The Department of Defense (DoD) published the Cybersecurity Maturity Model Certification (CMMC) framework last year. The certification was driven, in part, by wide-scale data protection problems affecting over 300,000 third-party defense contractors and their information systems (IS). Many of these systems were connected to government networks, which makes the framework even more critical.

According to a recent news article, the Pentagon will require all DoD contracts to include CMMC conditions within the next five years. While the framework has been well received, firms are finding it challenging to hire a qualified CMMC consultant to help them become compliant with the 130 controls required for Level 3.

Below are five CMMC interview questions that a hiring committee should consider asking a potential CMMC consultant.

1. How Long Have You Been in the Field of Information Security?

While many consultants will have experience in information technology, not all will be well-versed in information security, which, while technical, involves a more specific and nuanced skill set. Given that CMMC is a security-based certification, it is vital to ensure that the consultant has the required proven expertise.

CMMC is more complex than most cyber frameworks, so a consultant must have a strong knowledge of data systems and data protection frameworks. The consultant should also be able to demonstrate an understanding of the firm's own policies and corporate compliance procedures. A balance between IS expertise and CMMC technical aptitude is the ideal skill set for a consultant to have.


2. How Long Have You Been Performing 800-171 and CMMC Assessments?

The CMMC consultant should have proven expertise in DoD contracts. They should know how DoD contracts function around approvals and understand how to use the resources available within the government space. The firm can then move forward with confidence, knowing its consultant has worked in several DoD contract positions.

Verify that a potential partner has experience with DFARS 252.204-7012, NIST 800-171 and CMMC prior to signing an agreement. The consultant may be slightly unfamiliar with CMMC as it is new, but they will likely have had training specific to the new regulation. A combination of extensive NIST 800-171 experience and training in CMMC is ideal.

3. Will Being CMMC Compliant Make Our Company Secure?

The CMMC consultant should be able to help an organization determine not only whether it meets the CMMC level the business needs (levels range from Level 1 to Level 5), but also how secure the organization is from a general cybersecurity posture. Compliance with a given level and overall security are related but not identical questions, and a good consultant will address both.

Having a vision is important, but a consultant who is realistic about the firm's business needs is just as useful. Further, a CMMC consultant who has experience running a successful business would be a great advantage. The roles of the consultant and the firm are evolving, and both parties should know this: they will likely be expected to comment on any business process that touches on cybersecurity.

4. How Will Certification Affect Our Business and Culture?

If an organization is new to federal compliance, there will likely be changes necessary to the way they operate. However, these should be process-related and shouldn't affect the business culture significantly. The CMMC consultant should be able to outline specifically what to expect.

The consultant's references need to speak to their work ethic and their skill in managing large-scale projects. Even if the company is not in the IT space, CMMC requirements are meant to protect valuable customer information. The consultant should understand what CMMC means for the business and be able to apply best practices that fit its unique processes and culture.

5. How Important Is It That You (the Consultant) Understand Our Business?

Knowledge of a specific business is not as important as industry knowledge. Even so, by interviewing multiple candidates, a business can determine how much the consultant should know about its company and industry before making a reliable hiring decision.

The consultant needs to understand the CMMC audit workflow and should be able to describe in detail the full scope of work, technical or otherwise. They should be able to explain each aspect of the audit process with full clarity. This kind of insight also gives the hiring committee a view of how well the consultant plans, handles a problem statement and demonstrates technical knowledge of the industry.

Achieve CMMC Compliance With a CMMC Consultant

As firms seek outside Cybersecurity Maturity Model Certification consultants, the interview is one of the first impressions. The CMMC framework requires both parties to approach compliance with due diligence in mind. Both the firm and the contractor should be held to the same strict standard. For firms seeking to become leaders within their respective industries, this is the time to buckle down.

In this case, the hard work starts with the interview. Asking thoughtful questions is the first step in finding the right fit for the CMMC consultant position.

To streamline your process of achieving Cybersecurity Maturity Model Certification compliance efficiently and cost-effectively, schedule a call with InfoDefense and learn more.

Originally published May 7, 2021, updated September 16, 2021
