Joe Spritzer’s construction company would like to start doing business with the DoD.  The company has no cybersecurity policies or controls in place.  Where does Joe start?  The first thing is to understand the major players in the CMMC program:

Organizations Seeking Assessment

These are companies like Joe’s construction company that need to get third party assessments to certify that they meet the cybersecurity requirements of the CMMC program.  

Implementation Consultants

Consultants who specialize in CMMC implementation are generally a critical component of a certification effort.  They understand the detailed requirements and how assessors interpret them.  They understand network architectures appropriate for implementing a compliant system.  And they understand business processes and governance, so that a CMMC compliance program can be woven into solid management practices, quality control mechanisms, and compliance frameworks such as ISO 9001.  Each company operates differently, so implementation is always a custom effort.  Implementation consultants can be Registered Practitioners (RPs) or may hold CMMC Certified Professional (CCP) or CMMC Certified Assessor (CCA) certifications.  Each of these choices has advantages and drawbacks, and choosing the right implementation consultant is critical to an organization’s certification effort.  So, be careful.

Implementation consultants are not a requirement.  But few companies have the in-house expertise or budget to train people to fill this role.  Therefore, most companies should be using an implementation consultant.

Managed Service Provider (MSP) and Managed Security Service Provider (MSSP)

MSPs handle general IT management, ensuring the foundational systems are in place and operational. They purchase software licenses and configure the software and networks to meet the organization’s unique needs.  Configuration is complex, detailed, and time consuming.  So, it’s best to leave the job to specialists like MSPs.  

MSSPs focus on advanced security and compliance, providing expertise in detecting, preventing, and responding to cybersecurity threats.  Don’t kid yourself – doing this in-house is a time-consuming job for, at least, a dedicated specialist.  So, don’t expect MSSP services to be cheap, unfortunately.

In many cases, MSP and MSSP services are provided by the same company. Just like with consultants, CMMC does not require organizations to use an MSP/MSSP.  However, most organizations will find using an MSP/MSSP to be much less risky and usually cheaper overall. 

Certified Third-Party Assessor Organization (C3PAO)

This is the only outside group that Joe is required to engage; the consultants and MSP/MSSPs above are optional.  C3PAOs are independent entities that assess organizations to ensure they meet the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) standards.
