Oxebridge has announced it will offer ISO 17020 accreditation preparation for third party assessment organizations (“C3PAOs”) within the Cybersecurity Maturity Model Certification (CMMC) scheme.

Per a US Dept. of Defense mandate, all CMMC C3PAOs must not only be approved by the CMMC Accreditation Board, but also must obtain independent accreditation to ISO 17020, the standard for inspection bodies. Oxebridge provides consulting and implementation on this standard, and can get most C3PAOs ready for audit by an independent accreditation body in about 3 months.

One wrinkle is the fact that the CMMC-AB has yet to publish official procedures or requirements for C3PAOs, which has prompted some certification bodies to temporarily obtain ISO 17020 accreditation for inspection of systems based on NIST 800-171, instead of CMMC. The CMMC-AB has not given any indication when they might issue formal rules for C3PAOs, and to date there is little evidence to suggest they are working on those rules.

Oxebridge has emerged as an independent oversight body in the CMMC scheme, and is working to ensure that both the CMMC-AB and C3PAOs operate in accordance with official rules and expected ethical requirements. For work performed directly for C3PAOs, this includes robust identification of risks and conflicts of interest, and proven methods to mitigate those issues.
