In Progress: CMMC Third-Party Assessor Accreditation by C3PAO

Author Picture

AWA International Group is a division of I.S. Partners focused entirely on IT cybersecurity services. This branch of our company provides specialized security assessments, advisory services, and compliance solutions. It’s also one of the country’s few Qualified Security Assessor firms.

Now, the AWA team is working to add one more accreditation to its toolkit.

Because the Department of Defense plans to implement a new Cybersecurity Model Certification (CMMC 2.0) regulation, companies contracting with the DoD will need independent auditors to certify that they meet CMMC Level 2 standards for protecting sensitive information. So, they are working towards this tough accreditation process in order to help companies achieve CMMC compliance before the deadline.

Key Takeaways

1. CMMC 2.0 includes strengthened security frameworks, stricter compliance requirements, and more comprehensive assessments.

2. A CMMC-accredited third-party assessor is a certified CMMC assessor who understands how to implement the new framework efficiently.

3. AWA is a C3PAO candidate, allowing the company to perform assessments for CMMC compliance.

Why Is a CMMC Third-Party Assessor Accreditation Needed?

A CMMC-certified assessor accurately understands and knows the amendments that the first CMMC framework has undergone. CMMC-certified assessors can guide organizations throughout the certification process and provide the necessary federal contract information.

CMMC 2.0 regulations represent a major shift in cybersecurity expectations for Department of Defense (DoD) contractors. Compared to previous security frameworks, CMMC Level 2 compliance requires much more rigorous preparation and investment.

Specifically, the controls and documentation standards under CMMC are more advanced than other common frameworks, like ISO 27001, PCI, and HIPAA. Additionally, independent third-party audits will now be explicitly necessary to certify compliance and perform site inspections rather than self-assessments.

By making CMMC certification mandatory for DoD contractors, the government is compelling private sector companies to adopt sophisticated best practices. Meeting the elevated compliance bar set by CMMC 2.0 will demand substantial time, resources, and organizational maturity compared to cybersecurity expectations in the past.

All contractors aiming to work with the DoD must understand the heightened stringency of these new cybersecurity regulations. This undertaking will require the help of certified CMMC assessors.

“This obligation is going to be a requirement for anyone working with the DoD. This is going to be an absolutely mandatory requirement that’s explicitly required in their contract language.” – Ian Terry, SO/IEC 27001 LA, PCI-DSS QSA, CISSP, and Director of Cybersecurity Services at AWA. 


We Are Now a C3PAO Candidate!

AWA is a candidate for CMMC Third Party Assessment Organization (C3PAO) accreditation. This would allow AWA to officially assess defense contractors for CMMC compliance. The group has applied with the C3PAO Accreditation Body and is working on the next steps.

However, the CMMC 2.0 release has been delayed. As the initial CMMC 2.0 rules come out, AWA is updating to meet new requirements, with the goal of getting full C3PAO accreditation by July-August 2024.

Once the release of CMMC 2.0 is complete and AWA becomes a certified CMMC assessor, AWA can conduct CMMC assessment services. The company can help guide organizations through the CMMC assessment process and secure a CMMC certification based on the new requirements.

What Is the Process for Becoming a CMMC-Certified Third-Party Assessor?

To ensure these audits are reliable, the CMMC Accreditation Body oversees the certification of third-party assessment organizations. Companies wanting to become certified C3PAOs must apply, undergo background checks, and demonstrate strong security practices.

The application process to become a C3PAO auditor is rigorous because these auditors will play an important role in verifying cybersecurity standards. Interested companies must submit applications and complete qualification steps overseen by the CMMC Accreditation Body.

Below is the simplified process of becoming a CMMC-certified CMMC assessor:

  1. A company representative fills out the C3PAO application form on
  2. The company goes through a risk assessment conducted by Dunn & Bradstreet and must achieve a “Moderate” or better risk score to proceed.
  3. A Foreign Ownership, Control, or Influence (FOCI) analysis is conducted, including an interview with senior management and confirmation of US citizenship of company ownership. Enhanced analysis for certain organizational structures.
  4. If the FOCI analysis is favorable, the company becomes a C3PAO Candidate.
  5. The Cyber AB confirms the Candidate C3PAO is ready, then forwards their information to the DoD CMMC PMO to schedule a CMMC Level 2 assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
  6. Upon achieving CMMC Level 2, meeting administrative requirements, and receiving an “Authorized C3PAO” badge from the Cyber AB, the company is authorized to conduct CMMC assessments.

What Is Cyber AB?

The Cyber AB is the centralized accreditation body that oversees the licensing and certification of all third-party organizations and individuals involved in providing CMMC assessments, training, and instruction.

It operates on contract with the DoD to serve this role across the CMMC ecosystem.

cmmc assessor

How Can AWA Help You With CMMC Compliance?

As a C3PAO candidate, AWA is qualified to help contractors prepare for the new CMMC requirements. This tells you that AWA is well-versed with the new CMMC requirements and can help you achieve compliance more efficiently.

They are skilled at running any CMMC assessment, documenting strategies, standards, and policies, and adjusting them specifically to align with the CMMC criteria. AWA can help organizations seeking certification in the most efficient way possible.

About The Author

CISSP - Certified Information Systems Security Professional
CEH - Certified Ethical Hacker
CISM - Certified Information Security Manager

Request a Quote

Contact AWA International to discuss the cybersecurity solutions that would best fit your organization's compliance goals.

Scroll to Top