CMMC: Choosing a CMMC Consultant

With the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) moving full steam ahead, many small and medium businesses are struggling to become compliant.

You may be asking yourself: how do I become compliant? Where should I even begin? Do I have the in-house expertise to become compliant? Do my in-house experts have the time to work on this, or is their time better spent elsewhere?

Depending on your answer to those questions, you may have reached the conclusion that you could use some outside help to assist you with preparing for a CMMC audit. In other words, you are looking for a CMMC consultant.

As you begin speaking with potential consultants or companies that provide consulting services, you may be noticing that not all providers are created equal. Unfortunately, there are companies out there who are less scrupulous and will take advantage of customers who may not know any better.

Interested in some tips that may help you find a consultant that is the right fit for your organization? Here is what we will cover in this article:

Where to Start

Prior to seeking out a CMMC consultant, make sure you understand your own requirements, limitations, and non-negotiables. Otherwise, it will be much easier for someone to sell you something that does not fit your organization's needs.

It would be like walking into a car dealership and buying a sports car, when you actually needed a minivan with enough seats for three kids and trunk space for their never-ending accumulation of "things".

The car looks nice, but it does not do what you needed it to, you regretted the purchase, and you spent twice as much as you could afford.

What is the best way to avoid that happening? Thinking through the following may help:

Understand Your Requirements

Using the car dealership example again, think about what type of car you need and what is practical for you.

In the case of CMMC, your requirement could be anywhere from having a second set of eyes look at the work you already did, all the way to fully managing your efforts to become and remain compliant.

You should also have a clear understanding of what level of CMMC compliance you are seeking to achieve.

Check Your Motivations

Nobody likes spending thousands, tens of thousands, or more dollars on meeting compliance requirements. However, seeking out a rubber stamp or someone who tells you what you want to hear is the wrong approach.

While a rubber stamp may give you a report that says you are compliant and ready for an assessment - as is required by CMMC - a third-party auditor is likely to be much more critical of security control implementation.

Do Your Research

If you already knew everything about CMMC compliance, you probably would not be seeking out a consultant. However, it is important to have a working knowledge of CMMC's requirements and how to meet those requirements. If you are unable to do so on your own, ask a friend or colleague to help out!

Determine Consultant’s Role

Taking some time to think through the desired role of a consultant will help control costs and even help you determine whether a consultant is needed at all. If you do determine some additional support is needed, know what the scope of that support is and make sure that scope is clearly defined in any future agreement(s). Define achievable and measurable outcomes and hold your provider to those goals!

Know Your Budget

Knowing what your budget is will not only help prevent you from spending more than you can afford, but also help the consultant design a solution which meets your budget. Most car salesmen will not try to sell you on a $50,000.00 vehicle if they know you can only obtain a loan for $25,000.00. Further, you may be able to eliminate possible providers (and they, a potential customer) sooner rather than later so no one spends more time than necessary.

Establish a Timeline

Make sure that you establish a timeline which addresses how quickly the consulting engagement needs to begin, as well as when it will need to be completed by.

Doing so will not only help you meet your timelines, but also help the prospective consultant determine the staffing and resourcing necessary for the project. A project that takes one person two months might only take one month with two people dedicated to it.

Keep Expectations Realistic

Just because you want a $75,000.00 sports car for $50,000.00, it does not mean you will be able to get it for that price. Ensure that you are being realistic with not only your goals, but also your budget/what you can afford, and the aggressiveness of your timeline.  

Ask for Recommendations

Referrals are one of a business's best and least expensive forms of customer acquisition. They are also one of the best ways for you to find a provider that has already been used by someone you know and trust. Use your professional network, peer group, and even social media (e.g., LinkedIn) to find a provider you can trust.

Obtain Multiple Quotes

While it can be time-consuming and exhausting to find and contact multiple vendors, listen to sales pitches, and review proposals from multiple companies, it may be worth it. Remember, you may be working with a particular consultant for months or years, so make sure you date a couple of potential partners prior to getting married.

While you do not want someone that is going to be unreasonable or overly nitpicky in their assessment, you also do not need someone that will tell you what you want to hear instead of what you need to hear. If that were the case, you probably would not need a consultant in the first place.

Qualities to Look For

There are a number of factors to evaluate once you begin meeting with prospective CMMC consultants and considering proposals. Some of the top qualities to look for in a CMMC consultant include, but are not limited to:

Past Performance

Everyone has to start somewhere, and any business owner understands the challenges with obtaining that first client. However, complying with CMMC is important for your organization’s ability to do business with DoD in the future. Now may not be the best time or use case to use an untested resource, and an organization without demonstrable experience or past performance successfully delivering services is a risky bet.

Years in Business

CMMC is a fairly new initiative, so few companies/consultants will have been dedicated to CMMC services for very long. However, within the last year hundreds of companies have popped up seemingly overnight marketing CMMC compliance services.

Look for companies that have experience conducting independent IT assessments and/or security control assessments, as well as specific experience with NIST 800-53, NIST 800-171, and/or FedRAMP.

Relevancy of Experience

Perhaps the company has been in business for a substantial period of time and they have solid past performance. However, is this a new sector they are attempting to jump into? Or is this something they have been doing for decades? Are their experience and past performance relevant to your goals?

Again, CMMC is still new and few providers have been performing that work for more than six to twelve months. Even among those that have been around for a while, many have never conducted IT assessments or audits and see this as - ahem - a unique business opportunity.

References

Consultants you meet with should be willing and able to provide references who can vouch for them (or not). I recommend asking for and contacting two to three references to vet the provider.

If the consultant is hesitant to provide this or unable to because they do not have any references (positive or negative), that could be a sign something is amiss.

Competitiveness of Quote

Pricing projects is a unique business skill that is largely a combination of experience and a clear understanding of the project’s requirements. However, be wary of quotes that are outliers on either end of the spectrum (i.e., too high or too low).

If a quote seems too high, perhaps they do not fit within your budget and their services are a premium based on capabilities, experience, etc. For example, using companies such as McKinsey or FireEye will almost certainly be more expensive than “Frank’s CMMC Consulting LLC”.

On the other hand, you may receive quotes which are significantly lower than others. As the saying goes, if something sounds too good to be true it probably is and could end up costing you more in the long run.

While other factors could explain this, it could be a sign the consultant is underbidding the work to upsell you in the future, or worse, that they do not have the experience necessary to properly budget the project or successfully deliver on it. Regardless, this is one of those cases where the lowest price is not necessarily the best one (LPTA, anyone?).

Try to look for a quote that is within your budget and somewhere in between the extremes you receive.

Best Interests In Mind

While both parties should derive value from a business relationship, each party should have each other’s interests in mind as well. A good CMMC consultant will be conscientious of not only addressing your requirements but doing so in a cost-effective manner.

Even if a potential partnership does not work out, they should be happy you found a provider that best meets your needs. In many cases, they may even provide references or help you find another provider if working together is not a good fit.

Use of Pressure

Pressure can be an effective means for persuading someone to make impulsive decisions, especially when they are already feeling stressed and exhausted.

Interactions with potential consultants should be low pressure and consultative. If you are feeling as though you are being pressured to make a decision you are not ready or comfortable with making, there may be more at play.

Panacea Without Substance

Many companies offering consulting services and/or products are framing their solution as a panacea, or an ultimate solution to all your CMMC needs/worries.

Unfortunately, compliance is typically not that simple, and companies who market one-size-fits-all solutions either are not taking the time to understand your requirements, or worse, may be misleading you.

At the very least, if the prospective service provider is claiming a panacea, they should be pressed for specific details on how their solution works. It may be a red flag if their answers to your questions are vague, evasive, or non-existent.

Transparency

While protecting intellectual property and novel solutions in a competitive environment is important, there should be some level of transparency between parties to a business transaction, and it should go both ways.

Consultants should be transparent about their conflicts of interest, limitations, competencies, pricing, and their solution for satisfying your requirements. You should be transparent with the prospective CMMC consultant when it comes to your needs, motivations, budget, expectations, and concerns.

Guarantees

Consultants making guarantees of compliance are a major red flag. As of the date of this article, no one has been successfully CMMC accredited. In addition, the initiative is still in its very early phases and subject to changes in the future.

How does one guarantee something they have no control over and have not actually done before? From my view, this could be a sign of a provider that is misleading customers or is a bit too comfortable with risk.

How Does TestPros Measure Up?

I encourage you to use some or all of the advice described in this article, even with us! We are more than happy and willing to tell you about our past performance and decades of relevant experience, provide you with references, and work with you to earn your trust and partner with your organization.

However, at the end of the day we want you to achieve your goals and achieve success, so even if you do not work with us, hopefully the tips above will help you find the provider that is right for your organization. Trust your gut and your unique personal experiences, and you are unlikely to go wrong. At the very least, you will make a decision you can live with.

Contact us today and tell us about your needs! If nothing else, we can offer some additional advice that helps you out.

About Tom Busillo

Tom brings over 13 years of experience working in leadership roles within the military, special operations, intelligence community, and commercial sector(s). Tom has a broad range of expertise and excels with information technology, cybersecurity, software development, regulatory compliance, risk management, cloud services, program management, and more.
