Understanding CMMC 2.0: What MSPs & MSSPs Need to Know

William Birchett, President of Logos Systems, and myself discuss CMMC 2.0.

There’s growing interest in the Cybersecurity Maturity Model Certification (CMMC) 2.0 among all organizations that cater to the defense sector. This is particularly impactful for Managed Service Providers (MSPs)and Managed Security Services Providers (MSSPs) who must understand and meet these standards in order to ensure their clients take the right security measures This also presents a unique opportunity for MSPs and MSSPs to grow and differentiate their business. 

I met with William Birchett, a seasoned CISO from Logos Systems, to discuss the critical aspects of CMMC 2.0 and its implications for MSPs and MSSPs.

What is CMMC?

CMMC is a formal certification process required for U.S. defense contractors to protect Controlled Unclassified Information (CUI). It ensures that companies involved in the defense supply chain meet specific cybersecurity benchmarks.

While companies may already have foundational cybersecurity practices in place, they are required to undergo the formal CMMC certification process to demonstrate their compliance with U.S. Department of Defense (DoD) cybersecurity requirements.

Who Needs to Comply with CMMC?

Any company that sells products or services to the DoD must comply with CMMC. This includes manufacturers of various items, from hardware to safety gear, making it a broad requirement across different industries.

What are the Levels of CMMC?

CMMC 2.0 includes different levels of certification depending on the sensitivity of information handled and the contract requirements:

• Level 1: Basic cyber hygiene, often allowing self-attestation.
• Level 2: Requires a third-party assessment, particularly for handling more sensitive data.

What’s the difference between CMMC 1.0 and the new update CMMC 2.0? 

• Level 1 organizations can now perform self-attestation. In CMMC 1.0 they were required to carry out third-party audits.
• Level 2 organizations and above must perform third-party assessments, ensuring stringent security for higher-risk information.

What are some challenges of implementing CMMC 2.0?

Achieving CMMC compliance is complex and often misunderstood. Many organizations believe that they’re compliant but fail to fully adhere to the standards. 

Accurate interpretation and implementation of CMMC requirements are essential – this involves integrating NIST 171 and 172 standards and meeting specific federal acquisition regulations.

What is the impact of CMMC 2.0 on MSPs and MSSPs?

CMMC 2.0 applies to Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) that work with clients that sell to the defense industry.

To determine the impact, MSPS and MSSPs should identify the following:

1. Service scope: What services are you providing and do they meet the requirements? 

• What encryptions are used? 
• Are you connected to the cloud? Are the cloud providers authorized?

Example 1: Does your RMM let you download files from a customer’s computer? With CMMC those features have to be disabled or they could bring the entire MSSP into the scope of CMMC regulations.

Example 1: Just because a service or product claims to be “FedRAMP equivalent,” does not mean that the requirements are met, it just means they haven’t paid the money to be assessed by the Federal Government – and therefore are not compliant.

2. Business offering: Do you want to continue providing the services you’ve been providing? Or do you want to offer specialized services for the defense sector to meet CMMC requirements?

What are some opportunities for MSPs and MSSPs?

Despite the complexities, CMMC presents a huge opportunity for MSPs and MSSPs to grow and differentiate themselves in the cybersecurity market.

MSPS and MSSPs can become a CMMC Registered Practitioner (RP) or Registered Provider Organization (RPO). This involves relatively low entry costs (starts around $5,500/year) and can open new business avenues. There are also levels above that such as C3PAOs, certified professionals, audit, etc..

Since CMMC certification will apply to all businesses wanting to do business with the DoD, no matter how down-stream they are, there will be many opportunities for MSPs and MSSPs to support their customers in this area.

How to apply for CMMC 2.0 certification?

Whether seeking certification for yourself or your clients, it’s critical to start the compliance process immediately since it will soon be required in every service contract. 

The steps for certification are:

1. Determine your or your clients’ required CMMC level: Conduct a thorough assessment of current cybersecurity practices.
2. Schedule an audit: All CMMC certifications require an audit by a CMMC Third-Party Assessment Organization (C3PAOs). 
3. Submit the audit to the CMMC: All audits must be submitted to the CMMC accreditation body to certify that it was completed by an authorized third-party. The CMMC accreditation body then issues the certification.

Many organizations who believe they are CMMC 2.0 compliant actually do not meet the formal compliance standards. This is an opportunity for you (MSPs and MSSPs) to help your clients better understand the requirements and ensure that they are in fact compliant with the new regulations.