C3PAO

Kompleye

Specialized CPA firm delivering assurance and regulatory compliance services to cloud providers, SaaS companies, healthcare entities, and federal contractors.

Andrew Lynch: Thank you everyone for checking out this edition of Virtru's CMMC Assessor Spotlight. For this episode, we are joined by Pat Garcia, the CEO of Kompleye. So thanks for joining, Pat. Why don't I kick it off to you? We'd love to hear a little bit about yourself and Kompleye.

Pat Garcia: Thank you, Andrew, and thank you for inviting me. Kompleye is a cyber assurance firm that provides multi-certification services, including FedRAMP, as well as StateRAMP or GovRAMP, and now CMMC, and many other cybersecurity assurance and standards for security like ISO 27001 and SOC 2. We are specialized in cyber assurance and compliance for multiple DOD contractors, as well as commercial enterprises.

Andrew Lynch: Wow. And so how long have you all been doing this?

Pat Garcia: Well, if I count my years, I'm going to date myself. But we've been doing this for more than fifteen years now, helping all types of businesses, sizes, and industries to meet their compliance and cybersecurity requirements.

Andrew Lynch: Great. Well, so being a firm that has assessed and consulted organizations in things prior to CMMC, I'm curious, what is your take on CMMC, and how does it relate to maybe other compliances that organizations have had to meet before?

Pat Garcia: Well, CMMC is a more strict and formal program. I see other certifications like SOC 2 and ISO 27001 having a lower level of assurance in that sense, not because the auditor is wrong or because the processes or what is required from organizations is bad, but just because the risk profile of those organizations is lower compared to the ones we are dealing with in CMMC, because we are talking about national security within the CMMC ecosystem and FedRAMP itself. So the level of risk is lower in that sense; CMMC raises the bar in terms of compliance as a whole.

Andrew Lynch: Okay, great. Well, and can you share a little bit about what is it like for an organization to work with Kompleye?

Pat Garcia: Absolutely. We engage closely with customers. We believe this is a long-term partnership, and this is based on my experience as well with DIBCAC and our JSVAs, as well as the assessments they perform on us. DIBCAC is not looking to get companies out of the space. They want to bring more companies into the space while protecting the information and the department's mission. Working with Kompleye is establishing a long-term partnership, understanding that we are here to protect and to fulfill the mission of protecting our nation.

Andrew Lynch: That's great. And what are some of the services that Kompleye offers around CMMC? Are you doing any consulting? Are you just doing assessments?

Pat Garcia: We are primarily focused on assessments. We do readiness assessments. We perform automated assessments outside of the CAP. We also do mock assessments following the CAP procedures, and we also perform formal assessments for OSCs. That's within the CMMC ecosystem. For FedRAMP, we are also a FedRAMP 3PAO, and we help companies go through the FedRAMP authorization process. And we have done a couple of FedRAMP equivalency assessments as well to meet DOD requirements for FedRAMP equivalency. So, yes, we are heavily invested in terms of time with the assessment procedures that the government asks and requests from any organization in this area.

Andrew Lynch: Okay, great. And for an OSC who has not yet even reached out to a C3PAO, could you maybe just speak to what it would be like when they first engage with you? What's your first interaction like with them, and maybe speak to a timeline from, on average, first communication to maybe getting an assessment scheduled?

Pat Garcia: Yeah, definitely. We have built a step-by-step process where we start by ingesting information and understanding the needs of the customer. There are some situations where the contractor may not even need a certification itself. So we try to understand as much as possible the information they ingest and also the different contract vehicles they have, CAGE codes, and all that. So we ingest all that information within the first or second interaction. And then based on that, we work using the project management approach. When we engage with a customer and we sign the contract, we kick off a project, and we open up a compliance portal where we exchange information. That portal is secure, has been audited, and approved by DIBCAC as part of our pre-annual assessment. And we just start exchanging information through that solution. So we move then into the planning of the assessment, which is basically determining the different stages and phases, and establishing the program milestones that we're going to follow for the assessment itself. The third step is performing a pre-assessment, which is a formal step within the CMMC Assessment Process document, the CAP. And we just determine if the company is ready to undergo an assessment or if they may need additional work internally to prepare for that specific stage. The next step is establishing the draft audit plan, where we confirm the availability of personnel and make sure that if the company uses an MSP or a consultant that is going to help them through the audit process, they will be present as well as any of the resources that we'll need to attend those interviews and testing sessions. Then the next step is, of course, the assessment itself, the performance of the testing and interviews. And finally, we go through compiling all the results and reporting that back to the organization. The last step is to issue the certificate. There are some considerations in between. We share the draft certificate with the customer just to make sure of the accuracy of the information prior to uploading that CRC email. So the process altogether, from the moment we sign the contract all the way down to the moment we issue a certificate, could take anywhere from six to eight weeks.

Andrew Lynch: Okay, great. That sounds like it's a really thorough, efficient process, and that sounds like that's something that would then benefit the OSC, having that sort of organization and streamlined process. So thanks for sharing that, Pat. And I know that we kind of got to know each other through me sharing what Virtru does from an encryption perspective, helping organizations to meet some of the controls for CMMC. I'm curious, what are some pieces of advice that you would give to any organization as they're beginning to speak with vendors like Virtru, considering them to help with CMMC? What would be some tips that you would give them to look out for?

Pat Garcia: Of course, the most important one is to understand what the vendor can give you, what the vendor can do for you to meet the different requirements. It's important to understand that the vendor itself has some responsibilities; you can inherit either fully or partially the different controls and control objectives from the vendor. Therefore, they can help you meet the requirements in a better way. Of course, in terms of Virtru, it is a FedRAMP authorized solution, and that will take care of some of the requirements established by 252.204-7012, the clause for protecting or safeguarding Controlled Unclassified Information. So that's key, right? So understanding how the vendor is meeting the different requirements—in this particular case, the CSPs and ESPs requirements, which is part of 32 CFR Part 170.19, that they will force to be in scope within the regulation. That's going to be important. Find a vendor that already meets those requirements, so it's going to make the life of the contractor easier in terms of the implementation. Not easy, but easier.

Andrew Lynch: Yeah, that's great, thanks Pat. And I guess, lastly, just in general, what advice would you give to an organization that is working towards meeting CMMC Level 2, and how would maybe Kompleye be able to help them?

Pat Garcia: Absolutely. So the most important part is the scope and right-sizing the assessment. There are different organizations that have been used to using an enterprise environment when not all of the users or all the individuals working for the organization have or need access to this specific type of information. So right-sizing the scope, understanding how CUI flows through the environment is the most important part. So that is the key portion. And then, as the company and the organization progresses, identifying the different assets that are processed in the CUI asset—those that process, store, or transmit CUI, security protection assets, and all the responsibilities that are behind those assets, right? So those are the ones that process or transmit security protection data, and all the requirements that are behind those. The use of MSPs, if they have a company that helps them go through the preparation process as well as the implementation process, making sure that those also understand the requirement. How can Kompleye help? We can support organizations through the assessment process. Again, our approach is to partner with organizations while maintaining our independence requirements. But the way we see this down the road is these are long-term partnerships that the department wants us to have so we can secure the information to protect our nation.

Andrew Lynch: That's great. Well, you've obviously shown that you've been able to build strong relationships just given how long you've been doing it. So for any organization who's interested in maybe getting in touch with you, what would be the best way for them to do so?

Pat Garcia: Well, they can either go through our webpage or just get in contact through the CMMC webpage. We can also be contacted at info@kompleye.com. And also there are multiple events we are attending. We're going to be at the Defense Manufacturing Conference in Orlando next week. We'll go up to Milwaukee for DeepCom 26, then the following week at CS5. So there are multiple events, and we'll be posting those events on our webpage, so OSCs that might attend those can visit us directly, or as I mentioned, visit our webpage www.kompleye.com, or just write us to info@kompleye.com.

Andrew Lynch: That's great. Well, thanks so much for joining this episode, Pat, and we'll talk to you later.

Pat Garcia: Thank you, Andrew. Thank you for having me.