CMMC and the Role of MSPs
For the past three years Department of Defense contractors and the MSPs that serve them have been facing the inevitable need to meet Cybersecurity Maturity Model Certification (CMMC) requirements. There has been a lot of hand wringing and gnashing of teeth regarding the relatively new model. The goalposts have moved a few times and the messaging has been unclear from the Department of Defense. That is until now.
First a little history on CMMC. Bear with me as there is an alphanumeric bowl of soup coming. We'll start in October 2016 when the DoD issued the DFARS 252.204-7012 or the "Safeguarding Covered Defense Information and Cyber Incident Reporting" clause. This clause, when included in a DoD contract, required the contractor (and their subcontractors) to develop a System Security Plan (SSP) based on the NIST 800-171 set of controls regarding the handling of Controlled Unclassified Information (CUI). The program was based on a self-assessment process that contractors would conduct using the NIST 800-171A Assessment Guide. NIST 800-171A articulated the 110 Controls and the underlying determination statements that need to be met to be complaint with the DFARS 252.204-7012 clause.
In 2019, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performed audits against a number of contractors and discovered that none were fully compliant, and most were woefully deficient.
In response, The DOD developed a certification program that would become known as the Cybersecurity Model Certification (CMMC). CMMC Version 1.0 was released in late 2019. The first version of the CMMC program was overly complex and confusing. There were five different levels of certification depending on the controls met. It was a strict program which required full compliance with all 110 NIST 800-171 controls. There was no allowance for Plans of Action and Milestones (PoAMs) for controls that had not been fully met. Full compliance would be required by 2025 to be eligible for DoD contracts. Many contractors complained that it would be very difficult to certify on such a new program without significant burden and expense. However, the controls were based on the requirements of the original DFARS 252.204-7012 clause that contractors should have already implemented back in 2016.
In September 2020, the DoD issued an Interim Rule consisting of three new DFARS 252.204 (7019, 7020, 7021) clauses. In a nutshell, these new clauses defined the Supplier Performance Risk System (SPRS) and required contractors to score themselves on a self-assessment basis using a defined scoring system. Contractors are required to upload their score into the SPRS tool. Finally, it states that, if asked, contractors are required to provide proof of compliance with those controls met as indicated on their uploaded SPRS score.
In November 2021, The DoD announced CMMC 2.0. It streamlined the program down to three levels (1, 2, and 3). Although CMMC 2.0 is still under development, the Interim Rule released in September 2020 is in effect now. Therefore, contractors are required to have their scores recorded in SPRS in order to be eligible for DoD contracts containing the DFARS 252.204-7012 clause. The requirements of DFARS 252.204-7019, 7020, and 7021 apply regardless of whether expressly stated in the contract or not.
For sake of this article, we will focus on CMMC 2.0 Level 2 which is required for any contractor or subcontractor handling CUI. CMMC 2.0 Level 2 is not a specification in and of itself. It is simply a certification program wrapped around the requirements of meeting NIST 800-171A. The CMMC 2.0 Level 2 Assessment Guide includes the same controls and determination statements as NIST 800-171A. The wording is identical. The entire CMMC process involves having a Certified 3rd Party Assessor Organization (C3PAO) perform an audit of the contractor’s compliance with the controls and determination statements defined by NIST 800-171A.
The timeline for the requirement of certification is still undetermined but in a recent presentation by Stacy Bostjanick, Senior Program Director of CMMC at the DoD, and Dave McKeown, Deputy CIO of Cybersecurity at DoD, gave some indication was given as to the potential timeline for implementation. Depending on the speed at which the Office of Management and Budget (OMB) can complete its rule-making process, the requirement could go into effect as early as May of 2023. On the outside, the timeline may be pushed out to May of 2024. Regardless, DoD contractors and subcontractors should be working toward compliance NOW. Despite the fact that CMMC 2.0 is still not completely defined, the underlying requirements of NIST 800-171A are not changing.
Additionally, in June the DoD released a memo indicating that Contractors not compliant with the November 2020 Interim Rule risk serious penalties up to and including termination of existing contracts.
So how does all of this affect Managed Service Providers that service DoD contractors handling CUI? Many MSPs have wondered whether they will be required to become CMMC certified as well. In the recent DoD presentation in June, Stacy Bostjanick, Senior Program Director of CMMC at the DoD, stated that full CMMC certification would not be required of MSPs (see update below). However, she was clear that MSPs would be required to work with their DoD contractor clients on the development of a Shared Responsibility Matrix (SRM). This is a document that describes who is responsible for the attainment of each control, the role each plays, and the documentation (evidence) of compliance. MSPs offering cloud services and other functions to DoD contractors will be required to declare in the SRM what their responsibility is and document the processes and procedures involved. In the event the MSP is reselling services provided by others, they must provide evidence of due diligence in ensuring that third-party provider has implemented the necessary controls. Bostjanick also hinted that the DoD may develop a FEDRAMP type program for MSPs to demonstrate compliance. FEDRAMP is an existing program where cloud service providers can prove compliance at "Medium" or "High" Levels once and that certification can be applied to all government contracts as necessary.
Even though MSPs will not be required to certify under CMMC, it is in their own best interest to implement the NIST 800-171 controls within their environments. Many contractors will require MSPs to prove compliance to remain their MSP to allay any doubts. At the very least it will provide a competitive edge over other MSPs not holding the certification. In a nutshell, MSPs are under the same requirements and deadlines as the DoD contractors they serve.
I'll continue to follow this topic as it emerges so check back for the latest info.
Update: December 2023
The sands of CMMC continue to shift. I stated back in the summer of 2022 that it was unlikely that MSPs would have to fully certify on CMMC in order to offer their services to contractors in the DIB that had to certify themselves. This was not just speculation but was based on comments from Stacy Bostjanick, Senior Program Director of CMMC at the DoD, during a briefing in June of 2022. In July 2023 the DoD passed the final rule on to the Office of Information and Regulatory Affairs (OIRA) for review. The rule was accidently published to the OIRA website for about 24 hours but that was long enough for people in the industry to get a good look at it. In the final rule which will be released for comment very soon, it is expected to clearly define the role of “External Service Providers”. Under the definition MSPs would qualify as an ESP and thus be required to fully certify under CMMC Level 2.
This obviously places a hurdle for many MSPs servicing those in the DIB. However, it can create opportunities for others. The barrier to entry will be quite high and therefore there will be far fewer MSPs servicing the industry. As CMMC rolls out, contractors will be seeking partners from a much smaller pool. MSPs that decide to “take the plunge” and make the required investments will command much higher rates than those seen in unregulated industries.
There is also speculation that CMMC will find its way into the contracts of other federal agencies. MSPs looking to do business the the federal government would be advised to get on the bandwagon now or risk being shut out of that market.