This nonprofit organization is authorized by the Department of Defense to oversee the training, accreditation, and certification of CMMC assessors and organizations seeking CMMC certification. It plays a central role in establishing and maintaining the integrity of the CMMC ecosystem and accredits C3PAOs to conduct official assessments.
What is the Cyber AB (Cybersecurity Maturity Model Certification Accreditation Body)?
According to the CMMC Assessment Process, this is the Defense Industrial Base company, organization, university or college, legal entity, or discrete business division or practice area that is pursuing CMMC Certification by contracting with a C3PAO and proceeding with a CMMC Assessment. These entities are responsible for implementing CMMC practices for their target certification level.
What is an OSC (Organization Seeking Certification)?
These organizations deliver non-certified advisory services through the employment of Registered Practitioners. They are consultative organizations or Managed Service Providers that help OSCs create cybersecurity programs in preparation to meet or exceed CMMC assessment requirements, but they do not conduct CMMC Certified Assessments or provide official training.
What are RPOs (Registered Practitioner Organizations)?
Official CMMC assessment teams must include at least one CMMC Certified Assessor (CCA) and may include CCPs in supporting roles. The team composition must follow Cyber AB standards for scope, objectivity, and consistency across assessments.
What are the defined composition requirements for CMMC assessment teams including CCP and CCA roles?
According to the Cyber AB, these are established training organizations that have been vetted by CAICO and approved to participate in the CMMC ecosystem. They are required to use CMMC Approved Training Materials curriculum for their courses and must utilize Provisional Instructors or Certified CMMC Instructors for the delivery of content to CCP and CCA candidates.
What are ATPs (Approved Training Providers)?
This publicly available online platform, established by the Cyber AB, allows Organizations Seeking Certification to identify authorized C3PAOs, RPOs, and ATPs that have been recognized and approved to operate within the CMMC ecosystem. It facilitates the procurement of CMMC assessments and certifications, providing a centralized resource for organizations to find qualified service providers.
Who is the Cyber AB Marketplace?
According to the CAP, the OSC is responsible for implementing CMMC practices for the target CMMC Level to which they aspire and providing this type of environment for the C3PAO to conduct the Assessment. This means the OSC must provide access to systems, personnel, and documentation, and designate an affirming official as the primary point of contact.
What is a cooperative environment?
These individuals are trained and tested against the CMMC framework levels to obtain their designation. They are implementers providing consultative preparation services to Organizations Seeking Certification, helping them understand the CMMC model, identify compliance gaps, and develop mitigation strategies. They work either as independent contractors or as members of a Registered Practitioner Organization.
What are RPs (Registered Practitioners)?
According to the Cyber AB, once a candidate passes the CCP examination and becomes a certified CCA, they are qualified to work on CMMC Level 2 assessments as part of a C3PAO assessment team. This credentialed individual can evaluate evidence, conduct interviews, map responses to CMMC practices, identify gaps, and make final determinations on practice compliance that CCPs cannot make.
Who is a CMMC Certified Assessor (CCA)?
According to the Cyber AB, these organizations are approved by CAICO to develop the CMMC certification curriculum that maps to certification exam objective blueprints. They are responsible for creating quality CMMC training curricula that are utilized by Approved Training Providers to train individuals pursuing official DoD recognized CMMC professional certifications as assessors or instructor-assessors.
What are APPs (Approved Publishing Partners)?
This organization was established as a wholly owned subsidiary of the Cyber AB in September 2022 to facilitate training, examination, and professional certification of individuals within the CMMC ecosystem. It ensures that assessors and instructors are prepared and ready to conduct assessments and trainings, and manages the professional certification programs for CCPs, CCAs, and CCIs.
What is CAICO (CMMC Assessors and Instructors Certification Organization)?
The Cyber AB board of directors must ensure that the organization makes prudent use of all things within their care through their Duty of Care. They must remain loyal and steadfast to the mission set before it by placing it first and foremost through their Duty of Loyalty. Finally, they must now and always obey all applicable laws, regulations, commitments, governance documents, and best practices in both actions and appearances through their Duty of Compliance.
What is the fiduciary responsibility of the Cyber AB board of directors?
This advanced designation builds on RP status and requires proof of having implemented at least 50+ cybersecurity framework controls that directly correlate to the 110 CMMC Level 2 practices. Candidates must already hold active RP status achieved within the allowable timeframe, complete additional training, and pass the Cyber AB RPA exam to earn this designation.
What is RPA (Registered Practitioner Advanced)?
According to the CMMC Assessment Process, these are authorized and independent conformity assessment bodies that contract with Organizations Seeking Certification to conduct CMMC Assessments and issue CMMC Certifications. They are accredited by the Cyber AB, must achieve ISO/IEC 17020 certification, and employ CMMC Certified Assessors to perform official assessments on behalf of the DoD.
What are C3PAOs (CMMC Third-Party Assessment Organizations)?
According to the Cyber AB, this acronym identifies the official curriculum designation that training materials must achieve after development by an APP and submission for third-party review. Only courses utilizing materials bearing this designation, delivered by approved instructors through ATPs, are valid for preparing candidates for CAICO certification programs and DoD recognition.
What is CATM (CMMC Approved Training Materials)?
The interconnected network of organizations, entities, and processes involved in the implementation, assessment, and certification of the Cybersecurity Maturity Model Certification (CMMC) framework.
What is the CMMC Ecosystem?
Once an OSC successfully passes a CMMC assessment and obtains certification, that certification remains valid for this period of time. Throughout this period, OSCs must submit annual affirmations attesting to continued compliance, and the certification may be required for exercising option periods on existing contracts with the Department of Defense.
What is three (3) years?
According to the Cyber AB fee schedule, this is the application fee for an organization to become a Registered Practitioner Organization. This fee includes application processing and membership registration, which are non-refundable. The annual renewal fee to maintain RPO designation is $5,000, and the organization must maintain association with at least one RP.
What is $6,000?
This entry-level CMMC certification is mandatory before pursuing advanced roles such as CMMC Certified Assessor (CCA) or CMMC Certified Instructor (CCI), ensuring a solid foundation in the CMMC framework and ecosystem.
What is the prerequisite relationship of the CCP certification for advancing to CCA or CCI?
According to the Cyber AB, this individual certification authorizes teaching the CMMC framework to candidates seeking to become assessors. Currently offered as a Provisional Instructor program, individuals holding this credential must work for either an APP as a subject matter expert assisting in curriculum development, or an ATP assisting in development and delivery of certification courses.
What is CCI (CMMC Certified Instructor)?
This international standard provides requirements for the competence, consistent operation, and impartiality of bodies certifying persons. CAICO is required to achieve and maintain accreditation to this standard before it can certify individual assessors and instructors, ensuring that processes used to train and certify CMMC professionals meet globally recognized standards.
What is ISO/IEC 17024?
OSCs are initially responsible for performing this critical activity, which involves identifying all assets that process, store, or transmit FCI or CUI using the appropriate CMMC Assessment Scope Guide. Accurate performance of this activity prevents gaps and ensures every relevant system is included in the assessment, defining what must be protected and evaluated by the C3PAO.
What is scoping (determining the CMMC Assessment Scope)?
According to the Cyber AB, RPs and RPAs are granted this many attempts to pass the final exam required for their designation. If the applicant is NOT able to pass the exam by their final attempt, they will need to reapply after a 30-day cool-down period, losing any previously paid fees and starting the application process over.
What is two (2) attempts?
According to the Cyber AB, all CCP and CCA candidates must complete this mandatory DoD training course, available at securityawareness.dcsa.mil, which provides foundational knowledge about protecting sensitive government information. This training must be completed no earlier than three months prior to taking the certification exam.
What is DoD CUI Awareness Training (DoD Mandatory Controlled Unclassified Information Training)?
According to the Cyber AB, this is the type of financial review conducted by CAICO that both ATPs and APPs must pass as part of their vetting process. This review, conducted through a major credit reporting agency, verifies the financial stability and credibility of organizations seeking to develop curriculum or deliver training within the CMMC ecosystem.
What is an Experian financial review?
This international accreditation standard provides requirements for the competence, consistent operation, and impartiality of accreditation bodies assessing and accrediting conformity assessment bodies. The Cyber AB must achieve and maintain accreditation to this standard before it can accredit C3PAOs to conduct official CMMC assessments on behalf of the DoD.
What is ISO/IEC 17011?
After completing a Level 1 self-assessment, contractors must affirm compliance in this DoD database system. For Level 2 self-assessments involving non-critical CUI in non-prioritized acquisitions, organizations also submit their results and annual affirmations to this system, which tracks contractor cybersecurity compliance across the Defense Industrial Base.
What is SPRS (Supplier Performance Risk System)?
According to the Cyber AB fee schedule, this is the annual renewal fee for maintaining Registered Practitioner Advanced designation. If an individual holds both RP and RPA designations, they only need to pay this higher renewal fee rather than renewing both separately. The initial RPA application, training, and testing fee is $1,000.
What is $750?
According to the Cyber AB, this entry-level certification is for individuals seeking to become responsible for the assessment, examination, verification, and review of an organization for compliance to CMMC standards. As holders of this credential with a favorable Tier 3 determination, individuals can participate on CMMC Level 2 assessments but only to verify Level 1 practices under supervision of a CCA.
What is CCP (CMMC Certified Professional)?
According to the Cyber AB, it is important that individuals seeking assessor training understand that only training successfully completed with a Provisional Instructor through an ATP authorized by this organization is valid for preparing for the certification programs. The DoD and this organization use administrative tracking protocols between themselves and ATPs to validate trained and certified assessors.
What is CAICO?
This oversight mechanism within the Cyber AB organizational structure reviews assessment practices, evidence handling, assessor behavior, and compliance with procedural rules. It issues corrective actions and suspensions where necessary to protect the program's credibility and ensures that all C3PAOs and assessors maintain the standards required for consistent, unbiased assessments across the ecosystem.
What is the Cyber AB Quality Management System (QMS)?
Starting on this date, DoD contracting officers can begin including CMMC requirements in new solicitations. Organizations responding to these solicitations must meet the specified CMMC level to be eligible for contract award, and CMMC certification will be required at contract award for applicable contracts involving FCI or CUI.
What is November 10, 2025?
To qualify for the Registered Practitioner Advanced program, candidates must have achieved their RP status within a specific eligibility window. According to the Cyber AB, this window begins in September 2020 and extends to no greater than this timeframe from the current date of applying for RPA, ensuring candidates have recent and relevant RP experience.
What is two (2) months?
According to the Cyber AB requirements grid, this is the background investigation level required for CCPs and CCAs to participate on CMMC Level 2 or higher assessment teams. Candidates must achieve a favorable determination conducted by DCMA, or possess a NAC (National Agency Check), DHS Suitability credential, or other DoD accepted clearance to handle CUI during assessments.
What is Tier 3?
According to the Cyber AB requirements grid for CMMC Certified Instructors, candidates must achieve a favorable Tier 3 investigation determination or equivalent conducted by DCMA, or possess a NAC (National Agency Check) or other DoD accepted clearance. These requirements ensure instructors can handle sensitive CMMC information and maintain the security standards expected of those training future assessors.
What are the Background Investigation Requirements for a CMMC Certified Instructor?
The CMMC PMO operates under this office's authority and is responsible for monitoring Cyber AB performance, reviewing Cyber AB decisions as part of program oversight, and evaluating alleged conflicts of interest that may influence Cyber AB objectivity. This authority retains prerogative to address problems pertaining to effective Cyber AB performance of assigned roles within the ecosystem.
What is the DoD CIO(CS) (Department of Defense Chief Information Officer for Cybersecurity)?
According to the Cyber AB guidance for DIB Companies, prime contractors should take steps to prepare these entities for CMMC compliance, as the specific contract awarded will determine the required CMMC certification level for each organization in the supply chain. This ensures protection extends throughout multi-tier supply chains, accounting for information flow-down as required by the CMMC program and DFARS requirements.
What are subcontractors?
According to the Cyber AB, for candidates who reside outside the United States, this additional fee applies for international background checks. This amount is billed separately from the standard application, training, and testing fees, and must be paid in US dollars as part of the registration process for RP, RPA, or RPO designation.
What is $125 USD?
According to the CMMC Assessment Process, this is the CCA who oversees and manages a dedicated CMMC Assessment Team for the assessment of an OSC. This individual holds formal designation from the Cyber AB, facilitates coordination with the OSC, ensures assessment methods follow the CAP, and has the authority to make final scoring determinations for each practice before submitting results to the C3PAO for review.
Who is the Lead Assessor (Lead CCA)?
According to 32 CFR Part 170, the CAICO must maintain records for this period of time for all procedures, processes, and actions related to fulfillment of certification requirements. The CAICO must also provide the Accreditation Body access to those records, ensuring accountability and enabling oversight of the assessor and instructor certification programs.
What is six (6) years?
During a Level 2 assessment, an OSC disputes the assessor’s interpretation of a control. The assessor cites the Assessment Guide, but the OSC insists the Model wording is ambiguous and claims the assessor is misapplying intent. The C3PAO escalates the issue, as it may affect multiple ongoing assessments. Only this authority can formally resolve conflicts between the CMMC Model, the CAP, and assessment interpretation to determine the official meaning.
What is the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S))?
CMMC is poised to be the largest and most ambitious cybersecurity conformance regime ever established, with this estimated range of companies within the Defense Industrial Base potentially subject to CMMC mandates. While not every DIB company will necessarily require certification, most eventually will need to demonstrate compliance to continue doing business with the DoD.
What is 200,000 to 300,000 companies?
According to the Cyber AB, all application submissions have this expiration period. If candidates do not take the next steps to complete the process, such as training and testing, their application will expire after this timeframe from the date of applying. Candidates will lose any fees paid and must re-apply to start the application process over from the beginning.
What is one (1) year?
According to the CMMC Assessment Process, this formally trained individual is responsible for ensuring assessment documentation completeness and accuracy. Each C3PAO is required to have at least one on staff for ensuring all assessment packages are reviewed and validated for procedural integrity prior to upload into eMASS or any other official CMMC repository system or application.
Who is the CQAP (CMMC Quality Assurance Professional)?
This is the temporary transitional instructor designation in CMMC 2.0. They are designated by CAICO to teach CCP and CCA courses during the phase-in of the new program, but their authority sunsets 18 months after December 16, 2024 (approximately mid-2026). After that date, only fully certified CMMC Certified Instructors (CCIs) may instruct.
What is a CMMC Provisional Instructor (PI)?
A contractor submits a high SPRS score but cannot produce sufficient evidence to support many claimed practices. The DoD decides to validate whether the contractor accurately represented its cybersecurity posture and whether enforcement action may be warranted. This responsibility falls on the DoD entity overseeing self-assessment oversight and compliance with NIST SP 800-171.
What is the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)?
The worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. It includes domestic and foreign entities, with private-sector companies ranging from small suppliers to large prime contractors, as well as government-owned or government-operated facilities and laboratories.
What is the Defense Industrial Base (DIB)?
According to the Cyber AB, this is the approximate registration duration for becoming a Registered Practitioner, Registered Practitioner Advanced, or Registered Practitioner Organization. This timeframe includes the processing of the required background check, whether commercial for individuals or organizational through Dun & Bradstreet for RPOs using their DUNS number.
What is approximately three (3) weeks?
According to the Cyber AB, this is an authorized CMMC Assessor who has the full authority of a CMMC Certified Assessor for a limited period and is listed on the CMMC Marketplace. Assessments conducted by these individuals prior to finalizing CMMC rule changes may require additional review before they will be certified by the Cyber AB.
What is PA (Provisional Assessor)?
These interim roles are subject to official sunset deadlines. Individuals must transition to fully certified CCP, CCA, or CCI status within the established timeline to remain active within the CMMC ecosystem.
What are the sunset requirements for Provisional Assessors and Instructors?