Finding the best CMMC consultant for your organization comes down to four steps:
- Determining if and when you need CMMC certification
- Identifying the appropriate CMMC Level and requirements
- Assessing your readiness with gap assessments
- Comparing various CMMC service providers
Step #1: Determine if You Need to Comply (and When)
First, you’ll need to understand whether you even need to achieve Cybersecurity Maturity Model Certification (CMMC). CMMC is designed to streamline several regulations from the National Institute of Standards and Technology (NIST) for Department of Defense (DoD) contractors.
Namely, CMMC exists to unify security controls for two protected kinds of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). If your organization currently processes or anticipates processing FCI or CUI, then you’ll likely need to become compliant.
Your current or future contracts from the DoD will specify as much, along with which CMMC Level you need to reach—and by when. Those factors should help you decide between CMMC consultants based on their capacity for assessments and proposed timeline to compliance.
Step #2: Understand Your CMMC Level Requirements
Once you’ve determined that you need to comply, you should also look into which Level will be required for your DoD contract. Organizations working with FCI exclusively will likely need Level 1, whereas those that come into contact with CUI will likely need to reach Level 2 or Level 3.
When selecting a partner, seek out one equipped to help you meet the requirements at:
- CMMC Level 1: Foundational – Focused on safeguards for FCI, Level 1 requires implementing 17 Practices from NIST SP 800-171 and annual self-assessments.
- CMMC Level 2: Advanced – Focused on both FCI and CUI, Level 2 requires 110 Practices, covering all of NIST SP 800-171, and triennial third-party assessments.
- CMMC Level 3: Expert – Focused on CUI, Level 3 requires implementing an as-yet undetermined set of practices from NIST SP 800-172 and triennial government audits.
Another factor here is determining which assets are in-scope for your Level. The DoD provides Level 1 and Level 2 scoping guidance, which focus on FCI and CUI, respectively. CMMC Level 3 scoping is undetermined, but it is likely to mirror that of Level 2 with a greater focus on threats.
Understanding what Level you need to achieve will help you target CMMC services catered to it.
Step #3: Perform Gap or Readiness Assessments
Next, your organization should determine how much help you’ll actually need to get to where you need to be for DoD compliance. Performing gap or readiness assessments that mirror certification audits will help you determine the scope of CMMC compliance support needed.
For example, consider the requirements of a CMMC Level 1 Self-Assessment:
- Level 1 Access Control (AC):
  - AC.L1-3.1.1: Authorized access control
  - AC.L1-3.1.2: Transaction and function control
  - AC.L1-3.1.20: Control external connections
  - AC.L1-3.1.22: Control public information
- Level 1 Identification and Authentication (IA):
  - IA.L1-3.5.1: Identification controls
  - IA.L1-3.5.2: Authentication controls
- Level 1 Media Protection (MP):
  - MP.L1-3.8.3: Secure media disposal
- Level 1 Physical Protection (PE):
  - PE.L1-3.10.1: Limit physical access
  - PE.L1-3.10.3: Escort visitors securely
  - PE.L1-3.10.4: Maintain access logs
  - PE.L1-3.10.5: Manage physical access
- Level 1 System and Communications Protection (SC):
  - SC.L1-3.13.1: Maintain boundary protections
  - SC.L1-3.13.5: Separate public access systems
- Level 1 System and Information Integrity (SI):
  - SI.L1-3.14.1: Remediate identified flaws
  - SI.L1-3.14.2: Protect against malicious code
  - SI.L1-3.14.4: Update malicious code protections
  - SI.L1-3.14.5: Scan systems and files regularly
If you have these in place already, you are well-positioned to achieve Level 1 certification. But Level 2 assessments add on 93 additional Practices, including several in new Domains not assessed at Level 1 (i.e., Incident Response, Maintenance, Security Assessment, etc.).
Understanding how many Practices you need to install will help you select between advisors who specialize in assessments and those that provide more comprehensive services.
Step #4: Compare CMMC Consultant Offerings
Finally, once you understand the full scope of CMMC compliance support needed, you can compare the offerings of compliance advisors and assessors. If you’re in the earlier stages of your compliance journey, it likely makes the most sense to seek out a comprehensive, full-suite CMMC partner. Although assessments are the official catalyst to certification, implementation is where the real challenge lies. Working with an advisor will help you install and maintain required controls, ensuring that the assessment proper (self, third-party, or government) is a breeze.
If you’re seeking out an assessment partner, the Cyber AB (formerly CMMC Accreditation Body) is an excellent resource. The Cyber AB is in charge of vetting and accrediting CMMC assessors and maintains a list of certified third-party assessor organizations (C3PAOs) to choose from.
Streamline Your CMMC Implementation
If you’re looking for a CMMC consulting partner, you should start by determining the scope of your compliance needs, beginning with if and when you need to comply—and at what level. A gap assessment will help you understand what kinds of support you need, which in turn allows you to compare different service providers’ offerings and select the best fit for your organization.
RSI Security is committed to serving DoD partner organizations. We believe that discipline creates freedom, allowing you to focus on what you do best—supporting the safety of all Americans. To learn more about our CMMC consultant services, contact RSI Security today!