The Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) framework last year. The certification was driven, in part, by wide-scale data protection challenges affecting more than 300,000 third-party defense contractors and their information systems (IS). Many of these systems connect to government networks, which makes the framework even more critical. Experienced cybersecurity professionals acting as CMMC consultants are therefore essential to help contractors implement it.
According to a recent news article, the Pentagon will require all DoD contracts to include CMMC conditions within the next five years. While the framework has been well-received, firms are finding it challenging to hire a qualified CMMC consultant to help them become compliant with the 110 controls required at Level 2.
Below are five CMMC interview questions that a hiring committee should consider asking a potential CMMC consultant.
1. How Long Have You Been in the Field of Information Security?
While many consultants will have experience in information technology, not all will be well-versed in information or cybersecurity, which, while technical, involves a more specific and nuanced skill set. Given that CMMC is a security-based certification, it is vital to ensure that the consultant has the required proven expertise.
The CMMC certification process is more complex than some cyber frameworks, but it largely follows the NIST SP 800-171 standard. A consultant must therefore have strong knowledge of data systems and data protection frameworks. The consultant should also be able to demonstrate an understanding of the firm's own policies and corporate compliance procedures. The ideal skill set balances IS expertise with CMMC technical aptitude.
2. How Long Have You Been Performing NIST 800-171 and CMMC Assessments?
The CMMC consultant should have proven expertise in DoD contracts. They should know how DoD contracts function around approvals and understand how to use the resources available within the government space. The firm can then move forward with confidence, knowing the consultant has worked in several DoD contract positions.
Verify that a potential partner has experience with DFARS 252.204-7012, NIST 800-171 and CMMC before signing an agreement. Because CMMC is new, the consultant may be somewhat unfamiliar with it, but they will likely have had training specific to the new DFARS Interim Rule assessment regulation. A combination of extensive NIST 800-171 experience and CMMC training is ideal.
3. Will Being CMMC Compliant Make Our Company Secure?
The CMMC consultant should be able to help an organization determine not only whether it meets the CMMC level its business needs (levels range from Level 1 to Level 3), but also how secure the organization is in terms of its general cybersecurity posture.
Having a vision is important, but a consultant who is realistic about the firm's business needs is just as useful. A CMMC consultant who also knows how to run a successful business would be a great advantage. The roles of the consultant and the firm are evolving, and both parties should expect to be asked to comment on any business process that touches on cybersecurity.
4. How Will Certification Affect Our Business and Culture?
If an organization is new to federal compliance, changes to the way it operates will likely be necessary. These process-related changes should not, however, affect the business culture significantly. The CMMC consultant should be able to outline specifically what to expect.
The consultant's references should speak to their work ethic and their skill in managing large-scale projects. Even if the company is not in the IT space, CMMC requirements protect valuable customer information. The consultant should understand what CMMC means for the business and be able to apply best practices that fit its unique processes and culture.
5. How Important Is It That You (the Consultant) Understand Our Business?
Knowledge of a specific business is not as important as industry knowledge. Still, by interviewing multiple candidates, a business can determine how much the consultant should know about its company and industry, and make a reliable hiring decision on that basis.
The consultant needs to understand the CMMC audit workflow and should be able to describe the full scope of work in detail, technical or otherwise. They should be able to explain the different aspects of the audit process with full clarity. This kind of insight also gives the hiring committee a view of how well the consultant plans, how they handle a problem statement, and how deep their technical knowledge of the industry is.
Achieve CMMC Compliance With a CMMC Consultant
As firms seek outside Cybersecurity Maturity Model Certification consultants, the interview is one of the first impressions. The CMMC framework requires both parties to approach compliance with due diligence, and both the firm and the contractor should be held to the same strict standard. For firms seeking to become leaders within their respective industries, this is the time to buckle down.
Here, the hard work starts with the interview. Asking thoughtful questions is the first step in finding the right fit for the CMMC consultant position.
To streamline your process of achieving Cybersecurity Maturity Model Certification compliance efficiently and cost-effectively, schedule a call with InfoDefense and learn more.