February 1, 2021
Good morning, everyone!
Choosing the best people/organization(s) to help you achieve compliance
I’m sure most of you have been contacted – if not inundated – by people and organizations that want to help you achieve your CMMC certification. How do you choose? In this issue, I’ll discuss the CMMC-AB Code of Professional Conduct (CMMC-AB CoPC), which has a lot to say about what CMMC professionals can and cannot do.
First, let me state clearly: There are NO official CMMC assessments happening now, nor in the immediate future. While there are now 41 C3PAOs in the CMMC-AB Marketplace, none of them are certified yet. They must achieve their own CMMC Maturity Level 3 (ML3) certification before they can begin conducting assessments. Their official assessments will be performed by DCMA DIBCAC, and those are expected to begin in March. The first assessments will be conducted only on contractors chosen for the pilot contracts, not the general public.
The CMMC Accreditation Body (CMMC-AB) has developed identification badges for individuals and organizations who have become credentialed by the CMMC-AB, with specific rules for their use.
For example, I am a CMMC-AB Registered Practitioner (CMMC-RP) and I have the right to use this badge to identify myself as such. Any time I use this badge digitally, I must set a hotlink to my entry in the CMMC-AB Marketplace, so that my credentials and status may be immediately verified. When I use this badge on printed materials, they must state, in at least a 10pt font, “Visit cmmcab.org to validate”.
My company, The Net Effect, is a CMMC-AB Registered Provider Organization™ and that exact phrase must be included wherever the badge is used. When used digitally, the badge must hotlink to TNE’s entry in the CMMC-AB Marketplace, again, so that our credentials and status may be immediately verified.
Nothing can be free (not even super cheap)
I recently received an email from a fellow CMMC-RPO offering me a free CMMC Level 1 Gap Report. Oops! That looks like a violation of the CMMC-AB CoPC section 3.1.7:
"Do not misrepresent your organization, such as selling services for which you are not authorized to deliver, falsifying records or experience, or proposing fees that are far below the level of effort that is required." (emphasis added)
Free is definitely far below the level of effort needed to perform a gap analysis.
No guarantees are permitted
If someone promises you they can “guarantee” you will pass your CMMC assessment with their assistance, step away. Two reasons:
- Section 3.1.11 of the CMMC-AB CoPC states:
“Do not make guarantees of assessment results. This includes guarantees that an Organization will succeed in their assessment if they engage with a credentialed individual or authorized organization, or the offer of a 'money back' guarantee.”
- Certified Assessors (CA) have great leeway to interpret the requirements and how organizations have implemented them. It is impossible to guarantee that any CA will approve everything done in any organization.
Consulting & Assessing are mutually exclusive for any single OSC
For each Organization Seeking Certification (OSC – that’s you), any CA and C3PAO must decide whether they will help this OSC prepare for its official assessment, or whether they will perform this OSC’s official assessment. They cannot do both. “Consulting” even includes giving advice during the actual assessment, which is strictly forbidden. The CA and his/her team members may only comment on whether a requirement is MET or NOT MET, not how it could be met, nor any other advice on correcting deficiencies. The CMMC-AB has said repeatedly they will be very strict in reviewing assessment reports to be certain the C3PAOs and CAs are not crossing this line.
Do your homework
Finally, before engaging an RPO or C3PAO, do your homework! After verifying their CMMC-AB credentials, look at their website. Do they look serious? Professional? How is the CMMC mentioned on their website? Is it an afterthought, an extra service tacked on to their standard offerings, or does it align with their core business? Have they been around a while? Do they seem experienced?
Ask for references. Even though the CMMC is brand new, any RP should have years of experience working with other compliance standards – DFARS 7012 of course, but also PCI DSS, HIPAA, GLBA, ISO, etc. Ask them about their experience, their typical client, and ask to speak with a few that are similar to you.
PS -- If you enjoy these updates, you might also enjoy my weekly newsletter "Cyber Security News & Tips" -- sign up now!