Home Compliance StandardsCMMC How to Find the Right CMMC Consulting Partner
CMMC

How to Find the Right CMMC Consulting Partner

by RSI Security
written by RSI Security

Finding the best CMMC consultant for your organization comes down to four steps:

  • Determining if and when you need CMMC certification
  • Identifying the appropriate CMMC Level and requirements
  • Assessing your readiness with gap assessments
  • Comparing various CMMC service providers

 

Step #1: Determine if You Need to Comply (and When)

First, you’ll need to understand whether you even need to achieve Cybersecurity Maturity Model Certification (CMMC). CMMC is designed to streamline several regulations from the National Institute of Standards and Technology (NIST) for Department of Defense (DoD) contractors.

Namely, CMMC exists to unify security controls for two protected kinds of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If your organization currently processes or anticipates processing FCI or CUI, then you’ll likely need to become compliant.

Your current or future contracts from the DoD will specify as much, along with which CMMC Level you need to reach—and by when. Those factors should help you decide between CMMC consultants based on their capacity for assessments and proposed timeline to compliance.

 

Step #2: Understand Your CMMC Level Requirements

Once you’ve determined that you need to comply, you should also look into which Level will be required for your DoD contract. Organizations working with FCI exclusively will likely need Level 1, whereas those that come into contact with CUI will likely need to reach Level 2 or Level 3.

When selecting a partner, seek out one equipped to help you meet the requirements at:

  • CMMC Level 1: Foundational – Focused on safeguards for FCI, Level 1 requires implementing 17 Practices from NIST SP 800-171 and annual self-assessments.
  • CMMC Level 2: Advanced – Focused on both FCI and CUI, Level 2 requires 110 Practices, covering all of NIST SP 800-171, and triennial third-party assessments.
  • CMMC Level 3: Expert – Focused on CUI, Level 3 requires implementing an as-yet undetermined set of practices from NIST SP 800-172 and triennial government audits.

Another factor here is determining which assets are in-scope for your Level. The DoD provides Level 1 and Level 2 scoping guidance, which focus on FCI and CUI, respectively. CMMC Level 3 scoping is undetermined, but it is likely to mirror that of Level 2 with a greater focus on threats.

Understanding what Level you need to achieve will help you target CMMC services catered to it. 

 

Request a Consultation

 

Step #3: Perform Gap or Readiness Assessments

Next, your organization should determine how much help you’ll actually need to get to where you need to be for DoD compliance. Performing gap or readiness assessments that mirror certification audits will help you determine the scope of CMMC compliance support needed.

For example, consider the requirements of a CMMC Level 1 Self-Assessment:

  • Level 1 Access Control (AC) – 
      • AC.L1-3.1.1: Authorized access control
      • AC.L1-3.1.2: Transaction and function control
      • AC.L1-3.1.20: Control external connections
      • AC.L1-3.1.22: Control public information
  • Level 1 Identification and Authentication (AU) – 
      • IA.L1-3.5.1: Identification controls
      • IA.L1-3.5.2: Authentication controls
  • Level 1 Media Protection (MP) – 
      • MP.L1-3.8.3: Secure media disposal
  • Level 1 Physical Protection (PE) – 
      • PE.L1-3.10.1: Limit physical access
      • PE.L1-3.10.3: Escort visitors securely
      • PE.L1-3.10.4: Maintain access logs
      • PE.L1-3.10.5: Manage physical access
  • Level 1 System and Communications Protection (SC) – 
      • SC.L1-3.13.1: Maintain boundary protections
      • SC.L1-3.13.5: Separate public access systems
  • Level 1 System and Information Integrity (SI) – 
    • SI.L1-3.14.1: Remediate identified flaws
    • SI.L1-3.14.2: Protect against malicious code
    • SI.L1-3.14.4: Update malicious code protections
    • SI.L1-3.14.5: Scan system and files regularly

If you have these in place already, you are well-positioned to achieve Level 1 certification. But Level 2 assessments add on 93 additional Practices, including several in new Domains not assessed at Level 1 (i.e., Incident Response, Maintenance, Security Assessment, etc.).

Understanding how many Practices you need to install will help you select between advisors who specialize in assessments and those that provide more comprehensive services.

Step #4: Compare CMMC Consultant Offerings

Finally, once you understand the full scope of CMMC compliance support needed, you can compare the offerings of compliance advisors and assessors. If you’re in the earlier stages of your compliance journey, it likely makes the most sense to seek out a comprehensive, full-suite CMMC partner. Although assessments are the official catalyst to certification, implementation is where the real challenge lies. Working with an advisor will help you install and maintain required controls, ensuring that the assessment proper (self, third-party, or government) is a breeze.

If you’re seeking out an assessment partner, the Cyber AB (formerly CMMC Accreditation Body) is an excellent resource. The Cyber AB is in charge of vetting and accrediting CMMC assessors and maintains a list of certified third-party assessor organizations (C3PAOs) to choose from.

 

Streamline Your CMMC Implementation

If you’re looking for a CMMC consulting partner, you should start by determining the scope of your compliance needs, beginning with if and when you need to comply—and at what level. A gap assessment will help you understand what kinds of support you need, which in turn allows you to compare different service providers’ offerings and select the best fit for your organization.

RSI Security is committed to serving DoD partner organizations. We believe that discipline creates freedom, allowing you to focus on what you do best—supporting the safety of all Americans. To learn more about our CMMC consultant services, contact RSI Security today!

 

Request a Free Consultation

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

What CMMC Certification Level Do I Need?

October 8, 2021

What are the CMMC Level 1 Controls?

August 31, 2020

How to Respond to an Advanced Persistent Threat

April 1, 2021

The Basics of DoD Information Assurance Awareness Training

May 18, 2021

Who are the CMMC-AB and What do They...

May 10, 2021

How to Map NIST Cybersecurity Framework Controls

May 28, 2023

DoD Compliance, Explained: NIST 800-53 Rev 4, 800-171,...

August 10, 2022

Overview of CMMC Level 2 Requirements

December 11, 2020

The DFARS Interim Rule Explained Inside and Out

March 24, 2021

Q&A: The DoD’s Acquisition and Sustainment CISO Talks...

November 10, 2020

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More