The Department of Defense, and where delegated, the CMMC Accreditation Body, are the authoritative sources in regard to CMMC. Their guidance must be followed by all members of the CMMC ecosystem. Early versions of guides and training have been released by both parties.
With that said, there are many gray areas in CMMC which haven’t been addressed yet. CMMC is a complicated topic. There are requirements which come into direct conflict with other requirements. And at a program level, there are things which could be done better in order to build a functional CMMC ecosystem which achieves the goal of cybersecurity for defense contractors.
C3PAOs and assessors need to have a standard understanding and approach to CMMC in order to build confidence in the assessment process. Organizations Seeking Certification need transparency regarding technical interpretations. The DoD and CMMC-AB need feedback and industry recommendations to resolve pain points and identify possible ways forward. The goal of this positions page is to help meet these needs.
We formally request that the DoD and CMMC-AB review these positions and adopt the recommendations within.
Assessment interpretations
These technical interpretations are posted here in the interest of standardization of assessment by C3PAOs and assessors.
- Future positions will be listed here
Policy positions
These positions are submitted to the CMMC Program Management Office and CMMC-Accreditation Body as suggestions for resolving problems with the CMMC rollout.
- Future positions will be listed here
How does the C3PAO Stakeholder Forum identify positions?
- Members of the C3PAO Stakeholder Forum submit topics that need clarification to the forum. For example, a member company might have just assessed a client with a specific situation that is not addressed by existing official CMMC guidance. Submission of a topic may be via posting on the forum or during a meeting.
- One or more members of the C3PAO Stakeholder Forum write a position on the topic. Collaboration and discussion with other C3PAOs to get their experience and thoughts is encouraged. A position is a recommended course of action for a specific situation or recommended prioritization between two conflicting requirements.
- The authors post the position to the C3PAO Stakeholder Forum for review, typically in a channel for that topic (such as the “scoping and boundaries” channel).
- An Advisor (volunteer position) will create a post in the “action items” channel to request review and voting for the position. A due date of 2 weeks from that day will be assigned. “Yes” and “No” voting buttons will be attached to the position so that general members can click a button to vote on the position.
- The weekly C3PAO Forum meeting will review and discuss positions verbally until the due date arrives (two meetings). Members are reminded to vote on the position.
- At the due date, votes are counted by an Advisor. If at least 80% of the votes are “Yes”, the position is considered endorsed by the C3PAO Stakeholder Forum.
- The position is reviewed and packaged for public release (standard template applied, disclaimers applied).
- The position will be listed on the c3paoforum.org website and released publicly to the CMMC ecosystem (DoD, CMMC-AB, all C3PAOs, CMMC IAC, etc.) by the C3PAO Stakeholder Forum.
DISCLAIMER
The C3PAO Stakeholder Forum is an industry group of C3PAOs. The group is formed from C3PAOs and aspiring C3PAOs; it is open to all CMMC-AB Marketplace C3PAOs and confirmed C3PAO applicants. The mission is to advance CMMC assessor and C3PAO input, participation, and consensus within the CMMC ecosystem. This includes advocating for policies, sharing perspectives, and working alongside the DoD, CMMC-AB, Organizations Seeking Certification, and other stakeholders to advance the mission of CMMC, which broadly is to increase the cyber posture of the Defense Industrial Base. Participation in the C3PAO Stakeholder Forum is voluntary, and those individuals who participate do so of their own volition and without compensation. The views of the board and the C3PAO Stakeholder Forum are not necessarily those of each member or their respective companies. The DoD, and where delegated by the DoD the CMMC-AB, is the ultimate authority with regard to CMMC. Any guidance contained within is not authoritative and, if found in conflict with DoD guidance, should be considered subordinate. We simply seek to share this guidance to help advance the conversation and drive consistency among the industry. To the extent that subsequent guidance is published by the DoD or similar authorities, this document will be revised.
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.