C3PAO candidate status

Smithers Nears CMMC Certified Third-Party Assessor Organization Status

The Cybersecurity Maturity Model Certification Accreditation Body has granted Smithers Information Security Services certified third-party assessment organization candidate status.

The designation puts Smithers one step closer to performing assessments on defense contractors seeking compliance with the CMMC.

Final C3PAO status is given by the CMMC-AB to organizations that have secured clearance from the Defense Contract Management Agency, Smithers said. The DCMA performs initial CMMC Level 3 assessments on aspiring C3PAOs.

In a statement, Aaron Troschinetz, general manager for Smithers’ quality assessments division in North America, assured that the company is implementing all the necessary controls to ensure on-time provision of secure and accurate assessments.

“As we await our final approval status as a C3PAO, we continue to help organizations with our gap analysis type activities, which can be tailored to any number of different CMMC level requirements,” Troschinetz said.

Once certified, Smithers will join Redspin and Kratos Defense & Security Solutions in the CMMC marketplace.

Redspin, a division of CynergisTek, received inaugural C3PAO status on June 9. Kratos received the same designation the following week. Both companies were cleared to audit companies seeking CMMC certification at maturity levels 1 through 3.

The Department of Defense started implementing CMMC in December 2020, intending to fully require all contractors within the defense industrial base to achieve compliance by the beginning of fiscal year 2026.

CMMC certifications are a prerequisite for renewing or winning contracts with the DOD. The program has five certification levels that contractors need to comply with depending on the security that a DOD contract requires.