
NQA’s C3PAO CMMC Accreditation Update

24 March 2021
NQA USA has received application approval to be a C3PAO within the DoD’s CMMC Marketplace.

We stand ready to provide the required 3rd party CMMC Assessment Services that are projected to be needed by up to 300,000 DIB suppliers in the coming years as this program continues to ramp up towards official launch. 

The NQA team has been working diligently for months to build up our CMMC offering in order to meet the anticipated demand of existing customers in the Defense Industrial Base.

What is CMMC?

For those that are not familiar with it, CMMC is short for the Cybersecurity Maturity Model Certification program which was developed by and for the US DoD beginning in 2019. The goal of CMMC is to tighten up the Defense Industrial Base (DIB) cybersecurity through a defined set of controls to be implemented and then assessed and confirmed by an independent 3rd party.

CMMC follows on the heels of DFARS Clause 252.204-7012, which required suppliers to self-assess to the NIST SP 800-171 controls. CMMC uses many of the very same NIST SP 800-171 controls, but will require independent assessment by a certification body (to be known as a C3PAO) such as NQA.

The CMMC “standard” is known as the CMMC Model, which currently is at version 1.02 published in January 2020. The CMMC Model, and associated Assessment Guides are freely available here from the DoD Office of the Undersecretary of Defense for Acquisition & Sustainment OUSD(A&S).

As a maturity model, the CMMC program will have 5 different levels of certification:

  • Level 1 (ML1):  Basic Cyber Hygiene

  • Level 2 (ML2):  Intermediate Cyber Hygiene

  • Level 3 (ML3):  Good Cyber Hygiene

  • Level 4 (ML4):  Proactive

  • Level 5 (ML5):  Advanced/Progressive

The CMMC program focuses on the identification and protection of Confidential Unclassified Information (CUI) and Federal Contract Information (FCI). The CMMC structure is predicated on the delineation of those two classifications of information – organizations with only FCI will likely be required to have CMMC ML1, whereas organizations with CUI will need to have CMMC ML3 (at a minimum).

This graphic shows the progression of the number of practices required at each maturity level of CMMC:

NQA Customer Impacts

NQA customers that work within the DIB have likely heard about CMMC over the past year or so. Many prime contractors have already begun to flow-down NIST/CMMC expectations to their supply chain partners. 

Originally it was thought that the first RFPs invoking CMMC would be released in late 2020, but it now appears that the first CMMC RFPs will be forthcoming in the next few months, or in the latter half of FY 2021.

Specifically, DoD has called out the following acquisitions for CMMC requirements:

  • U.S. Navy

    • Integrated Common Processor

    • F/A-18E/F Full Mod of the SBAR and Shut off Valve

    • DDG-51 Lead Yard Services / Follow Yard Services

  • U.S. Air Force

    • Mobility Air Force Tactical Data Links

    • Consolidated Broadband Global Area Network Follow-On

    • Azure Cloud Solution

  • Missile Defense Agency

    • Technical Advisory and Assistance Contract

CMMC certification will be required at time of award; however, the process to obtain CMMC certification will not be instantaneous. As such, many DIB contractors are preparing now for this eventuality. At present, no official CMMC assessments have occurred and as a result no organization has achieved the ensuing CMMC certification at this time. Once the program goes live, it is expected that there will be high demand for assessments by proactive suppliers looking to ensure their continued viability within the DoD supply chain; demand for assessments in 2021 (and perhaps 2022) will likely outpace availability.  

DIB contractors are encouraged to get prepared for CMMC sooner rather than later, even if they may not need or be able to schedule an assessment immediately. The CMMC-AB encourages a six month readiness plan, which for many organizations will be appropriate assuming proper resources are deployed.

NQA is able to help organizations get a sense of where they stand with regard to CMMC compliance through an NQA CMMC Gap Assessment. NQA’s CMMC Gap Assessment will provide a detailed review of the organization’s status of implementation and maturity of the controls required for the given level of CMMC compliance and leave the organization with a documented list of the met and un-met controls.

Summary

Organizations won’t need to go far to look for a trusted partner in CMMC compliance and certification – as an accredited CMMC C3PAO, NQA will be able to answer many questions and offer assessments to organizations needing CMMC certification to remain in good-standing with DIB customers and the DoD.

As this program continues to evolve and roll out, look for more information to be shared with customers to ensure that NQA continues to prepare and support the DIB for these new and important challenges in keeping the US Defense Industry secure. If you have any questions, feel free to contact us.