DoD Issues Accreditation Body RFI


DoD Issues Accreditation Body RFI


Oct. 7th, 2019

An RFI has been issued to gather information on establishing a non-profit to act as the Accreditation Body for the Cybersecurity Maturity Model Certification.

(And it’s cleared up some of the process for us)

The Office of the Undersecretary of Defense (Acquisition & Sustainment) (OUSD(A&S)) in the Department of Defense has issued an RFI (Request for Information), found here, to determine if a non-profit entity could successfully function as the Accreditation Body for CMMC. Some of the RFI key points follow:

• The Accreditation Body Will be a Non-Profit Organization.

The Government’s goal is for a non-profit organization to become the Accreditation Body that will handle a number of activities within CMMC and do so using revenue generated through dues, fees, partner relationships, conferences, etc. The Government will not be funding or providing resources to the Accreditation Body.

The figure depicts the program relationships
among the major components of the CMMC Program.

CMMC Organizational Relationships

• Auditors Now Have an Official Title: C3PAOs (CMMC Third Party Assessment Organizations).

Auditors that become accredited will be referred to as CMMC Third Party Assessment Organizations (C3PAOs). After accreditation they will conduct CMMC assessments and grant CMMC certifications to eligible contractors.

• Assessments for Certification Will be Conducted On-Site.

CMMC Assessments will be evidence-based, on-site evaluations of the capabilities, practices, and process maturity defined in the CMMC model. They will be conducted by C3PAOs. The estimated number of organizations requiring CMMC certifications is 300,000 with a high majority of those being micro-, small- and mid-sized. Each assessment will be conducted by a credentialed independent assessor working for an accredited C3PAO.

• The CMMC Accreditation Body Will be Responsible for Managing, Operating and Sustaining the CMMC program.

The CMMC Accreditation Body will conduct, but is not limited to, the following ongoing activities:

– Accredit C3PAOs

– Conduct CMMC Training for C3PAOs and Assessors

– Implement Individual Assessor and C3PAO Quality Control Programs

– Coordinate and report metrics with the CMMC PMO

– Maintain the Reference Implementation Assessment Tool

– Manage and maintain CMMC assessor training and associated assessment guidance

– Manage and maintain CMMC supporting systems and databases (records management, knowledge sharing and marketplace, artifact store)

– Manage the dispute resolution process to adjudicate C3PAO technical appeals and complaints.

The figure below is a notional functional decomposition that describes potential areas of work associated with the CMMC Accreditation Body Activities.

CMMC Accreditation Body Functional Decomposition

• OUSD (A&S) is Seeking Input from Industry on the Following:

• Approaches that meet the Government’s intent for the Accreditation Body.

• Potential CMMC Accreditation Body organizational structure.

• Potential CMMC Accreditation Body financial arrangements (i.e. business model).

• Extent of interest a non-profit has in performing one or more of the functions of the Accreditation Body.

• Areas where the CMMC Accreditation Body can leverage established organizations, standards, tools and automation opportunities.

Responses to this RFI are due by 10/21/19. To learn more about the CMMC, visit our CMMC page.