Hey everyone,
I passed the CyberAB RP training, which frankly brought up more questions than it answered. I work for a CPA firm that does taxes and financial audits for DoD contractors and subcontractors. We do not work directly for the DoD. From the training, I believe that since we obtain copies of the DoD contracts from our clients, and if they contain FCI, my firm (CPA) would be required to be at a minimum CMMC Level 1. *Question 1 - Does my CPA firm need to attest to CMMC Level 1 compliance?
If this is the case, which I am pretty certain of, we would then need to look at the cloud platforms where we save our files and workpapers (including evidence of the DoD contracts, which I believe to be FCI) to ensure that those SaaS applications are CMMC compliant. *Question 2 - Does the third-party SaaS application my firm uses to store our clients' FCI need to attest to CMMC Level 1? Or is it just the controls we have in place at the SaaS provider? For example: access control lists, segregation of duties, change log monitoring, MFA, etc.
Thanks All!