When you engage a consultant to guide you through CMMC compliance, you'll lessen your stress load: they'll walk you through the steps toward submitting your self-assessment and, ultimately, prepare you for your audit.
That doesn’t mean, however, that it will be off of your plate entirely. On the contrary, your participation and ownership of the process are vital to your success.
Getting an idea of how you’ll work with a consultant who is also a CMMC Registered Practitioner will help you to set expectations for the role you play.
The key benefit you’ll receive from working with your consultant is that they’re going to remove the guesswork. Even though you’ll have work to do, you’ll save time and frustration whether you have no idea what to do, or if you just need another set of eyes to verify that what you’re doing will indeed meet regulations.
9 Tasks and Responsibilities You Can Expect To Fulfill When Working With a CMMC Consultant:
1. Identify the Controlled Unclassified Information (CUI)
The very first question your CMMC consultant will ask you is – where is the data that you need to protect?
This might be easy to pinpoint, but in many cases, it’s difficult because it hasn’t been properly marked by your customer. If that’s the case, you’re going to have to go back up the supply chain and ask your customer to identify the CUI.
2. Document Collection
The next thing that your Registered Practitioner will do is ask you to gather all of the documents you have that can support your security controls. This will include technical and non-technical security policies, network diagrams, process information, and even training materials.
What you come up with will set the context for everything else that follows.
3. Share Knowledge of Business Operations
CMMC compliance is not only concerned with where CUI is stored, but how it flows through your organization. Expect to inform your consultant about business processes and who touches the CUI in every phase – from order entry to shipping.
4. Provide Access to Your Systems
Your CMMC consultant is going to need to review your network using their tools. They’ll be doing visual checks to verify controls by logging into your system.
When you get to the Remediation Plan stage, they'll need to know the layout of your network in order to recommend how to segment it so that CUI is isolated from the rest of your systems.
5. Provide Access to People
While you may be the main point of contact and source of information, your CMMC Registered Practitioner is going to need to talk to others in your organization to learn about business processes and how policies are implemented – or if they’re being implemented at all.
They’ll likely spend some time with HR or your training manager to find out how policies are trained and enforced.
6. Provide Access to Your Facility
Expect to have at least one onsite visit from your CMMC consultant.
They’ll do a walk-through to observe how the CUI moves through your organization. They’ll check any physical security components like locks, logs, and security cameras. They’ll assess how your policies for physical security are meeting requirements.
7. Make Decisions
As your Registered Practitioner takes you through the Remediation Plan phase, they'll be compiling options for how you can close security gaps. You'll need to document two pieces of evidence that you're meeting each control, and it will be up to you to pick which options you want to use.
When it comes to policies, your consultant can provide you with templates to get you started, but you’ll have to make the final decision on how the template will be customized to meet your unique business, or if you need to change your business operations to satisfy the control.
8. Manage and Monitor the Ongoing Compliance Process
While it might be tempting to set your sights solely on passing your CMMC assessment, compliance (and cybersecurity as a whole, for that matter) is an ongoing process. You'll need to make sure that your business is actually using the practices and processes that you have documented for each security control.
When the day of your assessment comes, the assessor will be looking to see whether each control has been in place over time; they're not just going to be looking at your evidence. They'll examine several different parameters to determine the effectiveness of each control.
9. Submit the Self-Assessment and Interact with the Assessor
The role of your CMMC Registered Practitioner is to help you prepare for your assessment. They can’t submit your documents for the self-assessment, and they can’t act on your behalf when the assessor visits.
One exception would be if the company that your Registered Practitioner works for is also your IT support company. In that case, they could answer questions that have to do with the services they provide.
Ultimately, you'll be the representative for your company.
Need a CMMC Consultant to Guide the Process?
If you're a company in the Department of Defense supply chain and you need help interpreting and complying with the Cybersecurity Maturity Model Certification (CMMC), we're here to help.
VC3 is a Registered Provider Organization with several Registered Practitioners on staff. We help organizations across the nation navigate the intricacies of CMMC and create a path to successful compliance.