We're Now an Authorized CMMC 3rd Party Assessor Organization (C3PAO)
Schellman becomes the first compliance services firm authorized by the CMMC AB and the 5th C3PAO Overall
October 19, 2021 (Tampa, FL) – Schellman is pleased to announce that we are now an authorized Cybersecurity Maturity Model Certification (CMMC) Third Party Assessment Organization (C3PAO). Overseen by the Department of Defense (DoD) alongside the CMMC Accreditation Body (CMMC AB), the CMMC program is designed to enforce consistent cybersecurity practices across the hundreds of thousands of defense contractors that participate in and make up the Defense Industrial Base (DIB). A group that now includes Schellman, C3PAOs are the independent assessment organizations that work alongside advisory and training providers to improve cybersecurity practices and protect the sensitive information maintained by the DIB participants.
Though just the fifth firm to be authorized overall within this program, Schellman is actually the first organization who is focused solely on compliance. CMMC now joins an extensive set of offerings that already included FedRAMP 3PAO assessments, SOC 2 and SOC 1 examinations, globally accredited PCI assessment services, ISO 27001, ISO 27701, ISO 9001, and ISO 22301 certifications, as well as HITRUST CSF assessments and CSA STAR certifications and attestations.
“We are thrilled to join the first four authorized C3PAOs to help pave the way forward for CMMC,” said Doug Barbin, managing principal and chief growth officer for Schellman. “Our experience and reputation as a leading FedRAMP assessor, as well as our multiple trained CMMC provisional assessors on staff and our expertise in ISO and other security and privacy domains, provided a sound basis to be the first 100% assessment firm to join the authorized ranks. Now that we are here, we also look forward to continuing to support CMMC AB, other C3PAOs, consultants, trainers, and other members of the CMMC community.”
Currently, there are more than 180 listed “candidate C3PAOs” undergoing the same process that Schellman has now completed to receive authorization—a process that required extensive assessment by the audit team at the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center, who reviewed Schellman’s policies, procedures, and technical controls for protecting CMMC assessment related data based on the same CMMC level 3 controls. But with that review complete and the authorization now active, Schellman is in a better position to serve its clients.
“Schellman’s history is not in government contracting, but in performing complex technology-enabled assessment services for clients who work in federal, healthcare, and other regulated industries,” said Avani Desai, chief executive officer of Schellman. “That experience, our acute attention to quality and our new status as an authorized C3PAO will allow us to continue helping our clients convey trust to their customers, regulators, and stakeholders—now in a new way.”
Though as of this date, the CMMC program is still awaiting formal launch by the Department of Defense for inclusion in DoD contracts, such is expected in the coming months. As we currently only offer assessment services, Schellman welcomes organizations who are working to build out their compliance programs to reach out to contact Schellman via our website.
Schellman & Company, LLC along with Schellman Compliance, LLC (Schellman) is a leading provider of attestation and compliance services. Schellman is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an authorized C3PAO. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.