3PAOs, or Third Party Assessment Organizations, are entities certified to help cloud service providers and government agencies meet FedRAMP compliance requirements. 3PAO assessments are needed to make informed authorization decisions about cloud products and services. In this article, we explain the different levels of 3PAO authorization.
The CMMC Accreditation Body announced earlier this year that third-party assessment organizations pass through several stages, each of which represents a different status. A C3PAO therefore falls into one of four categories: applicant, candidate, authorized, or accredited. Since the CMMC Accreditation Body made this announcement, the majority of the C3PAOs on the Marketplace have been listed as candidates rather than as fully fledged C3PAOs. Under these rules, each organization is assigned a term that describes its status. Here is a brief overview of those terms (the stages of authorization).
C3PAO applicants are companies that have paid a $1000 fee to the CMMC Accreditation Body to request C3PAO status. This is the initial stage of the authorization process; it includes evaluating the applicant for national conflicts of interest and performing a complete background check of the entire organization. Companies in this initial category are not yet listed on the CMMC-AB Marketplace.
Once an applicant passes its background and conflict-of-interest checks, it is asked to pay a mandatory $2000 activation fee and sign an agreement with the CMMC-AB. After signing the agreement on the proper use of the C3PAO badge, the organization fills out a CMMC-AB Marketplace listing and is listed in the candidate category. Keep in mind that candidates are not authorized to perform CMMC assessments for certification, but they can provide consulting and gap analysis as a cybersecurity company.
In this transitory stage, DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) performs a CMMC Maturity Level 3 assessment on the candidate to ensure that the candidate's own information system is secure enough for the authorization process to continue.
This sub-stage comes after the DIBCAC assessment, but it has not been clarified publicly, so there is little information we can give about it. Although the assessment procedures at this stage remain unknown, the C3PAO must complete this step before proceeding to Stage 3.
Once a C3PAO reaches this stage, it moves into the Authorized category on the CMMC-AB Marketplace. That means it is allowed to perform assessments and issue CMMC certificates for levels 1, 2, and 3.
At this stage, the C3PAO must pass an ISO 17020 audit by the CMMC Accreditation Body in order to become Accredited, the highest stage in this process. This level of authorization validates that the organization can perform impartial assessments. If the C3PAO has already passed an ISO 17020 audit with another accreditation body, it only needs to update its procedures to match those of the CMMC.
Lastly, you might wonder why C3PAOs bother to reach the fourth stage when they can already perform assessments as authorized bodies at stage 3. The reason is that certifications performed by accredited organizations carry more authority, so those companies will get to perform more assessments than those still at stage 3.