How to Choose a CMMC Partner
December 22, 2020
With the latest updates from the Department of Defense (DoD), a Cybersecurity Maturity Model Certification (CMMC) has to be obtained in order to do any business with the DoD. With the DoD moving away from self-certification models, vendors who service the DoD now face new issues if they choose to continue supplying the Defense Industrial Base (DIB). The CMMC is now a prerequisite for all DoD contractors. Since the CMMC defines several levels of cybersecurity maturity, the level you wish to achieve will help you decide which type of assistance you will need.
Choosing a Cybersecurity Maturity Model Certification partner does not have to be an intimidating task. There are a few important things that your organization should be looking out for when going through the hiring procedure:
CERTIFIED THIRD-PARTY ASSESSMENT ORGANIZATION
The assessing organization should be a Certified Third-Party Assessment Organization (C3PAO). Your CMMC partner must hold C3PAO status; without it, they are not equipped to provide Cybersecurity Maturity Model Certification.
STRONG BACKGROUND AND EXPERIENCE
Look for a C3PAO that has a solid background and experience in cybersecurity, rather than an organization that offers cybersecurity only as a secondary or tertiary service. C3PAO status is not confined to one industry: any organization that pays the fees and meets the requirements can become a C3PAO. This does not always mean they are the best fit for you, or that they can deliver the services effectively. For example, if company A is an IT services company and company B is a cybersecurity specialist business, then even though both fall more or less under the IT industry and both are C3PAOs, company B has the capability and expertise to provide the certification efficiently. This is because company B has professional knowledge of implementing cybersecurity in depth, not only for CMMC but for your business as a whole.
PREVIOUS KNOWLEDGE OF NIST 800-171 AND DFARS
Look for providers with knowledge of the NIST SP 800-171 framework and DFARS. It is best to take on a partner who has previous experience with the frameworks that the CMMC model is based on. The two main frameworks that the Cybersecurity Maturity Model builds upon are NIST SP 800-171 and the Defense Federal Acquisition Regulation Supplement (DFARS). So when finding and choosing a partner for certification, be sure to check that they have previous experience, specifically with the NIST SP 800-171 framework. This is the framework that the DoD currently requires an organization to adhere to if it wants to participate in the DoD supply chain. Even though it is possible to self-certify, many organizations still employ a specialist to ensure that the process is done thoroughly and effectively. The only difference with the release of CMMC is that certification from a C3PAO has become a legal requirement for any contractor that does business with the DoD.
SureShield offers compliance assessments for applicable controls, provides audit support, and helps you maintain a state of continued readiness. Using SureShield, you will be able to perform the activities required to achieve and maintain CMMC compliance. Your organization can work with us by contracting for our ComplyShield solution for CMMC, or through one of our MSP partners. After the initial assessment, we provide your team with guidance to achieve compliance based on the completion of "Action Plans". Check out our website for more information. Read our blog for everything you need to know about CMMC, including its opportunities and challenges. For any questions, reach out to us on Twitter and LinkedIn.