Military soldier holding laptop showing MSP compliance with CMMC framework

An MSP’s Perspective On the Defence Department’s CMMC Compliance Standards

The continued fallout from the SolarWinds hack, first reported in December of last year, has become a clarion call for strengthening the cybersecurity apparatus of businesses working with the US government. The severity of this hack is hard to understate: As recently as March, new reporting emerged that the hackers accessed the emails of the acting secretary of the US Department of Homeland Security, as well as other top DHS officials. Eight other federal agencies were targeted in total, in what Microsoft’s president called ‘the largest and most sophisticated attack the world has ever seen.’

Preparing for and preventing the next attack largely falls on the Department of Defense which, just weeks after SolarWinds news first broke, released version 1.0 of its Cybersecurity Maturity Model Certification (CMMC), after months of development and input from researchers and industry professionals. While cybersecurity regulations for contractors working with the DoD have existed for years — namely, the NIST 800-171 protocols — the newer CMMC framework will require third-party assessment of mandatory practices and requirements, in pursuit of a strengthened cybersecurity infrastructure for the DoD and its more than 300,000 contractors.

It’s a daunting task, made only somewhat easier by the timeline to compliance. A phased rollout means that full implementation of the rules is not expected until 2025. Yet the DoD has already announced plans to enforce CMMC regulations on seven contracts it plans to award in late 2021. In short, the rollout has already begun, and companies vying for DoD contracts — as well as the Managed Services Providers (MSPs) providing their IT infrastructure — should begin making steps toward compliance now, to avoid time-sensitive challenges in the future.

This starts with understanding how the CMMC differs from previous regulations, and where an individual company’s infrastructure fits within the new standards.

Five levels of compliance

The most noticeable change from the previous NIST 800-171 standards lies in the five levels of compliance established in the CMMC. Level one, “Basic Cyber Hygiene,” establishes 35 practices companies must implement in order to meet compliance.

At this level, companies can be authorized to receive Federal Contract Information (FCI): “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public.”

Level two of the CMMC includes more protocols and processes meant to bring a company up to the intermediate level of cyber compliance. It’s also a bridge toward level three, which corresponds with the previous NIST 800-171 standards and adds more protocols for companies to protect Controlled Unclassified Information. Companies utilizing this information, which “requires safeguarding or dissemination controls” but is not classified information, will need to comply with 58 level three practices, as well as the practices of level one and level two, in order to meet compliance.

Levels four and five add additional practices that can strengthen a company’s cybersecurity infrastructure, however it’s expected that only a handful of companies will implement these higher standards since CUI is protected in level three. Regardless, once companies have set their sights on a particular level, the real work begins: meeting these compliance standards.

Meeting compliance: The role of MSPs

In some sense, meeting CMMC compliance for a given level is straightforward. The DoD has published assessment guides that detail the required practices and processes in alphabetical order.

The level three guide runs to 430 pages, a substantial read even for the most experienced cybersecurity professionals.

It’s important to note that the companies seeking even level one compliance are not necessarily working in the cybersecurity field. They affect suppliers and service providers both domestic and foreign, for everything from food service contractors to the manufacturers of clothing and other products. No surprise, then, that one DoD official noted that “only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the [NIST].”

The new CMMC standards seek to rectify this situation by providing clear level guidelines and requiring assessment by third-party organizations. The CMMC Accreditation Body (CMMC-AB) website is already live, and while assessors have yet to be certified, companies already have the chance to begin preparing themselves to pass their upcoming assessments.

Given the complexity of the new regulations, the MSP industry will need to step in to fill the void that exists within many DoD contractors when it comes to advanced cybersecurity. And what we’ll no doubt see over the next few years is MSPs being far more heavily relied upon by clients to help them achieve ever more rigorous compliance standards – with CMMC being the most rigorous to date.

As things stand, however, the MSP industry has its work cut out when it comes to being able to support DoD contractors in achieving compliance. Many smaller, local MSPs lack the in-house resources and expertise required to navigate these new regulations. So what we’ll no doubt see is an acceleration of the consolidation we’re already witnessing in the industry, as a growing number of smaller players determine they can no longer compete given the increased overheads of meeting compliance standards.

Ultimately, it’s down to DoD contractors to ensure they are able to meet the required standards of CMMC compliance by the deadline. But while 2025 seems like a long way off, now is the time for contractors to begin conversations with their existing or future MSP, to ensure their provider has a plan in place that details how they will help their clients achieve this.