In a recent interview with the Potomac Officers Club, CMMC Accreditation Body CEO Matt Travis announced that the AB would be supporting “self-assessments” currently required under the CMMC 2.0 Level 1 rewrite.
To assist the defense industrial base, Travis said the CMMC-AB will offer Level 1 certifications as a voluntary option, to provide companies an extra layer of assurance. He noted that the move will allow defense contractors to “self-attest with confidence.”
Travis appears to be trying to throw a bone to the C3PAOs, who are reeling after the release of CMMC 2.0 dramatically crippled their future business plans, by saying they will be allowed to conduct self-assessments for defense companies through unaccredited, 2nd party audits.
This arrangement is prohibited under the applicable ISO accreditation standards, which reveals that neither Travis nor the CMMC-AB itself understands how accredited certification works.
Per the Dept. of Defense contract which created it, the CMMC-AB will be required to obtain ISO 17011 accreditation for itself, to ensure it operates in accordance with international principles. The CMMC-AB will then be required to accredit “CMMC Third Party Assessment Organizations,” or “C3PAOs,” against ISO 17021-1, the standard for certification bodies.
But ISO 17021-1 specifically prohibits C3PAOs from offering contract internal audits, including self-attestation audits, on behalf of their clients. This is framed as a threat to impartiality, and actually earned an entire sub-clause (5.2.6) in ISO 17021-1 prohibiting the practice:
5.2.6 The carrying out of internal audits by the certification body and any part of the same legal entity to its certified clients is a significant threat to impartiality. Therefore, the certification body and any part of the same legal entity and any entity under the organizational control of the certification body shall not offer or provide internal audits to its certified clients. A recognized mitigation of this threat is that the certification body shall not certify a management system on which it provided internal audits for a minimum of two years following the completion of the internal audits.
In conformity assessment industry parlance, “2nd-party auditing” can be done by consultants all day long. But because it’s treated as a consulting service, a certification body (or C3PAO) cannot provide the service and later certify the same client; it’s considered certifying your own work. For example, if a standard requires the client to perform internal audits (as CMMC 2.0 does), and the C3PAO then goes in to assess the company’s compliance to the standard, at some point they will have to assess their own internal audits.
The ISO 17021-1 standard allows this only if there’s a two-year “cooling off” period between the time the C3PAO performs the auditing and when they later certify the system.
So, no. Unless they obey the two-year cooling-off rule, no accredited C3PAO will ever perform self-assessments on CMMC clients’ behalf.
I’ve — yet again — written to both DoD and the CMMC-AB leadership asking them to get informed advice on ISO accreditation standards, and to stop relying on their uninformed, in-house advisors.
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.