MSPs Can Simplify and Streamline CMMC 2.0 Preparation and Certification for SMBs

More than 300,000 organizations are expected to pursue the Cybersecurity Maturity Model Certification (CMMC) 2.0. The requirements for CMMC 2.0 may appear in requests for information (RFIs) and requests for proposals (RFPs) as early as May, or at least by early 2023, even though the timeline remains fluid.

As a managed security services provider (MSSP), impending CMMC 2.0 requirements can be a great opportunity to engage with existing clients, expand service offerings, and seek out new clients like small- and mid-sized businesses that will need help.

First, what is CMMC 2.0?

CMMC 2.0 is a set of standards all organizations and subcontractors must meet to bid on or renew contracts with the Department of Defense (DoD).  

DoD released CMMC model version 1.0 in January 2020, thinking it would appear in RFPs and RFIs by fall 2020. Later that year, DoD released version 1.02 and then, after getting a lot of feedback on the standards, in November 2021, it released the current version, CMMC 2.0.

CMMC is an extension of the controlled unclassified information (CUI) program, which standardized how contractors and service providers deal with non-classified protected government information. It’s included in contract awarding requirements. Organizations that don’t have CUI but have federal contract information (FCI) are also expected to adhere to FAR Clause 52.204-21 and be minimally certified at CMMC Level 1.

While CMMC 2.0 is relatively new (and has undergone many changes), information security compliance is not a new concept for government contractors and subcontractors. These organizations have been subject to NIST 800-171 compliance since 2018. This transition to CMMC 2.0 was predicated by the lack of standardization ensuring that organizations met requirements to manage CUI storage, handling, and dissemination. 

The MSP Opportunity

Right out of the gate, there have been a lot of changes to the CMMC program. First, there were five levels with various self-attestation and certification requirements. The current version reduced that down to three levels based on the complexity and volume of relevant CUI and shifted which CMMC levels allow organizations to self-attest and which levels must work with an official certification agency. The intent of these changes, after getting feedback on the earlier versions, was to reduce assessment costs and streamline implementation and management.

The current CMMC levels are: 

1. Foundational: 17 practices and requires annual self-assessment for certification.
2.  Advanced: 110 practices and requires a third-party assessment for prioritized acquisitions every three years and self-assessment for non-prioritized acquisitions.
3. Expert: more than 110 practices and requires a government-led assessment every three years.

CMMC underwent some additional changes, too. In the original version, organizations were expected to get a contract-level certification prior to a DoD contract award or renewal. In 2.0, organizations may be able to use Plans of Action & Milestones (POA&Ms) to secure contracts prior to complete compliance, even though they come with some restrictions such as being bound to a specific time period. 

The current version also offers compliance waivers for very limited circumstances, such as mission-critical incidents. The waivers require senior DoD approval, will only be awarded on a case-by-case basis, and, similar to the POA&M’s, will be time-bound.

The reality is most SMBs don’t have the time, resources, or staff to stay up to date on all of the changes, and fewer have the capabilities to implement the requirements before the target date rollout of fall 2025. Any clients who want to competitively bid on new contracts and those looking to renew existing contracts are already behind the eight ball if they’re not on track to achieve CMMC certification in the near future.

This is a good opportunity for MSPs to chat with clients about their DoD contract goals and objectives, evaluate what must be done to meet CMMC 2.0 requirements, and offer suggestions on how to remediate any gaps.

CMMC preparation (and MSP expertise and knowledge) is a great way to build relationships with existing and prospective clients, many of whom are likely overly frustrated with the changes and date shifting that’s already happened with the CMMC program.

Because MSPs offer specialized services, they have a unique opportunity to stay one step ahead of what’s expected to happen with CMMC 2.0, help their clients prepare for changes, and meet compliance obligations as they happen in real-time.

The Dreaded Audit

While some organizations can self-attest for CMMC certification, those wanting to attain higher levels will have to work within CMMC Accreditation Body (CMMC-AB) requirements.

CMMC-AB oversees consultants and organizations certified to give assistance for CMMC certification preparation, such as:

• Registered Practitioners (RPs): RPs help with readiness assessments and preparing for certification, but they can’t perform CMMC certification assessments.
• Registered Provider Organizations (RPOs): RPOs can conduct non-certified CMMC consulting services to help contractors with readiness assessments and preparation.

CMMC-AB also oversees individuals and organizations approved to conduct CMMC certification assessments: Certified Assessors (CAs) or Certified Third-Party Assessment Organizations (C3PAOs). CAs have met CMMC-AB backgrounds and training requirements, and have also met examination requirements at one of three levels. C3PAOs are certified to conduct certification assessments and provide consultative advice.

But, whether clients are doing self-assessments or engaging with a C3PAO, they must prepare for these assessments – a task with which MSPs can help. And, with a cybersecurity framework management platform like Apptega, MSPs can help their clients efficiently implement the required CMMC controls, provide instant insight into compliance scoring, and even help identify and address any weaknesses and gaps before the official assessment process gets underway.

An Apptega partnership also offers MSPs a chance to show clients how much easier it is to implement CMMC 2.0 controls and ensure all programs work as intended within the platform. Many of these clients use error-prone and tedious spreadsheets or paper manifests to track their compliance, but using a cybersecurity framework management platform provides a clear advantage and another service MSPs can offer clients on their CMMC 2.0 journey.

Furthermore, with Apptega, MSP capabilities go beyond just showing clients how to set up and implement a CMMC 2.0 framework. The ability to monitor compliance, organize evidence, address security issues, and have customized insight, guidance, and remediation suggestions is a game changer for MSPs – and all these things are possible with Apptega. 

Apptega takes a lot of the repetitive, manual work out of the compliance process. Within the dashboard, framework controls are visible and compliance progress is scored, even before official implementation. This dashboard allows tracking of current security infrastructure, plans, processes, and policies to determine if additional or new frameworks are necessary, too.

Apptega takes the heavy lifting off the shoulders of MSPs with a growing library of industry-recognized frameworks available, such as NIST 800-52, NIST Cybersecurity Framework, PCI DSS, ISO 27001, and many more.

The Ongoing Compliance Journey

Ensuring compliance for CMMC 2.0 is not a one-and-done project. While MSPs do play a valuable role in helping clients understand what is needed for CMMC compliance and how to implement the necessary controls, the work never ends. Continuous monitoring, risk assessment, and management are critical. Most SMBs just don’t have the bandwidth and resources to fully address compliance, especially if they’re working within rapidly changing environments – so MSPs can help.

And Apptega is here to help the MSPs by offering a tool to provide clients with continuous, around-the-clock compliance monitoring, much of which can easily be automated, including alerts, notifications, and recommended tasks and roles to resolve issues. This continuous monitoring is critical to ensure clients are always protected against evolving cyber threats and that they’re always in compliance with CMMC 2.0 mandates.

*** This is a Security Bloggers Network syndicated blog from Apptega Blog authored by Cyber Insights Team. Read the original post at: https://www.apptega.com/blog/msps-can-simplify-and-streamline-cmmc-2.0-preparation-for-smbs