Defense ISAC releases 'shopping guide' to assist small businesses with selecting assessor for CMMC certification

By Sara Friedman  / March 28, 2024

The National Defense Information Sharing and Analysis Center has published a “shopping guide” to help small and medium-sized businesses pick an assessor who meets their needs to reach compliance with the Pentagon’s Cybersecurity Maturity Model Certification program.

The guide is designed to “address the challenges presented to an SMB when vetting an assessor for Cybersecurity Maturity Model Certification (CMMC),” and was developed by SMBs across the defense industrial base, incorporating feedback from CMMC third-party assessment organizations (C3PAOs).

“It is important to note that this document is to be used as guidance and considerations as you, the Organization Seeking Assessment (OSA), tackle the goal of finding an assessor that best fits your organization,” the guide says.

It continues, “Unfortunately, there is incentive to find the ‘easiest’ assessor. That should not be the goal. [An] SMB should seek out an assessor that is knowledgeable in CMMC, willing to understand their unique SMB environment, and provide a reasonable assessment to provide risk mitigation assurances to the DIB.”

The guide provides a list of 11 categories, each with specific questions an SMB should put to a prospective assessor.

The categories are intake/quote process, cost, availability, reasonableness, responsiveness, quality, technical aptitude and experience, business/government contracting aptitude and experience, experience in CMMC, experience in other cyber frameworks and experience in similar environments.

The guide is accompanied by a “Scoring Tool” in Excel that allows SMBs to compare C3PAOs in each category. Each category is weighted in the spreadsheet according to its importance to the SMB, so the overall score reflects the organization's own priorities rather than a fixed ranking.

The principal authors are Win-Tech CEO Allison Giddens, Terry Hebert of Centurum and Sentinel Blue CEO Andy Sauer.

Giddens noted, “SMBs have to sort through a blizzard of commercials about CMMC and impending assessments. The ND-ISAC assessor shopping guide has the credibility of being provided by peer SMB leaders who distilled their hard-won knowledge with the sole motivation that others may better succeed on their experience.”

There are currently 50 authorized C3PAOs listed on the Cyber AB’s marketplace. Organizations seeking assessment can receive a joint surveillance voluntary assessment, conducted by an authorized C3PAO together with DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), that will convert into a CMMC certification once the program is finalized.

The CMMC program is still in the rulemaking process. DOD issued the first proposed rule, which implements the program itself, on Dec. 26, 2023, and a second proposed rule making corresponding changes to the defense acquisition regulations is expected this year.

The ND-ISAC’s SMB working group released a supply chain handbook in 2023 for small business manufacturing designed to help companies address “specific and common challenges” by offering use cases and ideas to address them.