Controlled Unclassified Information (CUI). Contractors storing or processing CUI will be required to comply at Level 3 or above.
Level 1 – BASIC CYBER HYGIENE includes 17 of the NIST SP 800-171 cybersecurity controls (the same basic safeguarding requirements already imposed by FAR 52.204-21) and is intended to safeguard Federal Contract Information (FCI). It requires these basic practices to be performed but does not require them to be documented.
Level 2 – INTERMEDIATE CYBER HYGIENE is considered a transitional step toward the protection of CUI. It includes the Level 1 requirements plus 55 more, for a total of 72. Documentation is required.
Level 3 – GOOD CYBER HYGIENE is the lowest certification level required to protect CUI. It includes all 110 practices in NIST SP 800-171 plus 20 additional practices, for a total of 130.
Level 4 – PROACTIVE (156 PRACTICES) AND LEVEL 5 – ADVANCED/PROGRESSIVE (171 PRACTICES) include additional practices designed to protect against advanced persistent threats (APTs). It is expected that a very small percentage of contracts will include requirements at these levels.
Opportunity 1: CMMC Readiness Service
Each prime contractor, and every subcontractor in its supply chain, will ultimately need to achieve at least CMMC Level 1 certification, and most will need Level 3.
The demand is going to be huge, well beyond the supply of Certified Third-Party Assessor Organizations (C3PAOs) required to perform the independent certification assessments. And when the time comes for the independent assessment, contractors who are better prepared will experience a faster and less expensive assessment.
There are very specific cybersecurity requirements that must be met, and there needs to be documented evidence to prove it. While only an independent C3PAO can provide the certification, clients will be relying on their MSPs to perform the initial internal "readiness assessment" and to gather up the evidence of compliance.
Opportunity 2: CMMC Document And Artifact Creation
A key component of any compliance program is documentation. If organizations can't prove that they do (or did) the right things at the right time, they will fail an audit or assessment review.
MSPs and MSSPs won't be able to certify their own clients due to conflicts of interest. But clients will see a great return on the time and money they invest in their MSP to prepare for the independent assessment by a C3PAO.
Opportunity 3: Ongoing CMMC Compliance Management
While SMBs will undoubtedly need assistance in obtaining their certification, an even bigger opportunity is in helping them maintain compliance during the three-year term of their certificate.
In addition to adding many more practices to the certification requirements, Level 3 also requires that a contractor have an ongoing assessment and review of its security performance in place and maintain its documentation on a continuing basis. The existing NIST SP 800-171 requirement (self-attested under DFARS today) likewise calls for periodic review and updating of the System Security Plan, so the evidence cannot be a one-time snapshot taken at assessment time.
"MSPs that have committed to delivering their IT and security services more efficiently through documentation can now take their documentation to the next level and monetize it through a Compliance-as-a-Service offering," says Max Pruger, General Manager of Compliance at Kaseya. "By helping SMBs navigate the evolving CMMC guidelines, MSPs can build their businesses while keeping organizations safe from cybercriminals."
Getting Support
The certification process involves many layers and can feel overwhelming and time-consuming. MSPs don't have to go it alone and should leverage the guidance of solution providers working in the space to navigate the process and ensure documentation matches the actual environments being assessed. It may feel cumbersome, but there is tremendous opportunity for MSPs as demand for compliance services surges. MSPs will also be doing their part to protect the country, and themselves, from potential cyberattacks.
Tools To Help
Kaseya's Compliance Manager for CMMC automates the security assessment process laid out by the Department of Defense. MSPs can use it to help their clients navigate Levels 1–3 of CMMC and the DFARS interim rule on NIST SP 800-171 assessments.
The CMMC IT Documentation Toolkit from inTech fills in the policy gap. inTech will assess your systems, configurations, policies, and procedures for alignment with NIST SP 800-171 and the CMMC level you need to certify at, and provide a remediation plan to close the gaps. Their simple yet effective documentation and policies are just what you need to protect your customers, and yourself.
To shortcut your success and get your entire company on board quickly, check out "CMMC for Profit," which is available from Semel Systems. It includes hours of training videos, templates and checklists, an interim rule scoring tool, policies, and other materials you can use to quickly be seen as an authority in this space.