MSPs and CMMC: What MSPs Need To Know

As cloud computing enters its second decade, it has moved well past the experimentation phase and become a broad, scaled investment. For a managed service provider (MSP), that means security cannot be a practice bolted on separately; it has to be built into the service itself. The best MSPs build security practices that address the threats their customers face every day.

Security therefore needs to be designed in from day one: in the system design, throughout day-to-day operations, and in how a security incident is handled. The Cybersecurity Maturity Model Certification (CMMC) was released on January 31, 2020 to bring a new level of accountability and visibility to defense contractors, and it has changed how the Department of Defense treats cybersecurity in its supply chain. Any MSP that supports defense contractors needs to understand the CMMC requirements.

CMMC Is a Great Addition to the Industry

Beyond the obvious need to protect your network from cyberattacks and preserve intellectual property, CMMC sets a baseline that requires every contractor in the defense supply chain, MSPs included, to make meaningful investments in cybersecurity. Because the requirements are verified by assessment rather than self-attestation, they level the playing field for those who have already been doing the work.

DFARS 252.204-7012 is Still Active

A quick reminder: CMMC builds on NIST SP 800-171 and DFARS 252.204-7012 by adding practices and clarifying some controls. Those earlier requirements are not obsolete. The DFARS clause still applies to contracts that carry it, including its incident-reporting obligations and its requirement that any cloud service used to store, process, or transmit covered defense information meet the FedRAMP Moderate baseline or equivalent.

Don’t Wait to Get on Board With CMMC

Becoming certified takes a considerable amount of time, so start as soon as possible. If you are starting from scratch, plan on at least six months to reach compliance. Deploying solutions, writing policies, and changing the culture all take time. If you do not already have a compliance professional on staff, hire one in-house or as a consultant. Given how new the certification is, there is still confusion about many of the requirements, and it is not a good practice to throw your IT manager into the fire without help.

Policies Are Critical

The days of writing a policy, filing it in a virtual locker, and retrieving it only during an audit are over. CMMC requires policies to be integrated into daily practice. For instance, if you have a mobile device policy, does it require every user to be enrolled in a mobile device management (MDM) program? Your IT team must be able to state the concrete requirements a device has to meet and run reports that show the policy is actually enforced. In effect, the organization checks itself against its own written rules.

Review Your Cloud Platforms

As an MSP, you must review every cloud platform you use to confirm it meets the CMMC requirements for the data it will hold. Because CMMC is so new, it will take time before every service provider advertises that it is compliant, so do not rely on marketing claims; ask for the provider's shared-responsibility documentation and any FedRAMP authorization, and record which of your practices depend on the provider. As you work down the compliance path, NIST SP 800-171 and NIST SP 800-53 are a helpful roadmap.

Start at Level 3

If you hold or create government data under your contracts, you typically hold Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Handling FCI alone requires at least Level 1; if you process, store, or transmit CUI, you need Level 3 certification or higher. If you manage export-controlled data, that data is a category of CUI, so Level 3 applies and you remain subject to ITAR and other export-control rules on top of CMMC. Levels 4 and 5 are defined by the threat they protect against (advanced persistent threats) rather than by a distinct category of data, and the guidelines do not yet say which contracts will require them.

System Boundaries Are Crucial

The first version of CMMC requires a contractor to attain the specified level for the assessed scope, which may be the entire network or a defined segment, depending on where the protected information is stored and handled. This matters because limiting the set of systems that process, store, and transmit FCI and CUI shrinks the attack surface and lowers the cost of compliance. For instance, an MSP using a cloud-based CRM may be able to keep it out of scope, provided government data is never entered into it; that restriction has to be enforced and documented (through policy, training, and technical controls where possible), not simply assumed.

Because CMMC is so new, it is still evolving, and the more advanced requirements are still being defined. Ready or not, it is time to get started: CMMC is setting the path that government-contracted MSPs will have to follow. By understanding these guidelines and working with a compliance professional, you can make the necessary changes faster and reach CMMC compliance sooner.