
ConnectWise to Assist MSPs Seeking CMMC Level 2 Compliance


ConnectWise has rolled out a new program to support its MSP partners on the journey to meeting Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance requirements.

As technology and regulatory changes continue to impact the cybersecurity landscape, ConnectWise, a software company serving the MSP industry, is helping MSPs navigate these challenges.

Achieving CMMC Level 2 certification indicates that an organization has moved beyond basic cybersecurity measures and is beginning to implement more formal and structured processes to safeguard sensitive information.

Carter Schoenberg, vice president and chief cybersecurity officer of SoundWay Consulting, a company that helps MSPs with their CMMC compliance, said that it is critically important for an external service provider like ConnectWise to be CMMC 2 certified before its actual clients can become certified.

ConnectWise to Adopt CMMC Level 2 Strategy

ConnectWise said it will adopt a staged CMMC Level 2 strategy through:

  • Achieving CMMC Level 2 Compliance. By the 2025 deadline, ConnectWise aims to achieve CMMC Level 2 compliance. The initial launch will take place in an isolated AWS Commercial hosting environment, separate from existing environments. ConnectWise will apply the necessary training and controls to meet Level 2 requirements. This will also enable the company to better guide partners through the compliance process.
  • Hosting in Government Community Cloud. Following Level 2 compliance, the company will evaluate Level 3 requirements and potential hosting in Government Community Cloud (GCC) environments.
  • Making ConnectWise's CMMC portfolio hosted and available. MSPs can use ConnectWise CMMC-compliant products to help them navigate the complexities of CMMC Level 2, supporting its partners in safeguarding their clients' data and building a stronger cybersecurity ecosystem.

ConnectWise plans to offer a set of solutions that meet CMMC Level 2 requirements and will allow MSPs to leverage these tools to support their customers, rather than needing to develop in-house tools that they would have to certify.

"We are anticipating an ecosystem where MSPs will be able to support their customers with tools they are already familiar with, allowing for a faster transition for our Partners as CMMC requirements are phased into contracts over the next three years," ConnectWise Chief Information Security Officer Patrick Beggs told MSSP Alert.

CMMC Expert: “Devil in the Details”

Schoenberg, who will deliver the “CMMC Final rule – Friend or Foe” session at MSSP Alert Live on October 16, said the fact an external service provider obtains a CMMC 2 certification “is not a golden ticket” for their client.

“There is a significant disconnect by most of industry about these material facts,” he told MSSP Alert. “In this case, ConnectWise would be evaluated for certification scoped to ‘their environment’ and not how they perform services on behalf of their clients to demonstrate conformance with CMMC.”

Schoenberg explained that many businesses that outsource their cybersecurity do not know what they should be looking for. As a result, the language in most MSP/MSSP service level agreements is vague and designed to benefit the service provider, not the client.

“I certainly commend ConnectWise or any external service provider for taking on the initiative, but the devil is in the details,” he said. “At SoundWay, we already have an agreement with another C3PAO (CMMC third-party assessor organization) that stipulates within 45 days of the rule going live, we are being assessed and we are also incorporating a proprietary model with this same C3PAO that allows our managed clients to obtain a CMMC L2 certification for less than $9,000.”

Understanding CMMC 2.0

The CMMC 2.0 program is the next iteration of the CMMC cybersecurity model, according to the Cybersecurity and Infrastructure Security Agency (CISA). The CMMC framework streamlines requirements to three levels of cybersecurity and aligns the requirements at each level with well-known and widely accepted NIST cybersecurity standards.

The U.S. Department of Defense (DoD) developed the CMMC to assess and enhance the cybersecurity practices of its contractors. The goal of CMMC is to protect sensitive information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), that contractors handle while working with the DoD.

According to Beggs, CMMC Level 2 is significant since it’s an intermediary step between basic cyber hygiene (Level 1) and the more advanced requirements (Level 3) for protecting CUI. CMMC 1.0 has five levels, while CMMC 2.0 has three levels, and CMMC 2.0 Level 2 applies to both FCI and CUI. Level 2 is now the level the DoD is anticipating for the majority of the defense industrial base.

Beggs noted that CMMC encourages the market to reward specialization through economies of scale, as many contractors are not specialists in IT and cybersecurity. The Department of Defense's recommendation that the defense industrial base (DIB) leverage an MSP or MSSP to assist with these needs is clear, but guidance for MSPs has been limited.

"CMMC will drive changes in the DIB small business space, as well with the external service providers," Beggs said. "MSPs and MSSPs who previously only dabbled in this space may find themselves exiting. MSPs with a significant DIB customer base will likely find expansion opportunities in the coming years."

Prime contractors are currently driving some of these changes by requesting readiness information and requirements ahead of the final publication of CMMC and DFAR rulemaking, according to Beggs.

"MSPs will need to help their customers navigate this uncertainty if they want to stay in the defense sector," he said. 

Critical Aspects of CMMC Level 2 Compliance

  1. Intermediate Cyber Hygiene. CMMC Level 2 requires organizations to demonstrate intermediate cyber hygiene practices. This means the organization must establish and document standard operating procedures for its cybersecurity practices, creating a foundation for more advanced practices.
  2. Processes and Practices. Level 2 includes 17 domains with 110 security practices derived from NIST SP 800-171, which is a set of standards for protecting CUI. Organizations must show they have a documented and managed plan for implementing these practices.
  3. Self-Assessment and Third-Party Assessment. For Level 2, organizations may be required to undergo a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) to verify compliance. The level of rigor depends on the contract's requirements.
  4. Certification Requirement. Organizations seeking to work on DoD contracts involving CUI must achieve at least CMMC Level 2. This level is a steppingstone towards higher maturity levels that involve more comprehensive practices.

Key Requirements:

  • Access Control. Implementing measures to restrict access to information only to those who need it.
  • Incident Response. Establishing procedures for detecting, reporting, and responding to cybersecurity incidents.
  • Risk Assessment. Regularly assessing the organization’s cybersecurity risks and adjusting practices accordingly.
  • Security Awareness Training. Providing regular training to employees on cybersecurity best practices.

This article was written with the assistance of ChatGPT.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.