Senior Consultant, Information Security Services, United States
With CMMC rulemaking progressing, there is an increasingly large pool of C3PAOs (CMMC Third Party Assessment Organizations) and NIST SP 800-171 assessors. While C3PAOs are not yet authorized to certify for CMMC, companies definitely will be requiring NIST assessments this year. Why choose Smithers as your assessor out of all of the other possibilities?
The biggest difference between Smithers and other assessment firms is the continuous assessment process. What does that mean, exactly?
Most assessment companies will assess your NIST SP 800-171 compliance, certify your business if appropriate, and then will not return for a recertification for three years. During the two years in between, your company will have to conduct a self-assessment and report your score using the SPRS database. Remember, if there is an inaccuracy in the SPRS self-assessment reporting, the person who signed the document is held personally responsible. He or she will be fined, not the company as a whole.
Smithers believes the self-assessments are just as important as the certification assessments for this reason. The continuous assessment process means Smithers will conduct the full assessment for certification, then return the next two years to execute a “surveillance” assessment. Smithers will look at a fraction of the NIST SP 800-171 controls and certify continuing compliance. The company still needs to submit a SPRS score, but now that submission is validated and supported by a reputable third party. With evergreen pricing, your business will be able to avoid spikes of investment every three years and will prevent damaging financial penalties for non-compliance or inaccurate self-assessments.
ISO 27001 is an internationally recognized standard focused on ISMS (Information Security Management Systems). It is a robust system that parallels ISO 9001 in many ways and also expands well beyond the ISO 9001 structure with 93 additional controls.
Because Smithers has over three decades of experience assessing against ISO and other standards, it is seamless to incorporate ISO 27001 certification into the NIST/CMMC process. The continuous assessment process makes this possible for less money than it would take to use two different firms. Essentially, every time Smithers returns to your facility, you will be able to complete either a certification or a surveillance assessment. ISO 27001 requires surveillance audits on an annual basis, so this can coincide with the NIST surveillance assessments described above. Every year your business will move forward on two different certification fronts with the same trusted assessment company with transparent pricing in place.
Beyond the continuous assessment process, Smithers has decades of experience in auditing management systems against recognized standards, building those relationships over time, and offering the best client service possible. Many NIST/CMMC assessors will not be able to bring ISO experience to the table, and some may only have been established a few years ago. Longevity can be difficult to find when there is a new rule, but Smithers offers peace of mind as a well-established and successful company.
If you are interested in learning more about the continuous assessment process, NIST SP 800-171, or ISO 27001, contact us today. We would be happy to speak with you in regard to your organization.