If you haven’t already hired a CMMC Third Party Assessor Organization (C3PAO) to audit your organization for CMMC compliance, you need to get started — now. Even if your assessment is months away, you will want to start working with your C3PAO long before the audit.
Finding the right CMMC Assessor for your organization isn’t like choosing a phone plan. It’s much more like hiring an employee in a key role. You wouldn’t make any hiring decision lightly, and you shouldn’t make this one lightly either.
Your C3PAO isn’t a commodity, and it’s very important that you choose a firm that will be the right fit for your organization.
A good CMMC Assessor will be working with you throughout your engagement, likely for several months. They will communicate back and forth with you, learn about your organization, and work with you so that you can successfully gain CMMC compliance as smoothly as possible.
It’s essential to have a good working relationship that’s based on mutual respect and trust. Competence is essential and cost is a factor, but you also need to find a C3PAO that’s a good fit with your organization’s culture and mission.
Here are some valuable tips for finding the right CMMC Assessor for your company.
Can Your Existing Compliance Auditor Be Your CMMC Assessor?
You may already be going up against a myriad of other certification standards, such as PCI-DSS, SOC 2, or HIPAA. If you’re adding CMMC to the cybersecurity salad, first find out if any of your current Assessors is a C3PAO. If so, you’re golden — the fewer Assessors you have, the more efficiently you’ll be able to work with them and the more synergy you’ll gain from your existing assessments.
Your Assessor needs to be officially certified as a CMMC Third Party Assessor Organization. To become a C3PAO, an Assessment firm must be accredited by the CMMC Accreditation Body, and it must fulfill several prerequisites, including having trained staff and secure IT systems and cloud services.
If none of your current Assessors is a C3PAO, then you’ll have to find another one to fold into the mix. The CMMC Accreditation Body has a complete directory of C3PAOs, which you can use as a starting point for finding the right Assessor for your organization.
But that’s just the starting point. Not all Assessor organizations are created equal, and not every kick-ass firm is the right fit for your organization.
What should you look for when hiring a C3PAO for your organization? Start with these considerations.
Who Loves Their C3PAO?
The best place to start is with people you know and trust. Ask your colleagues and contacts for Assessor referrals. If you’re already using a compliance Consultant, tap them for input. Not only will they be well connected to dozens of Assessment firms, they already know your company inside and out. Who better to ask for a referral from?
Find a Culture Fit
I mentioned this a minute ago, but it’s worth expanding on. Anytime you hire key personnel in your organization, you naturally ask if they’ll be a good culture fit. Why wouldn’t you ask the same question when you’re hiring someone as important to your company as a CMMC Assessor?
Your C3PAO isn’t just a vendor, they’re a business partner. You would never do business with a partner who clashes with your company’s culture or values, and you shouldn’t settle for an Assessor who doesn’t get you. Find a C3PAO who understands what you’re all about.
Every Assessment firm has its own culture, its own values, and its own approach to compliance. It isn’t a one-size-fits-all kind of deal, and you should do your due diligence to understand what to expect from the C3PAO that you end up hiring.
Vet the Assessors Themselves
You’ve done your due diligence on the C3PAO organization, but what about the individual Assessors who may be assigned to your account? Just because you like the firm, that doesn’t mean your individual Assessor will be a good match for you. Each person has their own personality, strengths, and weaknesses.
It’s worthwhile to meet as many Assessors as you can while vetting the firm, so you can get a sense of the personnel you may be working with.
Large CMMC Assessment organizations are more likely to hire young Assessors who could still be learning on the job. Don’t hesitate to request an Assessor with experience.
If you get paired with an Assessor who isn’t a good fit for any reason, you have the freedom to request someone else. Your Assessment firm is working for you, and there’s no reason you need to accept unsatisfactory service.
Look Everywhere for Your C3PAO
It’s a very real possibility that you won’t find any C3PAOs in your geographical area, especially while CMMC is still in its early days. Don’t let that disturb you. CMMC Assessors can easily work with their clients remotely, and they’re used to traveling for annual on-site reviews.
Yes, you’ll save some money on travel costs if you hire a local C3PAO, but the value of a good Assessor you trust is incalculable.
Don’t Hire Cheap — or Expensive — Firms
There’s a reason cheap C3PAOs are cheap. In order to turn a profit, they’ll have to cut back on quality. These firms usually have high client turnover rates and they tend to blitz through their client engagements as quickly as possible in order to keep their costs low. Avoid these at all costs.
At the same time, expensive isn’t always better either. Just because a firm is priced at the top, that doesn’t mean you get what you pay for. High-end pricing often doesn’t translate into high-end service or results.
Instead, find a highly recommended firm that you trust and that is priced reasonably.
Don’t Get Locked into an Assessor’s System
One thing to consider as you look for a CMMC Assessor is whether or not you will control your data. Some Assessment firms require you to organize all of your data in their compliance management system. Others are willing to use your system. In either case, always be sure that you have your own compliance system for organizing and managing your data and evidence — one that you own and control.
You can use your Assessor’s system as well as your own, but never rely solely on their system. (CAUTION: Maintaining two systems is astronomically more work.)
At some point in the life of your company, you’ll probably switch firms. Your particular Assessor moves on and you don’t like the new guy, or the firm gets acquired, or they unload a portion of their clients and you’re one of them.
In those cases, you’ll need your data back, and you’ll need it in a format that’s easy to import to the next system you use. If your C3PAO has their own proprietary system, that data won’t play well with other platforms. Now you’ve got data you can’t work with, and it’s essentially lost information.
TCT Portal is an exception to the rule. If your Assessment firm uses our compliance software, you aren’t left in the lurch. You can easily pick up your own license and retain all of the data and historical knowledge, and continue to leverage TCT Portal on your own or preferably with your new Assessor, with no interruption.
Don’t Wait to Hire Your C3PAO
The sooner you hire your C3PAO, the better your entire CMMC engagement will go for you — especially if you make a wise hiring decision. Don’t wait to get started. And if you hire a firm that turns out to be a poor fit, there’s no reason to stick with them. You wouldn’t keep employees that aren’t working out, so you shouldn’t keep a C3PAO that isn’t a good match for your company.
If you need a good place to find recommendations, TCT has many relationships with Assessment firms and Consultants, and we’re happy to refer your company to Assessors we trust and respect.
Hiring the right C3PAO is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with TCT’s online guide to CMMC.