The Cybersecurity Maturity Model Certification (CMMC) requires the approximately 300,000 defense industrial base (DIB) contractors to improve their security posture in order to earn contracts with the U.S. federal government. Even more recently, President Biden’s executive order on improving the nation’s cybersecurity specifically mentioned the need for IT service providers to bolster their cyber initiatives. Ultimately, the CMMC injects more defense contractor accountability into the protection and privacy of sensitive government contract information.
“Being cybersecurity-ready is mission critical for these businesses, and MSPs are in the thick of it,” explains Leia Shilobod, CEO of InTech Solutions and author of “Cyber Warfare: Protecting Your Business From Total Annihilation.” “The new battles are being fought in cyberspace, and America relies on the supply chain that can be at risk of cyberattack. At the end of the day, the CMMC helps protect us from our enemies.”
Full implementation into all new Department of Defense (DoD) contracts will take five years, but in the meantime, an interim rule kicked in on Nov. 30, 2020, with tough requirements for all new and renewing contracts:
- A self-assessment, reviewing implementation of 110 cybersecurity controls defined in NIST SP 800-171
- A System Security Plan (SSP) that provides the details of the environment and implementation of the controls
- A Plan of Action & Milestones (POA&M) that defines which controls are not addressed and specific time frames and plans for implementation
CMMC compliance is particularly important to MSPs that work directly or indirectly with the U.S. federal government.
Many of the organizations these requirements apply to are small and medium-sized businesses (SMBs) without the internal IT resources to perform the assessment or prepare the documentation.
Roll it all together, and CMMC compliance could play a big role in helping MSPs mitigate their own cyber risks while also doing their part to protect the United States.
“Compliance isn’t just an opportunity for MSPs, it is the opportunity,” says Mike Semel of Semel Consulting & Semel Systems.
The Ground Floor Opportunity For MSPs
MSPs that are paying attention have a great opportunity to get in on the ground floor of this development and expand their compliance offerings.
If MSPs have any clients that currently do business with the DoD, they now have serious new IT assessment requirements related to their cybersecurity practices that need documentation.
And if they don’t have any clients in the DoD supply chain, the estimated 300,000 businesses that make it up will create a demand for compliance services that will certainly outweigh supply in the immediate future.
The CMMC is broken down into five levels that build on each other. It is estimated that about half of all DoD contracts will only require CMMC Level 1 because many contractors do not store Controlled Unclassified Information (CUI). Contractors storing or processing CUI will be required to comply at Level 3 or above.
Level 1 – Basic Cyber Hygiene includes 17 of the NIST SP 800-171 cybersecurity controls and is intended to safeguard Federal Contract Information (FCI). It requires basic cybersecurity controls but does not require them to be documented.
Level 2 – Intermediate Cyber Hygiene is considered a transitional step toward the protection of CUI. It includes the Level 1 requirements plus 55 more, for a total of 72. Documentation is required.
Level 3 – Good Cyber Hygiene is the lowest certification level required to protect CUI. It includes all 110 practices in NIST SP 800-171, plus 20 additional practices.
Level 4 – Proactive (156 practices) and Level 5 – Advanced/Progressive (171 practices) include additional practices designed to protect against advanced persistent threats (APTs). It is expected that a very small percentage of contracts will include requirements at these levels.
Opportunity 1: CMMC Readiness Service
Each prime contractor — and all its subcontractors — will ultimately need to achieve at least CMMC Level 1 certification (and most at Level 3).
The demand is going to be huge, well beyond the supply of Certified Third-Party Assessor Organizations (C3PAO) required to perform the independent certification assessments. And when the time comes for the independent assessment, contractors who are more prepared will experience a faster and less expensive assessment.
There are very specific cybersecurity requirements that must be met, and there needs to be documented evidence to prove it. While only an independent C3PAO can provide the certification, clients will be relying on their MSPs to perform the initial internal “readiness assessment” and to gather up the evidence of compliance.
Opportunity 2: CMMC Document And Artifact Creation
A key component of any compliance program is documentation. If organizations can’t prove that they do (or did) the right things at the right time, they will fail an audit or assessment review.
MSPs and MSSPs won’t be able to certify their own clients due to conflicts of interest. But clients will see a great return on the time and money they invest in their MSP to prepare for the independent assessment by a C3PAO.
Opportunity 3: Ongoing CMMC Compliance Management
While SMBs will undoubtedly need assistance in obtaining their certification, an even bigger opportunity is in helping them maintain compliance during the three-year term of their certificate.
In addition to adding many more controls to the certification requirements, Level 3 also states that a contractor must have ongoing assessment and review of its security performance in place and must maintain ongoing documentation. The current NIST SP 800-171 requirement likewise calls for periodic review and updating of the System Security Plan.
“MSPs that have committed to delivering their IT and security services more efficiently through documentation can now take their documentation to the next level and monetize it through a Compliance-as-a-Service offering,” says Max Pruger, General Manager of Compliance at Kaseya. “By helping SMBs navigate the evolving CMMC guidelines, MSPs can build their businesses while keeping organizations safe from cybercriminals.”
The certification process involves many layers and can feel overwhelming and time-consuming. MSPs don’t have to go it alone and should leverage the guidance of solutions providers working in the space to navigate the process and ensure documentation is aligned with actual environments. It may feel cumbersome, but there is tremendous opportunity for MSPs as demand for compliance services surges. MSPs will also be doing their part to protect the country, and themselves, from potential cyberattacks.
Tools To Help
Kaseya’s Compliance Manager for CMMC automates the rigorous security assessment process laid out by the Department of Defense. MSPs can now help their clients navigate Levels 1–3 of CMMC and the NIST 800-171 interim rule.
The CMMC IT Documentation Toolkit from inTech fills in the policy gap. They will assess your systems, configurations, policies, and procedures for alignment with NIST 800-171 and the CMMC Level you need to certify and provide a remediation plan to close the gaps. Their simple yet effective documentation and policies are just what you need to protect your customers — and yourself.
To shortcut your success and get your entire company on board quickly, check out “CMMC for Profit,” which is available from Semel Systems. It includes hours of training videos, templates and checklists, an interim rule scoring tool, policies, and other things you can use to quickly be seen as an authority in this space.