C3PAO CMMC Maturity Certification
To Perform Assessments at Maturity Level 2 (ML-2) and above
- C3PAOs shall not be accredited to conduct CMMC assessments at Level 2 or higher until achieving CMMC Level 3 certification themselves.

Assessment Data Storage Infrastructure
- C3PAOs will not be allowed to store, process, handle, or transmit CUI until the information systems (internal and external) used by the C3PAO are certified by Government assessors from the DCMA to be CMMC ML-3.
- If a C3PAO uses an external cloud service provider to store, process, or transmit CUI, the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline and, in particular, DoD Impact Level 4 (IL4).
- If a C3PAO uses an external cloud service provider, the C3PAO remains responsible for addressing the cybersecurity gaps that exist between the FedRAMP High baseline and CMMC Level 3.
- If a C3PAO selects services from an external cloud service provider that have not been FedRAMP authorized, the C3PAO is responsible for independently assessing the cloud service provider and for providing that assessment information to DCMA as part of the C3PAO's own CMMC Level 3 assessment.

Assessment Team Composition
- Provide assessment team members with an active NAC, DHS Suitability, or other DoD-accepted clearance.
- The CMMC-AB will be authorized to sponsor clearances for those organizations that do not currently contract with the U.S. government. Details will be announced when available.