MSPs With The Chops To Deliver CMMC Compliance Can Save Customers Time, Money, And Headaches

The MSP Success Thought Leaders Program invites leaders in the small business IT/MSP industry to share their insights and advice with MSP Success readers.

The ability to operate in compliance with the Cybersecurity Maturity Model Certification (CMMC) unlocks businesses’ potential to win lucrative contracts in the Department of Defense (DoD) supply chain. However, actually achieving CMMC compliance is a difficult mountain to climb without an experienced sherpa; it’s a challenge that includes meeting complex security requirements and navigating exacting assessment processes. But if you’re an MSP who shapes your offerings to include that rare knowledge and assured guidance, you can create your own business opportunities and expand your client roster.  

CMMC compliance requirements remain something of a moving target right now, with the present version (CMMC 2.0) set for final implementation by 2025. This dynamic nature requires MSPs supporting CMMC compliance to remain on top of new developments, and to be prepared to adjust client recommendations and security postures accordingly. 

What To Understand—Right Now—About CMMC 

Organizations within the DoD supply chain—including all contractors and subcontractors—are subject to CMMC and the DFARS 252.204-7012 clause. The DFARS 7012 clause states that any organization with a DoD contract or subcontract that stores, processes, or transmits controlled information must protect that information in accordance with NIST Special Publication 800-171, along with additional requirements.

The DoD introduced CMMC 2.0 in November 2021 to better enforce cybersecurity via third-party assessment and certification. With 2.0, CMMC now has three different levels of cybersecurity requirements representing increasing maturity and controls. The type of information a contractor or subcontractor handles determines which CMMC level that organization is required to achieve. Organizations are subject to examination by a CMMC Third-Party Assessment Organization (C3PAO)—an independent and accredited entity—that will vet an organization’s security practices and provide certification if that organization is in compliance with its required CMMC level.   

In practice, the odds of an organization undergoing a third-party assessment will be low. However, CMMC also requires organizations to undergo a Basic Contractor Self-Assessment and submit and self-attest to the resulting Summary Level Score, or Supplier Performance Risk System (SPRS) score, to be eligible to bid on defense contracts. The SPRS score is based on the NIST SP 800-171 DoD Assessment Scoring Template. A perfect score is 110, which means that an organization is in compliance with all 110 CMMC controls. Anything less is a failing score. An organization that scores less than 110 must submit a Plan of Action and Milestones (POA&M) that documents the cybersecurity improvements it will pursue (along with projected times to completion). The DoD views this submitted document as a binding commitment to achieve necessary CMMC compliance.   

MSPs’ CMMC Opportunity 

If you have customers that are just starting out on the road to CMMC compliance, they can face a years-long struggle if they choose to go it alone. If your MSP business has expertise in CMMC’s 110 controls and security solutions designed to meet them, you can help them fast-track this process, and save tremendous time, money, and headaches along the way. You can provide crucial support to ensure that clients understand their duties under CMMC, successfully navigate assessment processes, and achieve CMMC compliance in order to ultimately win new business. Specifically, you should deliver cybersecurity services that include effective data protection and access controls, thorough and accurate risk assessments, and the other guidance needed to meet CMMC’s technical criteria.

Position your offerings by touting holistic CMMC compliance support strategies built around fit-to-purpose security technologies that specifically address clients’ needs. You can also make it clear that the advantages of investment in CMMC compliance go beyond just winning DoD contracts. CMMC compliance directly reflects compliance with NIST 800-171 controls, which are fast becoming the recognized standard for baseline cybersecurity measures across industries. Therefore, CMMC compliance demonstrates unquestionable security chops, and puts an organization ahead of the curve as NIST-grade security rapidly becomes table stakes for winning new business. 

This is why a strategic security technology stack is crucial. With a well-planned tooling strategy that’s ready to go, you can instantly vault clients ahead of competitors when it comes to providing security assurances—and do the same for yourself while you’re at it.  

Importantly, because CMMC focuses on safeguards that secure controlled unclassified information (CUI)—including personally identifiable information (PII), sensitive technical data, and more—you can serve clients well by introducing security controls that align with best practices for securing this information across their organizations. CMMC similarly calls for all cybersecurity practices to undergo continuous monitoring. You should thus provide clients with effective check-and-balance strategies and ongoing security assessments, with a focus on maintaining and assuring compliance with the CMMC framework.

Caution Clients To Accept No Imitators, And Provide The Real-Deal CMMC Compliance They Need

Businesses that are eager for CMMC compliance but lack expert savvy face real dangers from vendor offerings that make big claims but won’t meet their needs. With 110 controls to address, the path to CMMC success is narrow and tricky. An MSP company that commits to championing the interests of CMMC-focused clients and clearly demonstrates those capabilities can easily serve as a beacon leading those businesses out of the wilderness, while quickly growing its own business in the process. 

For more information on Dispatch Tech, go to dispatchtech.com.

ABOUT THE AUTHOR
Aaron Wyant is the president of Dispatch Tech, a technology solution provider based in San Diego. His company helps subcontractors become CMMC compliant with a process they have created. Wyant is also the co-author of the Amazon bestseller On Thin Ice, which looks at modern cybersecurity strategies.
