Channel, Governance, Risk and Compliance

CMMC Final Rule: Is Certification Worthwhile?

Twofactor authentication represented by a digital key and smartphone, cybersecurity, blue tones, 3D rendering

The final Cybersecurity Maturity Model Certification (CMMC) rule is slated to go into effect in the first quarter of 2025. But is the work required to gain CMMC certification worth the squeeze for your MSSP business?

That's what Carter Schoenberg, VP and chief security officer, SoundWay Consulting, will discuss in his session at MSSP Alert Live, held October 14-16 in Austin, Texas. There's still time to register for this event, and you won't want to miss it!

[Register here to attend MSSP Alert Live. Explore the full agenda here.]

The CMMC program is aligned to the U.S. Department of Defense (DoD)’s information security requirements for defense industrial base (DIB) partners. It is designed to enforce the protection of sensitive, unclassified information that the Department shares with its contractors and subcontractors, including MSPs and MSSPs. The CMMC program provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.

The CMMC 2.0 program has three key features:

  • Tiered Model: CMMC requires that companies entrusted with national security information implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also sets forward the process for requiring protection of information that is flowed down to subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award.

Over 75,000 government contractors need a CMMC certification, and approximately 85% of these firms rely heavily on MSSPs, Schoenberg explained.

"Over 95% of defense contractors rely on external service providers, including MSPs and MSSPs. As a result, these service providers must be independently certified," he said. That's especially important for the upcoming transition to CMMC 2.0, he said, which is introducing several key changes that build on and refine the original program requirements.

"Most MSSPs do not understand what percentage of their portfolio is now in scope for these obligations. Subsequently, there's the potential for loss of revenue due to no longer being allowed to service these clients," Schoenberg warned.

In his session at MSSP Alert Live, Schoenberg will explain how you can:

  • Determine if the costs associated with CMMC are justified for your business.
  • Gain a better understanding of what a CMMC L2 Certification means versus what's in your SLAs.
  • Learn how you can set yourself apart from your competitors by using CMMC as a differentiator.
Sharon Florentine

Sharon manages day-to-day content on ChannelE2E and serves as senior managing editor for CyberRisk Alliance’s Channel Brands. She also covers enterprise-class technology companies, strategic alliances and channel partner strategies. Sharon is a veteran tech journalist and editor with more than 25 years experience in the industry, and has previously held key editorial, content and leadership positions at Techstrong Group, CIO.com, Ziff Davis Enterprise and CRN.

You can skip this ad in 5 seconds