The Cybersecurity Maturity Model Certification (CMMC) framework is a new and evolving compliance standard for contractors working with agencies under the Department of Defense (DoD) or select Executive Branch functions.
Much of this framework focuses on the readiness of a contractor to manage risk and security in their IT systems, and the capabilities they have to handle Controlled Unclassified Information (CUI). Since this is such a new framework, however, there is a push to train cybersecurity auditors and managed service providers who can successfully audit contractors in the upcoming years. Accordingly, there are plenty of companies out there advertising that they can provide training for CMMC audits and implementation.
You must vet any organization that claims they can provide authorized instruction or assessments for CMMC authorization.
What is a CMMC Assessment?
CMMC derives much of its ground rules and recommendations from other security documents, namely NIST Special Publications 800-171 and 800-53 as well as ISO/IEC 17020. The latter is most important when it comes to Certified Third-Party Assessment Organizations, or C3PAOs.
C3PAOs are responsible primarily for preparing and assessing contractors in the Defense Industrial Base (DIB) for CMMC certification. These organizations are a necessary part of the compliance process and navigate their partner contractors through areas like certification and continuous maintenance.
The assessors within a C3PAO fall under two general categories:
- Registered Practitioner: A Registered Practitioner is trained in CMMC rules and regulations, and often has experience in other areas of government cybersecurity compliance. They are not, however, certified to actually perform audits. They can only provide non-certified consulting services and advice to their clients.
- Certified Assessor: A Certified Assessor is someone who has undergone the required training, operating under the supervision of the CMMC Accreditation Body (CMMC-AB). Only a certified assessor can provide certified assessments for CMMC certification.
Under the “Certified Assessor” umbrella, there is an additional set of levels that determine what a certified assessor can do:
- Certified Professional: Professionals aren’t assessors in and of themselves. Instead, they are authorized to perform assessments under an established assessor running their team, somewhat like an apprenticeship. Certified Professionals are eligible to become Certified Assessors once they complete examinations.
- Certified CMMC Assessor Level 1: Level 1 assessors can complete Maturity Level 1 (ML-1) assessments and can manage teams conducting ML-1 assessments.
- Certified CMMC Assessor Level 2: Level 2 assessors can complete Maturity Level 1, 2 and 3 assessments and manage teams conducting these assessments. After 15 completed assessments, Level 2 assessors can complete examinations to become Level 3 assessors.
- Certified CMMC Assessor Level 3: Can conduct and direct assessments at any maturity level.
Each stage of assessment requires a specific examination and accreditation by the CMMC-AB.
What is the Problem with Unauthorized Trainers?
Currently, the CMMC-AB is finalizing its series of training exams for each training level, called CCA-1, CCA-2 and CCA-3 (for Assessor Levels 1, 2 and 3, respectively). Registered Practitioners likewise complete basic CMMC-AB training and registration before becoming fully registered practitioners.
That being said, many fly-by-night “security” operations are claiming that they provide both assessment services and training for CMMC assessors. This raises significant problems, both for potential C3PAOs (and their assessors) and for the firms relying on those C3PAOs for certification.
Understandably, the problems begin to trickle down to the contractor:
- An unauthorized trainer provides “instruction” to a security company that wants to become a C3PAO and get listed on the marketplace. Most likely this occurs because the security firm doesn’t understand the process (since it is so new) or the fraudulent trainer represents themselves as something they are not.
- This same company might advertise itself as capable of conducting CMMC assessments to DIB contractors. Again, through misunderstanding and misrepresentation, this agency pushes their clients through unauthorized assessments.
- A contractor, whether through an unauthorized C3PAO or an unauthorized CMMC trainer and assessor, is out thousands of dollars.
Cost is a major issue. One of the stated goals of the CMMC framework is to make it accessible to enterprise companies and SMBs alike. Since CMMC is relatively new, it’s hard to determine just how much it will cost to get an assessment with a remediation plan. Prepared agencies familiar with, and adhering to, NIST 800-171 regulations might see their consultation and gap analysis range between $25,000 and $45,000. If your company isn’t as mature, costs can rise to $100,000 for a complete overhaul. And that doesn’t include further consulting and implementation costs for technologies like compliant cloud platforms or office suites (like moving to a 100% compliant Office 365 or Google Workspace setup).
Working with an unauthorized organization can set your company back severely if you are paying these costs with nothing to show for it. An organization that conducts an assessment or training without the proper credentials isn’t licensed to do so, and any further application for CMMC certification will ultimately be rejected on these grounds.
Work with Lazarus Alliance for Proactive Audits and Consulting
Lazarus Alliance is currently undergoing CMMC ML-3 examination and will shortly be one of the first agencies in the country to provide critical CMMC assessments for IT companies in the DoD supply chain.
More importantly, we are a veteran-owned and operated cybersecurity company with decades of collective experience in several regulated industries, including serving as a certified 3PAO guiding CSPs to their ATO status under FedRAMP guidelines.
If you are a company that wants to enter the federal or DoD contracting space, call 1-888-896-7580 to discuss your organization’s compliance needs.