March 21, 2025 8 mins

Submit any questions you would like answered on the podcast!

In this episode of The CMMC Compliance Guide Podcast, Brooke and Stacey reveal a critical factor that could make or break your compliance journey: your IT provider.

✅ Discover why your IT provider plays a crucial role in your CMMC assessment.
✅ Learn the risks of working with an unqualified IT provider — and how they could cost you contracts.
✅ Find out what a qualified IT provider should bring to the table to simplify your compliance process.
✅ Get actionable tips on how to vet an IT provider to ensure they’re an asset — not a liability.

🎯 Don’t leave your compliance journey to chance. Tune in to learn how to make your IT provider your strongest ally.

🔗 For more resources, visit https://cmmccomplianceguide.com/

❗Get past all the CMMC jargon by downloading our CMMC Glossary: https://cmmccomplianceguide.com/glossary


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Stacey (00:00):
Hey there, welcome to the CMMC Compliance Guide podcast. I'm Stacey.

Brooke (00:04):
And I'm Brooke.

Stacey (00:05):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on

(00:25):
track. Today, we're discussing a major factor that could make or break your CMMC compliance journey, your IT provider. Are they setting you up for success or putting your entire business at risk? A lot of organizations assume that if they hire an IT provider, compliance is handled, but that's not always the case. Today, we'll break down why your IT provider plays a

(00:46):
critical role in your assessment and how to ensure they're an asset rather than a liability. Most companies don't realize that their IT provider is actually a part of their CMMC assessment. Brooke, can you help break this down?

Brooke (00:59):
Yeah, absolutely. When you go through an assessment, anything that an IT provider does in securing any of your FCI or CUI or helping you do that, as well as any... dealing with any CUI, like backups maybe, stuff like that, then they're going to be in scope.

(01:20):
And so they're going to be part of that assessment, whether they like it or not, and whether you like it or not.

Stacey (01:28):
What are the biggest risks companies face when working with an unqualified IT provider?

Brooke (01:33):
The biggest risks that companies could face would be noncompliance, the assessment or planning preparation and implementation, either one, taking much longer than expected, failing one of those compliance assessments. Those are the risks.

Stacey (01:52):
Brooke, could you tell us what a qualified IT provider brings to the table that makes CMMC compliance easier? So

Brooke (01:58):
a qualified IT provider... can help you, uh, work with you during your assessment, uh, help that process go smoother. They'll be part of that and they'll, they'll know, they'll make sure they're compliant as well. So when you go through this and they get, uh, their, the portions that are, uh, in scope, uh, that get assessed will be, will, uh, flow through just fine.

(02:19):
Um, it should make the whole process easier.

Stacey (02:23):
Could you tell us what should companies look for when choosing an IT provider?

Brooke (02:27):
When you're looking for an IT provider, one of the things you look for is certifications. CCA, CCP, an RP, although that's technically registration and not a certification, but RP, RPO for the organization. And to step back a little bit, just in case y'all don't know what all the acronyms stand for, CCA is a CMMC Certified

(02:52):
Assessor, which probably fewer straight IT providers are going to have because it's a little bit of a high bar. And if you're not doing assessments properly, you probably don't necessarily want to go through that. CCP, which is a CMMC Certified Professional. There's the IT providers that are serious about this.

(03:16):
Make sure that they have some staff that have CCPs. Definitely an RP, which is a Registered Practitioner. Believe it or not, actually, that's a pretty low bar. I would not put a lot of stock in somebody that just has their RP. It's okay if they don't have anything else, but if they just have their RP, then you've

(03:40):
got to check other things as well. But RP is Registered Practitioner. RPO is for the organization. So for the IT provider, it's a Registered Practitioner Organization. Another thing that would be good when you're looking for an IT provider is one that has some relationships or however you want to phrase it, but relationships or has met C3PAOs

(04:02):
and assessors, CCAs. They're going to be doing the assess... Because it really, really helps to know how the assessments are going to go and not just how, you know, me as an IT guy thinks this control should be put in place. So it really helps out a lot.

Stacey (04:17):
So for the business owners that are trying to pick the right IT provider, what are the must-ask questions that they should ask when they're vetting out providers?

Brooke (04:26):
You or any of your staff have any certifications, CCP, CCA, RPs, RPO, your organization would be an RPO. Do you have any... vetted relationships with any C3PAOs? Have you gone through any of these assessments already? There's not going to be very many that have, but that would

(04:47):
be a good question to ask. At least at this point, there's not going to be that many that have. Do you keep up with, do you attend the town halls? The Cyber AB town halls, do you attend those? Really, that is a key place to get lots of great information and get it in a good structured form rather than just trying to

(05:09):
read through tons and tons of documentation. We offer compliance-focused, CMMC compliance-focused solutions. And again, I talked about other compliance solutions. Other compliance solutions don't necessarily fit in the CMMC space. So it's good to ask if they have CMMC compliance-focused

(05:31):
solutions or just general good cybersecurity that won't necessarily...

Stacey (05:39):
A provider stumbles on those questions, should that be considered a deal breaker?

Brooke (05:44):
Earlier we talked

Stacey (05:56):
about credentials like CCP, RP, and RPO. What do these actually mean for businesses choosing an IT provider?

Brooke (06:04):
So those certifications really indicate an IT provider's depth of knowledge about CMMC and about NIST 800-171 and the whole CMMC ecosystem, really. The... Starting at the bottom would be the RP. They have some knowledge. CCPs have a good deal of knowledge.

(06:26):
CCAs would have plenty of knowledge. Again, the CCAs, for a straight IT provider, there's going to be very few of those that actually have CCAs on staff because most of those are going to be doing assessments. But those certifications, and being an RP and RPO, those

(06:47):
certifications and registrations would mean that they have taken time to go through the process, learn quite a bit, and try to stay up in the ecosystem, CMMC ecosystem.

Stacey (06:58):
Stepping a little bit beyond certifications, how does industry involvement, like attending Cyber AB events, impact and improve IT providers' ability to help with compliance?

Brooke (07:09):
Seems like the CMMC space is much like the IT industry in general because if you don't keep up with it, you lose out and you... your knowledge doesn't grow because CMMC has always changed. Well, it has changed quite, put it this way, CMMC has changed quite a bit from the beginning back in, you know, well, we'll

(07:30):
just start at 2017. It's changed quite a bit. So if you don't keep up with all these changes, keep up with understanding what products work, what products don't, you need to keep up with all that. And the way to keep up with it is be engaged in these industry events, attend the Cyber AB, maybe go on some of these CMMC conferences, conferences, stuff like that.

Stacey (07:51):
If you have any questions about what we covered, reach out to us and we're here to help fast track your compliance journey. You can text, email, or call us and we'll answer your questions for free here on the podcast. Find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.