Most OSCs will require consulting services to prepare for CMMC assessment. A consultant can determine if your organization is ready for assessment or help discover and remediate any gaps. For these services, you can engage either a C3PAO or a Registered Practitioner Organization (RPO).
C3PAOs frequently provide precertification consulting. Their CMMC expertise makes them valuable in this capacity; however, a C3PAO cannot legally provide both consulting and assessment services to the same OSC. If you choose one C3PAO to help you prepare for an assessment, you will need to choose another to perform the assessment.
Alternatively, you could choose an RPO for consulting. RPOs are registered with The Cyber AB and are knowledgeable about CMMC but have not gone through the rigorous process of being authorized as a C3PAO. They cannot perform assessments, but they can provide preassessment consulting, remediation services, and other CMMC-related guidance. The requirements to become an RPO include ownership by a U.S. person (a citizen or a lawful permanent resident), an organizational background check, and a commitment to comply with The Cyber AB Code of Professional Conduct. The individuals working for them, Registered Practitioners (RPs) and Registered Practitioners Advanced (RPAs), provide these consulting services.
When looking for an RPO, as with a C3PAO, make sure they are listed in The Cyber AB Marketplace. Look for experience with NIST SP 800-171 and other regulatory frameworks. If you are aware of gaps in your own organization, you might want to partner with an RPO that has a strong background in those areas.
CMMC also has requirements for External Service Providers (ESPs), a category of business partner defined in the proposed CMMC rule at 32 CFR Part 170. An ESP is a third-party organization that provides services to a business. Two key types of ESPs relevant to CMMC are Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). An MSP manages a specific aspect of a customer's business, such as website hosting and administration, routine and emergency maintenance and support, or billing and payroll functions. An MSSP is more specialized, providing cybersecurity services such as continuous systems monitoring, firewall and VPN management, threat prevention and incident response, gap analyses and vulnerability assessments, and regulatory compliance support.
MSPs and MSSPs are often confused with C3PAOs and RPOs. Although individual MSPs and MSSPs can be authorized C3PAOs or RPOs, they are not necessarily so. Regardless, MSPs and MSSPs can be helpful in supporting your CMMC journey — as long as you choose your providers carefully. There are clear benefits to engaging MSPs and MSSPs; it can be far more cost-effective to have a third party handle functions that are necessary to your organization but not your core focus, allowing your own staff to concentrate on the product or service that you provide for your customers. However, working with these providers also presents some challenges.
MSPs and MSSPs may need Federal Risk and Authorization Management Program (FedRAMP) authorization if they act as a Cloud Service Provider (CSP): under DFARS 252.204-7012, a cloud service that stores, processes, or transmits Controlled Unclassified Information (CUI) must meet the FedRAMP Moderate baseline or an equivalent standard. Not all MSPs and MSSPs are aware of these requirements, so be careful to find a provider whose security priorities match your own. For MSSPs in particular, you should engage an organization with NIST SP 800-171 expertise. They will understand the level of compliance you need and help you maintain it, and they can help you prepare for an assessment, especially if the MSSP is also an authorized C3PAO or RPO.
When considering an MSP or MSSP, ask for their Shared Responsibility Matrix (SRM). If they do not know what that is, look for a provider that has an SRM and understands what is required to support a company that must meet CMMC Level 2. The provider will need to support you both before and during the actual assessment. Ask for references or case studies from clients similar to your organization that have achieved CMMC compliance. The SRM should map each NIST SP 800-171 requirement at the Assessment Objective level (the objectives enumerated in NIST SP 800-171A), stating for every objective whether the provider, your organization, or both are responsible for satisfying it; any objective with no owner is a gap the assessor will find. Aside from CMMC considerations, you will want a provider who understands your business and is a good fit for your organization.