Since the initial release of the Cybersecurity Maturity Model Certification (CMMC), there’s been a lot of uncertainty about its impact on small- and medium-sized Department of Defense (DoD) contractors. Many business leaders still mistakenly believe that the regulation only applies to huge system integrators like Northrop Grumman and Boeing, and that it doesn’t actually apply to them. Nothing could be further from the truth. CMMC isn’t just about large enterprises. Any organization that currently contracts with, or plans to contract with, the DoD should be well on its way to getting CMMC-certified.
Let’s quickly review what CMMC entails, then discuss why certification is important to your clients, even if you don’t work directly with the DoD.
What is CMMC?
CMMC is part of a larger effort to secure the DoD’s supply chain and protect Defense Industrial Base (DIB) contractors from cybersecurity threats. DIB refers to the “worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements” according to the federal government.
CMMC represents an amalgamation of multiple frameworks and standards, such as NIST SP 800-171 and the NIST Cybersecurity Framework, both of which represent best-of-breed guidelines for cybersecurity processes and practices. It comprises three levels that align with contractors’ cybersecurity practices and the sensitivity of the information they manage, as well as the types and consequences of potential threats.
Big-picture, the work you do and the information you manage dictate which level you need to achieve to be compliant. Any organization in the DoD contract supply chain must comply with CMMC requirements, and organizations that manage the most sensitive data must have those requirements audited by a certified independent third-party assessment organization.
These requirements cover information in categories that include (but are not limited to):
- Critical infrastructure
- Procurement and acquisition
- Natural and cultural resources
- Nuclear energy
Effectively Manage CUI
The three maturity levels are distinguished by the type and sensitivity of the controlled unclassified information (CUI) a contractor handles:
This means that any firm managing CUI—and if you are working on a federal project you probably are managing CUI—needs to be certified at a minimum of Level 2.
For more detail on CMMC compliance, check out Egnyte’s comprehensive overview of the federal standards.
Why CMMC Matters to Your MSP and Your Clients
Now that you know what CMMC is, let’s look at the five reasons why you should care.
1. Investment in the U.S. DIB Continues to Grow: In 2021, the aerospace and defense industry reported $712 billion in revenue. A lot of that money is invested in weapons systems and computer networks, but it also goes into building roads on military bases, fixing plumbing and lighting in office space, and updating facilities that are part of the Morale, Welfare, and Recreation program.
Even if you don’t work directly for the DoD, there are plenty of smaller firms that work for defense contractors like Boeing, or other general contractors that perform work for the DoD. Those firms also need to ensure that their contractors effectively protect potential DoD information. They certainly don’t want to end up in the news, having to explain how a company that was performing routine HVAC system maintenance accidentally compromised sensitive government information.
2. CMMC Could Expand to the Remainder of the Federal Government: While the U.S. government has no immediate plans to expand CMMC beyond the DoD, we can reasonably expect other federal agencies will eventually need to adopt similar programs. In the past year, government organizations were the most targeted industry for ransomware in North America, with 15.4% reporting an attack.
Those agencies will want to be extremely vigilant about who they share data with externally, in light of rapidly-evolving threats. Even if the requirements aren’t as stringent as CMMC, you can expect to be held to a higher standard than the general industry if you want to work on federal projects in the future.
3. Broader Governmental Cybersecurity Initiatives Will Drive Infrastructure Spending: Across the political spectrum, legislation is being introduced in Washington that is aimed at expanding cybersecurity requirements for organizations that do business with the federal government. Your clients don’t want to be left out, but remember: the federal government is likely to short-list firms that can effectively protect its data.
With any politicized government program, opponents will look at any misstep—like a contractor losing a laptop that contains privileged government information—as an opportunity to score political points. Expect the bidding process to be very selective when it comes to the data protection criteria.
4. Major Contractors Want to Work with Certified Partners: Let’s say you don’t currently have any clients that work on federal projects, and they don’t ever intend to work on federal projects. That’s their prerogative, but remember this: the DoD supply chain is very expansive, and opportunities often arise that turn out to be several layers removed from the core DoD project. Without an effective approach to CMMC compliance, your client will need to walk away. When larger businesses want to establish long-term partnerships with other companies in the supply chain, are they going to select companies that can work on all of their projects, or those that can work only on a subset of their projects?
We all know that this industry is relationship-driven; companies want a small, select group of partners they can always work with and trust—trust to get the jobs done right, and to protect their brand reputations.
5. CMMC is Good Business: CMMC is a first step, and it’s extremely likely to evolve over time. But, with rising cybersecurity threats—including ransomware, insider threats, and human error—its data protection requirements are a key step in the right direction. Your client doesn't necessarily need to aim for CMMC Level 3 compliance, but the processes and procedures outlined at the lower levels are great data protection guideposts for any company to follow.
These processes include:
- Limiting information system access to authorized users
- Sanitizing or destroying information system media that contains sensitive information before it’s disposed of
- Ensuring the actions of individual system users can be uniquely traced
- Creating and retaining system audit logs and records
Proper data protection is essential for any organization, regardless of industry or size. And, while CMMC applies to DoD contractors and subcontractors, embracing it now will raise your ability to support the rapidly changing needs of your clients.
Most government requirements are highly detailed and can even be confusing. Since CMMC was initially launched, many organizations have spent the ensuing time just trying to figure it out, and you’ll likely need to seek help from a trusted advisor like Egnyte to get a better handle on how to meet compliance standards.
Confer with your trusted advisor, talk it through, and create a plan for achieving CMMC compliance. Remember, any company that isn’t CMMC compliant by October 2025 risks not having their DoD contract renewed, and it’s anticipated that CMMC requirements will begin to be included in DoD contracts by mid-2023. So, the CMMC deadline is coming faster than you think, and you don’t have time to lose.
Learn More about Egnyte’s Approach to CMMC Compliance
To learn more about how Egnyte is helping MSPs streamline the delivery and support of file sharing, security and compliance, visit us at www.egnyte.com/msp.