• Rick Palermo

Don't Fall for CMMC Offers Quite Yet!

The Cybersecurity Maturity Model (CMMC) version 1.0 was published a little less than two weeks ago, and already companies are offering assessments, certifications, and solutions. Funny, because when you ask the CMMC Accreditation Body (CMMC-AB), none of these things should be available. Why? Because as of 11 February none of it exists yet.

I’ve seen ads from companies claiming to be Certified Third Party Assessors (C3PAO), but according to the CMMC-AB, they don't know when you will be able to register to become an official C3PAO. They don't know the rules for what it takes to become a C3PAO in good standing. And they don't know the fees or details associated with the process.

C3PAOs will provide trained Assessors to certify companies. According to the CMMC-AB, Assessors will receive a license from the CMMC-AB, at a level that matches the assessments they are permitted to conduct, after completing the required training. As for the training, the content, structure, levels, etc. have not yet been determined. Since training does not yet exist, there are no locations approved to provide certified CMMC Assessor Training.

If you have a DoD contract, you should definitely be thinking about what CMMC certification Level you will need to achieve, and you should start reviewing the controls published in the CMMC v1.0 Appendices. But don't fall for would-be C3PAOs' and Assessors' sales pitches quite yet. They don’t exist!
