If you’re not familiar with the Cybersecurity Maturity Model Certification (CMMC), welcome aboard, and read all about it here.
If you do business with the U.S. Department of Defense (DoD), chances are that you have been called, emailed, or directly messaged on LinkedIn about CMMC by now. Not all of these communications are presented in good faith. Those after a quick buck are looking to take advantage of the ecosystem’s infancy and the vast array of messaging coming through all channels. Organizations seeking certification (OSCs) should conduct their own thorough due diligence before engaging a CMMC services provider.
Qualified CMMC vendors are listed by the CMMC Accreditation Body (CMMC-AB), conveniently centralized on its marketplace (https://cmmcab.org/marketplace/). All certification assessments (Level 2) must be performed by a CMMC Third-Party Assessment Organization (C3PAO). Note: certification assessments have not started yet. The only other credible contact would be for a Readiness Assessment performed by a Registered Practitioner (RP) employed by a Registered Provider Organization (RPO) or by a C3PAO.
We here at Monarch ISC, the 7th C3PAO out of 8 (at time of publication), have had the privilege to work with more than a few proactive OSCs that have been working on CMMC readiness from very early on. Their desire to become early adopters is commendable. Early adopter or not, the opportunities in this new “green field” of cybersecurity regulation have predictably attracted opportunists. We have seen first-hand the types of marketing that are circulating frequently.
Scare tactics, facades of expertise, and inflated authority are used to persuade DoD contractors that they are at risk of being out of compliance. One such message, detailed below, highlights the smarmy tactics frequently landing in the inboxes of our partners, and of all organizations in the Defense Industrial Base (DIB) supply chain.
One line reads, “…to inform you of the newest update to the CMMC 2.0 where it is now obligatory for a third-party company to test your standard.” This pitch is problematic on many levels, and is simply not true. Yes, there will soon be an obligation for OSCs seeking Level 2 Certification to be assessed by a C3PAO. However, OSCs seeking Level 1 certification in CMMC Version 2 will self-attest. Again, it is very important to note that there are only 8 C3PAOs currently, and not one of them has performed a certification assessment. In fact, the voluntary period for early adopters seeking to be certified before the DoD completes rulemaking is still several months away. The email continues, “[company x] provides a highly professional service with competitive prices where we can test your current standard and help you receive your CMMC 2.0 update.” Where to begin? OSCs will be assessed for compliance, and they will receive a certification, not an “update.” Read carefully before engaging these charlatans.
It is important to restate that any OSC’s search for a partner to help get ready for CMMC certification should begin at the CMMC-AB’s marketplace. Vendors like this example will not be found there.
Everybody, take a breath. There is time to research and select qualified and certified vendors to help with CMMC readiness and/or get on a list for a legitimate Certification Assessment. Pay no heed to those attempting to use fear and a false sense of urgency to take advantage of the uncertainty.
If you’re looking to get up to speed relatively quickly about all that’s happening, learn the language of the CMMC, and avoid the fraudsters, we strongly recommend OSCs find a Licensed Training Partner, and send a representative through the official Certified CMMC Professional (CCP) course.
Ultimately, the CCP helps maximize the OSC’s home-field advantage. Speaking the CMMC’s native language and anticipating prerequisites can minimize the cost to your organization of achieving compliance and/or certification. The course will strengthen your due diligence superpowers and better enable you to spot something sketchy from a mile away.
The Certified CMMC Professional (CCP) certification empowers OSCs to navigate the CMMC ecosystem. The certification also provides the knowledge to manage the internal side of a certification assessment. Training helps the organization’s assessment go smoothly because staff understand that, at Level 2, all 110 required security practices must be demonstrably performed, documented, and managed.
The Certified CMMC Professional (CCP) training program through Monarch ISC (a CMMC Registered Provider Organization (RPO), Licensed Training Partner (LTP), and C3PAO) leverages decades of field experience merged with the accredited curriculum authorized through the Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB). This one-week, instructor-led, live online training will prepare students for the CCP exam, to be released in October.
John H Rogers, CISSP, CMMC Provisional Instructor, CMMC Registered Practitioner, and candidate Provisional Assessor (pending suitability check), has been a technical trainer since 2002, with information security and cybersecurity subject matter the focus of his training and curriculum development. Rogers has conducted hundreds of training sessions, including end-user awareness training, technical training for IT professionals, leadership and board-level education, and public presentations to wide audiences across the country. Consistently rated excellent in student evaluations, Rogers brings humor, extensive subject matter expertise, and 22 years of field experience as a Senior Cybersecurity Advisor into every session.