As the Defense Industrial Base edges closer to seeing CMMC requirements in contracts, here are twelve quick pointers regarding what to look for when seeking a C3PAO company and what to expect (or look out for) when discussing your CMMC assessment.
C3PAOs
1. If a company or person offers consultation to your organization regarding CMMC compliance, that same company or person cannot conduct your assessment. Similarly, the same person or company cannot offer remediation services if they have conducted or will conduct your assessment.
2. Make sure your C3PAO is listed on the CyberAB marketplace. If the company is not listed as a C3PAO in this location, they are not yet an authorized C3PAO.
3. You should begin speaking with a C3PAO several months before you are assessment ready. This is to ensure you can schedule your assessment on your desired timeline instead of being added to a long line of waiting organizations.
4. Flat pricing is typically not feasible in this space. Pricing is based on a number of factors ranging from scope, the number of employees, the number of sites, and the complexity of the scope, to name a few. Exercise caution if a company says they offer flat pricing and ask a lot of questions.
Assessments
1. If you are working with an MSP to help with your compliance, they also need to be part of the assessment. If you are working toward a level 2 CMMC certification, your MSP also needs to be certified to the level 2 specifications.
2. Make sure you and your MSP have a shared responsibility matrix in relation to the 320 NIST SP 800-171r2 objectives. This will help ensure nothing slips through the cracks.
3. Documentation is key. Screen captures made a month or two prior to the assessment will not be beneficial. Part of the assessment is showing that the documentation exists and is readily accessible.
4. Setting your assessment scope is perhaps the most important step in preparing for a CMMC assessment. The smaller the scope, the less time it will take to complete the assessment. However, the scope must include all people and devices that handle, store, or transmit Controlled Unclassified Information (CUI).
5. Make sure the tools you are using are properly certified. For example, any cloud-based tools should be FedRAMP certified or FedRAMP equivalent.
6. If you are not sure you are ready for your assessment, conduct an internal assessment first. Ask your C3PAO about a pre-assessment, which gauges your organization's readiness without completing the official assessment process.
7. Most importantly, remember that the world of C3PAO services is quite new and competition is high. If a company offers you something either in terms of pricing or timing that sounds too good to be true, it probably is. Due diligence and asking questions will go a long way to ensuring the success of your assessment.
CMMC Questions?
Learn more about our C3PAO services and feel free to contact us with any questions.