Security insights from ThreatLocker
In 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) in the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC).
Designed by a combination of federal and private experts, CMMC is a maturity model, not a regulation. Compliance requirements are based on the data that a company manages. CMMC distinguishes two types of information, Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), and the level an organization must reach depends on which of them it handles.
Generally speaking, small and mid-sized organizations use MSPs because staffing their own IT departments is cost-prohibitive. As MSP customers seek CMMC certification, they need business partners who can support their strategic goals.
Meanwhile, MSPs find themselves trying to understand what certification level they require so that their customers can trust them.
The first step to determining whether an MSP must be CMMC compliant lies in the customer data it collects, transmits, processes, or stores. If an MSP will be managing FCI or CUI, then it needs to be at the appropriate CMMC Level.
In reality, most MSPs do not manage FCI or CUI. Even those that manage only FCI would need to be certified to Level 1, which requires demonstrating that the company follows the 17 Basic Cyber Hygiene practices. Most organizations with an existing cybersecurity program already meet this standard.
However, many DoD contractor customers are beginning to require MSPs to meet CMMC Level 3 certification. MSPs working with DIB clients should be familiar with CMMC and CUI.
For MSPs that want to maintain or expand their DIB customer base, CMMC can serve as a market differentiator rather than merely a contract requirement. Not only can they prove their own cybersecurity maturity, but they also gain first-hand understanding of the certification process, making them better suited to support DIB members.
Small and mid-size business customers will likely look to MSPs to explain how their services enable compliance. Because an internal IT team would normally manage the controls that make up a cybersecurity program, an MSP that replaces that team inherits the same responsibility.
To protect themselves from customer churn, MSPs will need to do several things:
“Compliance-as-a-service” (CaaS) is nothing new to MSPs. With this in mind, MSPs should start mapping the technologies they already deploy for customers to the CMMC practices those technologies satisfy, so that they can use that mapping to retain and grow their customer base.
Many small businesses looking to be CMMC Level 1 or Level 3 compliant may start outsourcing services that they previously handled in-house. To use CMMC as a market differentiator, MSPs need to understand where their services enable customers to set Basic Security Requirements or mature programs to meet Good Cyber Hygiene standards. As MSPs look to develop offerings that enable their DIB customers, they should understand CMMC and look to the “CMMC Assessment Guide - Level 3” to gain insight into how the CMMC Accreditation Body (AB) will review practices.
To learn more about how your current services enable customers to meet these requirements, download our guide, CMMC Compliance as a Service: Expanding the MSP Customer Base.