The CMMC Accreditation Body (CMMC-AB) has approved just over 20 CMMC Third-Party Assessor Organizations (C3PAOs) and nearly 100 Provisional Assessors. While this development is a positive step towards getting organizations CMMC certified, it is not clear if the approved C3PAOs are currently performing CMMC certification assessments.
The Department of Defense (DoD) estimates that in 2021 only 15 DoD contracts will contain the requirement for a CMMC certification. The DoD believes that every prime contract is supported by 100 DoD contractors. This means in 2021, no less than 1,500 CMMC assessments need to be successfully completed. If all organizations who put in a bid for a contract with the CMMC requirement also need a CMMC, that demand will be far greater. If just five prime contractors bid on each of the 15 contracts containing the CMMC requirement, each of the 100 existing Provisional Assessors will need to complete at least 75 assessments this year to meet industry demand.
For organizations bidding on the 15 impacted contracts, there is currently no mechanism to be front-loaded for CMMC certification by C3PAOs. This can create a problem for those companies that would like to bid on a contract but have no way of knowing if they can achieve the certification at the time of contract award.
The approval of the initial 100 Provisional Assessors is certainly a step in the right direction getting the DIB CMMC certified, however, demand is sure to exceed supply in short order.
