
CMMC Compliance Guide
Our experiences inspired the creation of The CMMC Compliance Guide Podcast and its accompanying resources. The podcast began as a way to share what we learned through real-world challenges—like helping that aerospace machine shop—and to provide accessible education for businesses navigating DoD cybersecurity requirements.
The CMMC Compliance Guide Podcast breaks down complex topics like NIST 800-171 and CMMC into actionable, easy-to-understand steps. Whether you’re a subcontractor struggling to meet compliance deadlines or a business owner looking to secure your supply chain, the guide offers practical advice to help you take control of your cybersecurity journey.
Your IT Provider: The Keystone to Passing CMMC – or the Hidden Risk That Could Cost You Everything
Submit any questions you would like answered on the podcast!
In this episode of The CMMC Compliance Guide Podcast, Brooke and Stacey reveal a critical factor that could make or break your compliance journey: your IT provider.
✅ Discover why your IT provider plays a crucial role in your CMMC assessment.
✅ Learn the risks of working with an unqualified IT provider — and how they could cost you contracts.
✅ Find out what a qualified IT provider should bring to the table to simplify your compliance process.
✅ Get actionable tips on how to vet an IT provider to ensure they’re an asset — not a liability.
🎯 Don’t leave your compliance journey to chance. Tune in to learn how to make your IT provider your strongest ally.
🔗 For more resources, visit https://cmmccomplianceguide.com/
❗Get past all the CMMC jargon by downloading our CMMC Glossary: https://cmmccomplianceguide.com/glossary
Hey there, welcome to the CMMC Compliance Guide podcast. I'm Stacey.
Brooke: And I'm Brooke.
Stacey: From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today, we're discussing a major factor that could make or break your CMMC compliance journey: your IT provider. Are they setting you up for success or putting your entire business at risk? A lot of organizations assume that if they hire an IT provider, compliance is handled, but that's not always the case. Today, we'll break down why your IT provider plays a critical role in your assessment and how to ensure they're an asset rather than a liability. Most companies don't realize that their IT provider is actually a part of their CMMC assessment. Brooke, can you help break this down?
Brooke: Yeah, absolutely. When you go through an assessment, anything that an IT provider does in securing any of your FCI or CUI or helping you do that, as well as any... dealing with any CUI, like backups maybe, stuff like that, then they're going to be in scope. And so they're going to be part of that assessment, whether they like it or not, and whether you like it or not.
Stacey: What are the biggest risks companies face when working with an unqualified IT provider?
Brooke: The biggest risks that companies could face would be noncompliance, the assessment or planning preparation and implementation, either one, taking much longer than expected, failing one of those compliance assessments. Those are the risks.
Stacey: Brooke, could you tell us what a qualified IT provider brings to the table that makes CMMC compliance easier?
Brooke: So a qualified IT provider... can help you, uh, work with you during your assessment, uh, help that process go smoother. They'll be part of that and they'll, they'll know, they'll make sure they're compliant as well. So when you go through this and they get, uh, their, the portions that are, uh, in scope, uh, that get assessed will be, will, uh, flow through just fine. Um, it should make the whole process easier.
Stacey: Could you tell us what companies should look for when choosing an IT provider?
Brooke: When you're looking for an IT provider, one of the things you look for is certifications. CCA, CCP, an RP, although that's technically registration and not a certification, but RP, RPO for the organization. And to step back a little bit, just in case y'all don't know what all the acronyms stand for, CCA is a CMMC Certified Assessor, which probably fewer straight IT providers are going to have because it's a little bit of a high bar. And if you're not doing assessments properly, you probably don't necessarily want to go through that. CCP, which is a CMMC Certified Professional. There's the IT providers that are serious about this. Make sure that they have some staff that have CCPs. Definitely an RP, which is a Registered Practitioner. Believe it or not, actually, that's a pretty low bar. I would not put a lot of stock in somebody that just has their RP. It's okay if they don't have anything else, but if they just have their RP, then you've got to check other things as well. But RP is Registered Practitioner. RPO is for the organization. So for the IT provider, it's a Registered Practitioner Organization. Another thing that would be good when you're looking for an IT provider is one that has some relationships or however you want to phrase it, but relationships or has met C3PAOs and assessors, CCAs. They're going to be doing the assess... Because it really, really helps to know how the assessments are going to go and not just how, you know, me as an IT guy thinks this control should be put in place. So it really helps out a lot.
Stacey: So for the business owners that are trying to pick the right IT provider, what are the must-ask questions that they should ask when they're vetting out providers?
Brooke: Do you or any of your staff have any certifications, CCP, CCA, RPs, RPO? Your organization would be an RPO. Do you have any... vetted relationships with any C3PAOs? Have you gone through any of these assessments already? There's not going to be very many that have, but that would be a good question to ask. At least at this point, there's not going to be that many that have. Do you keep up with, do you attend the town halls? The Cyber AB town halls, do you attend those? Really, that is a key place to get lots of great information and get it in a good structured form rather than just trying to read through tons and tons of documentation. We offer compliance-focused, CMMC compliance-focused solutions. And again, I talked about other compliance solutions. Other compliance solutions don't necessarily fit in the CMMC space. So it's good to ask if they have CMMC compliance-focused solutions or just general good cybersecurity that won't necessarily
Stacey: A provider stumbles on those questions, should that be considered a deal breaker?
Brooke:
Stacey: Earlier we talked about credentials like CCP, RP, and RPO. What do these actually mean for businesses choosing an IT provider?
Brooke: So those certifications really indicate an IT provider's depth of knowledge about CMMC and about NIST 800-171 and the whole CMMC ecosystem, really. Starting at the bottom would be the RP. They have some knowledge. CCPs have a good deal of knowledge. CCAs would have plenty of knowledge. Again, the CCAs, for a straight IT provider, there's going to be very few of those that actually have CCAs on staff because most of those are going to be doing assessments. But those certifications, and being an RP and RPO, those certifications and registrations would mean that they have taken time to go through the process, learn quite a bit, and try to stay up in the ecosystem, CMMC ecosystem.
Stacey: Stepping a little bit beyond certifications, how does industry involvement, like attending Cyber AB events, impact and improve IT providers' ability to help with compliance?
Brooke: Seems like the CMMC space is much like the IT industry in general because if you don't keep up with it, you lose out and you... your knowledge doesn't grow because CMMC has always changed. Well, it has changed quite, put it this way, CMMC has changed quite a bit from the beginning back in, you know, well, we'll just start at 2017. It's changed quite a bit. So if you don't keep up with all these changes, keep up with understanding what products work, what products don't, you need to keep up with all that. And the way to keep up with it is be engaged in these industry events, attend the Cyber AB, maybe go on some of these CMMC conferences, stuff like that.
Stacey: If you have any questions about what we covered, reach out to us and we're here to help fast-track your compliance journey. You can text, email, or call us and we'll answer your questions for free here on the podcast. Find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.