[Webinar]  
How to Prepare a CMMC RFP

When Defense Industrial Base (DIB) contractors rely on the wrong partner to guide them through Cybersecurity Maturity Model Certification (CMMC), it is among the top reasons that they struggle through, or fail, assessments from the Department of War (DoW).

The problem is that organizations struggle to set criteria to vet their prospective partners. Customers think their partner is ready to bring their IT and security up-to-par, but they ultimately find that the partner exaggerated or overestimated their own ability. If you do get certified with a sub-par partner, you’re looking at an added three-year commitment, or undergoing reassessment under significant change while switching to a new vendor.

So, how do you really know which Managed Service Provider (MSP/MSSP/MGRC), or as CMMC calls them External Service Providers (ESP)is the right one for you? That’s where RFPs and our free RFP template come in.

What's a CMMC RFP?

In the DIB, many of us follow the DoW’s lead in sending out RFPs to three vendors before selecting one. An RFP helps an organization understand all the factors that would go into using a given provider, including their ability to execute to your organizational standards as well as cost, scope, and timeline.

Let’s explore how to create an RFP to determine which CMMC compliance service provider is best for your business. To start you off, we’ve developed an RFP template. Use this as-is (just adding your basic company information) or change it and add criteria as needed.

Using these 6 RFP elements and our RFP template, you’ll be able to find the right provider for your unique needs, minimizing the risk of choosing the wrong provider.

1. Introduction and Scope 
2. Technical Requirements 
3. Vendor Qualifications 
4. Documentation Needs 
5. Pricing Structure 
6. Timeline and Deliverables

1. Introduction and Scope

 Many are looking for CMMC compliance, but there are other regulations that may have an impact on which provider you choose such as Federal Acquisition Regulation (FAR) Controlled Unclassified Information (CUI) and U.S. General Services Administration (GSA) CUI, which require faster incident response times. Your provider should not be prepared for only what’s required now but also be prepared to adjust as requirements continue to develop.  

Scope

 Prior to releasing an RFP, you must understand your compliance boundary. Would an enclave protecting your CUI be sufficient, or does your company need to go all-in? An enclave is the standard solution for a company with less than 15% of staff working with CUI. Be sure to involve both technical staff and end-users in conversations around scope. End users can tell you how they work and what resources they need in-scope to do their jobs effectively (think mobile access to emails, use of printers, etc.).

2. Technical Requirements

Tech Stack

What tech stack do they use? Summit 7, for example, uses primarily Microsoft 365 Government Community Cloud High (GCCH) and GCC clouds, backed by Azure Government and Azure Commercial respectively. Additional software we use for managed services also meet Federal Risk and Authorization Management Program (FedRAMP) Moderate or High Baseline and export control requirements.

It’s important to understand your provider’s tech stack to determine whether it meets all of your regulatory needs. Are they meeting CMMC and export control requirements for International Traffic in Arms Regulation (ITAR) and Export Administration Regulations (EAR) data handling? You may also find that there are additional subscriptions you have to bring to the table.

General Support Needs

Ask what other forms of technical support these potential partners offer. A few examples from Summit 7’s offerings include:

Guardian, Summit 7’s managed services solution:

• 24/7 user support
• Change control board management
• Network management
• Identity management
• Microsoft 365 GCC High management
• Mobile device management
• 24/7 security monitoring and remediation
• Full Microsoft Defender stack
• Attack surface assessments
• Cyber threat intelligence feeds
• Security operations center
• Incident response and management
• Summit 7 takes the lead on all CMMC practices
• CMMC audit support
• CMMC gap assessment
• Evidence collection
• Continuous monitoring
• Policy and procedure creation and management

Vigilance, Summit 7’s managed security services solution:

• 24/7 security monitoring and remediation
• Full Microsoft Defender stack
• Attack surface assessments
• Cyber threat intelligence feeds
• Security operations center
• Incident response and management

 Commander, Summit 7’s managed Governance, Risk Management, and Compliance (GRC) solution:

• Summit 7 takes the lead on all CMMC practices
• CMMC audit support
• CMMC gap assessment
• Evidence collection
• Continuous monitoring
• Policy and procedure creation and management

3. Vendor Qualifications

What CMMC certifications does the partner have?

Determine what expertise the provider has through certifications awarded by the Cyber Accreditation Body (Cyber-AB).

Experience and Track Record

Prioritize companies with a track record of CMMC success. You should set standards for the number of:

• Completed CMMC L2 assessments, minimum 5
• Years of CMMC experience, minimum 2 years
• GCC High tenants deployed, minimum 10
• Azure government implementations, minimum 5
• Available client references, 3 recent
• Average time to certification, 9-12 months
• Assessment success rate, minimum 80% first attempt
• Industry diversity, serves 2+ industries

Personnel and Operational Requirements

Consider additional requirements revolving around company operations. High employee turnover may result in key members of your external team dropping off your project, impacting plans and knowledge. Foreign subcontractors can result in ITAR violations and data sovereignty issues. You should set standards for:

• U.S. Personship (required for ITAR/EAR without a license for non-U.S. persons)
• Background screening process
• Dedicated CMMC team
• No foreign subcontractors
• Low staff turnover rate
• Staff training and development programs

4. Documentation Needs

Ensure your compliance provider can create adequate documentation including:

• System Security Plan (SSP)
  • Average is between 200-300 pages
  • Some organizations are content to make 20 slides and call it a day (watch out for these!).
• Plan of Action and Milestones (POA&M)
  • Standard Operating Procedures (SOPs)
  • Policies and Procedures to support the CMMC Level 2 Controls
• Shared Responsibility Matrix/Customer Responsibility Matrix (SRM) also called a Customer Responsibility Matrix
  • Must be broken down by assessment objectives
  • Matrix is required to even begin a CMMC assessment

5. Pricing Structure

Of course, we can’t leave pricing out of the equation. Some vendors artificially lower their prices by leaving core components. For example, Azure Government subscriptions are typically consumption based. Rather than being listed with an accurate estimate of $2-3K a month, a company not showing the full picture will leave it at $0. This alone could lead you to spend $36K a year more than you expected. If there is no line item for cloud spending, that is an immediate red flag.

When comparing quotes, make sure to compare and scrutinize them line-by-line. If provider “A” is significantly lower cost than providers “B” and “C”, check that all the same expenses are represented, or risk paying for hidden costs.

6. Timeline and Deliverables

Consider how quickly you need a CMMC certification. Many wait until they see a solicitation they want to pursue; however, you must be certified before the contract is awarded. The time between solicitation and contract, called Procurement Administrative Lead Time (PALT), is often not long enough to pursue CMMC from start to finish.

Typically, CMMC timelines vary from 6-18 months depending on an organization’s security baseline. If an organization is promising you certification in 30 days, unfortunately, it is too good to be true.

Scoring Criteria

Once you have all of your RFP questions answered, you’ll have to score the organizations. While these answers are all important to have, some are more important than others. Generally, this is how organizations weigh RFP requirements:

For more details and to claim your free RFP template, register for Daniel Akridge’s and Jacob Horne’s RFP webinar. Have questions this webinar doesn’t answer? Reach out to an expert.