CMMC certification is a third-party assessment that must be performed by a CMMC Third-Party Assessment Organization (C3PAO). C3PAOs are accredited by the CMMC-AB and can be verified in the CMMC-AB marketplace.
Registered Provider Organizations (RPOs) and Registered Practitioners (RPs) are trained resources registered with the CMMC-AB to provide non-certified consultative services. RPOs and RPs are not permitted to perform the official CMMC certification assessment; that assessment must be completed by a third party free of any conflict of interest, so the organization that helped you prepare cannot also assess you. Silotech recommends verifying a C3PAO's listing before selecting it and paying for a certification assessment.
RPOs are organizations that have been reviewed and verified by the CMMC-AB and that operate in accordance with the code of ethics set forth by the CMMC-AB. RPOs can be verified at CMMC-AB and should display the RPO badge on their website, email signatures, and social media profiles.
Who is CMMC for?
Cybersecurity Maturity Model Certification (CMMC) applies to all DoD contractors, prime or sub, in the Defense Industrial Base (DIB) that store, process, or transmit Controlled Unclassified Information (CUI). If your organization does not handle CUI but does possess Federal Contract Information (FCI), it must comply with FAR clause 52.204-21 and be certified at a minimum of CMMC Maturity Level (ML) 1.
Companies that solely produce Commercial-Off-The-Shelf (COTS) products are exempt from CMMC certification.
Why is it important? How will it impact my business?
Cybercrime is estimated to cost the global economy over 600 billion dollars annually, and according to statista.com the Federal Government lost over 13.74 billion dollars to cybercrime in 2018. This impact has driven the DoD to rethink how it manages cybersecurity risk across its supply chain. Its response is CMMC, which requires prime contractors and subcontractors to be independently certified by C3PAO assessors rather than self-attesting to compliance.
CMMC certification is a third-party verification of the controls, policies, and processes your organization actually operates. Each ML requires a different set of practices, and any required practice that is not supported by evidence presented to the assessors is scored as not met, so the organization will not be certified. Each ML also has its own assessment process, so make sure your organization knows the ML its contracts require, is prepared for that ML's assessment, and has evidence on hand (for example policies, system configurations, logs, and records of periodic reviews) to prove each practice is in place and operating as expected.
Many organizations are still trying to understand the CMMC process, and cutting through the confusion around this regulation can be a hassle. Do not wait to start your CMMC journey: delaying certification can cost you the ability to compete for Government contracts. In 2020, 15 contracts are projected to require CMMC at identified MLs, and the requirement will apply to both prime contractors and subcontractors. Do not let a missing certification be the reason your organization stops growing once CMMC is enforced. Lastly, CMMC guidance suggests operating at your ML for 6 months before scheduling your assessment, so that practices that must be performed periodically, such as log reviews and vulnerability scans, have produced a record. This gives your organization the best chance of having all the evidence necessary for your ML.
The CMMC lifecycle begins with recognizing that most organizations need expert assistance to work through CMMC certification.
A good starting point is the CMMC-AB marketplace at CMMC-AB, where you can search for a CMMC provider in your area by name, city, or state. The CMMC-AB provides this tool so organizations can confirm they are working with properly trained companies. When you reach out to an RPO, check that it has RPs attached to its marketplace profile; this can also be verified at CMMC-AB.
The CMMC-AB requires that an RPO has been vetted, verified, and confirmed as an organization trained to perform self-assessments, has RPs attached to it, and has been provided with the latest information on CMMC requirements as they pertain to obtaining independent certification.
What do I do?
Find a trusted RPO advisor who can advise you on your next steps
Research your advisor at CMMC-AB to confirm it has met the criteria to be an RPO and is listed in the marketplace
Confirm the RPO has an RP who has been trained by the CMMC-AB and is attached to that RPO
Following these steps ensures you are working with resources trained by the CMMC-AB
What can Silotech do to help?
Silotech is an RPO and can be found in the CMMC-AB Marketplace.
Our RPs follow these basic steps:
Self-assessments
Remediation (POA&M)
Schedule C3PAO Assessment (as needed)
Audit preparation
As an RPO, we will assist and support your organization in identifying gaps against your required maturity level. Silotech can:
Help you understand which practices are currently met, which are planned, what must be prepared for, and which are not applicable to your environment
Identify gaps and create a Plan of Action and Milestones (POA&M) to track and manage the remediation process
Manage and provide hands-on remediation for any deficiencies documented in the self-assessment
Want to learn more?
Cybersecurity Maturity Model Certification (CMMC) is a new framework developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment to protect the DoD supply chain, which currently faces significant cybersecurity risk.
CMMC Essential Knowledge
Previously, NIST SP 800-171 alone was used to reduce cybersecurity risk across the Defense Industrial Base, with contractors self-attesting to compliance. That approach is flawed because it treats cybersecurity as a one-size-fits-all solution. Cybersecurity is not one-size-fits-all and should not be managed as such: data must be protected in proportion to the sensitivity of the Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) involved. CMMC therefore defines three levels built on NIST SP 800-171 and NIST SP 800-172 and scaled to the sensitivity of the data handled. Level 1 covers the basic safeguarding requirements of FAR 52.204-21 for FCI, Level 2 aligns with NIST SP 800-171 for CUI, and Level 3 adds a subset of NIST SP 800-172 for the most sensitive programs.