6 Questions To Ask Before Choosing a CMMC RPO


    CMMC requirements are set to appear in contracts in Spring 2023, and companies in the Defense Industrial Base (DIB) are searching for Registered Provider Organizations (RPOs) that can help with CMMC assessment preparation. An RPO's role is to advise companies on how to implement CMMC practices to meet the requirements that the Department of Defense (DoD) will establish.

    A full CMMC 2.0 Level 2 implementation and adoption takes around 8-12 months for an organization of 50-100 people, and choosing the right RPO to help can make your compliance journey much more successful. This blog provides six questions you need to ask before choosing a Cyber-AB accredited RPO.

    1. Do they have a Shared Responsibility Matrix mapped to the NIST 800-171A Assessment Objective Level for their services? 

    CMMC 2.0 Level 2 requires DoD contractors and those handling sensitive data (CUI/CDI/CTI/ITAR) on behalf of the DoD to define obligations and responsibilities when using external service providers. A Shared Responsibility Matrix (SRM) helps explain the responsibilities of external service providers, like Summit 7, and organizations seeking certification (OSCs) for successful CMMC assessments.


    Ensure the SRM is mapped to NIST 800-171A to identify complete responsibility mapping.


    2. Are they planning to get a CMMC 2.0 Level 2 certification? 

    A CMMC 2.0 Level 2 certification will prove that an RPO has gone through the same process you will have to go through at assessment time, which helps them know what questions assessors will ask and, in turn, better prepares them to pass the CMMC L2 assessment. Although not required of an RPO, it speaks to their willingness to understand every aspect of the CMMC process, which will help prepare your business for this assessment.

    *CMMC Assessments are not currently available at the time of this writing.  

    3. Do they have any experience walking customers through DoD DIBCAC Assessments based on NIST 800-171A requirements? 

    As we wait for CMMC Assessments to officially open, the next best thing is to ask your RPO if they've gone through DIBCAC assessments with their current customer base. This is the DoD's assessment against NIST 800-171A, whose requirements are the exact requirements of CMMC 2.0 Level 2. An RPO's team must be able to speak to an assessor/auditor from the DoD or a CMMC C3PAO about how their environment is configured for the services they provide for you as a customer. If they do not have experience with keeping documents and gathering artifacts for these assessors/auditors, they open you up to more risk of not being able to pass an assessment.

    4. Do they have a Cyber Insurance Policy? If so, is the coverage amount acceptable to your business? 

    External Service Providers (e.g., MSP, MSSP) are prime targets for cybercriminals. Cyber insurance with appropriate coverage ($15M+) protects you against incidents that may cause the ESP financial harm. Additionally, having an ESP that is insured is invaluable if an incident were to occur.

    5. Are the RPO's administrators US Persons located inside the United States? 

    This is a critical consideration for an RPO with access to specified Controlled Unclassified Information (ITAR/NOFORN/etc.). Your business could be in danger of unauthorized access and of having to file a breach report, which could result in fines or even jail time. Having administrators that are U.S. persons and located in the United States limits the risk of specified CUI being exposed to non-authorized individuals.


    6. Do they have customer references they would be willing to share that have gone through similar services? 

    Customer references give an RPO more credibility in the marketplace. Being able to validate a company's past performance with a similar OSC will provide you with the proper due diligence to move forward with your decision. Conversely, if an RPO cannot provide you with past customer references, it might indicate they do not have the experience needed and can put your company at risk of failing an assessment.



    These six questions focus on a few major themes that you can keep in mind while searching for a Registered Provider Organization:


    • Experience: Rulemaking for CMMC requirements is projected to be completed in March 2023. This means these requirements could start showing up as soon as Q1/Q2 of 2023. You must be careful of "get compliant quick" schemes that several organizations are promising and failing to meet. Asking these questions will help you identify the RPOs that are just trying to make a quick buck. If you choose the wrong RPO, it could lead to the failure of your CMMC assessment and potentially eliminate your future business opportunities in the DoD contracting space.


    • Compliance: You want to make sure you are working with an RPO that not only "talks the talk" but also "walks the walk." Since there aren't required assessments for RPOs, only C3PAOs, they need to be able to demonstrate their current compliance state to you. A great way to assess this is to ask if they've submitted to SPRS via DFARS requirements, or have an active SSP/POAM.  


    • Risk Mitigation: Due to the sensitive nature of Controlled Unclassified Information, especially concerning NOFORN / Export Control, it's essential to ensure background checks and U.S. citizenship validation are considered in your RPO's organization, even more so if they will be directly working on your project. On top of that, you'll want to ensure they have an active and tested Incident Response Plan. That, paired with a Cyber Insurance Policy, mitigates a significant risk for your organization when partnering with a CMMC RPO.

    To discuss CMMC compliance in greater detail, learn how your organization can leverage Summit 7's CMMC security and compliance solutions, or speak with a member of the Summit 7 team, you can contact us here.

