Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Do You Need A Third Party CMMC Assessor?
Quick Take
On this episode of Compliance Unfiltered, Adam gives you the inside track on which organizations will need a third party CMMC assessor. If you’re still getting your arms around CMMC, this conversation will give you a good understanding of the term C3PAO and why it matters.
Curious if a C3PAO is for you? Wondering how long a CMMC Assessment will take? All those answers and more, on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the high to your compliance five, Mr. Adam Goslin. How the heck are you, sir? I’m doing great, Todd. How about yourself? Man, I cannot complain. I cannot complain at all. And today we’re going to talk about something that I know a lot of the listeners out there probably have some questions about if they play in a particular space. And that is today we’re going to talk about whether or not you need a third-party CMMC assessor. So tell me just at a high level about the decision on whether or not you can self-assess or you need an assessor.
So in the CMMC space, it has made life interesting for government suppliers and contractors, trying to get their arms around the standard. There’s a lot of ways it’s not like other certs. And there’s all sorts of things, weird scoring systems and three levels of maturity. There’s self-assessment, third-party possible paths you can go down. So which one do you need? Well, the answer is it depends. You might need one or the other. You likely would need to do both, certainly to prepare for your assessment. And on top of that, at the end of the day, DOD may have their own questions, you know, that they want to gain validation, affirmation on, etc, you know, as you’ve gone through the process. So, you know, it sounds pretty confusing, but, you know, the question of self-assessment or third-party assessment is well-defined once you get into the specifics of the contract that you’re actively bidding on is really where the, you know, where the information is going to end up originating from.
Now, for those listening that don’t already know, what exactly is the C3PAO? And no, it’s not a shiny gold guy. You broke out a little bit on that, but the C3PAO, and agreed, not the shiny gold guy. Although there’s a lot of people that mess this one up, go figure. You know, you know what? You want to know, it would be amazing, Todd, if in the security and compliance space we could get even more acronyms.
I think that would be outstanding. No, my gosh, yeah, I hear it’s, it’s actually funny. You’ll hear people griping and, you know, griping and bitching about, you know, how many acronyms there are below a block. It’s like, hey, listen, you want to, you want to, you want to know about the pain of acronyms? You know, then, you know, just be, be in the, in the position of having to, you know, constantly be faced with new certs and new industry standards and new realms and new things getting added and dah, dah, dah, dah. You know, the, the only consolation, I suppose, is that for many organizations they’ll need to get their arms around the acronyms related to one, two, three, five, you know, different certifications. But yeah, it gets a lot more entertaining when you’re, when you’re exposed to a ton of them. But anyway, the, the third-party assessor in the CMMC space must be a CMMC third, third party assessment organization, aka C3PAO. So that’s where the acronym comes from. So to qualify as a third-party assessor, the organization needs to be authorized by the CMMC Accreditation Body, or AB. And so many of the organizations that are, you know, kind of seeking compliance would also benefit from some type of a consultant. The consultants in the space are known as registered provider organizations, or RPOs. So the RPO helps you prepare for the third-party assessment, and the C3PAO actually conducts the assessment. So the C3PAO may also be an RPO, but they can’t act as both the C3PAO and RPO for the same client due to obvious conflicts of interest, if you will. Yeah, that makes sense. So there’s actually a directory of authorized C3PAOs on the Cyber AB Marketplace that folks can go to. We actually have this particular topic we’ve got also as a blog entry. So if you go in and do a search, you’ll see it there. And we’ve got links to a lot of these, a lot of these various organizations and things that we’re talking about on here. There’s a bunch of links within that blog article as well.
So if you’re interested in getting ahold of the links, just head over to the TCT website at gettct.com and then go to the blog section and look for things related to CMMC and specifically where they have to self-assess or go through a third party audit. But yeah, they’ll be able to go ahead and get those links there.
Okay, so I guess maybe one common question that we should answer is, do all organizations need a C3PAO? Well, the question of a self-assess or third party is based on the requirements as defined in the contracting process with the Department of Defense. So it really comes down to the sensitivity of the data that the bidding organization is going to have access to. The more sensitive the data, then the greater the chances you’re gonna have to go through a third party assessment with the C3PAO. So if you aren’t touching sensitive data at all, then the chances are greater that you’ll be able to go through a self-assessment for CMMC. But really, whether you go down one path or the other, it’s really driven by the contracting requirements as set by DOD. They’ll spell it out in there, whether or not you need to head down one route or another. And in addition, it’s another thing for organizations to keep in mind is that they could be going through and bidding on multiple contracts simultaneously. And so, if I’m bidding on one contract that only requires a self-assessment, but I’m bidding on other contracts that are requiring that I’ve gone through the audit, really what I would encourage organizations to do is look across the kind of the compendium of both services that they’re provisioning, as well as the various contracts that they’re bidding on, kind of figure out what is at the top of that food chain. Because if there’s a certain, if there’s a higher level requirement, if there’s the third party assessment requirement, those are things that you’re gonna want to kind of look across the spectrum of what all you’re bidding on so that you can make sure that you are appropriately prepared. Certainly, an organization that needs to, an organization that has gone through the assessment process to get CMMC certified.
If they’ve already gone down that path and they’re bidding on something that is requiring, finger air quotes, only a self-assessment, then, by all means, they can go ahead and use that as justification or validation of their current stance, if you will, and be able to use that as part of the bidding process, and it certainly would facilitate part of the bidding process. But you’re screwed if you haven’t gone down the road of the audit, but need to. That’s where folks will run into that brick wall, if you will, is when they get it the wrong way around, if you will.
What does an organization need to adhere to if they self-assess versus a third-party audit? This is the portion where organizations will run afoul, if you will. They think, all I have to do is this self-assessment type of deal. Well, yeah, you’re going in, you’re doing a self-assessment, but the list of the requirements that you need to go through as a self-assessment versus those that have to go through the full-scale audit, it’s still the same list of requirements. If you’re a level two, but you’re self-assessing versus a level two that went through an audit, you’re required to be compliant with the exact same list of stuff. The only difference is that you are self-assessing when it comes to the validation versus having a third party coming in affirming that, yes, all of this stuff is in place. But either way, even for those organizations that are doing the self-assessment, they’re held to the same standard as somebody that goes through the audit. And better yet, they’re required to chew off their fingertips, sign in blood that, yep, we’re doing everything that we’re supposed to do. So kind of the gravity of the, in many ways, the gravity of it is enhanced when the organization has to go through a self-assessment. Because now, it’s really up to the target organization to appropriately make the call about, do we really have this stuff in place, or are we really addressing these items and whatnot? It puts a lot more, in my mind’s eye, it puts a lot more pressure on the organization to make damn sure that they get it right as they’re walking down that path versus having the advantage of a consultant or an assessor to go in and validate that they’re going through that process.
Especially with the way that DOD is looking at the SPRS score, you can’t just go in there and pencil-whip it anymore. Yeah, well, and if you think about it, right? In the grand scheme of things, DOD can ask whatever they’d like as you’re going through the process. But the likelihood that their Q&A questions, etc., are going to increase is definitively of a higher likelihood if you’re self-assessing than it is when you’ve gone through a third-party assessment or audit, especially as the DOD continues to get more and more familiar with the organizations doing the assessments and knowing their, everybody’s supposed to adhere to the same standard, but the reality is with any two assessment firms, it’s not the same process. It’s not the same process, same rigor when I go one organization over the other. And, you know, with any industry it’s probably gonna be a lot closer out of the gate just because the whole CMMC space is, finger quotes, new. But as time goes along we’ll start to see some, you know, we’ll start to see some disparity there of, you know, oh, I, you know, these people did the, these people did the, did the assessment, well, I know they put them through the rigor, you know, type of thing, versus oh, these people did the assessment, I’m gonna ask a couple of additional questions and just kind of make sure, validate it. I’ve seen that, you know, kind of reality go down in, in almost every industry as it, as it gains, you know, kind of market level maturity. It’s just, it’s just the way that it works.
You know, you end up with folks that are, you know, that gain a reputation in the space as being, as being amazingly thorough, and in the same sense other organizations will gain the, gain the reputation of not being particularly thorough, you know. They, and there’s rules and regulations that’ll, you know, kind of govern that and, and address it in the long run, but you’re always going to have people that are on the, you know, kind of the top end of, you know, kind of, well, I don’t know, perfection in terms of how they do what they do, validation and, you know, rigor and things along those lines. And you’re gonna have people that aren’t at that same level. It’s just a kind of a natural process, if you will.
I mean, that makes sense. Now I guess, folks out there, if they don’t, don’t already know, and I’m gonna ask you to, to look into your crystal ball a little bit on this one, to be fair, but how long does an assessment typically take? Well, you know, if you’ve got, if you got the, there’s several factors coming into play, long story short. If DOD ends up wanting to put their nose into it, etc., and ask some questions and whatnot, then yeah, it’s gonna take a little bit longer. But every assessment’s different. There’s different coverage, different inclusions, different scales of scope and all that fun stuff. But what I tell clients in general is with any, I’m gonna put it this way, with any industry standard certification that’s of relative, I’m gonna call it relative complexity, I’ll typically tell organizations that in terms of prep for your assessment or your audit, in terms of prep time, eyeball about six to nine months on average for how long you should expect it’s gonna take to go from, hey, let’s get… CMMC, let’s go down the CMMC path, to basically being ready to head through the audit. In some cases, I have seen it go faster. In many cases, I’ve seen it go longer. It really depends on where is that target organization in the grand scheme of things, you know, how well prepared are they, you know, is really what it comes down to. For those organizations that are already going up against a series of different industry, you know, I’ll call it strong or prescriptive industry standard certifications and now they’re just layering on CMMC, the path is honestly going to be faster. If the organization has never really gone down, you know, never really implemented some type of an internal framework for, you know, kind of proactive management of their security program and CMMC becomes the first, you know, kind of official third-party assessment that they’ve needed to go down, then I would honestly expect that it takes a little bit longer in that case.
You know, the CMMC, that was all talk about the, you know, kind of the prep to get through the assessment. The actual audit itself, I’d say typically it’s going to be four to 12 weeks. You know, it depends on that, depends on several factors. You know, certainly how well prepared you are, you know, is one element, the size and scale of the scope of the, you know, of the assessment or audit that’s needed. You know, it’s a, those are factors that will really swing things, but you know, really the prep for the, prep for the audit is usually one of the, you know, one of the biggest difference makers, if you will.
Makes a ton of sense. Parting thoughts and shots for the folks this week. Well, regardless of whether you’re going down the self-assessment or third-party assessment, you know, one of the, one of the big things to get your arms around is your current situation.
You know, there’s a, you know, the difference between, you know, being completely prepared, being completely prepared. So apparently say that 10 times fast. So the difference between being completely prepared versus being unprepared is that it is really the, you know, the starting point for whether you’re going to have a smooth assessment process or some various seven dimensions of living hell. So, you know, when it comes to, you know, when it comes to being able to get through this, you know, organizations should, especially those that are, you know, CMMC has got their first, first trip to the rodeo, you know, get to know those requirements, get a sense of what it’s going to take, you know, by various folks within your organization, doing your due diligence, knowing what will be required, you know,
of your personnel, you know, get some planning in place for kind of the marathon that’s ahead. Because that way you’ll have, you know, you’ll make sure that you’ve got, you know, everything, you know, in place and ready for, you know, for a good, good CMMC audit.
You know, certainly, you know, one of the, one of the big things that I recommend to organizations strongly is that they go up against, you know, when they’re going up against a compliance standard, you know, making sure that they own their own data. What I mean by that is that it is really, really important, you know, for organizations to have their own system for managing their own compliance information. You know, getting compliant with any industry standard certification, it’s not about going in and getting compliant one time. But, you know, it’s about getting, gaining compliance and then managing it year over year, you know, building a culture of compliance. That, and really being able to succinctly, you know, go back to your own repository or compendium of compliance knowledge. It’s huge, absolutely huge for organizations. And if you think about it, you know, if you’re blowing a whole bunch of time internally and manually managing all of this stuff, that’s a complete and utter waste of freaking time. If you are, I’ve seen more organizations than I can count, where they will depend exclusively on, you know, all the, yes, the assessor is going to go ahead and store this in their system, so we’ll always have it there. Well, guess what, man? I don’t know what to tell you, but things change. I’m certainly not going to be naming names here, but there was an assessment organization that had really gained a lot of steam in the assessment space. And they built that over a period of time, but as organizations grow, things change. They started becoming less effective. They started to hire in a whole bunch of noobs type of thing into the organization. There were a lot of modifications that occurred within that company. And, you know, and really there were a number of organizations that ended up switching assessors. I’ve had other organizations where they, whatever, somebody on the board happens to know somebody at such and such an organization.
So they want to consolidate, you know, consolidate the assessment into, you know, into the, you know, and go in a different direction for the assessor. Sometimes, you know, when I started this process, the, we have another assessment firm in here and they’re not a C3PAO, but, you know, now three years have passed and now they are, okay, now I want to consolidate my assessor. I’m going to switch from this one to that one. You know, if you don’t own, you know, the repository for your compliance data, then you end up having to rebuild it. And for many organizations, I’ve seen them make these, make the mistake of depending on their assessor’s systems and then, and then having to continuously sink in time, effort, energy, resources into, you know, basically recreating what they’ve already got if they just owned it themselves. You know, I just, I look at it as sad when I see that, when I see that waste of time again, right? I don’t think there’s many organizations out there that are, that are sitting around right now and going, gosh, you know, I’ve got so many resources on my hands that, you know, everybody’s sitting around and eating bonbons and, you know, and, and, and having social hours and da, da, da, you know. Resources are tight. So you need to take as best advantage as you can of them, you know, and certainly, you know, going back to that kind of guiding principle of own your own data and certainly using your own compliance management system to ensure that you’re staying on track with the, the requirements and, and regulations and, and standards that the organization has chosen to adopt. Um, that’s absolutely huge for the, you know, kind of the peace of mind of the overall organization. Um, you know, certainly, uh, we’ve got, you know, some, uh, we’ve got some, uh, capabilities, you know, a number of different assets on the, uh, you know, at TCT regarding CMMC.
Uh, I would certainly encourage listeners to, you know, go get over to the site, take a, you know, take a gander at, at many of the other elements that we put together, uh, in relation to the CMMC space, we’ve got kind of a lot of, a lot of helpful information over there, uh, that the listeners would, uh, what I’m sure be able to take great advantage of.
Most assuredly. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.