As the Defense Industrial Base edges closer to seeing CMMC requirements in contracts, here are twelve quick pointers regarding what to look for when seeking a C3PAO company and what to expect (or look out for) when discussing your CMMC assessment.
C3PAOs
1. If a person offers consultation to your organization regarding CMMC compliance, that same person cannot conduct your assessment.
2. Make sure your C3PAO is listed on the CyberAB marketplace. If the company is not listed as a C3PAO in this location, they are not yet an authorized C3PAO.
3. You should begin speaking with a C3PAO several months before you are assessment ready. This is to ensure you can schedule your assessment on your desired timeline instead of being added to a long line of waiting organizations.
4. Pricing depends on a number of factors, including the scope, the number of employees, the number of sites, and the complexity of the scope, to name a few. Be wary of companies that do not ask detailed questions before quoting your assessment.
Assessments
1. If you are working with an MSP to help with your compliance, you need to determine how much access to your CUI data they need to do their job. If they have access to the CUI data, the CSP, its people, and their processes become part of the assessment scope.
2. Make sure you and your MSP have a Customer Responsibility Matrix (CRM) in relation to the 320 NIST SP 800-171r2 objectives. This will help ensure nothing slips through the cracks.
3. Documentation is key. Screen captures should be able to be recreated in real time (or at least close approximations).
4. Setting your assessment scope is perhaps the most important step in preparing for a CMMC assessment. The smaller the scope, the less time it will take to complete the assessment. However, the scope must include all people and devices that process, store, or transmit Controlled Unclassified Information (CUI).
5. If you are using a cloud service provider (CSP) to process, store, or transmit CUI, they must be either FedRAMP moderate (or higher) authorized or equivalent.
6. If you are not sure you are ready for your assessment, proceed with an internal assessment first. Ask your C3PAO about conducting a pre-assessment, which will take the temperature of your organization while not completing the official assessment process.
7. Most importantly, remember that the world of C3PAO services is quite new and competition is high. If a company offers you something either in terms of pricing or timing that sounds too good to be true, it probably is. Due diligence and asking questions will go a long way to ensuring the success of your assessment.
CMMC Questions?
Learn more about our C3PAO services and feel free to contact us with any questions.