Cybersecurity firm Huntress is partnering with consulting firm DEFCERT to help federal contractors more easily achieve compliance with Level 2 of the Cybersecurity Maturity Model Certification (CMMC), a key regulation for any company looking to do business with the U.S. Department of Defense (DoD).
Through its collaboration with DEFCERT, Huntress will provide free documentation that will simplify the assessment process and accelerate the time to compliance with CMMC Level 2. The Columbia, Maryland-based company’s announcement comes days before the Final Rule of the Defense Federal Acquisition Regulation Supplement (DFARS) goes into effect on November 10.
Starting then, all DoD contractors and subcontractors – and on down the line to the MSSPs and MSPs that serve them – that handle controlled unclassified information (CUI) or federal contract information (FCI) must meet particular requirements to obtain and maintain active CMMC status. CMMC has been around for a while, but now, after some stops and starts, companies have to prove their security capabilities meet particular standards to work with the federal government.
Contractors and subcontractors are now scrambling to meet those standards, and security companies are stepping in to make it easier and faster for them. For example, Strike Graph last month unveiled a free and guided CMMC self-assessment and compliance tool kit. Now comes Huntress and DEFCERT.
Stress is the Word
“For a long time, the stress came from a lack of clarity,” Jeremy Young, community growth strategist at Huntress, told MSSP Alert. “Now that the ruling is final, the stress is coming from the need to play catch-up. There’s a big gap between the number of currently CMMC-certified contractors and the number needed to consistently perform on contracts involving CUI.”
The CMMC program comes in three tiers, with Level 2 covering contractors that handle sensitive information and must be assessed by a certified third-party assessment organization (C3PAO).
“Prime contractors will have limited subcontracting choices when they get an award with CMMC Level 2 C3PAO requirements,” Young said. “For the companies who tap into that first-mover advantage, it could result in certain subcontractors being a ‘sole supplier’ while their peers try to catch up.”
Playing Catch-Up
There will be a number of peers trying to catch up. A survey of Defense Industrial Base (DIB) contractors by DoD compliance firm CyberSheath found that only 1% of contractors are fully prepared for the CMMC audits, a drop from 8% in 2023 and 4% last year. In a statement, Ryan Bonner, founder and CEO of DEFCERT, said that “the path to CMMC certification is notoriously complex and resource-intensive.”
The assessment-ready documentation that Huntress and DEFCERT developed is intended to speed up the assessment process, saving contractors time and resources because they no longer need to create such documentation from scratch.
The Need for Speed
The documentation includes a Shared Responsibility Matrix that outlines the responsibilities of Huntress, partners, and client companies for meeting particular CMMC objectives, and an Operations Plan that details the individual tasks needed for compliance, distinguishing recurring tasks from one-time ones. Huntress and DEFCERT believe the offering will shave weeks from the planning process for contractors and days from their assessments.
As an example, Huntress noted that an MSP recently achieved CMMC Level 2 certification with the vendor in scope in only nine hours over two days, with a perfect score of 110 in the assessment.
“Most defense contractors aren't the size of Lockheed Martin,” Huntress’ Young said. “The majority of contractors rely on MSPs and MSSPs for help meeting these requirements. Our efforts with DEFCERT are focused on giving defense contractors and their MSPs shared resources to make decisions, implement Huntress, and use it to satisfy NIST 800-171 requirements more quickly, and bring proof to their Level 2 assessment.”
MSSPs and MSPs are Key
Young also said that MSSPs and MSPs need to illustrate their relationship with the client via better documentation, “so the resources we developed are documentation for things that sometimes fall between the cracks, like client approvals, agent deployment scope, permissions, and known good settings,” he said. “We want to flatten the documentation curve and get teams to the step where practical security and compliance happen sooner.”
MSSPs and MSPs have needs tied to helping defense contractors meet the requirements and pass the CMMC assessment, which is a different problem set from what contractors must deal with internally. The Shared Responsibility Matrix outlines what Huntress can provide, the additional steps partners can take to bridge the vendor’s platform and their clients, and the further actions they need to take to demonstrate a fully implemented control.
“Transparently and fully documenting our platform in this fashion is how Huntress is supporting MSPs and MSSPs to help their clients get certified,” Young said.
Other CMMC-Compliant Tools
The vendor also offers other products that help organizations and partners meet CMMC requirements, including detection-and-response capabilities that are backed by an AI-assisted security operations center (SOC) and that support 37 of the 110 NIST SP 800-171 requirements.
Huntress’ platform also includes Sensitive Data Mode, a recently added feature that blocks security researchers from accessing CUI files while still allowing them to detect and remediate threats. Its managed identity threat detection and response capability integrates with Microsoft 365, including Government Community Cloud (GCC) High environments.