Click here to download the guide.

On January 1, 2020, the United States Department of Defense (DoD) released their Cybersecurity Maturity Model Certification (CMMC) requirements. CMMC is a new unified standard for companies in the defense industrial base (DIB) supply chain who are required to protect the confidentiality of federal contract information (FCI) and controlled unclassified information (CUI).

There are an estimated 350,000 contractors, suppliers, and manufacturers within the DoD supply chain. The new CMMC standard requires that DoD contractors and subcontractors work with third-party auditors to measure the maturity of their cybersecurity capabilities. 

CMMC has five maturity levels that include, and expand on, the existing requirements of NIST SP 800-171 which are required under DFARS 252.204-7012.

DFARS = The Defense Federal Acquisition Regulation Supplement. DFARS requires that contractors meet all 110 controls of NIST SP 800-1717 security guidelines.

The CMMC model measures cybersecurity with the following five levels:


Per the official CMMC guidelines document released by the DoD:

“The CMMC levels and the associated sets of processes and practices across domains are cumulative. More specifically, in order for an organization to achieve a specific CMMC level it must also demonstrate achievement of the preceding lower levels.”

To be in compliance, organizations must demonstrate they meet the required institutionalization of processes and implementation practices illustrated on both sides of the above chart. 

Since the CMMC program is brand new, there are no certified third-party assessment organizations (C3PAOs) yet. The DoD is expected to be accrediting the first C3PAOs beginning mid 2020.

DIB supplier vulnerability

DIB suppliers are vulnerable from foreign entities who aim to steal sensitive data and intellectual property from unprotected networks. The Rand Corporation, a nonprofit organization that offers research and analysis to the U.S. armed forces, released a report that found small DIB firms are particularly vulnerable to attack due to deficiencies in several key areas of cybersecurity, including:

  • User authentication
  • Network defense
  • Vulnerability scanning
  • Software patching
  • Security information/event management (SIEM)
  • Cyber-attack response

Since small suppliers comprise 99% of the DIB, there is a significant opportunity for MSPs to help smaller DIB suppliers implement the practices and plans needed  to satisfy the newly released CMMC requirements.

StratoZen CMMC certification assistance

To assist MSPs working with existing contractors as well as those MSPs that would like to expand services to government contractors within the DIB supply chain, we’ve published a CMMC guide for MSPs.

Achieving the current DoD cybersecurity requirements can be difficult for smaller DIB suppliers with immature cybersecurity practices. The resources needed to meet the CMMC standards are costly and time intensive. This presents an opportunity for third-party service providers like MSPs to step in, but only if the MSSP is prepared to meet the requirements themselves.

StratoZen’s guide contains information for MSPs on how to meet the DoD’s CMMC requirements for government contractors. We provide background information on the DoD’s CMMC standards, steps for ramping up a CMMC certification practice, and present an overview of how StratoZen addresses each one of the DoD’s seventeen controls, as illustrated in the below graphic.

Source: Under Secretary of Defense for Acquisition and Sustainment

To learn more about the CMMC standards, including how your organization can become an accredited C3PAE, 
download the free guide: How MSPs Can Help Government Contractors and Subcontractors obtain CMMC Compliance. 

You can also schedule a free consultation with one of our cybersecurity professionals to discuss how you can prepare to meet the CMMC requirements or learn more about our SOAR Platform, which provides 75 CMMC related reports, including reports on rogue access points, real time and historic account/group changes, EDR data, and more.