In the early months of 2020, the U.S. Department of Defense (DoD) began implementation for a new Cybersecurity Framework. The Cybersecurity Maturity Model Certification (CMMC) framework is the cybersecurity standard for the Defense Industrial Base (DIB). However, CMMC version 1 was put on hold at the end of 2021 pending the release of version 2. The Defense Industrial Base (DIB) consists of the supply chain companies needed to improve the efficiency of the U.S. military. This involves research, manufacturing, advancements, and improvements. CMMC is the standard for cybersecurity for the DIB based on the level of data the company must handle.
There are 3 Levels of CMMC version 2 starting with the basic cybersecurity needs of Level 1 and ending with the highest level of cybersecurity Level 3. These maturity levels provide security for the FCI, Controlled Unclassified Information (CUI), as well as fending off malicious attacks. For each level of cybersecurity a contractor must meet the standards of the previous levels as well. In all there are over 110 practices that must be implemented by Level 2. These required standards add operational complexity and confusion for organizations supporting the DoD. Which is why there are Registered Practitioner Organizations (RPO). RPOs offer advice and help to companies preparing for certification. Here are some important things to look at when selecting a Managed Service and Security Provider (MSSP) to help achieve CMMC self-attestation or C3PAO assessment.
Are they a CMMC-AB RPO & RP
The process to become a Registered Practitioner (RP) or RPO, while not overly complicated, vets organizations and individuals, enables them to understand the Maturity Levels, and help DIB organizations. It involves a web based training system that can be done at an individual’s own pace. After completing the training, the RP-in-training needs to pass a background check, then sign the CMMC Code of Professional Conduct. RPOs are vetted companies that have at least one RP on staff. Ensure that your partner is an RP and RPO before signing any agreement.
IT, Security, and Compliance
Due to the nature of CMMC, it is highly recommended, even required, that the chosen RP and parent RPO be well versed in IT, security, and compliance. Managed Service and Security providers with other backgrounds may not understand the ins and outs of the advanced cybersecurity directives required by the Department of Defense. If your RP does not have a foundation in technology and security, then how are they going to offer helpful and insightful advice for CMMC support?
An RP has to be associated with an RPO, so when looking at reliability it is not just the individual’s reliability but also the reliability of the company. Validate a company’s listing on the CMMC Accreditation Body (CMMC-AB) marketplace here. It is also recommended that at least a cursory internet search is done to look for reviews on google and feedback from previous clients. The reason for utilizing both of these options is that you can get a more complete image of the RPO that you are evaluating.
Since CMMC Certification is such a relatively new system it is important to review your options when choosing an MSP/MSSP. Failure to mitigate the risks outlined in the controls can be costly, result in the inability to compete on DoD contracts, and may have adverse effects on the company’s long term health. So, it is incredibly important that companies select an RPO that has been properly vetted, has a relevant background in IT, Security, and compliance, and maintains a reliable track record. These are just three important criteria to keep in mind when choosing the best partner for CMMC compliance.
Peter Frasco is the owner and CEO of Intelligent Integration Technologies and CMMC Registered Practitioner with over 30 years of experience in Information Technology and Cybersecurity including work for the US Army as a Chief Warrant Officer, Silicon Valley Startups, and BlackBerry during their pivot to a cybersecurity powerhouse.