The Accreditation Board (CMMC-AB) for the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) has approved the first Certified Third-Party Assessment Organization (C3PAO) in the Defense Industrial Base (DIB), the CMMC-AB announced today.
Cybersecurity firm Redspin achieved a CMMC Level 3 accreditation, passed the administrative tasks, and is now the first C3PAO in the DIB marketplace. Redspin is now able to go out into the DIB and assess the CMMC readiness of other contractors.
“Reaching this step in getting the CMMC ecosystem up and running is a significant milestone, and we look forward to authorizing additional C3PAOs in the coming days and weeks,” CMMC-AB CEO Matthew Travis said in the release. “As recent events emphasize how aggressively cyber threat actors are targeting our nation, the role of CMMC is more vital than ever as we take a united approach to protecting critical assets and information within the Defense Industrial Base.”
The CMMC program is designed to assess the cybersecurity readiness of contractors in the DIB. The program is still in its pilot phase, but an internal review was recently completed. While the results of that review have not yet been made public, Sen. Joe Manchin, D-W.V., said “significant changes” are on the way.
The CMMC assessments are expected to begin later this summer, once all of the program materials are finalized, the CMMC-AB said. The program is in the process of being rolled out to all DoD contracts by fiscal year 2026.