Jan 25th 2024

CMMC Assessment - C3PAO Selection Considerations

Note: This is a guest article by Cybersec Investments, a CMMC Third Party Assessment Organization (C3PAO).

You’ve spent untold hours over the past 12-24 months and thousands to tens of thousands of dollars to implement NIST 800-171 controls. You are now ready to find a C3PAO to perform a third-party assessment so you can earn your coveted status as being CMMC certified to use for marketing purposes and to get your Prime contractors off your back.

If you have experience with PCI DSS, SOX, SOC 2 or other 3rd party assessment schemes, you know first-hand that not all assessors/auditors are:

  1. Technically competent;
  2. Proficient in running a concise and efficient audit/assessment;
  3. Able to maintain objectivity due to Conflicts of Interest (COI); and/or
  4. Able to display the necessary professionalism by willing to listen to reason (e.g., understand your business practices).

Technical Competence Considerations

A “cybersecurity professional” can mean many things, since there are specialties within this profession and that means not all cybersecurity practitioners have the same skillsets. There is nothing wrong with generalists, except when it comes to scenarios where you need a specialist. A few examples include:

  • An assessment that includes the configuration of specialized technologies (e.g., SQL databases, load balancers, VPN concentrators, etc.) require someone with the competence and appropriate knowledge to determine “what right looks like” to perform a technical control review.
  • If your cloud service provider is Microsoft GCC-High, you need to make sure that the assessment team has specialists who have experience in GCC-High. The same goes for Amazon GovCloud, etc.

Questions to ask your C3PAO about technical competence:

  1. Does your assessment team have proven experience in the technology that will be assessed?
  2. Do members of the assessment team hold industry certifications to demonstrate their competence?
  3. How many similar technical environments has your team assessed?

Auditor / Assessor Experience

Within the CMMC ecosystem, it is not uncommon for the C3PAO to rely upon “hired guns” who are contracted CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) who make up the C3PAO’s assessment team. These are generally 1099 contractors who the C3PAO brings in for CMMC assessments. Where this can get into issues is with how the team functions. This arrangement of using 1099s is not a bad thing, unless there is no previous work with those assessment team members. You want to avoid a random assortment of assessors who have never worked with each other before, since that can spell disaster.

Questions to ask your C3PAO about the assessment team:

  1. From a technology perspective, what tool does your assessment team use? If they are just using an Excel spreadsheet, can you evaluate its quality (even if it is just a screen sharing review)?
  2. Are the CCAs & CCPs employees or contractors?
  3. How many CMMC assessments has this specific team performed together?
  4. Do your contractors have enforceable Non-Disclosure Agreements (NDAs) in place?
  5. How does the assessment team conduct it peer review process to ensure the findings are properly reviewed for legitimacy?

Objectivity / Conflict of Interest (COI) Concerns

All members of the C3PAO ecosystem must abide by the CMMC Code of Professional Conduct that states members must avoid the appearance of, or actual, conflicts of interest where possible. In 2024, the CMMC Proposed Rule added that the Cyber AB must require those in the C3PAO ecosystem to actively avoid in participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest. That is expected and should be unsurprising. However, several existing C3PAOs currently offer consulting services to help clients achieve CMMC readiness.

When it comes to selecting a C3PAO, it is necessary to identify COI scenarios that would preclude your preferred C3PAO from performing a CMMC assessment. Scenarios that may constitute COI include, but are not limited to:

  • Paid or Unpaid Advisory Services. If a C3PAO is providing advice or recommendations on improving the organization’s compliance, this is an advisory service (e.g., here’s how you should implement this control or here’s how to implement this control).
  • Consulting Services. If the C3PAO, or a member of the assessment team, was employed to perform consulting services for the Organization Seeking Assessment (OSA). This is where “hired guns” on the assessment team could be troublesome if there is a pre-existing business relationship (e.g., history of consulting with the OSA).
  • Utilizing C3PAO Products & Services. Some C3PAOs sell CMMC-specific products and services to help OSAs improve their compliance posture. For example, if a C3PAO sells documentation templates or “how-to” guides on how to configure your environment to meet compliance, then the C3PAO cannot assess that organization. Those products and services are a COI.

Questions to consider about conflicts of interest with your C3PAO:

  1. If the C3PAO offers advisory services, did you use their guidance to implement your CMMC program? This includes individual CCAs and CCPs, who may offer their own advisory services apart from the C3PAO.
  2. Did you ever leverage the C3PAO’s consulting services? This includes individual CCAs and CCPs, who may offer their own consulting services apart from the C3PAO.
  3. Did you leverage templates sold by the C3PAO (e.g., policies, standards, procedures, SSP, etc.)? This includes individual CCAs and CCPs, who may offer their own documentation services apart from the C3PAO.
  4. Did you leverage “how to guides” by the C3PAO (e.g., reference models, technology configuration guides, etc.)? This includes individual CCAs and CCPs, who may offer their own advisory services apart from the C3PAO

Common Sense Approach

You want to work with a C3PAO that you can feel comfortable with, which includes the CCAs and CCPs who are part of the assessment team. This is where you want to perform due diligence, such as:

  • Asking for references / referrals from other OSA that have used the C3PAO for CMMC assessment services.
  • Reading through their website to see if there is a specialization in being a C3PAO or if it is merely an added service it offers.
  • Reviewing articles and comments on LinkedIn by members of the assessment team.
  • Watching available online videos (e.g., YouTube) from members of the assessment team who may have served as speakers at CMMC conferences.
  • In writing, obtaining the actual procedures that exist for the OSA to challenge the CMMC assessment team to the leadership of the C3PAO.

Questions to consider about your C3PAO and assessment team:

  1. Do I agree with their reasoning (e.g., LinkedIn articles, videos, conference presentations)?
  2. Would their approach be in conflict with how the OSA approaches a specific topic?
  3. How does the C3PAO react to challenges during the assessment?

Those due diligence activities should provide you with a pretty clear understanding of who those CMMC practitioners are and if they appear to have a “common sense approach” towards CMMC and assessment services. You may find that you completely disagree with their understanding of certain topics, which should raise red flags. It is far better to find that out before you sign a contract that in the middle of the actual assessment process.