Kratos named CMMC C3PAO
On June 15, San Diego, CA-based Kratos Defense & Security Solutions, Inc. announced that it has been named by the federal government as one of the first two CMMC Third Party Assessment Organizations (C3PAO). As a C3PAO, Kratos will be able to conduct CMMC Level 1-3 assessments once the government completes certain preparatory and authorization steps.
The CMMC is a new unified security standard and a certification process developed by the U.S. Department of Defense (DoD) to protect the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). In accordance with recent updates to DFARS 252.204, the Office of the Under Secretary of Defense (OUSD) will begin a phased rollout requiring contractors to achieve CMMC certification. Once the rollout is complete, nearly all companies seeking to respond to DoD proposal requests will require CMMC certification.
Kratos has years of robust experience in compliance and certification, risk management and cyber operations, defense and engineering. Services include vulnerability assessments, enterprise security architecture design, application security testing and risk management processes. Kratos cybersecurity services support the development and operation of proactive cybersecurity programs, the development of enterprise cloud security strategies, and the establishment of sound and practical information security architectures tailored to organizational needs.
Mark Williams, vice president, Kratos Cybersecurity Services, explained, “As a member of the DIB, Kratos underwent a rigorous assessment by the Defense Industrial Base Cybersecurity Assessment Center, which was a key factor in its early C3PAO authorization by the CMMC AB.”
Once authorized to begin conducting assessments, Kratos’ Provisional Assessor-led teams will conduct the CMMC assessments, which consist of up to four phases. The Planning phase includes assessment plan development and an assessment readiness review. The Assessment phase includes collecting and validating the required Objective Evidence (OE) and generating final results. Presentation of the results occurs in the Report Findings phase. If issues are identified in the Report Findings phase, the Remediation phase is dedicated to evaluating remedial actions taken. Depending on the assessment complexity, Kratos estimates that most assessments will be completed in four to six weeks.
Phil Carrai, president of Kratos’ Space, Training and Cyber Division, highlighted the importance of a robust CMMC program. “The recent spate of data breaches affecting both government and commercial organizations underscores the need for more robust security measures to protect critical information. For DoD this means increased protection of FCI and CUI data. CMMC will be a critical component of heightened security as all companies will need to pass strict CMMC security assessments before being awarded DoD contracts. Kratos is proud to be named one of the first C3PAOs. Our extensive experience in providing advisory and assessment services for compliance frameworks such as FedRAMP and others positions us well to support CMMC.”