The CMMC landscape is very new and can be difficult to navigate. Different CMMC providers offer various services, and it can be confusing to work out which ones your organization actually needs. Two of the most important things to understand are the difference between a CMMC Readiness Assessment and an Official CMMC Assessment, and which CMMC providers are allowed to offer each. Below we discuss the difference between the two assessment types, what key terms such as RPO and C3PAO mean, why you need to understand them, and how they benefit your organization.
CMMC Readiness Assessment
A CMMC Readiness Assessment is a pre-check performed before the official assessment. It is important to get a readiness assessment so your organization understands what it needs to do to pass an Official CMMC Assessment and receive CMMC certification. The goal of a CMMC readiness assessment is to collect and catalog all of the objective evidence needed to demonstrate that the company has all the necessary practices and processes in place. It is meant to help the organization understand which requirements it has met and which it has not, and what it can do to successfully meet every necessary requirement. There are three ways to get a readiness assessment:
Self-assessment
Your organization can opt to do a self-assessment for CMMC readiness. This involves researching and reviewing your own organization to determine which requirements have been met and which have not. It is recommended that you bring in a third-party consultant to advise on the best ways to meet the outstanding conditions, but this is not required.
C3PAO
A CMMC Third Party Assessor Organization (C3PAO) can also complete a pre-assessment readiness check. Although it can perform a basic readiness check, it cannot provide any consulting based on what it finds within your organization if it plans to conduct the official CMMC Assessment. In short, it will assess your organization and provide a score sheet showing what has been met and what has not. Consulting is not an option for a C3PAO that is hired to perform the official CMMC assessment, as that would be in direct conflict with CMMC protocols. Providing both consulting services and the official CMMC assessment is a conflict of interest and is strictly prohibited.
Hire a third-party consultant (RPO)
Your organization can also hire a Registered Provider Organization (RPO) to do a readiness assessment. RPOs can be seen as the most beneficial option because they can not only perform a readiness assessment but also provide consulting services along with it. This type of CMMC provider can make it easy for any business to understand exactly what it needs to do to meet all CMMC requirements. RPOs are well qualified because they have gone through training and have a much deeper understanding of the CMMC requirements. Every RPO must also have a Registered Practitioner on staff in order to provide consulting services. These Registered Practitioners have completed CMMC training so they understand exactly what the CMMC requirements demand. When looking for a readiness assessment, it is important to find a reliable and legitimate CMMC provider. To find an RPO for your organization, you can go to the CMMC-AB Marketplace and look through all the RPOs in your area.
CompuData recently received an RPO certification with many registered practitioners on staff. For more information click here.
Official CMMC Assessment
An official CMMC assessment is an assessment against the CMMC level your organization must comply with. For a more in-depth look at what each CMMC level looks like and the technical requirements for each, please check out our recently published blog, “What You Need to Know to Prove Maturity for CMMC Levels 1-3.” The official CMMC assessment is a much larger undertaking than the readiness assessment. It usually requires a team, and that team may need to be present on-site while executing the assessment. This will include tasks such as interviews, on-site evaluations of the facility, requests for documentation and policy, and many other activities depending on which level is being assessed. This assessment is more formal and will involve a scoresheet that the assessors fill out. Only one type of CMMC provider is able to perform an official CMMC assessment: a CMMC Third Party Assessor Organization (C3PAO).
C3PAO
A C3PAO is a company that has gone through training and received the certification required to perform official assessments. C3PAOs are made up of Certified Professionals (CPs) and Certified Assessors (CAs). CPs and CAs are the people who will complete an organization’s official CMMC assessment. A CP is a CA in training and must have a CA present at all times during an official assessment. All CPs and CAs must also be certified to a specific CMMC level and are only able to perform assessments for that level and below (since all levels are cumulative). For more information about official C3PAO CMMC providers, you can check out the CMMC-AB Marketplace.
The CMMC landscape is new, and more information is coming out daily. It is important to understand the differences between CMMC providers and what each is able to offer. A CMMC readiness assessment is arguably the most important step in the CMMC process because it prepares you for the official CMMC assessment. Deciding to get a readiness assessment from a certified RPO can be the difference between your organization passing or failing the official assessment. A certified RPO can evaluate your current business and provide consulting services to ensure you know exactly what is needed now and what must be completed in the future.
For more information about CMMC providers or if you are interested in getting a readiness assessment from CompuData, a certified RPO, please email us!