Why the CMMC Update Presents a Business Opportunity for MSPs
In December 2023, the Proposed Final Rule for the Cybersecurity Maturity Model Certification (CMMC) program was published by the Department of Defense (DoD). The changes to the CMMC cybersecurity framework affect DoD contractors and the MSPs and MSSPs that service them. In this article, we’ll review the rule updates to the CMMC compliance framework and what they mean for your business.
Overview of CMMC Certification
The Defense Industrial Base (DIB) is composed of private sector contractors and subcontractors that provide various goods and services to the DoD. These companies are entrusted with sensitive unclassified information as well as controlled or otherwise vulnerable data. Without adequate security measures to protect that information and data, the DIB poses a significant security risk to the DoD.
The DoD developed the Cybersecurity Maturity Model Certification (CMMC) program in response to this risk. The program creates a unified standard for implementing a cybersecurity framework across the DIB, based on National Institute of Standards and Technology (NIST) standards in the NIST 800 series. It’s designed to achieve five primary goals:
- Safeguarding sensitive information
- Enforcing cybersecurity standards
- Ensuring accountability
- Perpetuating a collaborative culture of cyber resilience
- Maintaining public trust
US DOD Rule Updates for CMMC 2.0
Based on CMMC 1.0 and introduced in December 2023, CMMC 2.0 is the most recent iteration of the DoD’s standard. It establishes several new rules around certification levels, who needs to be CMMC certified, who performs assessments of CMMC compliance, and renewal requirements.
CMMC Certification Levels
CMMC 1.0, which is being superseded by CMMC 2.0, defined 17 domains of cybersecurity controls. Each domain addressed a specific aspect of cybersecurity and the complexity of the controls varied. Level 5 represented the highest level of maturity, but not all contractors were required to achieve it.
CMMC 2.0 replaces the five-tier system with three levels:
- Level 1 is Foundational
- Level 2 is Advanced
- Level 3 is Expert
The DoD determines the level of certification required for each contract.
CMMC Certification
While not yet required, CMMC compliance can be expected to start showing up in contracts around 2025 for any company working with the DoD or bidding on a DoD contract. Specific contract requirements are still being determined, but the DoD has indicated:
- Level 1 might be acceptable for some low-risk contracts with minimal CUI involvement.
- Level 2 is expected to be the baseline for most DoD contracts involving CUI.
- Level 3 will remain for contracts with high-risk CUI.
However, there's a strong possibility that Level 2 will become the standard requirement for most contracts in the future. CMMC 2.0 also aims to impact supply chain security, but the specific levels required for different supplier tiers are still under development.
CMMC Compliance Assessments
The DoD previously depended on a self-attestation process to substantiate compliance among suppliers, but CMMC 2.0 establishes stricter verification controls. Under the new CMMC 2.0, compliance for Level 2 contractors will be determined through audits conducted by accredited third-party assessment organizations (C3PAOs), following procedures and criteria still under development by the DoD. Level 3 requirements, including assessment specifics, are still being defined and will involve some level of government participation. Additionally, self-assessments remain an option for certain Level 1 and Level 2 requirements.
CMMC Certification Renewal
CMMC compliance is not a one-time occurrence. CMMC 2.0 states that Level 2 and Level 3 suppliers must undergo reassessments for each new contract or renewal, in addition to maintaining their compliance through reassessments (not necessarily “renewals”) every three years. Self-assessments remain an option for certain Level 1 and Level 2 requirements. Remember, specific details for Level 3 assessments are still under development.
What CMMC 2.0 Means for MSPs
As we mentioned above, CMMC 2.0 emphasizes supply chain security, potentially impacting MSPs and MSSPs working with the Defense Industrial Base (DIB). MSPs/MSSPs whose clients handle CUI might need to comply with CMMC in the future. The required level of compliance will depend on specific contract details and CUI involvement.
If you do business with DoD contractors who handle CUI, CMMC 2.0 might require you to align with its compliance framework. The extent of alignment depends on the specific contract and your role. You'll need to understand the relevant CMMC requirements, assess your current cybersecurity controls, implement any necessary changes, and potentially undergo an assessment by a C3PAO depending on your compliance level.
Why MSPs Should Know CMMC Rulemaking
Not only do you need to know CMMC rulemaking for your own compliance, but having this expertise presents a serious opportunity for your business.
Become the CMMC Compliance Expert for Clients
CMMC compliance is a complex process that your CMMC clients are going to need help navigating. Becoming a CMMC expert who can offer guidance on best practices, identify gaps, and assist with remediation makes you an invaluable partner to those clients.
Meet the Increasing Demand for MSP Compliance Services
Consider that small businesses represent 67% of contracts awarded by the DoD. Many of these small businesses don’t have the financial resources to invest in compliance without compromising their net earnings. These organizations are going to be looking for help from MSPs and MSSPs like you.
Sell CaaS with MSP Programs
As an MSP or MSSP, you’re uniquely positioned to serve CMMC clients. Why? Because you’re already offering your clients a range of IT and managed cybersecurity services. Becoming an expert in CMMC means that you can offer guidance on required policies and procedures while at the same time providing and implementing the actual controls to achieve cybersecurity and CMMC compliance.
Achieve MSP Compliance with CMMC Using Compliance Scorecard
Compliance Scorecard positions your MSP or MSSP for future success. Equip yourself with the right tools and knowledge to navigate CMMC requirements as they evolve, ensuring readiness for potential client needs.
Align with CMMC Using Our Supported Frameworks
CMMC compliance is a complex and challenging framework. It requires a thorough assessment of current security postures, identifying gaps, and establishing new procedures and controls where you fall short. Using our pre-built CMMC framework, the assessment and alignment processes are easy. The framework includes document templates for required policies and procedures, and a scorecard that identifies current gaps and updates so you can maintain compliance over time.
Adopt CMMC Across an Organization
The first line of defense in cybersecurity is the employees. They must be aware of requirements, best practices, and response procedures. Compliance Scorecard facilitates the adoption of CMMC across an organization, ensuring that employees are aware of what’s required of them and helping them integrate those practices into their daily operations, ultimately reducing the risks of human error and improving compliance.
Continuous Monitoring for Continuous Compliance
Noncompliance, especially when it results in a security breach, can carry severe financial consequences. Hefty fines, the loss of large contracts, and damage to reputations all impact your bottom line. Compliance Scorecard enables you to implement a continuous monitoring program that ensures you and your clients are up to date and aligned with changes to regulations, and you’re always ready for the reassessment and recertification processes required by CMMC 2.0.
Compliance Scorecard is Your Partner in CMMC Compliance
CMMC 2.0 could potentially impact your business if you're an MSP or MSSP serving DIB clients. While the specific requirements and timelines are still being finalized, understanding CMMC and offering related services like gap assessments and remediation support can position you as a valuable partner for your clients as they navigate these upcoming changes. This could present an opportunity to expand your service offerings and attract new clients seeking CMMC compliance support.
We know the process is daunting, but Compliance Scorecard has all the tools you need to achieve certification and help clients do the same. Contact Compliance Scorecard to learn more about our CMMC framework or download our playbook for step-by-step instructions on how to begin a strong governance program in your organization.