For contractors within the Defense Industry Base (DIB), 2021 is a pivotal year. The DoD (Department of Defense) is moving from self-certification models and adopting the Cybersecurity Maturity Model Certification (CMMC). To be eligible to service DoD contracts, contractors must comply with CMMC requirements in full and become certified. The first step requires a self-assessment against NIST 800-171, however to get CMMC certification, you must enlist the support of one or more CMMC-AB recognized organizations. Read on to find out everything you need to know when selecting a CMMC partner.
In essence, the CMMC brings together the NIST SP framework as well as other cybersecurity frameworks to create a robust one. Along with eliminating the self-certification model, it also comes with a different approach towards integrating cybersecurity processes and practices. Instead of a simple checklist of requirements, CMMC assesses how cybersecurity processes are assimilated within an organization’s culture.
One of the biggest concerns among vendors and contractors is the need for certification from a Certified Third-Party Assessment Organization (C3PAO). In the past year, there has been a meteoric rise in the number of companies offering CMMC assessments. Though some are now registered as C3PAOs, provisional assessors, and Registered Provider Organizations, we are still in the provisional stage at this point.
Nonetheless, CMMC compliance is non-negotiable. It is essential to work with a CMMC partner to attain as well as maintain compliance. However, with many unauthorized organizations advertising such services, you must choose wisely.
Understanding the Risk of Choosing a Non-Certified CMMC Partner
Ultimately, you will not secure any contracts with the Department of Defense and its vendors without CMMC certification. By working with a non-certified partner, you jeopardize your chances of winning such contracts as it comes with risks such as:
1. Failing Your Audit
The US government’s proposed budget for cybersecurity for the year 2021 is $18.78 billion. This is due to the increasing rate of cyberattacks as well as the associated costs. In 2018 alone, the cost of cyberattacks on the government totaled $13.7 billion.
Therefore, once CMMC is fully in place, you will be locked out of all DoD contracts unless you are certified. Considering the magnitude of the matter, CMMC requirements are comprehensive and will take time to implement. As such, you should begin the process early enough to ensure you are successful. If your CMMC consultants are not conversant with all the regulations, you are likely to fail your assessment.
Should this happen, you will have to find another CMMC partner and start the process again. Considering that there are over 350,000 DoD contractors and all will need certification, such a setback can lock you out of bidding for contracts for months.
2. False Claims Act
All organizations that are CMMC-AB registered are bound by a code of professional conduct. If a consultant is offering services without the required CMMC training, it is possible they will provide incomplete services ore evidence. Worse, they might doctor evidence to allow you to pass an audit under false pretense. Even if this delivers on your short-term needs, it will have more significant long-term consequences.
Presenting false evidence to secure certification is a serious offense and can expose you to serious legal recourse in the future. Rather than working towards compliance or servicing contracts, it will leave you trying to clear your company’s reputation.
3. Exposes You to Cyberthreats
The primary objective of the CMMC framework is to ensure that the defense supply chain is secure by maintaining high-security standards at an organizational level. Should you choose to work with a non-certified CMMC partner, achieving full compliance will be difficult. As such, you can still be vulnerable to attacks, compromising the Department of Defense’s security.
If such a breach occurs, you may not only lose your contracts but also face non-compliance fines.
Validating a CMMC Partner
The CMMC partner you choose will be a crucial element in your ability to bid for DoD contracts. As such, you must take the necessary measures to not only ensure that they are certified but that they are competent. Some of the steps you should take include:
1. Check the CMMC Marketplace
For any institution to display the CMMC badge, they must successfully complete CCMC-AB training. This provides necessary guidance on the best practices of assessment readiness, ethical guidelines, and how the assessment process works. Upon successful completion of their assessment, they will be added to the CMMC-AB Marketplace.
Do not just take a consultant’s word. Search for them in the marketplace to confirm that CMMC indeed recognizes them. On the marketplace listing, you can search for both companies as well as individual practitioners.
2. Customer References
CMMC compliance is not an event but a journey. It’s something that you will need to work on continuously to maintain. Along the way, new threats may emerge, necessitating new security measures. Beyond competence and certification, your CMMC consultant must possess a lot more qualities for them to offer adequate support.
Rather than just issue instructions, they must be willing to guide your team as well as help them understand what it takes to remain compliant. This requires interpersonal as well as communication skills, accompanied by a desire to deliver the best results to clients. Determining this from the first few interactions is challenging.
Instead, ask them to provide you with customer references. Your objective should be to find out:
- They have sufficient experience in the defense space
- How they’ve worked with companies similar to yours
- Whether they maintain relationships with technology providers
- Their professionalism as well as commitment to customer satisfaction
3. Understands Ethical Boundaries
Any CMMC affiliated organization is required to follow the CMMC-COE Codes of Conduct. These are basic principles aimed at promoting ethics, standards, as well as values during decision-making and execution of business processes to safeguard the welfare of clients and other parties that could be affected.
All organizations should ensure that their personnel, partners, as well as contractors, are aware of and compliant with such requirements. The CMMC-COE Codes of Conduct put emphasis on the following areas:
- Professional representation
- Promotion of good practices
- Client interests
- Responsible reporting
Select a CMMC partner that strives to adhere to such standards.
4. Their Relationship with Assessors and Practitioners
CMMC regulations bar assessors and practitioners from discussing a client they are working with at the same time. However, collaboration between these groups is essential. This is because the cybersecurity space is expansive, dynamic, and continuously evolving. To share such information and remain updated on developments in the sector, assessors and practitioners are creating networking groups.
Enquire from your CMMC partner about such memberships as well as affiliations. With this, you can be sure that you will learn about new requirements or changes as soon as they occur.
Types of CMMC Partner Organizations
Depending on your needs, there are different types of CMMC organizations that you may need to partner with. Each specializes in a different aspect of CMMC compliance. They include:
1. CMMC Third-Party Assessor Organization
These are organizations that conduct CMMC assessments on DoD contracted companies. They also offer advisory services to other Organizations Seeking Certification (OCS).
2. Registered Provider Organization (RPO)
An RPO is an institution that offers CMMC consultative services to clients and assists with implementation. They may present themselves as a “non-certified” service provider inferring that they do not conduct assessments.
3. Licensed Training Providers
Licensed Training Providers are organizations recognized under the CMMC-AB LTP program. They offer CMMC education as well as training services and include online schools, colleges, universities, internal corporate training departments, professional schools, and direct-to-consumer learning providers. Licensed Training providers are also required to develop curriculums in line with CMMC-AB and deliver certification exams.
4. Licensed Partner Publisher
Under the CMMC-AB LPP program are Licensed Partner Publishers that are responsible for publishing and distributing CMMC educational materials to Licensed Training Providers.
Types of CMMC Individuals
In your bid to attain CMMC compliance and certification, you will interact with two key professionals; Registered Practitioners and Certified CMMC Assessors. However, in the near future, this list will also include Licensed Instructors.
1. Registered Practitioners
Registered Practitioners are individuals authorized by CMMC to offer consulting services as well as compliance support to their clients. They offer their services via Registered Practitioner Organizations to deliver non-certified advice and basic training.
2. Certified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP)
Certified CMMC Assessors and Certified CMMC Professionals are authorized and certified to perform DoD contractors’ assessments.
Kick Start Your CMMC Compliance with a Microsoft Focused Recovery Point Objective (RPO)
As a Department of Defense contractor, you only have two options with CMMC. You either comply and continue bidding for projects or delay and get left behind. One of the best ways to speed up your CMMC compliance is to work with a CMMC-AM Registered Provider Organization.
Are you looking for a 100% Microsoft-focused RPO to help lead your CMMC compliance efforts? Agile IT is a company dedicated to offering IT solutions that help align business and technical objectives. Contact us today to find out how you can leverage your existing Microsoft products to meet CMMC compliance.