Why Consult with a CMMC-Registered Practitioner

The Cybersecurity Maturity Model Certification (CMMC) is the major new security standard that companies in the defense industrial base (DIB)—and businesses that work with those companies—need to understand. The U.S. Department of Defense (DoD) has started rolling out requirements for defense contractors to meet some level of CMMC compliance to take on contracts where controlled unclassified information (CUI) is involved.

CMMC divides cybersecurity maturity into three distinct levels that ascend from level 1 to level 3 in order of security. However, many companies may struggle to meet the CMMC certification level that they need to in order to keep working on lucrative government contracts.

To help with this, many companies are turning to managed security service providers (MSSPs). However, not every MSSP is a CMMC-registered practitioner with the training, tools, and skills to help meet CMMC compliance requirements.

What is a CMMC-registered practitioner? What are the benefits of working with one? Why does CMMC compliance matter?

What Is a CMMC-Registered Practitioner?

A CMMC-registered practitioner (abbreviated CMMC RP) is someone who assists organizations in meeting CMMC compliance requirements. The CMMC Accreditation Body (CMMC-AB) states that a CMMC RP “delivers a non-certified advisory service informed by base training on the CMMC standard.”

This does not mean that their training or knowledge of CMMC is deficient. Instead, it means, as stated by CMMC-AB: “They are the ‘implementers’ and consultants, but do not conduct Certified CMMC Assessments. Any references to ‘non-certified’ services are only referring to the fact that an RPO is not authorized to conduct a certified CMMC assessment.”

To become a CMMC RP or registered provider organization (RPO), an individual or organization has to register on the CMMC-AB website and pass the organization’s requirements. A CMMC-registered practitioner must:

• Complete training in basic CMMC methodology;
• Agree to be bound by a professional code of conduct;
• Be able to pass a commercial background check from the CMMC-AB; and
• Possess CMMC awareness in service delivery (i.e. understand how CMMC fits into an organization’s processes for delivering goods/services to customers).

RELATED:  Does Your IT Support Provider Know NIST 800-171?

Why Does CMMC Compliance Matter?

For companies that work in the defense industry, CMMC compliance is a no-brainer. Whether they work directly with the DoD or with other defense contractors, following CMMC standards is a necessary part of business.

Even companies that don’t deal directly with the DoD may want to certify for CMMC cybersecurity maturity because of how it can help grow their business. Being able to demonstrate a certain level of cybersecurity maturity can be an effective way to earn trust from other organizations.

For example, if a security-conscious client is down to a choice of two vendors with similar products/services at a similar cost, the decision may come down to which one can provide more security. In such situations, being CMMC certified for a higher maturity level can be a priceless competitive advantage.

Why You Need CMMC-Registered Practitioner Partners

When looking for a managed service provider (MSP) or MSSP to support your DoD compliance efforts, it’s important to find a partner that is CMMC-registered. These partner organizations will have the knowledge about CMMC requirements to help you better identify any security or compliance gaps that you need to address.

More importantly, they can help you specifically address the 17 domains of CMMC certification so you can meet your desired certification level in the most efficient manner possible. They can also help explain to your company’s board, investors, and other key stakeholders why specific security measures are needed and how they can help.

Additionally, with a CMMC-registered practitioner, you have some assurance that the vendor will follow a professional code of ethics. Every CMMC RP signs and holds themselves to an ethics agreement with the CMMC-AB. If the CMMC-AB gets a complaint about an RP, the accreditation body reserves the right to revoke the RP’s approval—providing some peace of mind regarding the trustworthiness of the service provider.

Of course, you shouldn’t just take a company’s word for it that they have achieved CMMC RP status—anyone can slap a badge on their website and claim they’ve passed the CMMC-AB’s training (at least, until they’re told to take it down). So, it’s important to contact the CMMC accreditation body and verify a potential vendor’s qualifications!

Tips for Improving Your Cybersecurity Maturity

So, say that you want to improve your cybersecurity maturity level as soon as you can. What steps should you take to do this? Some tips for improving your cybersecurity maturity include:

• Checking the Requirements for Your Desired Security Maturity Level. What maturity level are you trying to achieve? For most companies, level 3 certification should be more than enough to work on most common DoD projects. Knowing what the requirements are for your desired maturity level is important for creating a roadmap for achieving that goal.
• Conduct a Gap Analysis. After verifying which level of cybersecurity maturity you need and what the requirements are for that goal, it’s time to assess your current security efforts. Take a look at what security processes, tools, and policies you have in place and see if they meet, exceed, or fall short of your desired cybersecurity maturity level. This gap analysis helps you fill in your compliance roadmap with distinct and achievable actions for every step of the way.

RELATED: How to Perform an IT Gap Analysis

• Document Your Processes and Improvements. If you haven’t already, create a plan of action and milestones (POA&M) document to record the steps you take to improve your cybersecurity maturity. In this document, you should have a list of all your existing security measures, your plans for improving them, and progress reports showing which improvements have been made, their impact on security and operations, and which items still need to be done.
• Schedule an Assessment with a Certified Third Party Assessment Organization (C3PAO). Reach out to the CMMC-AB about getting a C3PAO to come and assess your organization’s cybersecurity maturity. During the assessment, the C3PAO will highlight any outstanding issues that need to be fixed to achieve your desired maturity certification and give you a set time limit to address them.
• Work with an MSSP That’s a CMMC RP. An MSSP that is also a CMMC registered practitioner can be an invaluable resource for finding and fixing CMMC compliance issues in your organization. By combining the information from the CMMC-AB’s training with their experience in cybersecurity, an MSSP with RP qualifications can help you quickly identify key compliance issues and provide you with a plan for getting back on track for increased cybersecurity maturity.
  
  

Need Help with CMMC?

Contact Systems X today to get started! We have experience in helping companies meet critical government cybersecurity standards like NIST 800-171 and have done the training to be a CMMC RP. Are you ready for CMMC? Download the readiness roadmap at the link below: