NSF Granted Reauthorization as a CMMC Third-Party Assessment Organization

ANN ARBOR, Mich., January 9, 2025 – NSF, a global services organization, is excited to announce its reauthorization as a CMMC Third-Party Assessment Organization (C3PAO). The final authorization was awarded by The Cyber AB, the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) and the sole authorized non-governmental partner of the U.S. Department of Defense (DoD).

Reauthorization allows NSF and its certified assessment team to immediately begin conducting assessments and certifying DoD contractors to CMMC Level 2 in accordance with Title 32, part 170 of the Code of Federal Regulations (CFR) and the CMMC Assessment Process (CAP). NSF is listed on the CyberAB Marketplace with its Authorization Identification Number (AIN): C0125-NSF-015.

“Earning C3PAO reauthorization is a significant milestone for NSF, as it is a testimony to our dedication to helping protect the nation’s security,” says Tony Giles, Director of Information Security at NSF. “We are excited to begin offering CMMC assessments to DoD suppliers to support them in meeting the CMMC framework. Bolstering cybersecurity is critical to secure confidential information across the defense industrial base and improve our nation’s cyber resilience.”

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework developed by the US DoD. The objective is to enhance the cybersecurity controls in place for organizations supplying the DoD, known as the Defense Industrial Base (DIB). The CMMC model aims to manage risk and verify that DoD contractors can safeguard information classified as Controlled Unclassified Information (CUI) and comply with NIST SP 800-171 DOD assessment requirements.

CMMC requirements will be included on contracts in a phased rollout which will eventually require all DoD contractors to comply with CMMC in order to bid on work by Phase 4 (likely Q2 2028) . It differs from other NIST security standards as it requires third-party verification, which authorized C3PAOs, like NSF, provide. NSF’s C3PAO reauthorization means it can support DoD suppliers in the certification process so they can be eligible to bid on DoD contracts.

For media inquiries, please contact Kara Nicolaides at [email protected].

About NSF

NSF is an independent, global services organization dedicated to improving human and planet health for more than 80 years by developing public health standards and providing world-class testing, inspection, certification, advisory services and digital solutions to the food, nutrition, water, life sciences and consumer goods industries. NSF serves 40,000 clients in 110 countries and is a World Health Organization (WHO) Collaborating Center on Food Safety, Water Quality and Medical Device Safety.

NSF provides information security services across key industries, including defense, manufacturing, water, food and health sciences. We offer certification assessments to globally recognized standards, including ISO/IEC 27001, ISO/IEC 20000-1, NIST 800-171, CSA Star and the Cybersecurity Maturity Model Certification (CMMC). NSF provides a professional and purpose-driven approach to assessment services, helping organizations safeguard physical and digital data, manage current and future cyber risks and meet rigorous compliance requirements.