The Department of Defense has failed to effectively implement the process by which third-party organizations are authorized to carry out Level 2 assessments under Cybersecurity Maturity Model Certification 2.0.
This is the conclusion that the DOD Office of Inspector General said it had reached on Tuesday, following an audit where it reviewed the application packages of 11 of the 48 CMMC third-party assessment organizations, or C3PAOs, authorized as of Sept. 21, 2023.
Lack of Signed Code of Professional Conduct
According to the audit report, the process implementation failure was demonstrated by three findings. First, of the 11 C3PAOs reviewed, two were given authorization even though they did not have a signed C3PAO Agreement and Code of Professional Conduct. This document details the terms, conditions and expectations of C3PAOs, including their adherence to the principles of professionalism, objectivity, confidentiality, proper use of methods and information integrity.
Professional Certification Not Verified
Second, authorizing officials did not verify whether the quality control leads, or QCLs, of four of the 11 C3PAOs possessed the requisite certification. An individual must undergo trainings and examinations to become a CMMC certified professional and then a CMMC certified assessor, or CCA, before the person can be designated as QCL. These trainings work to ensure that a QCL possesses the ability to perform a CMMC Level 2 assessment and evaluate the members of an assessment team.
Possible Lack of Quality Control Leads on Staff
Third, all 11 C3PAOs received authorization even if it was not adequately verified that they had CCAs and QCLs on staff or under contract.
Quality Assurance Process
DOD OIG attributed the issues to a lack of a quality assurance process that would verify C3PAO compliance with the requirements for authorization. The agency consequently offered 10 recommendations, including the development and implementation of a quality assurance process for C3PAO authorization.
