Redspin, Another First

August 1, 2022 Robert J. Teague

In another first, Redspin, the first authorized CMMC Third-Party Assessment Organization (C3PAO), was selected to conduct one of the first certification assessments under the Joint Surveillance Program.

The Joint Surveillance Program is the equivalent of a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High certification. Department of Defense (DoD) lawyers have stated that assessments cannot be called CMMC until the rule-making phase is complete, which is expected to be in place by March of 2023. Thus, the DoD has come up with a “work-around” solution to begin assessments now, rather than later. Currently, Organizations Seeking Certification (OSC) must volunteer to participate in the joint assessment program that is conducted via the DIBCAC and an authorized C3PAO and involves the 110 practices from NIST 800-171 Revision 2. OSCs that pass the assessment will be issued a DIBCAC High certificate until the interim rule is in place, then the certificate will be replaced with a CMMC Certificate. The Cyber AB announced at their July Townhall, that the first four OSCs were selected by DIBCAC and will start the joint program in August 2022. This program aims to validate C3PAO processes during the certifications, so the C3PAOs can continue to conduct certifications throughout the year.

Redspin, along with three additional authorized C3PAOs, will be conducting the first four assessments with DIBCAC starting in August of 2022. The four-phased approach includes documentation review, interviews with the OSC’s information technology (IT) teams, review of artifacts/configurations, and inclusion of a Plan of Actions & Milestones (POA&M) if required. Upon completion of the initial four assessments, DIBCAC will move on to work with the rest of the authorized C3PAO ecosystem. Matt Travis, the CEO of Cyber AB, commented that “A lot of hard work has been going on over the past year and we are excited that these assessments are finally getting underway.” Once the initial assessment is complete, Redspin will continue conducting certification assessments, on their own, going forward.

The Cybersecurity Model Certification (CMMC) is a Department of Defense (DoD) initiative to verify proper cybersecurity practices/processes are in place to adequately protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB) networks. CMMC incorporates 110 practices from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2. C3PAOs will conduct CMMC assessments of current/potential DoD Contractors to identify cybersecurity risks prior to awarding DoD contracts.


If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, click here.


Additional CMMC resources can be found on our website.

The Redspin Team

About the Author

Robert J. Teague

Robert is an Information security consultant and certified Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) with over 30 years of operational and strategic leadership experience in information technology and cybersecurity operations with the U.S. Army. An advisor who travels globally to assist clients in network security risk assessments and preparation for level 1-3 CMMC certifications in order to obtain Department of Defense contracts.

Follow on Linkedin More Content by Robert J. Teague

No Previous Articles

Next Article
CMMC Level 2 Bifurcation Rule
CMMC Level 2 Bifurcation Rule

Certain changes to the CMMC model caused some controversy, but made sense in the larger picture of Cybersec...