This article delves into the benefits and drawbacks associated with hiring a Registered Practitioner (RP) / Registered Provider Organization (RPO), as well as questions that you can ask to interview a RP/RPO.
Make a cup of coffee and enjoy! (unless you are a RP/RPO)
What is the point of hiring a RP/RPO for CMMC compliance efforts?
For a lot of companies, they are looking for a Subject Matter Expert (SME) on CMMC-related matters who can bridge the gap between their current state and being able to successfully make it through a third-party CMMC assessment by a C3PAO. Some companies need a SME to provide business case-specific guidance on how to achieve compliance with a discrete number controls in the most efficient and cost-effective manner possible, without affecting other business practices. Other companies simply want to outsource the entire “CMMC compliance process” of implementing CMMC-related controls from start to finish. These are entirely different needs and therefore require different consultant skill sets.
In the scenario of the business case-specific guidance for a few controls, an Organization Seeking Certification (OSC) needs a “good idea fairy” who can leverage their proven subject matter expertise to provide a bespoke solution to a unique business case. In the case of tackling the “CMMC compliance process,” that essentially requires a Project Manager (PM) role to establish and run a project plan that covers the scope of pre-assessment consulting tasks all the way through the 3CPAO assessment. What do you need? A “good idea fairy,” a PM or both? Both are hired guns, but both have very different skill sets.
In a half-hearted attempted to help with this knowledge gap, the CMMC-AB created a “badging program” for consultants and organizations, allowing them to market their services on the official CMMC-AB Marketplace:
Registered Provider Organization (RPO)
Registered Practitioner (RP)
** It is very important to highlight the fact that any consultant can work with clients to implement cybersecurity practices associated with CMMC compliance. RPO and RP designations are purely a marketing avenue for consultants to be listed on the CMMC-AB’s Marketplace website. RPs and RPOs are not “certified” by the CMMC-AB and OSC are not obligated to use their services. As shocking as it may sound, we've even been told of MSPs getting RPO badges and then dramatically increasing their billable rates to take advantage of the new marketing badge.
What To Expect From A RP/RPO
Similar to the famous California gold rush in the mid 1800s that drew people from around the world to the gold fields of the Sierra Nevada mountains, CMMC is a modern gold rush for many IT/cybersecurity consultants that hope to strike it rich with CMMC. While competition is healthy and can serve to keep costs low, it also creates a “buyer beware” scenario where it is very important for OSC to perform due diligence to ensure the RP/RPO is worth the money they are asking. By itself, do not expect anything from an individual or business boasting RP/RPO badges, since those badges mean nothing about the practical ability and technical experience of the RP/RPO to help your organization with CMMC.
According to the CMMC-AB, RPOs & RPs exist to "provide advice, consulting, and recommendations to their clients." However, there is no professional competence expectation for RPs or RPOs. Essentially, RPs have signed the CMMC-AB Code of Professional Conduct and have passed a "commercial background check" and RPOs have an “organizational background check” by Dun & Bradstreet (e.g., they have a DUNS number). The CMMC AB officially defines an RP as a “consultant, coach, or implementer that completes basic CMMC training and testing, passes a criminal background check, signs the Code of Professional Conduct, and is listed on the CMMC Marketplace.” In the March CMMC AB Town Hall, CMMC-AB board member, Jeff Dalton, addresses RP/RPO at around the 11 minute mark.
Not all RP/RPOs are built the same and that is important to understand and remember as you interact with RP/RPOs. If you look through the CMMC AB Marketplace and evaluate the 400+ RPOs and 1,300+ RPs (at the time of writing this article) you’ll quickly realize that all of them offer very different services. Some of them are MSP/MSSPs, others offer vCISO services, etc. So how do you find the one that is right for you?
This is where the “Good Idea Fairy” vs PM understanding of your needs really comes into play. It’s on the OSC to understand and recognize their own needs with CMMC in order to find the RP/RPO or “non-badged” consultant best suited for their needs. This aspect of conducting due diligence is same as you would when making any other business decision. Are you looking to have someone come in and act as a project manager, who will direct your team on what to do? If so, a vCISO or consultant might be the right fit for you. On the other hand, if you are looking for specialized assistance on a specific project or control set, say GCC-High migration or SIEM setup, then you should find a consultant with that specific skillset you need.
Interview Questions You Should Ask Your RP/RPO Before Hiring Them
You need to focus on actual experience with NIST SP 800-171 and CMMC-related consulting activities. The following questions can help you identify warning signs that may leave you dissatisfied:
Q1 – How long has the RP/RPO been involved in DFARS-related compliance?
You want to find out if the RP/PRO is “new to the party” or is an industry veteran who knows their way around DFARS and its associated requirements. While DFARS interim rule -7021 just made CMMC a requirement, NIST SP 800-171 has been a requirement since 1 January 2018. The first version of NIST SP 800-171 was published in 2016. Experience counts.
Q2 – Are the RPs actual employees of the RPO or freelancers?
RPOs must have at least one RP. Since nearly anyone can become a RP, it is important to understand if the “talent” that the RPO is advertising is actually an employee of the RPO or if the RPs are merely freelancers who are subcontracting with the RPO. Do you have a primary and a backup RP, in case the primary RP leaves the RPO? These are good questions to keep in mind.
Q3 - Does the RP/RPO have the necessary experience and capabilities to meet YOUR specific needs?
Find out how many other customers the RP/RPO has that are subject to DFARS, NIST SP 800-171, ITAR and CMMC compliance. While CMMC may be a fairly new requirement it is still built off existing frameworks such as NIST SP 800-171, NIST SP 800-53 and ISO 27001. You want to make sure they have the understanding of both compliance regulations and appropriate technology solutions. This blend of understanding requirements and technology helps to accurately interpret the controls and implement them.
Q4 - Can the RP/RPO provide you a few references to businesses similar to yourself that they have worked with on CMMC?
You do not want to be a “trial run” or guinea pig experiment for your RP/PRO. Just like any other business decision, you should ALWAYS ask for references. Reach out to those companies to find out more information on what its actually like working with the RP/RPO and get some insight into their process and customer support.
Q5 - How familiar are they with technology environment(s) and businesses like yours?
You do not go to a dentist for a broken wrist – while a dentist and ER doctor are both medical professionals, they have an entirely different focus and skill set. As an example, if you are a manufacturer, you want to make sure they have the experience working with manufacturing-specific technologies and appreciate the complications and use cases that come with your specific industry. The same applies to skillsets associated with operating systems, applications, cloud environments, etc.
Q6 - Understanding the offering that the RP/RPO will be providing.
As we touched on earlier in this article, not all RP/RPOs are made the same and each will have their own offering. We're already seeing RPs who specialize in different needs that might not fit the needs an OSC has:
MSP/MSSPs do hands-on management and configuration of the client's networks along with monitoring and responding to alerts.
Compliance specialists / auditors often perform gap analysis and identify administrative, technical or physical solutions to address the gaps.
Virtual CISO generally help develop strategic plans for remediation and official CMMC assessment preparation.
Ensure that the RP/RPO you select is the right one for your needs.
Q7 - If the RP/RPO is an MSP/MSSP can they work with your existing IT infrastructure?
Most OSC have been picking away at NIST SP 800-171 for several years now and already have systems and technology in place. It is very important to keep an eye out for RP/RPO that have an agenda where they “highly encourage" you to rip out and replace your existing IT infrastructure for their recommended solution. Granted, there are going to be cases this is legitimate, but there are no conflict of interest restrictions for RP/RPO for assessing/recommending solutions that happen to meet what they are selling.
Q8 - Will the RP/RPO be there with you when it comes time for CMMC Certification?
Do you want to be alone in the room with the C3PAO assessor? If not, you need to make sure your RP/RPO is capable of answering your specific scenario questions as part of the assessment. You want to make sure that the RP/RPO that you elect to work with has the confidence and knowledge to back up their work when it comes time for you CMMC assessment by a C3PAO. You want to ensure that they will be there alongside you during your assessment helping to answer and explain the questions that your C3PAO will have. If they cannot do that, then the RP/RPO is a liability and you should find a different one.
In summary, we want you to select the best consultants for your specific needs and avoid consultants who merely want to set up camp and rack up billable hours. That just means you need to interview with tough questions and possibly even fire a RP/RPO you are working with if they are not meeting your specific needs. Good luck!
About The Guest Authors
If you have any questions about this, please feel free to reach out.
Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.
Levi Kapilevich is the Director of Business Development for NeQter Labs, a cybersecurity software company that focuses on helping DIB contractors navigate their DFARS, NIST SP 800-171, and CMMC compliance process. Focusing primarily on managing the Auditing and Accountability practices of standards.