Authority and Regulatory Framework
CyberAB Organizations and Architecture
Assessment Organization Structure
CMMC Individuals
100

The CMMC PMO operates under DoD CIO(CS) authority and is responsible for monitoring CMMC-AB performance, reviewing CMMC-AB decisions as part of program oversight, evaluating alleged conflicts of interest that may influence CMMC-AB objectivity, and retaining the prerogative to address problems pertaining to effective CMMC-AB performance of its assigned roles.

What are the CMMC PMO's comprehensive oversight responsibilities including CMMC-AB performance monitoring, decision review authority, conflict of interest evaluation, and corrective action prerogatives?

100

This organization is the sole authorized accreditation and certification partner of DoD in its CMMC program and manages the CMMC ecosystem on behalf of DoD.

What is the Cyber Accreditation Body (Cyber AB)?

100

These organizations are authorized by the Cyber AB to enter into contracts to deliver CMMC Assessment services and must maintain ISO 17020 certification, pass a CMMC Level 2 assessment themselves, and employ at least one Certified CMMC Assessor.

What are CMMC Third-Party Assessment Organizations (C3PAOs)?

100

Official CMMC assessment teams must include at least one Certified CMMC Assessor (CCA) and may include CCPs in supporting roles. The team composition must follow Cyber AB standards for scope, objectivity, and consistency across assessments.
What are the defined composition requirements for CMMC assessment teams including CCP and CCA roles?

200

These two institutions were engaged by the Office of the Under Secretary of Defense (OUSD) in 2019 to develop the CMMC model using their expertise in resilience, process maturity, and cybersecurity.

What are the Carnegie Mellon University Software Engineering Institute (SEI) and the Johns Hopkins Applied Physics Laboratory (APL)?

200

These consulting organizations are listed on the Cyber AB Marketplace and provide CMMC readiness support to OSCs, but cannot perform official assessments or issue certifications.

What is a Registered Provider Organization (RPO)?

200

This document guides a C3PAO's evaluation of a contractor's implementation of CMMC Level 2 requirements across 14 domains and 110 practices.

What is the CMMC Assessment Guide Level 2?

200

This is the temporary transitional instructor designation in CMMC 2.0. PIs are designated by the CAICO to teach CCP/CCA courses during the phase-in of the new program, but their authority sunsets 18 months after Dec. 16, 2024 (approximately mid-2026). After that date only fully certified CCIs may instruct.

What is a CMMC Provisional Instructor (PI)?

300

This U.S. legislation defines a framework of guidelines and security standards to protect government information and operations, which CMMC builds upon.

What is the Federal Information Security Management Act (FISMA)?

300

This accreditation standard must be achieved and maintained by the Cyber AB before it can accredit C3PAOs.

What is ISO/IEC 17011?

300

This CMMC level requires 17 practices from NIST SP 800-171, allows self-assessment by the DoD supplier, and focuses on foundational cyber hygiene to protect Federal Contract Information.

What is CMMC Level 1?

300

These interim roles are subject to official sunset deadlines. Individuals must transition to fully certified CCP, CCA, or CCI status within the established timeline to remain active within the CMMC ecosystem.

What are the sunset requirements for Provisional Assessors and Instructors?

400

In the DoD's acquisition strategy, cybersecurity is now recognized as the fourth co-equal pillar alongside these three traditional considerations.

What are cost, schedule, and performance?

400

This publicly available resource allows OSCs to find authorized C3PAOs, RPOs, and training providers recognized by the Cyber AB.

What is the Cyber AB Marketplace?

400

Organizations seeking C3PAO status must first achieve a CMMC Level 2 certification (typically via a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)–conducted audit aligned with NIST SP 800-171) and satisfy all of the Cyber AB's administrative eligibility criteria (e.g. liability insurance, formal dispute-resolution processes, quality management policies). Only after achieving Level 2 and meeting these requirements do they receive authorization to conduct official CMMC assessments.

What are the requirements for a C3PAO to become authorized to conduct CMMC assessments?

400

This entry-level certification is mandatory before pursuing advanced roles such as Certified CMMC Assessor (CCA) or Certified CMMC Instructor (CCI), ensuring foundational knowledge of the CMMC framework and ecosystem.

What is the prerequisite relationship of the CCP certification for advancing to CCA or CCI?


500

This regulation, effective in 2017, required contractors to provide adequate security of covered defense information by implementing the 110 security requirements in NIST SP 800-171, laying the groundwork for the CMMC program that launched in 2019.

What is DFARS 252.204-7012?

500

This organization within the Cyber AB oversees certification of CCPs, CCAs, and CCIs, ensuring they meet instructional and assessment requirements through exam development, credentialing, and performance management.

What is the CMMC Assessment and Instructional Certification Organization (CAICO)?

500

Beyond technical knowledge, C3PAOs must implement robust organizational and quality controls. Cyber AB requires comprehensive business operations standards (liability insurance, contracts, documented processes), formal conflict-of-interest mitigation (per the CMMC Code of Professional Conduct), and a recognized quality management system (e.g. ISO/IEC 17020 accreditation under the DoD CMMC schema). Additionally, C3PAOs must maintain ongoing personnel training and certification renewal programs to keep assessor teams competent and compliant throughout their authorization period.

What are the administrative and quality management requirements for C3PAOs?

500

These individuals lead CMMC assessment teams and are responsible for final assessment determinations and certification recommendations. They must demonstrate strong leadership, deep technical knowledge, and a full understanding of DoD cybersecurity standards, beyond holding a CCA credential.

What are the additional qualifications and responsibilities of a CMMC Lead CCA?