Know Your Role when Swimming in CMMC Alphabet Soup

Humans get drawn to to thinking in threes. Holy Trinity, Three Little Pigs, Zelda Triforce, A kid, his Dad, and a Ghost (Star Wars…already mentioned Christianity).

Examples exist in our culture, thinking, and governance.

In writing we call it the Rule of Three. Think your five paragraph essay with three supporting details. Three baby ducks buttressed by their parents at the intro and conclusion.

In statistics we use the three sigma rule as shorthand to remember the intervals in normal distributions. In Government we use Three Branches.. Music grows through melody, harmony, and rhythm.

The Cybersecurity Maturity Model Certification Accredidation Board makes the CMMC ecosystem sing using a similar framework of three: authorities, organizations, and individuals.


When it comes to securing sensitive data you hane to know where the buck stops. Who owns the risk? Who authorizes the systems? In the CMMC ecosystem we have to authorities: Office of the Undersecretary of Defense and the CMMC-AB.

Office of the Undersecretary of Defense

In the end CMMC provides the Department of Defense an avenue for to meet the Federal Information Security Modernization Act (2002/2014). All federal agencies must account for how they secure Controlled Unclassified Information. Out of all federal agencies DoD has reached closest to a goal line.

Currently Greogry Krausner is performing the duties of the Under Secretary of Defense for Acquisition & Sustainment while awaiting Senate Confirmation. CMMC falls under the auspices of the offices of the Deputy Assistant Secretary of Industrial Policy who laid out, you guessed it three goals for CMMC:

1. To incorporate a unified set of cybersecurity requirements into acquisition processes and contracting language. Recognizing that cybersecurity should not be “one-size-fits-all ,” the program includes several levels of cyber requirements, that allow flexibility to apply requirements appropriate to the defined sensitivity level of information at issue.

2. To provide the Department assurance, via external assessment, that all contractors and subcontractors participating in a given award meet mandatory cybersecurity requirements. The certification framework also facilitates the Department’s ability to hold prime contractors accountable for ensuring that their suppliers are, in fact, implementing appropriate cybersecurity requirements.

3. To develop supporting resources, information, and training to help contractors improve cyber readiness and comply with the Department’s requirements.

In the past the CMMC program has sat under the OUSD CISO and the Director of Cybersecurity Maturity Model Certification (CMMC) Policy. Recently John J. Garstka was appointed Director for Cyber within the Office of the Chief Information Security Officer.

Office of the Undersecretary of Defense Responsibilities

The Department of Defense maintains the CMMC standard, approves all curriculum, and controls all timeline for information such as scoping guidance. They also have approval over the assessment process,

The CMMC-AB can change very little about the CMMC requirements, most of those fall to the DoD who have a requriement to meet federal regulations beyond their control.

Cybersecurity Maturity Model Certification Accreditation Board

The CMMC-AB has a no-cost contract with the Department of Defense. The Board has gone through a maturation process transitioning to having full time staff and acting as Directors rather than having to stand up a program. Some found Early decisions during this statup period questionable.

The CMMC-AB now has a new CEO on board, Matt Travis. Travis served as former deputy director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and thus brings years of experience to the AB.

Cybersecurity Maturity Model Certification Accreditation Board Responsibilities

As a contract holder the Department of Defense determines the CMMC-AB responsibilities. Currently the AB authorizes C3PAOs to conduct CMMC assessments; accredit C3PAO’s in accordance with ISO/IEC 17020 and DoD requirements; authorize the CAICO to certify CMMC Assessors and Instructors; accredit the CAICO in accordance with ISO/IEC 17024; establish, maintain, and manage CMMC marketplace, and oversee the CMMC Code of Professional Conduct.


These two authorities then oversee the organizations that make up the ecosystem

Organization Seeking Certification (OSC)

OSCs make up the defense contractors and the the thiird party providers who fall in scope of holding, transmitting, or securing FCI and CUI.

Only the OSC would need a certification every three years but I find it hard to imagine a world where OSCS use cloud service providers (CSPs) and managed service providers MSPs who do not have a -171, FedRAMP moderate equivalent, or working towards CMMC level three themselves.

Organization Seeking Certification (OSC) Responsibilities

Certified Third Party Assesment Organization (C3PAO)

The C3PAO contracts with the Organzization Seeking Certification the (OSC). They hire and build an assessment team. The C3PAO schedules and manages assessments.They upload the CMMC assessment data to a government system called CMMC eMASS. C3PAOs. If a remediation process is required the C#PAO leads this as well. They then upload any updates from remediation to CMMC eMASS.

The C3PAO contracts with the Organization Seeking Certification (OSC). They then hire the assessors for the team. The C3PAO schedule and manages the assessments.

The Certified Third Party Organization also owns, handles, and transmits the assessment data. This begins at the planning phase of an assessment. The C3PAO will geta request from the OSC. The C3PAO then chooses a lead assessor. The C3PAO develops the assessment plan. They then verify the readiness to conduct an assessment. After the planning phase the C3PAO will upload all the information to CMMC eMASS. This includes information on how Conflicts of Interest were handled.

The C3PAO then conducts the assessment. They attend a briefing with the OSC. If any changes need to nbe made to the assessment plan the C3PAo will add updates to eMASSS. They then determine initial practice and process scores. They then validate these results and determing if the practice was met or not met.

The C3PAO then delivers the assessment results and handles the adjudication. If the C3PAO determines a remediation is warranted. They handle all the data and communicate with the AB. After remediation the final CMMC level gets determined and results uploaded to CMMC eMASS.

Certified Third Party Assesment Organization Responsibilities(C3PAO)

Licensed Partner Publisher

Licensed Partner Publishers develop approved curriculum. The Department of Defense capped the number of publishing partners to twenty. Currently 16 LPPs exist in the marketplace.

The LPPs design all of the curriculum in the ecosystem. They then send this curriculum off to ProCert, a third party company the AB uses to check for curriculum alignment. The Department of Defense has ultimate approval of all LPP curriculum

Licensed Partner Publisher

Licensed Training Partner

Licensed training providers deliver certified trainings. LTPs can only use curriculum from a Licensed Partner Publisher. The Licensed Training Partner will host the curriculum, schedule the venues, and run online classes. They will work with CMMC eMASS and the CMMC-AB to record learner data.</p<

Licensed Training Partner

Registered Professional Organization

Registered Professional Organizations offer consulting not assessments. The RPOs represent registered professionals and the CMMC-AB seal means they have a business focused on CMMC and took a class provided by the CMMC-AB to have a basic understanding of the model.

Registered Professional Organization’s Responsibilities


The final grouping of players in the ecosystem get grouped as individuals. The people that make up the organizations.

Provisional Assessors

Provisional Assessors provide C

Provisional Assessor Prerequisites

Provisional Instructor

Provisional Instructor will teach classes deliverd by the LTPs. All classes must utilize a PI. At this time only the CMMC-AB can run classes to train Provisional Instructors.

Provisional Instructor Pre-requisites

Certified CMMC Professional

The Certified CMMC Professional (CCP) targets two career pathways. Folks who want to go down the assessment pathway and according to the AB, “Consultants who wish to advertise their deep knowledge and familiarity with the CMMC Standard when providing consulting services.”

Once training programs begin you should not engage any consultant without a CCP minimum. Plenty of talented 171 consultants exist outside of the ecosystem. You can utilize any of this talent for CMMC readiness. Yet the CCP provides a marker that the consultant got training from LTP using DoD approved curriculum developed by an LPP.

Certified CMMC Professional Pre-requisites

Complete Certified CMMC Professional Class (CMMC model training) from an LTP (Licensed Training Provider)

Assessment Team Member

An assessment team member joins a C3PAO and a lead assessor. All assessment team members .must have an active NAC, DHS Suitability or Other DoD Accepted Clearance. You also must have

Assessment team members need to have a CCA certification for their level. So a level one CA can do level one assessments and a level three can do level one, two (nobody wants a two), or three.

Certified Assessor Level One (CCA-1) Prerequisites

Certified Assessor Level Three (CCA-3) Prerequisites

Certified Assessor Level Five (CCA-5) Prerequisites

Registered Practitioner

A registered practitioner signed an agreement and took a class delivered by the AB. Much has changed since the launch of the program. Once trainings begin you should only engage with consultants that have a CCP or a trusted member of the assessment community who may have no letters at all.

Certified Assessor Level Five (CCA-5) Prerequisites

Leave a comment

Your email address will not be published. Required fields are marked *