MSPs who work with U.S. Department of Defense (DoD) contractors and subcontractors — or are interested in building a practice to assist DoD contractors with meeting the latest CMMC cybersecurity requirements—have several things to consider.
First, you must be prepared to meet the CMMC requirements at the appropriate level to protect the confidentiality of controlled unclassified information (CUI). MSPs who want to support defense contractors must be willing to accept the same safeguards and reporting requirements as the government subcontractors and contractors they want to work with.
Only when your own house is in order, will you be in a good position to lead customers in their CMMC readiness initiatives. Our new guide, How MSPs Can Help Government Contractors and Subcontractors obtain CMMC Compliance, provides details on the five cybersecurity maturity levels within the new CMMC model, an outline on steps that MSPs can take to ramp up a CMMC certification practice, and a list of the 17 controls that fall within the CMMC framework.
Becoming a specialized MSP
The CMMC model, introduced in January 2020, was released by the U.S. DoD to address the compromise and exfiltration of DoD information from contractors within the Defense Industrial Base (DIB) supply chain.
CMMC certification presents a substantial opportunity for MSPs to work with DoD contractors because getting up to speed with the new controls is a daunting task for small businesses with limited resources. There are about 350,000 businesses in the DIB supply chain, many of whom are small businesses who must rely on MSPs to provide cybersecurity services.
Becoming an MSP specialized in helping DIB suppliers meet the CMMC requirements for their appropriate level of cybersecurity maturity is a multi-step process. Here is a brief outline of what’s involved with ramping up a CMMC certification practice (more details are available in the guide):
- Understand the CMMC controls, all of which are listed in the CMMC manual published by the DoD.
- Understand the role of third-party assessment organizations (C3PAOs) and the role of fedRAMP guidance.
- Understand what level of maturity your clients want to achieve (there are five levels of maturity, as noted above).
- Understand how you’re going to meet each control within your MSP organization.
As you build your own level of cybersecurity maturity, you’ll be creating a bank of services related to CMMC and positioning yourself as a specialized MSP. Here is a sample list of services you can potentially offer to DIB suppliers:
- Active threat hunting (Huntress)
- Two-factor authentication
- SIEM and SOX service
- What written policies do you offer to help clients write their data security policies
- DNS filtering
Note: Each of the services in the above list meet specific controls within the category 3 layer that MSPs and their clients are trying to achieve.
For in-depth information about CMMC standards including an outline of the five cybersecurity maturity levels, more specifics on how MSPs can build up a CMMC certification practice, and an outline of how StratoZen addresses each of the 17 controls in the CMMC model, download our free guide, How MSPs Can Help Government Contractors and Subcontractors obtain CMMC Compliance.