As the Department of Defense (DoD) continues to move forward with tightening regulations surrounding the Cybersecurity Maturity Model Certification, or CMMC, many small and medium size businesses are turning to consultants to help them become compliant.
Some may lack the in-house expertise needed to ensure compliance, while others would prefer to see their in-house experts devote their time to other pursuits. However, finding the right consultant can be challenging. Here is a look at how organizations can ensure they find the right consultant for this important aspect of business.
Preparing For The Search
Before embarking on a search for a CMMC consultant, it is important for the organization to understand its requirements and limitations. First, it is essential to determine the degree of assistance that is needed, whether it is simply another set of eyes looking over work that has already been done or someone to fully manage efforts to reach and maintain compliance.
Second, organizations should also be aware of which level of CMMC compliance they are looking to achieve. It is also useful to have a budget and timeline in mind before having discussions with consultants.
Qualities To Look For In CMMC Consultants
There are several factors that should be evaluated when meeting with prospective CMMC consultants. Outlined below are some of the top qualities that organizations should seek.
Years In Business
Because CMMC is a relatively new initiative, it will not be possible to find consultants who have specialized solely in CMMC services for many years. However, many companies marketing CMMC compliance services have launched in a relatively short period.
One way to narrow down the search is by focusing on companies that have previous experience carrying out other types of security control assessments and independent IT assessments. Those that have specific experience with NIST 800-171 and 800-53 or FedRAMP may be particularly good candidates.
Type Of Experience
Even if a company has been in business for many years and has an impressive record of past performance, it is prudent to find out whether CMMC is a new sector it is trying to jump into or whether it has been doing similar work for a number of years. Steer clear of companies that have never conducted IT assessments in the past.
CMMC compliance is an essential component of your organization’s ability to work with the DoD, so giving an untested consultant a chance could threaten your ability to work with the DoD in the future. It is best to choose a consultant who has demonstrable experience in delivering services successfully.
DoD contracting is a very competitive environment and protecting intellectual property is vital, so it is important to seek consultants who are transparent about any potential conflicts of interest as well as their competencies, limitations, and pricing. At the same time, it is important for the organization to be transparent with the CMMC consultants they are considering in terms of their motivations, expectations, and budget.
Looking Out For The Organization’s Best Interests
Every business relationship needs to provide value to both parties, but it is also important that each party has the other’s best interests in mind. A quality CMMC consultant should be conscientious when it comes to addressing the organization’s requirements in the most cost-effective manner possible. If the partnership does not work out, a reputable consultant may even offer to help the organization find a provider who better meets their needs.
Pricing a consultancy project can be tricky and often requires a very clear understanding of the requirements of the project and past experience setting prices. It is important for organizations to be cautious when it comes to quotes that are significantly higher or lower than the average.
For example, a high quote may indicate a consultant who does not fit within the organization’s budget, while quotes that are too low could be a sign of a less competent consultant. Although it could be the case that a consultant is simply underbidding on the work in hopes of upselling in the future, it is still best to aim for quotes that are not outliers and instead fall easily within the organization’s budget.
Availability Of References
Any consultant that an organization is considering working with should be happy to provide references who will vouch for its services. Organizations should ask for at least two or three references and contact each of them. If a consultant seems hesitant to provide references or does not have any to offer, it is best to move on to a different prospect.
Discuss Your Needs With The Compliance Professionals
If you are looking for an experienced CMMC consultant, reach out to the IT security professionals at SeaGlass Technology. Our team can help companies of all sizes in the New York City area manage their IT systems and ensure compliance with all of the relevant regulations.