Organizations Seeking Certification (OSC) face a technically rigorous process. Selecting an assessor with the necessary domain, IT, and cybersecurity experience to understand the unique factors of your environment, your security controls, and your business processes is critical to achieving Cybersecurity Maturity Model Certification (CMMC) in an efficient and timely manner.

That kind of knowledge and ability is why organizations across the Defense Industrial Base (DIB) rely on Coalfire Federal, one of the first CMMC Third Party Assessment Organization (C3PAO) candidates.


Why choose Coalfire Federal to be your C3PAO?

  • Experience. We are a Defense Industrial Base (DIB) organization with over 20 years of experience working with other organizations across the DIB to assess security posture and support NIST 800-171, ITAR, and EAR compliance programs.
  • IT, cybersecurity, and risk management expertise. While we have an established methodology, we don’t operate off a checklist. We are able to understand your environment, your security controls and business processes. Where others without the same frame of reference and capabilities may not understand your business and operational requirements, we are able to leverage our experience to determine how your environment meets the intent of a practice and demonstrates the necessary level of fidelity.
  • For us, the mission is what is most important. As a leading cybersecurity services provider to the federal government and Defense Industrial Base, Coalfire Federal is committed to protecting the mission of the DoD and its supply chain.
  • We know how to conduct assessments. Coalfire is the largest and most experienced FedRAMP Third Party Assessment Organization (3PAO), having conducted over 100 FedRAMP assessments (40% of the marketplace), more than twice as many as any other 3PAO.
  • We know your time is valuable. Coalfire Federal will understand your environment and the security tools, controls, and policies you’ve put into place to protect it. We will complete the assessment process quickly and efficiently, ensuring the legitimacy of the results while minimizing the impact on your team and the overall cost of the assessment.
  • Resource Capacity. We have built one of the largest, most qualified, most experienced teams of certified professionals.

What is the CMMC Assessment Process?

A C3PAO is an independent service provider that audits defense contractors to verify their CMMC compliance efforts. The C3PAO forwards its findings to the DoD, which then issues the certification. 

All prospective C3PAOs must receive authorization from the CMMC Accreditation Body (CMMC-AB), a not-for-profit organization serving as the DoD’s certification partner. 

Step 1:

OSCs begin the assessment process by selecting a C3PAO to conduct their assessment.

Step 2:

The C3PAO assigns a Certified Assessor (CA) who works with the OSC’s sponsor and other key points of contact to review the scope of the assessment, complete a contract, and schedule the assessment.

Step 3:

The assessment begins with a kick-off session followed by one or more days during which the assessment team conducts interviews and reviews documentation and evidence. The number of days depends on the desired certification level.

Step 4:

The assessment team evaluates each practice, following the guidelines and criteria established by the CMMC-AB, and grades it as either pass or fail.

Step 5:

The assessment team then summarizes its findings and prepares a recommendation report that is reviewed with the OSC.

Step 6:

The C3PAO then reviews the CA’s recommendation and forwards it to the CMMC-AB for approval.

What Are the Benefits of Working With a CMMC C3PAO?

While a primary function of a C3PAO is to serve as a CMMC auditor, it can also provide a host of additional services for defense contractors. Because the program is brand new, most contracting businesses are unfamiliar with the compliance requirements, which can leave them unprepared for an audit. A qualified CMMC third-party assessor organization can provide training to educate clients on the framework. 

An assessor can also conduct a gap analysis to provide its clients with an objective review of their organization’s compliance at one or more of the five certification levels. It can then develop and implement a comprehensive strategy for closing the gap by taking appropriate remediation steps. Additionally, the C3PAO can perform a readiness review to ensure the client has the mandated controls in place and that they work correctly. Finally, it can conduct the assessment and report the findings to the DoD.

How to Determine if Your Organization is CMMC Certification Ready

Being CMMC certification-ready means your organization has satisfied all CMMC practice and process requirements at the required maturity level for the portion of your environment subject to CMMC. It also means that you have developed evidence and documentation to demonstrate process maturity. Start by seeing if you can respond “yes” to each of the following statements:

  • My organization has a clearly defined FCI/CUI boundary.
  • My organization has a centrally managed/tracked inventory.
  • My organization has a formally approved System Security Plan (SSP).
  • My organization has formally approved plans, policies, and procedures.
  • My organization conducts vulnerability scans and remediation on a scheduled basis.
  • My organization has identified and satisfied all CMMC practice and process requirements for the maturity level at which I am seeking certification.
  • My organization has identified a preferred C3PAO.

How Do I Prepare for the Certification Assessment?

Readiness review
A readiness review conducted by a C3PAO can help you prepare for the CMMC assessment. During the readiness review, the C3PAO will explain the certification assessment process and describe necessary documentation, level of detail, and time period. At the conclusion of the readiness review, the C3PAO will provide an opinion: “Prepared” or “Not Prepared.”

Mock assessment
Organizations can also request that a C3PAO conduct a mock assessment, which mimics an actual CMMC assessment. At the conclusion, the C3PAO provides an assessment report with its recommended findings regarding the existence of any discrepancies. The C3PAO provides no advice; it simply communicates its findings.

Coalfire Federal Assessment Service Offerings

Coalfire Federal offers three CMMC assessment services, and each is available for maturity levels 1 and 3. Service offerings for maturity levels 4 and 5 will be added once the CMMC-AB authorizes C3PAOs to provide services at those levels.

  • CMMC Readiness Review. A readiness review helps an organization prepare for the actual CMMC assessment and assists in determining whether or not the organization is ready. The CMMC assessment process will be explained, and the C3PAO will describe the necessary evidence and documentation to have available, as well as the time period and level of detail required. At the conclusion of the readiness review, a “Prepared” or “Not Prepared” opinion will be provided.
  • CMMC Mock Assessment. The mock assessment is conducted as if it were an actual CMMC assessment. Each practice and process will be assessed by applying the CMMC evaluation criteria to determine whether it is satisfied and demonstrates process maturity. At the conclusion, an assessment report is provided with recommended findings regarding any discrepancies.
  • CMMC Certification Assessment. Coalfire Federal is not yet authorized to conduct CMMC Certification Assessments; we anticipate becoming an Authorized C3PAO in early 2022.

The CMMC assessment strictly follows the CMMC-AB Assessment Guide to apply the CMMC verification criteria for each practice and process to determine whether it is satisfied and whether it demonstrates process maturity. At the conclusion, an assessment report will be provided, and if no discrepancies are determined, the appropriate CMMC certificate will be issued. A copy of the assessment report and CMMC certificate are also submitted to the DoD.

Protect the Mission: Contact Coalfire Federal Today

To learn more about CMMC C3PAO services, call us at 877-224-8077 today. You can also complete and return our online contact form for additional information.