No, It Wasn't a Dream: CMMC is Here!
Updated: November 7, 2024
On Tuesday, October 15, 32 CFR, the law that defines the CMMC program, was officially written to the Federal Register. The CMMC program and all of its requirements are baked! What is not quite finished baking, but will be shortly, is the 48 CFR law, which defines how the CMMC requirements will appear in contracts issued by the Department of Defense. That is expected to be finalized in early to mid-2025. The entire program will be released over four years in distinct one-year phases.
So there is no more speculation as to whether or not CMMC will actually happen. It is here. And the clock is ticking with regard to actually getting certified. We now know exactly what is required to certify. And we also now have clarity as to how External Service Providers (ESPs), which include MSPs, fit into the flow-down requirements. Succinctly, if an MSP is providing managed services for an organization that is required to certify at CMMC Level 1, 2, or 3, the MSP is not REQUIRED to certify at that same level. However, any of the services provided by the MSP that have corresponding NIST 800-171 control requirements are within the scope of the Organization Seeking Compliance (OSC) assessment. MSPs will have to be prepared to provide evidence and artifacts of compliance for their clients undergoing an assessment. In many cases the MSP will have to be present with the assessor to answer questions.
Although MSPs are not required to be CMMC Level 2 certified, they may go through an assessment voluntarily. MSPs are already seeing questionnaires or contract provisions requesting information about their CMMC preparedness. Many DoD contractors will not want to take the risk of working with an MSP that is not CMMC certified. If the MSP is not fully prepared to provide the necessary evidence during the contractor's assessment, that contractor may fail their assessment and put business at risk.
According to the law, organizations are not required to meet the CMMC requirements at the time of submitting a bid, but they are required to meet the requirements at the time of acceptance of the contract. But don't take any solace in assuming the government moves very slowly. According to a recent study by the Government Accountability Office (GAO), the average time between the solicitation and the awarding of a bid under $50M was 29 days. Therefore, contractors throughout the Defense Industrial Base (DIB) supply chain are preparing now to ensure a subcontractor's lack of preparedness does not prevent them from accepting a bid.
If MSPs with customers in the Defense Industrial Base (DIB) supply chain have not already begun their CMMC journey, they are already behind the eight ball. But that doesn't mean it is too late to start. At the same time, CMMC may not be for everyone. Depending on the existing client base and the potential market in the MSP's area, they may determine that the costs outweigh the benefits.
The first step is to investigate the investments that would be required to certify. The costs of certifying under CMMC levels 1, 2, and 3 are vastly different.
CMMC Level 1, which only governs Federal Contract Information (FCI), is not a far stretch for most MSPs to self-attest. The control requirements are relatively basic, and MSPs typically already have them in place. They are just not well documented and may not be consistently applied. Simply tightening those practices up and documenting the policies and processes will get the MSP there. Then it is a simple matter of performing a self-assessment against those practices. However, that self-assessment must be recorded in the Supplier Performance Risk System (SPRS). The SPRS system records a score representing your compliance with the NIST 800-171 security standard, the underlying standard of CMMC. It yields a score between -230 and 110. Also referred to as your "spurs" score, it is based on an assessment of all 110 controls in NIST 800-171, far more than the 17 controls required for CMMC Level 1. Therefore, the organization self-assessing against CMMC Level 1 must also perform an honest assessment of the 93 additional controls in NIST 800-171. Finally, the self-assessment must be signed off on by executive management, attesting to the fact that the SPRS score is accurate and reflects the organization's current practices. This needs to be performed annually. If it is found later that the score is inaccurate and the organization willfully misrepresented their compliance, they can be found in violation of the False Claims Act, a law dating back to the Civil War. This can result in fines of as much as three times the original award of the contract, as well as jail time. In addition, there is a lucrative whistleblower program in place that offers significant rewards to those exposing such corruption.
CMMC Level 1 is relatively easily within reach of the average MSP. However, most manufacturers are going to be dealing with Controlled Unclassified Information (CUI). CUI is information about the actual "product" being developed under the DIB contract. This includes technical specifications, diagrams, configuration information, and other information critical to the manufacture of the product. The standards for protecting CUI are much higher than those governing FCI. NIST 800-171 defines the 110 controls required to be in place to adequately protect CUI. These are the basis for CMMC Levels 2 and 3.
Similar to CMMC Level 1, Organizations Seeking Compliance/Assessment (OSC/OSA) must meet all 110 controls of NIST 800-171 in order to become certified under CMMC Level 2. In order for OSCs to attain Level 3 certification, they must also implement all controls in NIST 800-172.
Unlike CMMC Level 1 certification, Level 2 certification requires an assessment by an external organization known as a Certified Third-Party Assessment Organization (C3PAO). That organization will examine all of the organization's processes and procedures and compare those against the associated control requirements. Some controls may be considered out of compliance at the time of assessment. Those would be incorporated into a Plan of Action and Milestones (PoAM). Items on the PoAM must be resolved within 180 days to pass the assessment. It is important to understand that only a few specific controls can be placed on a PoAM. Most controls must be met at the initial time of assessment. If all 110 controls are not met through the assessment and PoAM period, certification will not be awarded and the process must start all over. The cost of a CMMC assessment can run from tens of thousands of dollars into six figures for larger organizations. As there is no "partial credit" associated with incomplete assessments, failure to certify can be very costly. For this reason, many organizations are having a separate third party perform a preliminary assessment prior to the official C3PAO-performed assessment. This adds several thousand dollars to the overall costs. A CMMC Level 2 certification lasts three years, and the certification process must be repeated every three years. The entire process of certifying under CMMC Level 2 will take 12-24 months depending on the size of the organization and the resources expended on it.
CMMC Level 3 is another leap completely. Only the largest or most highly specialized MSPs will embark on that path. The rest of this article will focus on Level 2 compliance.
There is some provision for some contractors to self-assess for CMMC Level 2 depending on the sensitivity of the CUI involved in the contract. This is particularly the case during the first phase of the CMMC roll-out. This will be done on a contract-by-contract basis. The level of certification and any self-assessment allowances will be at the discretion of the DoD contract administrator. These contracts are typically negotiated by the top-level prime contractor, and those requirements flow down through the supply chain. Small and medium MSPs are typically servicing manufacturers farther down the supply chain and therefore have no leverage in negotiating contract requirements.
One other consideration for MSPs is that they commonly offer third-party cloud services as a function of their managed services. Under CMMC Level 2, any cloud services must be FedRAMP certified or FedRAMP Moderate equivalent. Many MSPs will find that some of their current third-party service providers are not FedRAMP certified at this time. Many have announced plans to achieve FedRAMP compliance next year. Those that are FedRAMP certified now come at an increased cost. For instance, Microsoft 365 must be the GCC High offering to comply. MSPs will have to examine their current vendor stack and determine whether they need to make a switch to play in the CMMC space.
So what should MSPs do next?
First, MSPs need to determine whether any of their manufacturing clients (and those in other related industries) service contractors in the Defense Industrial Base. Engage in conversations with those clients to determine what they are hearing from their upstream contractors regarding anticipated CMMC requirements. Again, if that client is hearing that future contracts will likely require CMMC Level 2 certification, you, as their MSP, will need to be part of their assessment. It is a fair assumption that those manufacturers will require the MSP to become CMMC Level 2 certified if they wish to continue doing business with them. Identify those clients that will have this requirement and assess the total amount of recurring revenue that would disappear if you are not able to meet their requirements.
Assuming there is some business that would go away due to CMMC requirements, the MSP must now determine how well positioned they are against the NIST 800-171 controls. It is relatively simple to perform a baseline assessment of the current environment to find which controls are largely in place (although likely not well documented) and which ones are either partially in place or not addressed at all. From this they can perform a gap analysis to determine those controls that will need to be implemented to certify. This will inform the MSP's estimate of the costs of certification in the next step.
With the results of the gap analysis, the MSP will estimate the costs of achieving CMMC Level 2 certification. This includes the fixed costs of implementing the appropriate tools, and the costs in terms of time to create the policies, document the processes, train the staff, and audit the procedures. It also needs to include the cost of the actual third-party assessment (and pre-assessment, if necessary). Even a small MSP is looking at tens of thousands of dollars every three years.
Now, the MSP will take a look at the revenue at risk versus the cost of CMMC certification. In many cases the MSP will be in danger of losing more recurring revenue over three years than the cost of certifying. Even a single small client generating $2,000/month in recurring revenue equates to $72,000 over three years. And simply implementing the higher level of security for that client would likely double their monthly premiums. This makes a compelling argument for an MSP to move forward with certification.
This requirement will also force defense contractors to jettison an existing MSP that is not certified and seek out those that are. There is going to be a much smaller pool of eligible MSPs for contractors to draw from. And those that certify will be able to command some of the highest premiums in the industry.
In the end, each MSP is going to have to determine whether CMMC Level 2 certification makes sense. MSPs with no clients doing business with the DIB are unlikely to jump right into the fire with CMMC on the speculation that the business will be there to support it. However, those practices would be well served to adopt another framework that covers the same ground as CMMC without the hard costs of a formal external assessment. For instance, the Center for Internet Security (CIS) cybersecurity framework or the NIST Cybersecurity Framework addresses about 80% of the requirements of NIST 800-171. These frameworks are publicly available and do not require external independent certification.
Implementing a formal cybersecurity framework will improve an MSP's overall quality and offer protections their competitors don't. This will, in turn, lead to higher service premiums and better overall financial performance.
OTX Roundtable GRC
Regardless of the framework chosen, the adoption of a formal cybersecurity framework is a lengthy and laborious task. It is difficult to keep the goal front and center given the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security- and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.