Happy New Year! Schellman is excited to announce that prior to the holidays, we were approved as one of the first CMMC 3rd Party Assessor Organizations (C3PAO) by the CMMC Accreditation Body (CMMC-AB). This service complements our leadership as the #2 provider of FedRAMP assessments and makes Schellman the first and only company in the world that is a licensed CPA firm, globally accredited Payment Card Industry Qualified Security Assessor (PCI QSA) company, ANAB and UKAS accredited ISO certification body, HITRUST assessor, FedRAMP 3PAO, and now CMMC C3PAO all under one single legal entity.
The CMMC program defines a standard set of practices and processes designed to protect controlled unclassified information (CUI) and federal contract information (FCI) within the DoD supply chain. The standard, published earlier this year, with the first assessment guide released earlier in December, takes a tiered approach to certification based on the type of information handled by the contractor or supplier and the risks presented to DoD systems and information.
See Schellman’s previous publications on CMMC
We expect many questions from our clients related to Schellman as a C3PAO. We have prepared information below for some of the initial anticipated questions:
Is it FedRAMP 2.0?
No, CMMC is not another FedRAMP with broader scope. The recently published audit guide states that the assessors' focus is on the practices and processes around protecting systems that house CUI. In that respect, we expect this assessment to have more of an ISO 27001 flavor than a FedRAMP one.
When can we start and how fast can I get certified?
At this time, the only companies permitted to undergo CMMC certification are those that fall under the initial DoD pathfinder contracts. Those assessments are being prioritized by DoD, and if you are a subcontractor on one of those contracts, the prime should inform you. Additionally, all C3PAOs still have to undergo assessments of themselves by DoD, which as of this date has not occurred for any C3PAO.
At this point, we estimate late Q2 or early Q3 for those not in the pathfinder program. So, while we are as excited as you are about your certification, it is not something that can be completed until the DoD and CMMC-AB prioritize it. As a result, we cannot fully commit to dates for certification at this time.
Can you help us prepare?
No. As with ISO and FedRAMP, Schellman will be an independent, assessment-only firm for CMMC. We have found that not providing an advisory service has allowed Schellman to perform high-quality assessments without conflict of interest, often working alongside our clients and their consultants. We are happy to point you in the direction of qualified consultants and RPOs.
How much does it cost?
The assessment guides were published just over a week ago and we are still getting updates and guidance from the CMMC-AB. There are levels of certification based on the type of information accessed or stored by the contractor. We expect that most of our clients will be either Level 1, which is for handling FCI, or Level 3 for handling CUI. Levels 4 and 5 are likely to be specified by the DoD contracts you may participate in. It is not correct to infer that one level is “better” than another as they have defined use-cases in the guidance.
Additionally, scope is critically important. The number of systems that handle CUI, persons, locations, and applications all play into what gets covered by the audit. A key role the RPO advisors are playing is to help define, if not limit, the scope of CUI and FCI in an environment.
In the meantime, please do not hesitate to reach out to us with questions. We are always happy to schedule a consultation to discuss where you are and where we can assist. Additionally, as we are actively involved with the CMMC-AB we will be sharing updates as we learn them.
Thank you for your continued support.