The Cybersecurity Maturity Model Certification (CMMC) program is aligned to the US Department of Defense’s (DoD’s) information security requirements for partners. CMMC is designed to enforce protection of sensitive unclassified information that is shared by the DoD with its contractors and subcontractors. CMMC provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.
The program has since been revised as CMMC 2.0. This updated program has three key features:
• Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets out the process for requiring protection of information that is flowed down to subcontractors.
• Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
• Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.
Everyone who sells to the federal government must be compliant with CMMC. There are different levels depending on the requirements and the data involved. The first question to ask is: what does the contract require? Once the contract requirements are known, the necessary security measures can be put in place to meet those requirements.
The difference between CMMC 1.0 and 2.0 is significant. When CMMC started, everything was to be assessed by a third-party auditor. With 2.0, the FAR and DFARS requirements for federal acquisition state that organizations at the low end (Level 1) can still self-attest and upload their scores; once they reach Level 2, a third-party audit is required.
Self-attestation can be misinterpreted. Many people read the requirements and feel they are already meeting them, but they are not meeting the specific requirements of CMMC.
What does this mean for MSPs and MSSPs - do they have to be compliant as well?
It depends on the scope. For MSPs – the questions to ask are: What services are we providing? Do the services meet the requirements? Is it connected to the cloud? Are the cloud providers authorized?
Just because something is FedRAMP equivalent doesn’t mean the FedRAMP requirements go away – it means the provider still has to pay to have it assessed by the federal government. The requirements are set, and they have to be audited. If the services you provide allow you to upload to or download from a customer’s server, those features have to be disabled under CMMC.
As an MSSP there are business decisions to make. A business must decide to keep doing what it is doing, or decide to build a new stack specific to government contracts for the defense industry.
How complicated and long is the process to become compliant?
By December all defense contracts will include the CMMC requirement, so this year is critical for starting the process. Anyone seeking certification will have to be audited by a third-party assessor. They have to get on that assessor’s list – it is essentially a waiting list, because some of the larger government contractors are already in line. The CMMC authority must certify that the audit was done by an authorized party. The process is: get the audit, the auditor submits the results to the CMMC accreditation body, and then certification is issued.
For MSPs and MSSPs is CMMC 2.0 an opportunity to provide additional services?
The fee to become a certified consultant for helping organizations achieve CMMC compliance is relatively small. It costs approximately $500 per year to become a Registered Practitioner (RP) as an individual, and about $5,000 per year to become a Registered Provider Organization (RPO) as an organization. For organizations looking to enter the CMMC consulting space, particularly MSSPs, this represents a significant opportunity.
Starting in December, every government contract will require CMMC compliance, creating a substantial market for MSPs and MSSPs to get certified and offer their expertise. This presents a huge opportunity for those prepared to meet the growing demand for CMMC consulting and implementation services.