The Cybersecurity Maturity Model Certification (CMMC) is set to become a crucial requirement for defense contractors, including External Service Providers (ESPs) like Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). As the rules are finalized, expected by the end of 2024, it’s essential for MSPs to take proactive steps now, positioning themselves to meet these requirements and continuing to support their clients effectively.
What is CMMC?
CMMC is a unified standard for implementing cybersecurity across the defense industrial base (DIB). It encompasses multiple levels of certification (Levels 1, 2, and 3), each with escalating requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Compliance with CMMC will soon be a condition for contract awards, making it a critical factor for both prime contractors and subcontractors.
CMMC Overview and Levels
– Level 1: Basic – Focuses on basic safeguarding of FCI with 17 practices aligned with FAR 52.204-21.
– Level 2: Advanced – Builds on Level 1 with a total of 110 security requirements from NIST SP 800-171 rev2, protecting CUI. DFARS 252.204-7021 will mandate CMMC certification via a Certified Third-Party Assessment Organization (C3PAO) every three years at this level, including a flow-down requirement for subcontractors.
– Level 3: Expert – Aimed at protecting CUI with additional security controls beyond those in Level 2. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) will conduct assessments for Level 3.
Why CMMC Matters
CMMC’s primary purpose is to protect sensitive government information. For MSPs, this means understanding the role they play in their clients’ security posture and preparing to meet or exceed the required compliance level. This proactive approach not only safeguards your business relationships but also enhances your competitive edge in the DIB.
Who is Impacted by CMMC?
The DIB, including prime contractors, subcontractors, and ESPs like MSPs and MSSPs, will all be required to achieve the appropriate level of CMMC compliance. This applies to any entity handling FCI or CUI, directly or indirectly.
How Will ESP Compliance Be Assessed?
Currently, there is uncertainty about how ESPs will be assessed, particularly since they typically do not hold CAGE codes, are not directly subject to DFARS contract requirements, and do not manage CUI independently. Despite this, the proposed rule strongly suggests that ESPs will need to align with the same security practices as their clients.
What Should MSPs Be Doing Now?
Given the current ambiguity, it’s essential to start the process of aligning with NIST SP 800-171 rev2. Here are some first steps:
– Assess Your Compliance: Determine your score against NIST SP 800-171 rev2.
– Develop Essential Documentation: Create a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M).
– Scope Your Responsibilities: Identify potential FCI/CUI within your managed environments.
– Prepare a Shared Responsibility Matrix (SRM): Define your role in supporting your clients’ CMMC compliance.
Understanding the Scope of an ESP
As an MSP, your access to your clients’ systems could expose you to their FCI/CUI. The systems you use to access client environments, and any tools that hold Security Protection Data, must be considered part of your compliance scope. Our team can assist you in assessing this scope and ensuring you’re prepared.
What Will Your Clients Be Looking For?
Clients will increasingly seek MSPs familiar with CMMC, who can demonstrate a clear understanding of the requirements and show a commitment to compliance. Using a Shared Responsibility Matrix will be crucial in defining your role and giving your clients confidence that you are ready to support their compliance journey.
Next Steps and Resources
– Stay Ahead of the Curve: Download our **Choosing the Right MSP for CMMC Compliance** checklist to ensure you’re on the right path.
– Get Support: Our team is here to help you navigate the complexities of CMMC and NIST SP 800-171 rev2. From assessments to documentation, we’re ready to support your journey.
While there’s still some uncertainty around CMMC’s final requirements, taking these steps now will position you to succeed and continue serving your clients effectively. Remember, compliance is not just about meeting a requirement—it’s about securing your place in the future of the defense industrial base.