This article by Ryan Heidorn originally appeared in CISO Magazine.
CMMC stands for “Cybersecurity Maturity Model Certification.” But what it really means for your company, if you are one of the estimated 350,000 contractors, manufacturers, and suppliers in the U.S. Department of Defense (DoD) supply chain, is a huge volume of preparatory work.
The DoD released CMMC version 1.0 on January 31, 2020 in response to wide-scale compromise and exfiltration of defense information stored on contractor information systems. The security requirements in CMMC should sound familiar to companies in the defense industrial base – the requirement to protect the confidentiality of controlled unclassified information (CUI) has been in DoD contracts since 2017.
CMMC has five maturity levels which include (and add to) the 110 security requirements in NIST SP 800-171 already required under DFARS 252.204-7012. This is not a box-checking exercise: CMMC certification requires a third-party audit that measures the maturity of a company’s cybersecurity capabilities. Starting in Fall 2020, the DoD will begin a phased roll-out that will require companies to achieve CMMC certification in order to win new contracts.
A Huge Project for Small Businesses
How does a DoD contractor begin the process of assessing and implementing the practices and plans required to satisfy CMMC requirements? Large prime contractors are likely to have mature cybersecurity practices and the resources to prepare for CMMC without needing outside assistance.
But, according to the RAND Corporation’s 2020 report on Defense Industrial Base (DIB) cybersecurity, “it is estimated that 99% of the DIB is small business.” RAND defines small as less than $100 million in revenue with an average of just 11 FTE employees. Many of these businesses rely on Managed Service Providers (MSPs) to provide IT and cybersecurity services.
The RAND Report continues to say that “unclassified networks of small defense industrial base firms are at higher risk” than their larger peers. Specifically, these small DIB firms are more likely to be deficient in several key areas, including “user authentication, network defenses, vulnerability scanning, software patching, and security information and event management (SIEM), or cyberattack response.”
How should these companies, who may not be equipped to address their cybersecurity risks and requirements, prepare for CMMC? In a 2019 survey, the SANS Institute found that one-third of small business respondents are already outsourcing cybersecurity. For many companies in the DIB, working with a third-party services provider like an MSP is likely the most cost- and time-effective way to establish and manage cybersecurity capabilities.
With that as a backdrop, below are five questions to ask when selecting an MSP for CMMC:
1. Is the MSP prepared to meet CMMC requirements themselves?
Here’s a great starter question in your quest for a qualified MSP partner: Can the MSP achieve the CMMC certification level required to protect the networks and systems they manage for their DIB customers?
According to Wayne Boline, Board Director at the CMMC Accreditation Body, “Follow the data. The CMMC requirements will follow the flow of CUI – if you’re a small company that wins a contract requiring any level of CMMC certification and you use an MSP that hosts, processes, or can access CUI on your systems, the MSP will absolutely have to meet CMMC requirements to protect this data.”
Furthermore, will the MSP accept a DFARS 252.204-7012 flowdown? If the MSP is willing to accept a contractual obligation to the same safeguarding and reporting requirements for protecting CUI as the defense contractors they support, it’s a good indicator of the MSP’s readiness to support customer requirements under CMMC as well.
Another reason to expect the highest level of cybersecurity from your MSP partner: MSPs themselves are increasingly becoming a target of ransomware operations and other cybercrime activities. According to the Perch 2020 MSP Threat Report, “Last year  saw threat actor groups shifting from enterprises to focus on Managed Service Providers…the world’s most sophisticated criminal groups are focusing their tradecraft and custom malware directly on MSPs.”
2. Does the MSP have the necessary experience and capabilities?
Ask how many of the MSP’s other customers are subject to DFARS, ITAR, or similar requirements today – and it’s always a good idea to request and check references. Determine whether the MSP has the consulting experience and compliance expertise required to lead your CMMC readiness efforts, or if they are simply looking to sell you a “stack” of software/services. If the MSP is not equipped to guide your full CMMC implementation (and, today, few are), who are the other partners they would leverage to help you prepare for audit and certification?
3. Where will the MSP be when it’s time for the audit and certification?
How confident is the MSP in the cybersecurity practices and processes they will implement and manage on your behalf? Be sure to work with an MSP that will stand by their work, and stand by you, providing audit support when it’s time to get certified.
4. Does the MSP employ U.S. Persons?
For companies holding ITAR and EAR data, export control regulations require that the anyone with access to such data be a U.S. Person. This could include the MSP’s employees, contractors, and cloud service providers. If the MSP employs non-U.S. Persons, find out how they are managing access to your network to prevent export control violations.
5. Do systems used to access and manage a customer’s environment conform to DFARS and CMMC requirements?
Ask plenty of technical questions about the MSP’s own systems and practices – particularly as to whether they conform to DFARS requirements. For example, if the MSP uses a cloud-hosted or SaaS product to manage your network, they should meet the FedRAMP Moderate baseline.
We’ll provide other technical questions you can use to vet an MSP’s cybersecurity maturity and CMMC readiness in a future article. But while we wait for further guidance from the DoD and the CMMC Accreditation Body, these five questions are a great place for a DoD contractor in need of assistance to confidently begin the search for a partner who can guide their journey to CMMC certification.