The Department of Defense (DOD) has approved cybersecurity company Redspin as the first certified third party assessor for its Cybersecurity Maturity Model Certification (CMMC).
Redspin will now be able to undertake security inspections on behalf of DOD contractors that are required under the recently-introduced protocol.
CMMC is the DOD’s new set of cybersecurity standards for contractors, which requires them to prove compliance through third-party inspections. Based largely on previous security practices, the most significant change in the new policy is that contractors must pay an assessor to test their compliance, whereas before they simply needed to self-verify.
All 300,000 contractors serving the department will eventually need to be assessed, which has led to concerns over potential bottlenecks.
Redspin became the first certified third party assessor after months of training, assessments and oversight from both the DOD and the CMMC Accreditation Body (AB), the third-party organization that is implementing the DOD’s Cybersecurity Maturity Model Certification (CMMC).
In a statement, CMMC-AB chief executive Matthew Travis said: “Reaching this step in getting the CMMC ecosystem up and running is a significant milestone and we look forward to authorizing additional C3PAOs in the coming days and weeks.”
As recent events emphasize how aggressively cyber threat actors are targeting our nation, the role of CMMC is more vital than ever as we take a united approach to protecting critical assets and information within the defense industrial base,” he added.
Contractors that handle the most sensitive controlled unclassified data will need a level five assessment — the highest level of CMMC clearance — to ensure they meet strict security controls. Many companies that handle benign data will only need a level one assessment to ensure they meet basic best practices.
Speaking to FedScoop, Redspin CEO Caleb Barlow said being first into the marketplace was the result of more than a year of intense work and focus within the company.
The company has had to pass a CMMC assessment of its own before it can assess others, a task some prospective C3PAOs have found difficult.