5 Key Considerations When Working with a CMMC Partner

While regulations like Cybersecurity Maturity Model Certification (CMMC) 2.0 have expanded in size and scope in the past several years, my experience with CMMC actually dates back to early 2017.  

At the time, I was working with a client who was a contractor for the U.S. Department of Defense. They were looking to jump into the deep end and start implementing the NIST Cybersecurity Framework, which CMMC is based upon. It became apparent to me then that as a managed service provider, Network Coverage needed to continue to have a pulse on the rapidly-evolving cybersecurity industry.

Recently, I had the pleasure of joining Egnyte’s Cybersecurity Evangelist, Neil Jones, in a webinar where we discussed the top questions to ask your CMMC compliance partner. While every organization’s CMMC compliance journey is unique, the following are key factors that all companies should keep in mind when selecting and working with a CMMC partner.

A Proactive Cybersecurity Posture

IT security is foundational to any organization’s compliance journey. With CMMC in particular, we anticipate increased scrutiny of IT security processes by CMMC assessors. Recent high-profile data breaches that have impacted government infrastructure remind us that we also need to continue to validate the security practices of our supply chains, including third-party providers’ practices. With that in mind, it’s crucial that you work with a partner who is not only well-regarded in the industry but also familiar with cybersecurity standards like NIST SP 800-171. Furthermore, you should view the provider as a trusted advisor who can help you navigate the current compliance landscape amid increasing cyber threats.

Expertise in Your Respective Industry

When considering a potential CMMC partner, you want to begin by thinking about the business applications that you utilize day to day. If a provider has a footprint in your industry, there is a good chance they already have a wealth of knowledge around those applications, as well as if they are compliant with CMMC. For example, Network Coverage works with many clients in the Architecture, Engineering, and Construction (AEC) industry, so we have a solid understanding of applications in project management, estimating, etc. In addition, be sure to ask the provider if they have current clients who are willing to share their experiences working with the application providers around CMMC. 

Ability to Identify FCI and CUI Across Your Entire Business

With businesses generating a much higher volume of data than ever before, it can be difficult to identify sensitive data, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). On top of that, sensitive information may inadvertently be distributed across several different repositories. Therefore, technology providers must be able to provide a comprehensive view of sensitive data across your entire organization. For CMMC 2.0, the protection of this data is a critical requirement for Level 1 (FCI only) and Level 2 (FCI and CUI).

The Importance of Strict Encryption Standards

This standard is particularly noteworthy, given that the NIST SP 800-171 controls were developed pre-pandemic when most people were still working in physical offices. In today’s hybrid work environment, CMMC partners must understand the importance of end-to-end encryption to protect business-critical content, especially if you manage a remote workforce. This goes back to the idea of the provider as a trusted advisor. Do they understand where your employees are working? Can they provide tailored suggestions based on your infrastructure, deployment scenario, and current situation (with full realization that action plans can change in the future as organizations make decisions around employees’ return to work)? 

Willingness to Be There for You in the Long Run

Finally, you need to work with a partner who is there for you in the long term, from the initial scoping process all the way to the third-party assessment. It’s also important to remember that CMMC 2.0 compliance is not a one-time event; it must be viewed as an ongoing initiative. The partner will need to be there with you as CMMC undergoes future changes and its requirements are refined over time.

Learn More

To learn more, watch and share the webinar replay. I also encourage you to join our upcoming security webinar series where we will cover IT security, governance and compliance topics. You can register at the link below and session replays will be available after the live events.