Kratos Named 1 of the 1st Cybersecurity Maturity Model Certification (CMMC) 3rd Party Assessment Organizations (C3PAO)

June 15, 2021


Kratos Defense & Security Solutions, Inc. (Nasdaq: KTOS), a leading National Security Solutions provider, announced today that it has been named by the federal government as one of the first two CMMC Third Party Assessment Organizations (C3PAO). As a C3PAO, Kratos will be able to conduct CMMC Level 1-3 assessments once the government completes certain preparatory and authorization steps.

The CMMC is a new unified security standard and a certification process developed by the U.S. Department of Defense (DoD) to protect the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). In accordance with recent updates to DFARS 252.204, the Office of the Under Secretary of Defense (OUSD) will begin a phased rollout requiring contractors to achieve CMMC certification. Once the rollout is complete, nearly all companies seeking to respond to DoD proposal requests will require CMMC certification.

Kratos has years of robust experience in compliance and certification, risk management and cyber operations, defense and engineering. Services include vulnerability assessments, enterprise security architecture design, application security testing and risk management processes. Kratos cybersecurity services support the development and operation of proactive cybersecurity programs, the development of enterprise cloud security strategies, and the establishment of sound and practical information security architectures tailored to organizational needs.

Mark Williams, Vice President, Kratos Cybersecurity Services explained: “As a member of the DIB Kratos underwent a rigorous assessment by the Defense Industrial Base Cybersecurity Assessment Center, which was a key factor in its early C3PAO authorization by the CMMC AB.” Once authorized to begin conducting assessments. Kratos’ Provisional Assessor-led teams will conduct the CMMC assessments that consist of up to four phases. The Planning phase includes assessment plan development and an assessment readiness review. The Assessment phase includes collecting and validating the required Objective Evidence (OE) and generating final results. Presentation of the results occurs in the Report Findings phase. If issues are identified in the Report Findings phase, the Remediation phase is dedicated to evaluating remedial actions taken. Depending on the assessment complexity Kratos estimates that most assessments will be completed in four to six weeks.

Phil Carrai, President of Kratos Space, Training and Cyber Division highlighted the importance of a robust CMMC program. “The recent spate of data breaches affecting both government and commercial organizations underscores the need for more robust security measures to protect critical information. For DoD this means increased protection of FCI and CUI data. CMMC will be a critical component of heightened security as all companies will need to pass strict CMMC security assessments before being awarded DoD contracts. Kratos is proud to be named one of the first C3PAOs. Our extensive experience in providing advisory and assessment services for compliance frameworks such as FedRAMP and others position us well to support CMMC.”

Source : Kratos Defense & Security Solutions

Kratos Named 1 of the 1st Cybersecurity Maturity Model Certification (CMMC) 3rd Party Assessment Organizations (C3PAO)