CMMC Presents New Marketing And Sales Opportunity for MSPs
Published: May 15, 2021
Last Updated: February 27, 2022
Have you heard about the Cybersecurity Maturity Model Certification (CMMC)? It is a unified standard intended to raise and standardize cybersecurity practices across the Defense Industrial Base (DIB).
Released on January 31, 2020, CMMC will affect roughly 300,000 companies that do business with the U.S. Department of Defense (DoD). These include prime contractors who engage directly with the DoD and the subcontractors who support those primes in fulfilling DoD contracts. The CMMC requirement presents a strong opportunity for managed service providers and cybersecurity companies to add a compliance assessment offering. In this post we’ll cover what the CMMC regulation is, what you need to know, and why it presents a marketing opportunity.
Impact of Cybercrime on the Federal Government
As various sectors move with the wave of digitization, the federal government has also kept up with them. However, the increased use of the internet and online data resources has brought new challenges.
It has made government databases a prime target for cyber warfare by state and non-state actors. These include foreign governments, criminal organizations, extremists, terrorists, political groups, hacktivists, and even companies.
Cyberattacks from such groups have proliferated over the years. According to a DoD report, the United States suffered multiple data breaches attributed to Russia, China, North Korea, and non-state actors between 2016 and 2020.
Looking at financial damage, 2018 was the worst year for the country. By some estimates the U.S. Federal Government spent over $13.74 billion responding to cybercrime that year, while the global economy loses about $600 billion to cybercrime every year.
For that reason, the government must find ways to strengthen cybersecurity not only in its own agencies but in the companies that hold its data. One answer is the CMMC, which addresses the security of DoD information when the DoD works with external contractors.
The Importance of CMMC
Traditionally, contractors doing business with the government handled cybersecurity in their organizations independently and on the honor system. They were responsible for deploying, self-attesting to, and monitoring the security of their IT systems, including any DoD data stored on or transmitted through those systems.
The government has found that leaving its sensitive information with entities it does not verify is risky. If a DoD supplier’s cybersecurity controls are subpar, an attacker can break into the contractor’s IT systems and steal government information without ever touching a government network. That is the issue CMMC was created to address.
Third-parties who transact with the government sometimes access or generate data that needs protection. In particular, DoD contractors may possess and transmit:
- Federal Contract Information (FCI)
FCI is information the government generates or provides under a contract to develop or deliver a product or service, and that is not intended for public release (for example, contract deliverables and correspondence that are not marked for public distribution).
- Controlled Unclassified Information (CUI)
CUI is unclassified information that the government creates or possesses, or that an entity creates or possesses on the government’s behalf, and that a law, regulation, or government-wide policy requires or permits to be protected with safeguarding or dissemination controls. Controlled technical information (CTI) and export-controlled data are common examples in DoD contracts.
Since the DoD transacts with over 300,000 contractors, the amount of sensitive information held by private entities is immense. CMMC aims to assess contractors’ cybersecurity preparedness and their ability to secure FCI, CUI, or any other DoD data they hold or transmit.
Under the framework, contractors are still responsible for maintaining high cybersecurity standards. However, they will be subject to third-party assessments to ensure compliance with certain compulsory data security practices and procedures outlined by the DoD.
The DoD expects CMMC to ensure that contractors’ cybersecurity controls address existing threats and can adapt to new and evolving ones.
CMMC Maturity Levels: What Do DoD Contractors Require?
The CMMC framework has five distinct maturity levels. Each level has its specific cybersecurity practices and processes as highlighted below:
- Level 1: Basic cyber hygiene
- Level 2: Intermediate cyber hygiene
- Level 3: Good cyber hygiene
- Level 4: Proactive
- Level 5: Advanced
The maturity level a DoD contractor must achieve depends on the sensitivity of the information they handle: a level is written into the solicitation, and the contractor must hold a certification at that level (or higher) to be awarded the contract.
Note that the five-level model described here is CMMC 1.0. In November 2021 the DoD announced CMMC 2.0, which collapses the model to three levels: Level 1 (Foundational), a self-assessment against the 17 practices of FAR 52.204-21; Level 2 (Advanced), aligned with the 110 practices of NIST SP 800-171, with third-party assessment for prioritized acquisitions and self-assessment for others; and Level 3 (Expert), which adds requirements from NIST SP 800-172 and is assessed by the government. CMMC 2.0 also drops the maturity-process requirements and the CMMC-unique practices of 1.0. The rulemaking for 2.0 was still in progress as of this update, so the 1.0 material below remains useful for understanding where the program came from and what the assessment roles look like.
CMMC Level 1
Level 1 covers basic cyber hygiene: the 17 practices needed to safeguard covered contractor information systems under 48 CFR 52.204-21 (FAR 52.204-21). Every organization seeking to do business with the DoD must meet Level 1.
Contractors at this level may receive FCI, which they must protect. The practices may be performed on an ad hoc basis without documented processes, so the DoD assesses only the practices at this level and does not assess process maturity.
CMMC Level 2
Level 2 adds a larger set of practices (72 in total) than Level 1 to help organizations protect their assets from cyber threats, and it introduces the first process-maturity requirement: DoD contractors must establish policies and document the standard operating procedures (SOPs) that implement their cybersecurity program. It serves as a transitional stage from Level 1 to Level 3 and is rarely specified in a contract on its own.
CMMC Level 3
Apart from demonstrating good cyber hygiene, organizations assessed at Level 3 must show effective implementation of all 110 controls in NIST SP 800-171 plus 20 additional CMMC practices, 130 in total, and must maintain a plan that covers resourcing and management of those activities. Any contractor that handles or generates CUI must achieve CMMC Level 3.
Level 3 means that a contractor can protect and sustain their assets and CUI reasonably well. However, they may still struggle against advanced persistent threats (APTs). Any contractor subject to DFARS Clause 252.204-7012 also carries the separate obligation to report cyber incidents affecting covered defense information to the DoD within 72 hours of discovery.
CMMC Level 4
Level 4 requires an organization to run a proactive cybersecurity program (156 practices) capable of protecting CUI from APTs. Protection and sustainment activities must adapt to the changing tactics, techniques, and procedures (TTPs) of those adversaries.
Organizations that pass a Level 4 assessment can review and measure their cybersecurity practices for effectiveness, take corrective action when needed, and report issues to senior management.
CMMC Level 5
For a Level 5 assessment, an organization must have an advanced and progressive cybersecurity program (171 practices). The contractor must be able to optimize its security controls as needed to thwart APTs, and process implementation must be standardized across the entire organization.
CMMC Compliance: Marketing Opportunity for MSPs
Business entities will no longer qualify to do business with the DoD until they pass a CMMC assessment. The CMMC Accreditation Body (CMMC-AB) is training Registered Practitioners and Provisional Assessors, whose role is to advise and assess companies seeking CMMC compliance before the framework is fully phased in by 2026. Many of those companies, and all new contractors and subcontractors, are going to need help preparing for and passing these assessments.
If you are a managed service provider (MSP), you have a golden chance to diversify your service portfolio. Consider offering CMMC readiness consulting or assessment services to local DoD contractors and subcontractors. Since this is a relatively new regulation, there is a lot of opportunity to attract inbound search traffic through pay-per-click campaigns and by creating content about the CMMC regulations in a relatively uncrowded space.
One caveat before you decide which path to take: assessments must be independent. A C3PAO cannot assess an environment that it built, manages, or consulted on, so an MSP that already runs a client’s network cannot also certify it. Consulting and readiness work belongs under a Registered Provider Organization (RPO) with Registered Practitioners, while certification work belongs to a C3PAO; many firms pursue one or the other, or keep the two practices strictly separated.
The CMMC-AB is recruiting certified third-party assessment organizations (C3PAOs) and Certified Professionals. These are natural sales opportunities for professional IT companies that offer managed services.
Let’s elaborate on what these CMMC positions entail.
Certified Third-Party Assessment Organizations (C3PAOs)
C3PAOs are service provider organizations that will run CMMC assessments on Organizations Seeking Certification (OSCs) and submit their findings to the CMMC-AB. They will also make recommendations that help the CMMC-AB certify OSCs as compliant at the assessed CMMC maturity level.
The CMMC-AB authorizes a C3PAO to enter into CMMC assessment contracts with aspiring DoD contractors and to engage Certified CMMC Assessors to perform the work.
To become a C3PAO, you will need to sign a license agreement with the CMMC-AB. You’ll also need errors and omissions insurance, a cybersecurity breach policy, and general liability coverage that meets CMMC-AB requirements.
C3PAOs will have to be 100% U.S. citizen-owned. If you operate a public company or a global partnership, your entity will have to complete a Foreign Ownership, Control, or Influence (FOCI) background investigation.
Certified CMMC Professional
Certified CMMC Professionals are the individuals who will perform the cyber assessments that the DoD will require its contractors to undergo. If you become a certified professional, you will be a valuable resource for C3PAOs, consulting agencies, and companies looking for CMMC guidance and support.
You will be able to serve on an assessment team under a Certified CMMC Assessor’s supervision. The CMMC-AB will list you in the CMMC-AB Marketplace and allow you to use the Certified CMMC Professional logo.
As a Certified CMMC Professional, you’ll be eligible to go on to become a Certified CMMC Assessor or Certified CMMC Instructor. The CMMC-AB will regard you as an expert with a comprehensive understanding of the CMMC framework and the requirements that apply to various DoD suppliers.
There will be three levels of Certified CMMC Assessors. Let’s briefly highlight the role and benefits of each.
Certified CMMC Assessor Level 1
A Level 1 Assessor (CCA-1) is a professional credentialed to perform CMMC ML-1 (Maturity Level 1) assessments. They will supervise Certified CMMC Professionals when conducting ML-1 assessments.
Upon completing three assessments, a Level 1 CMMC Assessor will qualify to use the CCA-1 logo. They will also be listed in the CMMC-AB Marketplace.
Certified CMMC Assessor Level 3
These assessors (CCA-3) will run CMMC ML-1, ML-2, and ML-3 assessments. They will also supervise Certified CMMC Professionals and CCA-1 assessors when conducting CMMC assessments at their respective levels.
Additionally, you will be listed in the CMMC-AB Marketplace and may use the CCA-3 logo after completing three assessments. You may apply for CCA-5 training after completing 15 assessments.
Certified CMMC Assessor Level 5
The highest rank of assessor, Certified CMMC Assessor Level 5 (CCA-5), will conduct assessments at all CMMC maturity levels and will supervise CMMC professionals performing assessments at any maturity level.
Certified CMMC Assessors Level 5 will use the CCA-5 logo and appear in the CMMC-AB Marketplace listings.
How Many CMMC Assessors Does the DoD Need?
At this moment, it is hard to say exactly how many assessors will be needed to complete CMMC assessments each year. Estimates suggest that roughly 300,000 DoD contractors will require somewhere between 1,000 and 2,000 certified assessors.
The number could fluctuate for several reasons. Some companies will need multiple assessments (for example, one per enclave that handles CUI), some assessments will take longer than others, and certifications will have to be renewed. For the foreseeable future, there will be a steady stream of existing subcontractors and new subcontracts seeking certification.
It is high time MSPs pursued accreditation for CMMC assessment before the CMMC-AB stops taking new applicants and the market for assessors fills up. Set up CMMC marketing funnels for your local area and attract local DoD subcontractors to your website. Want to learn more about how we can help you set up these marketing funnels and create new sales opportunities for your MSP?
Contact us for more information.