the CMMC, compliance is instead evaluated, and certification issued, by specially trained CMMC auditors working for accredited organizations. The initial rollout of the CMMC in new DoD requests for proposals (RFPs) began in June 2020. The CMMC Accreditation Body (CMMC-AB) has formed and organized a group of industry professionals to develop guidelines, provide training, and evaluate audit candidates. There are separate accreditation tracks for individuals and for organizations; in this blog, we focus on the organizational level. 

The two designations for organizations are: 

  • CMMC Third-Party Assessor Organization (C3PAO) 
  • Registered Provider Organization (RPO) 

You can learn more about the individual auditor certifications on the CMMC-AB website, including: 

  • CMMC-AB Certified Professional 
  • CMMC-AB Certified Assessor  

1. What are the differences between the two types of organizational authorization? 

Both C3PAOs and RPOs register with the CMMC-AB and receive CMMC training, but only C3PAOs carry the additional accreditation that authorizes them to conduct the assessment and issue an actual CMMC certification. An RPO cannot certify you, but it can still provide CMMC expertise. You may consider engaging an RPO as an independent, external resource to evaluate your cybersecurity program and identify the gaps that would hold you back from achieving a higher-level certification, before you go in front of a C3PAO. 

2. What restrictions apply to C3PAO consulting versus certification assessments? 

A C3PAO cannot both consult on your program AND perform your CMMC certification assessment. This restriction is an intentional control to avoid a conflict of interest and to ensure that every CMMC certification rests on an independent evaluation: the organization that helped you build the program must not be the one grading it. Just as an assessed organization receives a CMMC level from one to five that reflects its program's maturity, each C3PAO is accredited to a level from one to five that sets the highest maturity level it is authorized to assess. A C3PAO accredited to Level 3, for example, cannot certify an organization at Level 4 or 5, so confirm a C3PAO's accredited level matches the level you are seeking before you engage it. 

3. What type of RPO and C3PAO resources will be available in the marketplace? 

The DoD and the CMMC-AB have capped the number of C3PAOs they plan to onboard for the time being, with only 60 designated spots for applicants to qualify. That number of organizations able to issue official CMMC certifications is very small relative to the existing DoD supplier base of more than 300,000 companies, so assessment capacity will be scarce. In addition, current guidance allows a vendor only 90 days after a C3PAO assessment to remediate any gaps it finds. OSCs should be clear on both the limited number of C3PAOs available in the market and the 90-day remediation window when deciding when to engage a C3PAO; closing known gaps with an RPO beforehand reduces the risk of running out that window. 

One of the latest updates in the CMMC auditor training program is that the CMMC-AB's Provisional Assessor Program is officially under way. The program is designed to test and refine the current CMMC assessment process. Its participants are drawn from both C3PAO-affiliated assessors and other industry professionals, so that feedback and insights come from a range of perspectives and auditing backgrounds. 

Once CMMC auditors have completed training, their company information and designation will be listed in the CMMC-AB's authorized marketplace, where OSCs can find registered consultants, authorized assessors, and similar resources. 

OneTrust has readiness templates available today for organizations to evaluate their program against CMMC requirements. To learn more, contact our team or request a demo today! For further guidance on CMMC auditors or how you can work toward certification at your organization, please visit the CMMC-AB's official website.
