Written By: Troy Fine, CPA/CITP, and Ken Tysiac
CPAs have a new opportunity to act as third-party assessors of the cybersecurity maturity of U.S. defense contractors as they work to comply with new regulations that have been created to combat cyberthreats.
CPAs currently providing System and Organization Controls (SOC) services, cybersecurity or IT security services, or third-party assessment services under other programs (such as HITRUST or FedRAMP) may already have the skills and competencies to perform this work, which may offer significant opportunities for revenue growth. Providing these services also helps strengthen CPAs’ professional reputation as quality providers of cybersecurity and IT security services.
Under requirements issued by the Office of the Under Secretary of Defense for Acquisition and Sustainment, by fiscal year 2026 the roughly 300,000 prime contractors and subcontractors (defense contractors) that make up the Defense Industrial Base will be required to demonstrate compliance with Cybersecurity Maturity Model Certification (CMMC) practices and policies.
The CMMC certification model is designed to provide assurance that a contractor is equipped to safeguard information in a manner commensurate with the complexity of the contractor’s work with the Department of Defense. Defense contractors will also be required to obtain a CMMC certification from an accredited third-party assessor.
There are a number of ways in which CPAs and firms can become involved with the CMMC certification program:
Individual CPAs can become credentialed to serve as independent third-party assessors.
CPA firms can also become third-party assessor organizations (C3PAOs), which are organizations accredited to manage the assessment process, schedule assessments, and hire and train certified assessors and certified consultants. (A business cannot receive assessment and consulting services from the same C3PAO.)
A CPA firm can elect to become a Registered Provider Organization (RPO), and an individual CPA can elect to become a Registered Practitioner (RP). RPOs and RPs provide advice, consulting, and recommendations to their clients. They are the “implementers” and consultants and do not conduct certified assessments; these programs were designed for CPAs and firms that would like to serve as advisers to the Defense Industrial Base rather than as assessors. RPs are required to complete basic training on the CMMC framework.
When considering whether to become a C3PAO or RPO, a firm should first determine whether it has clients within the Defense Industrial Base. If any of your current clients are defense contractors and you decide to apply to become a C3PAO or RPO, applications may be completed at cmmcab.org.
In addition to completing the application and paying the application fees, CPAs and firms will be required to, among other things, pass background checks, sign agreements with the body providing accreditation, and obtain a level of CMMC accreditation themselves.
Whichever role it chooses, a CPA firm should plan ahead so that it holds the required accreditation before it begins providing CMMC services to its clients. For example, although becoming an RPO takes only a few months, becoming a C3PAO takes much longer. One reason is that preparing for and obtaining the firm’s own CMMC certification could easily take six to 12 months.
The AICPA Assurance Services Executive Committee believes it is in the public interest for CPAs to perform third-party assessments such as those that are newly required of defense contractors. A recently issued AICPA technical question and answer (TQA) provides guidance to CPAs on the professional standards that they may need to follow to perform such third-party assessments.
The TQA clarifies that AICPA members can perform third-party assessment engagements by complying with the requirements or instructions in the third-party assessment program and the AICPA Code of Professional Conduct.
More information on emerging assurance and advisory opportunities for CPAs is available on the AICPA website.
— Troy Fine, CPA/CITP, is senior manager, risk advisory services, for Schneider Downs in Pittsburgh and is a CMMC provisional assessor. Ken Tysiac is the JofA’s editorial director. To comment on this article or to suggest an idea for another article, contact him at Kenneth.Tysiac@aicpa-cima.com.