This post was originally published on the Edwards Performance Solutions blog, authored by Joy Beland.
Let’s face it: the skill and experience level required to become a registered practitioner (RP) and hang your registered provider organization (RPO) shingle is not a big leap from, say, an entry-level IT role.
CMMC-AB established an ecosystem with the emphasis that RPOs, and the RPs they employ, will support Organizations Seeking Certification (OSCs) – ensuring qualified consultants assist OSCs in preparing for the formal CMMC certification assessment.
Let’s look at what has happened. The CMMC-AB Marketplace is full of RPOs who are approved to service the Defense Industrial Base, and many of them lack the robust expertise needed to effectively consult on CMMC practices and processes. Of course, there are some extremely qualified RPOs and RPs out there (we are one of them), and there is a benefit to having RPOs and RPs in the CMMC certification process. Be that as it may, a Certified CMMC Professional (CCP) is a better option to consult on CMMC practices and processes.
When I first saw the intended audience of the CCP, as outlined by the CMMC-AB, I was overjoyed. This accreditation and course is much more than an entry certification for those who want to go on to become a CMMC Assessor at Level 1 or Level 3 (CCA-1 or CCA-3, respectively). According to the CMMC-AB’s website, “The Certified CMMC Professional is a true resource to a consultancy providing CMMC preparation, a C3PAO providing certified assessor support, or an organization interested in having in-house CMMC trained resources.”
BAM! There’s your answer for qualified CMMC consultancy!
Why am I overjoyed? First, I come from the Managed Service Provider (MSP) world, where for 21 years I owned and operated my own MSP practice. Along with my team, I performed the cybersecurity assessments, gap analysis, and security implementation for upwards of 75 businesses in the greater Los Angeles area. I know first-hand the skill level of the average MSP in supporting a cybersecurity model like CMMC. Whether serving as a consultant for CMMC assessment preparation or as a representative OSC team member during the actual assessment, there is a great deal of misinformation and underappreciation for what these responsibilities encompass.
Second, at Edwards Performance Solutions, we consult day in and day out to help OSCs get their 800-171 gap analysis completed and generate the POAM & SSP. OSCs, even with internal resources who are tackling CMMC readiness, are struggling to get their heads around what this means. Not only is there a mismatch on the resources required to get the score up to 110 in the SPRS, but the vision of what is necessary to get ready for CMMC Level 3 is overwhelming.
Simply put, we need an army of solid consultants out there! We need a resource that is meaningful for internal IT and IS in preparing their own OSC. And, the CMMC-AB has given us the method to get there with the CCP certification, but not enough consultants know about it and realize they should be registered for it!
One more thing about the CCP, if you’re still with me: the CCP is not for entry-level IT professionals.
It is not something you can navigate without a solid understanding of network infrastructure, network mapping, data flow mapping, IP address schema, DMZs, and subnetting, as well as working with scopes and gap analysis. We can teach you how all of the logical and physical boundaries are navigated as part of the 130 controls, what the assessment process itself will look like start-to-finish, and most importantly, how the maturity of your implementation is proven through the documentation. But you must walk in the door with good IT networking skills!
We want the bar to be higher for those who are preparing our Defense Industrial Base (DIB) for a successful CMMC assessment. We are here now and ready to support the DIB. Let’s do it right! After all, we are all in this together.