NQA Enrolled in DoD CMMC

17 July 2020

NQA enrolled in DoD CMMC C3PAO Program; Steps organizations can take now to prepare for CMMC.

As the DoD’s CMMC (Cybersecurity Maturity Model Certification) Program continues to roll along and reach closer to the first DoD RFP’s calling out CMMC requirements, NQA continues to be heavily involved in this new program and has recently achieved preliminary approval as a CMMC C3PAO (Certified 3^rd Party Assessor Organization).

As of late June, NQA is listed on the CMMC-AB website as a C3PAO for assessors (and eventually organizations) to associate with for CMMC audits. This is the first step in the full accreditation process and as far as the CMMC Program has progressed at this time. NQA is internally preparing staff and operations to be ready for CMMC certification audits when they begin in late 2020. In the meantime, NQA is able to and has been conducting audits to NIST 800-171 and CMMC requirements as Gap Assessments in order to help DoD contractors prepare for the coming CMMC requirements.

In addition to NQA’s organizational status as a pending C3PAO, NQA also has had more than a dozen existing cybersecurity auditors in the queue for CMMC assessor approval. Applications for assessors opened in late June as well, with an initial provisional assessor program to begin within Q3 2020. NQA is focused on getting suitable assessors resources available to support the CMMC Program, with many of these auditors already gaining experience through CMMC Gap Assessments and NIST 800-171 Attestation Audits.

The full CMMC roll-out will span several years beginning in late 2020, but many proactive organizations are beginning preparations now. Steps organizations can take include:

Obtaining and reviewing both the CMMC Model (i.e. Requirements) and Appendices (i.e. Guidance)
- CMMC Model:
  https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
- CMMC Appendices:
  https://www.acq.osd.mil/cmmc/docs/CMMC_Appendices_V1.02_20200318.pdf
Bringing together Management System and IT personnel to discuss the 3^rd party certification process and internally assess readiness
Drafting, training and implementing required policies and procedures
Obtaining any necessary technology required to meet certain controls
Having an independent Gap Assessment to confirm preparations and identify any remaining gaps

Please contact your NQA Customer Service Representative if your organization would like more information on the DoD CMMC Program and how NQA can help with preparation and eventual certification.