
MSPs and CMMC Compliance: 3 Ways to Help Customers

In 2020, the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) in the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC).

Designed by a combination of federal and private experts, CMMC is a maturity model, not a regulation. Compliance requirements are based on the data that a company manages. CMMC discusses two types of information:

  • Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

  • Controlled Unclassified Information (CUI): government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies.

Generally speaking, small and mid-sized organizations use MSPs because staffing their own IT departments is cost-prohibitive. As MSP customers seek CMMC certification, they need business partners who can support their strategic goals.

Meanwhile, MSPs find themselves trying to understand what certification level they require so that their customers can trust them.

The first step to determining whether an MSP must be CMMC compliant lies in the customer data it collects, transmits, processes, or stores. If an MSP will be managing FCI or CUI, then it needs to be at the appropriate CMMC Level.

In reality, most MSPs do not manage FCI or CUI. In fact, even those that manage FCI would only need to be certified to Level 1, which requires proving that the company follows Basic Cyber Hygiene practices across the 17 processes. Most organizations with a cybersecurity program already meet this standard.

However, many DoD contractor customers are beginning to require MSPs to meet CMMC Level 3 certification. MSPs working with Defense Industrial Base (DIB) clients should be familiar with CMMC and CUI.

How MSPs Can Leverage CMMC Compliance for Competitive Advantage

For MSPs that want to maintain or expand their DIB customer base, CMMC may be used as a market differentiator rather than a contract requirement. Not only would they be able to prove their own cybersecurity maturity, but they would also understand the certification process, making them better suited to support DIB members.

Small and mid-size business customers will likely look to MSPs to explain how their services enable compliance. Since internal IT teams would normally manage the controls that enable a cybersecurity program, MSPs will find themselves in a similar position.

To protect themselves from customer churn, MSPs will need to do several things:

  • Understand CMMC documentation, attestation, and audit requirements, and know how their services meet these requirements
  • Articulate these benefits to customers
  • Help customers set the right controls to meet CMMC documentation, attestation, and audit requirements

“Compliance-as-a-service” (CaaS) is nothing new to MSPs. With this in mind, MSPs should start understanding how the technologies they use with their customers help them maintain and grow their customer base.

CMMC Opens Up a New Market for MSPs

Many small businesses looking to be CMMC Level 1 or Level 3 compliant may start outsourcing services that they previously handled in-house. To use CMMC as a market differentiator, MSPs need to understand where their services enable customers to set Basic Security Requirements or mature programs to meet Good Cyber Hygiene standards. As MSPs look to develop offerings that enable their DIB customers, they should understand CMMC and look to the “CMMC Assessment Guide - Level 3” to gain insight into how the CMMC Accreditation Body (AB) will review practices.