CMMC Presents New Marketing And Sales Opportunity for MSPs


Have you heard about the Cybersecurity Maturity Model Certification (CMMC)? It’s a universal standard meant to enhance and normalize cybersecurity throughout the Defense Industrial Base (DIB).

Released on January 31, 2020, CMMC will affect about 300,000 companies that do business with the U.S. Department of Defense (DoD). These include contractors who engage directly with the DoD and subcontractors who work with the major contractors in fulfilling DoD contracts. The new CMMC regulation presents a fantastic opportunity for Managed Service Providers and cybersecurity companies to add a cybersecurity compliance auditing offering. In this post we’ll talk a little bit more about the CMMC regulation, what you need to know, and why it presents a marketing opportunity.

Impact of Cybercrime on the Federal Government

As various sectors move with the wave of digitization, the federal government has also kept up with them. However, the increased use of the internet and online data resources has brought new challenges.

It has made government databases a prime target for cyber warfare by state and non-state actors. These include foreign governments, criminal organizations, extremists, terrorists, political groups, hacktivists, and even companies.

Cyberattacks from such groups have proliferated over the years. According to a DoD report, the United States suffered multiple data breaches from Russia, China, North Korea, and non-state groupings between 2016 and 2020.

Looking at financial damage, 2018 was the worst year for the country. Experts say that the U.S. Federal Government spent over $13.74 billion due to cybercrime, while the global GDP loses about $600 billion every year.

That said, the government must find ways to strengthen cybersecurity in its agencies. One solution is the CMMC, which addresses data security issues when the DoD interacts with external contractors.

The Importance of CMMC

Traditionally, contractors doing business with the government handled cybersecurity in their organizations independently. They were responsible for deploying, certifying, and monitoring the security of their I.T. systems. That includes any DoD data stored or transmitted using those systems.

The government has found leaving its sensitive information in the hands of uncontrolled entities risky. If a DoD supplier’s cybersecurity controls are subpar, a hacker can break into the contractor’s I.T. systems and steal government information. That’s the issue CMMC comes to address.

Third parties who transact with the government sometimes access or generate data that needs protection. In particular, DoD contractors may possess and transmit:

  1. Federal Contract Information (FCI)

FCI is the information the government generates or provides under a contract to facilitate the delivery of a product or service. Contractors should not release it to the public.

  2. Controlled Unclassified Information (CUI)

The government or an entity may create or possess CUI. This is information to which a law, regulation, or government policy requires an entity to apply strict dissemination or safeguarding controls.

Since the DoD transacts with over 300,000 contractors, the amount of high-profile information with private entities is immense. CMMC aims to assess contractors’ cybersecurity preparedness and the ability to secure FCI, CUI, or any other DoD data they hold or transmit.

Under the framework, contractors are still responsible for maintaining high cybersecurity standards. However, they will be subject to third-party assessments to ensure compliance with certain compulsory data security practices and procedures outlined by the DoD.

The DoD expects the CMMC to ensure cybersecurity controls that can handle existing threats and adapt to new and evolving ones.

CMMC Maturity Levels: What Do DoD Contractors Require?

The CMMC framework has five distinct maturity levels. Each level has its specific cybersecurity practices and processes as highlighted below:

  • Level 1: Basic cyber hygiene
  • Level 2: Intermediate cyber hygiene
  • Level 3: Good cyber hygiene
  • Level 4: Proactive
  • Level 5: Advanced

The maturity level a DoD contractor must achieve depends on the sensitivity of the information they handle.

CMMC Level 1

Level 1 emphasizes basic cyber hygiene to safeguard covered contractor information in accordance with 48 CFR 52.204-21. All organizations seeking to do business with the DoD must comply with Level 1.

DoD contractors in this level may receive FCI, which they should protect. They can perform security practices on an ad hoc basis without documentation. Therefore, the DoD doesn’t demand CMMC maturity assessment at this level.

CMMC Level 2

Level 2 has a set of more advanced practices than Level 1 to enable organizations to protect their assets from cyber threats. DoD contractors must establish and document strategic plans, standard operating procedures (SOPs), and policies to guide their cybersecurity program. It serves as a transitional stage from Level 1 to Level 3.

CMMC Level 3

Apart from demonstrating good cyber hygiene, organizations assessed at Level 3 must show effective implementation of controls according to NIST SP 800-171 Rev 1. Any contractor who requires or generates CUI must achieve CMMC Level 3.

Level 3 means that a contractor can protect and sustain their assets and CUI reasonably. However, they might have challenges addressing advanced persistent threats (APTs). Any contractor subject to DFARS Clause 252.204-7012 has an additional responsibility of incident reporting.

CMMC Level 4

Level 4 requires an organization to have a cybersecurity program proactive enough to protect CUI from APTs. The protection and sustainment activities should adapt to tackle APTs’ changing tactics, techniques, and procedures (TTPs).

Organizations that pass Level 4 maturity can assess and measure their cybersecurity practices for effectiveness. Additionally, they can take corrective actions when needed and inform management of issues.

CMMC Level 5

For Level 5 assessment, an organization must have advanced or progressive cybersecurity programs. The contractor should have the ability to optimize their security controls as necessary to thwart APTs. Process implementation must be standard across the entire organization.

CMMC Compliance: Marketing Opportunity for MSPs

Business entities will no longer qualify to do business with the DoD before passing a CMMC audit. The CMMC Accreditation Body (CMMC-AB) is training Registered Practitioners and Provisional Assessors. The role of these officers is to advise companies seeking CMMC compliance before the framework gets into full swing by 2026. Many of those companies, and all new contractors and subcontractors, are going to require help with these audits.

If you are a managed service provider (MSP), you have a golden chance to diversify your service portfolio. Consider becoming an auditor for local DoD contractors and subcontractors. Since this is a relatively new regulation, there is a lot of opportunity to attract inbound search traffic via pay-per-click campaigns and by creating content about the CMMC regulations in a relatively new domain.

The CMMC-AB is recruiting certified third-party assessment organizations (C3PAOs) and Certified Professionals. These appear to be the perfect sales opportunities for professional IT companies that offer managed services.

Let’s elaborate on what these CMMC positions entail.

Certified Third-Party Assessment Organizations (C3PAOs)

C3PAOs are service provider organizations that will run CMMC assessments on Organizations Seeking Certification (OSCs) and submit findings to the CMMC-AB. They will also give recommendations to help the CMMC-AB certify OSCs compliant with the CMMC maturity model.

The CMMC-AB authorizes C3PAOs to enter into CMMC assessment contracts with aspiring DoD contractors and Certified CMMC Assessors.

To become a C3PAO, you will need to sign a license agreement with the CMMC-AB. You’ll also require an errors and omissions policy, cybersecurity breach policy, and general liability with CMMC-AB.

C3PAOs will have to be 100% U.S. citizen-owned. If you operate a public company or a global partnership, your entity will have to complete a FOCI background investigation.

Certified CMMC Professional

Certified professionals are the individuals who will perform the cyber audits that the DoD will require its contractors to undergo. If you become a certified professional, you will be a valuable resource for C3PAOs, consulting agencies, and companies looking for CMMC guidance and support.

You will have the privilege to be part of an assessment team under a Certified CMMC Assessor’s supervision. The CMMC-AB will list you in the CMMC-AB marketplace and allow you to use the Certified CMMC Professional logo.

As a Certified CMMC Professional, you’ll be eligible to become a Certified Assessor or Certified CMMC Instructor. The CMMC-AB will regard you as a valuable expert with a comprehensive understanding of the CMMC framework and the requirements of various DoD suppliers.

There will be three levels of Certified Instructors. Let’s highlight the roles and benefits of each in brief.

Certified CMMC Assessor Level 1

A Level 1 Assessor is a professional credentialed to perform CMMC ML-1 assessments. They will oversee Certified CMMC Professionals when conducting ML-1 assessments.

Upon completing three assessments, a Level 1 CMMC Assessor will qualify to use the CCA1 logo. They will also feature in the CMMC-AB Marketplace.

Certified CMMC Assessor Level 3

These assessors will run CMMC-AB ML-1, ML-2, and ML-3 assessments. They will also supervise Certified CMMC Professionals and CCA-1 officers when conducting CMMC assessments at their respective levels.

Additionally, you will feature in the CMMC-AB Marketplace listings and use the CCA-3 logo after completing three assessments. You may apply for CCA-5 training after completing 15 audits.

Certified CMMC Assessor Level 5

The highest rank of assessors, Certified CMMC Assessor Level 5, will conduct assessments at all CMMC maturity levels. They will supervise CMMC professionals performing CMMC assessments at any maturity level.

Certified CMMC Assessor Level 5 will use the CCA-5 logo and appear in the CMMC-AB Marketplace listings.

How Many CMMC Assessors Does the DoD Need?

At this moment, it’s hard to say the exact number of assessors needed to complete CMMC audits per year. Experts think that about 300,000 DoD contractors will require between 1,000 and 2,000 certified assessors.

The number could fluctuate for several reasons. For instance, some companies will need multiple audits, and some audits will take longer than others. For the foreseeable future, there will be a steady stream of existing subcontractors and new subcontracts seeking certification.

It’s high time MSPs pursue accreditation for CMMC assessment before the CMMC-AB closes its doors. Set up the CMMC marketing funnels for your local area and attract local DoD subcontractors to your website. Want to learn more about how we can help you set up these marketing funnels and create new sales opportunities for your MSP?

Contact us for more information. 


Tortoise and Hare Software Content Team

The Tortoise and Hare Software content marketing team produces technical thought leadership content for our clients in multiple industries and for Tortoise and Hare Software. Our distributed team of writers create, edit, publish, and optimize content to help build traffic, and generate revenues.
