
CMMC 2.0 Requirement Deadline is Right Around the Corner

The time when the Defense Department (DoD) begins to enforce the strict requirements for the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is only days away, and the cybersecurity industry is scrambling to get ready.

Beginning November 10, Defense Industrial Base (DIB) contractors and subcontractors – and farther down the pipeline, MSSPs and MSPs with security services – that sell goods or services to defense agencies will have to comply with the regulations or risk losing out on business. The CMMC program is designed to protect DoD agencies from supply chain and other cyber threats by ensuring security firms working with them meet specific standards and can protect sensitive government information.

According to the Cybersecurity and Infrastructure Security Agency (CISA), there are more than 100,000 DIB companies and their subcontractors.

The Pentagon put the cybersecurity industry on notice late last year, mandating that strict adherence to the framework would be required for those seeking a contract with the DoD, and now, after some shifting deadlines and even as the government shutdown continues, that time is almost here.

As the partner team at iboss, which offers cloud-based secure access service edge (SASE) and zero trust cybersecurity tools, wrote in a blog post this month, the DoD “isn't playing around anymore. The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework requires defense contractors at all levels – from prime contractors to small sub-contractors – to demonstrate compliance with stringent cybersecurity controls based on NIST 800-171.”

“The most important change with the new CMMC requirements is that compliance is no longer a one-time, ‘check the box’ activity,” Rochelle Godfrey, senior compliance advisor with security and compliance automation platform provider Drata, told MSSP Alert. “It’s about continuous, demonstrable security maturity for all primes and subcontractors. ... Critical points every organization and third-party provider should understand boil down to four main areas: supply chain accountability, certification levels and risk, continuous compliance, and cloud and provider updates.”

Bob Layton, chief revenue officer for compliance platform vendor Apptega, told MSSP Alert that “as far as requirements, it's still kind of opaque, but I think the ripple that this is going to send through the market is not just for companies that are primes or subs or subs under subs, it's also going to roll down to the MSPs as well because, if you're a prime, you've captured this contract for the Department of Defense and then you're subcontracting some things out.”

Compliance Help

The CMMC program – which has a three-year phased implementation model that starts November 10 – comes with three tiers, with Level 1 being for contractors that work with less sensitive information. They will be able to run their own compliance assessments. Those at Level 2 will manage more sensitive information and need to be assessed by an independent third party, while those in Level 3 – handling the most sensitive information – will need to be assessed by the DoD’s Defense Industrial Base Cybersecurity Assessment Center.

With all that CMMC entails, there’s a fast-growing industry around helping organizations comply with the requirements, with a broad array of cybersecurity and other vendors offering tools, services, guides, and advice.

Help is needed. According to a survey of DIB contractors released in September by DoD compliance firm CyberSheath, only 1% say they are fully prepared for the CMMC audits, a drop from 8% in 2023 and 4% last year. Essentially, confidence is falling even as the deadline approaches.

Shifting Deadlines

The moving deadlines haven’t helped, creating a sort of “boy who cried wolf” scenario, according to Kevin McGrail, cloud fellow and principal evangelist with Google Cloud security partner DitoWeb.

“Will it actually be the deadline this time? I've heard it's coming for years now with shifting deadlines,” McGrail told MSSP Alert. “The key people I hear pushing it are people with a vested financial interest in it occurring, such as auditors. With no clear guidance from the government and the history of shifting the deadlines, I don't think many people are doing enough to prepare for it.”

At the same time, while there are hundreds of thousands of DIB contractors and subcontractors, the number of certified third-party assessment organizations (C3PAOs) is only in the dozens.

“There is already a bottleneck for scheduling third-party Level 2 certifications with approved ... C3PAOs,” national CPA and consulting firm Richey May wrote in September. “This bottleneck will only grow as the deadline approaches. Early movers get the best assessment partners and flexible timelines. Late movers face limited availability, rushed implementations, and higher costs as demand exceeds supply.”

MSSPs and CMMC

MSSPs can help contractors and subcontractors – many of which don’t have teams dedicated to the compliance component – become CMMC-certified.

The new enforcement policy is both an opportunity and a challenge for MSSPs and MSPs. They can help clients – particularly SMBs, which increasingly lean on managed services providers to help them cope with increasingly sophisticated cyberthreats and a dearth of available security talent – put the pieces in place to reach CMMC 2.0 compliance.

“Compliance doesn’t stop at the main contractor,” Drata’s Godfrey said. “All contractors and subcontractors that handle federal contract information (FCI) or ... CUI must comply. They also carry the responsibility to flow CMMC requirements down their supply chains, which means external service providers and cloud vendors are included in this updated scope.

“MSSPs and MSPs can play a critical role here by helping these smaller organizations fill gaps in compliance programs, providing continuous monitoring, evidence collection, and advisory support.”

Jason Spencer, senior security consultant for compliance at GuidePoint Security, told MSSP Alert that “many customers are considering building security enclaves or outsourcing work to limit the scope of compliance requirements for their main operations. They often choose MSSPs to minimize costs associated with hiring specialized personnel and maintaining equipment.”

DitoWeb’s McGrail said that “most companies are not qualified to deal with the issue and we are routinely talking to companies just about the basics of where to get started.”

Challenges for Service Providers

The compliance requirements will present significant challenges for MSSPs, Spencer said. They will force many to make strategic decisions about their business model. They’ll need either to commit fully and exclusively to supporting CMMC customers, to exit the CMMC support business entirely, or to build a segmented environment for CMMC support while keeping the rest of their operations out of scope.

They’ll also have to think about their own compliance capabilities.

“The burden varies significantly depending on the strategic direction MSSPs choose,” he said. “At minimum, if they support controlled unclassified information (CUI), they must either become CMMC Level 2 compliant, achieve FedRAMP Moderate compliance, or agree to participate in all their clients' assessments.”

However, they will have to ensure they also are in compliance so that their clients – and thus themselves – can stay in the running for federal DoD contracts.

“A lot of these service providers, the MSPs and the MDRs specifically, they're delivering security services, and they're delivering security services on behalf of those customers, so they should have their own security maturity in place as well as being able to document what they do for the customers,” Rahul Bakshi, Apptega’s chief product officer, told MSSP Alert. “Being able to map that to the CMMC guidelines and determining if you're Level 1 or Level 2 or, in the rare occasion, Level 3, based on the type of data that you have access to or you're interacting with, will dictate the complexity of the work and how much work they need to do to get ready.”

Steps MSSPs Can Take

So what do MSSPs need to do for themselves and their clients as the CMMC deadline closes in? GuidePoint’s Spencer said the steps include establishing dedicated systems or environments to support CMMC customers, deciding whether to make the entire company CMMC-compliant or build a separate environment, and undergoing a gap assessment by an authorized registered provider organization (RPO) before completing a C3PAO assessment.

They also need to designate specific people responsible for managing and maintaining CMMC compliance.

Drata’s Godfrey suggested mapping out where the MSSP intersects with clients’ environments and what information the MSSP handles, conducting a risk assessment of security practices by evaluating controls against NIST 800-171, and using automated platforms to continuously collect evidence, surface gaps in real time, and simplify reporting for both the MSSP and its clients.

And they need to prepare for a C3PAO assessment.

“Most MSSPs and MSPs will fall under Level 2, since they handle CUI on behalf of clients,” she said. “A common misconception is that self-attestation will suffice for Level 2. In reality, most contracts will require third-party certification.”

The Bad and Good

DitoWeb’s McGrail said roll-down requirements like those in CMMC 2.0 are difficult for MSSPs and MSPs.

“Companies may find they have to search out new vendors,” he said. “The question of how far these requirements roll down is difficult. For example, the location of a project might be CUI. If you are delivering things to a project, you might now have CUI that was never anticipated. As an example, if you are a construction firm, your concrete provider may now have to hire adjudicated drivers to deliver your product.”

He added that “the biggest people hurt will be the small vendors, which is why many view CMMC as being weaponized by the bigger firms to restrict competition.”

Apptega’s Layton has another take, calling the CMMC requirements “one of those watershed moments in the area of compliance, how it's really pivoting more toward risk.” It’s a matter of viewpoint, he said.

“The purpose is spot on,” he said. “CMMC as a framework has value and is right. I think it's just people looking at it through the wrong lens. They've been more afraid of the auditor than they have of the APT [advanced persistent threat] that might be calling through their network.”

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
