Lazarus Alliance Receives C3PAO Designation: A CMMC 2.0 Primer

In an era where cyber threats are constantly evolving, the importance of robust cybersecurity practices in the Department of Defense (DoD) supply chain can never be underestimated. The DoD relies on a vast network of defense contractors to support its mission, making protecting sensitive information in the supply chain a critical concern. In response to this need, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) as a comprehensive framework to enhance the security posture of defense contractors and minimize the risk of cyber threats and data breaches.

The original CMMC framework, while effective, raised concerns among industry stakeholders, particularly regarding its accessibility for small and medium-sized businesses that work with the DoD. As a result, the DoD revised and updated the framework, introducing CMMC 2.0 to address these concerns and streamline the certification process.

We're discussing this critical security framework to mark the Lazarus Alliance receiving our CMMC Third-Party Assessment Organization (C3PAO) accreditation. This article will provide an in-depth look at the key changes introduced in CMMC 2.0, how defense contractors can benefit from the updated framework, and guidance on preparing for CMMC 2.0 certification.

What Is CMMC 2.0?

CMMC version 2.0 is a revised version of the original CMMC framework released in November 2021 to address industry stakeholders' concerns and make it more accessible for small and medium-sized businesses that work with the DoD. The revised version simplifies the certification process, reduces costs, and streamlines compliance requirements for companies in the defense industrial base (DIB).

Version 2.0 retains the core mission of version one, namely defining requirements to protect Controlled Unclassified Information (CUI) in contractor systems.

Key changes in CMMC 2.0 include:

  • Consolidation of Maturity Levels: The original CMMC had five levels of maturity. CMMC 2.0 consolidates these into three levels: Foundational, Advanced, and Expert, with each level tied explicitly to NIST Special Publications 800-171 and 800-172. This simplification makes it easier for organizations to identify the appropriate level of cybersecurity required for their specific contracts and work with the DoD.
  • Permitted Self-Assessment: Unlike the original CMMC, which required third-party assessments for all levels, CMMC 2.0 allows organizations at the Foundational level to self-assess their cybersecurity practices, reducing costs and administrative burden. Self-assessments can lower the cost of compliance for small and medium-sized businesses that may not have the resources to spend on third-party assessments.
  • Continuous Monitoring: CMMC 2.0 emphasizes continuous monitoring of cybersecurity practices rather than relying solely on point-in-time assessments. This helps ensure that organizations maintain robust security practices throughout their contracts with the DoD.
  • Alignment with NIST SP 800-171 and ISO 27001: Aligning CMMC 2.0 with other well-established standards makes it easier for organizations that already adhere to these standards to demonstrate their compliance with CMMC requirements. This means simplified documentation and compliance work without sacrificing security or accountability.

What Does a C3PAO Do?

A C3PAO is an organization authorized by the CMMC Accreditation Body (CMMC-AB) to conduct independent assessments of defense contractors' cybersecurity practices against the requirements of the CMMC framework. These organizations ensure that defense contractors within the DoD supply chain adhere to the appropriate cybersecurity standards.

C3PAOs are responsible for the following tasks:

  • Performing Assessments: C3PAOs conduct assessments of defense contractors' cybersecurity practices and controls based on the relevant CMMC maturity level. These assessments help determine if a contractor's security posture meets minimum CMMC requirements for handling CUI.
  • Providing Assessment Reports: After completing an assessment, the C3PAO prepares a detailed report outlining the findings, including any identified gaps or weaknesses in the contractor's cybersecurity practices.
  • Recommending Certification: If a contractor successfully meets the requirements of their target CMMC maturity level, the C3PAO will recommend that the CMMC-AB grant the contractor the appropriate certification.

To become a C3PAO, an organization must undergo a rigorous application and vetting process, including meeting specific requirements and demonstrating competence in assessing cybersecurity practices. Additionally, they must adhere to the CMMC-AB's Code of Professional Conduct and maintain accreditation through ongoing professional development and adherence to the evolving CMMC framework.

A C3PAO, however, must maintain strict standards of objectivity. For example, a C3PAO cannot provide consulting services to a client they are assessing for CMMC certification. This restriction is in place to ensure that the C3PAO maintains impartiality, objectivity, and independence during the assessment process, avoiding any potential conflicts of interest.

However, defense contractors seeking consulting services to help prepare for CMMC certification can engage with Registered Provider Organizations (RPOs) not part of the C3PAO conducting their assessment. The CMMC Accreditation Body (CMMC-AB) authorizes these organizations and individuals to provide consulting services. They can help contractors understand the CMMC requirements, identify gaps in their cybersecurity practices, and develop plans to achieve compliance.

An organization can function as both an RPO and a C3PAO, but only for different clients.

How Can Contractors Prepare for CMMC 2.0 Authorization?

Contractors can prepare for CMMC 2.0 by taking several key steps to ensure their cybersecurity practices meet the requirements. Here are some recommendations:

  • Familiarize Yourself with CMMC Requirements: Start by thoroughly reviewing the CMMC 2.0 framework and its guidelines. Understand the differences between the three maturity levels (Foundational, Advanced, and Expert) and determine which level is appropriate for your organization based on the contracts you have or plan to pursue with the DoD.
  • Assess Current Security Practices: Conduct a comprehensive assessment of your organization's cybersecurity practices to identify any gaps or weaknesses that must be addressed. This process may include reviewing policies and procedures, evaluating security controls' effectiveness, and identifying improvement areas.
  • Create a Compliance Plan: Develop a detailed plan outlining your organization's steps to achieve and maintain compliance with CMMC 2.0 requirements. This plan should include timelines, resources, and responsibilities for implementing necessary changes and improvements to your cybersecurity practices.
  • Seek Assistance from an RPO: If you need clarification on any aspect of CMMC 2.0 compliance, consider seeking help from external experts, such as cybersecurity consultants or managed security service providers that function as RPOs. These professionals can provide guidance on best practices and help you navigate the complexities of achieving and maintaining compliance.
  • Prepare for Third-Party Assessment: For organizations seeking Advanced or Expert certification, identify a qualified C3PAO and coordinate the assessment process with them. Note that, because of the independence requirement described above, this cannot be the same company that provided your consulting support. Further note that the CMMC-AB maintains an online, up-to-date directory of authentic C3PAOs.

By following these steps, defense contractors can better prepare themselves for the certification process and ensure they are well-equipped to protect sensitive information and maintain robust cybersecurity practices.

Lazarus Alliance Has Received C3PAO Status

Alongside our extensive certification body status, and authorizations for services like StateRAMP, FedRAMP, and NIST 800-53 to name just a few, we have now achieved CMMC C3PAO status, making us one of only 38 security providers in the world to do so.

As more service and cloud providers move to support the defense supply chain, they'll find that they must meet the stringent requirements of CMMC. That will require a trustworthy C3PAO to conduct their CMMC audit.
