MSPs Need To Keep CMMC Compliance Top Of Mind
New data security requirements for U.S. defense contractors are providing a major opportunity for managed service providers to help customers upgrade their cybersecurity technology.
Stringent new data security requirements for U.S. defense contractors are presenting a massive opportunity for MSPs and other service providers to help customers navigate the complex compliance maze and upgrade their cybersecurity technology to meet Department of Defense expectations, experts told CRN.
The new requirements, part of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program, also have major compliance implications for MSPs themselves. And on both fronts—whether it’s helping customers to achieve CMMC compliance or meeting their own internal obligations—too many MSPs remain underprepared, according to experts.
“Right now, there might be a few dozen MSPs who are actively focusing on CMMC. And there are probably less than a dozen who are themselves CMMC-certified,” said Ryan Bonner, founder and CEO of Ann Arbor, Mich.-based consulting firm Defcert, which focuses on compliance for defense contractors. “So when we think about the tens of thousands—or more than likely hundreds of thousands of organizations who need help in these areas—there are not nearly enough MSPs out there to meet the demand.”
CMMC is the centerpiece of the DoD’s effort to better ensure the safeguarding of sensitive information shared with contractors and subcontractors. For contractors looking to do business with the DoD, or as a defense subcontractor, CMMC equates to much steeper security requirements that could be included in contracts as soon as this year.
The major opportunities for solution and service providers related to CMMC range from assisting customers with risk assessment and advising on technology replacement to implementing technical controls and documentation.
But many MSPs looking to assist customers with CMMC will first need to ensure they are compliant themselves, according to experts. MSPs will need to make CMMC a key focus—and likely make investments in technical resources and talent—if they want to be positioned to assist customers with meeting the new obligations.
When it comes to MSPs potentially aiding customers around CMMC, “I think there is opportunity there,” said Jason Pufahl, vice president of security services at Vancord, an MSP and MSSP based in Milford, Conn.
“That being said, I think you can’t really do this properly unless you’ve got sufficiently technical resources to be able to perform that assessment and understand what the outcomes are to then help with the remediation,” Pufahl said.
Overview Technology Solutions, a New York-based MSP, has been developing CMMC expertise since 2020 when the first version of the DoD program was unveiled. The MSP has explored multiple ways to help customers with the certification and is currently focused on providing implementation services related to CMMC, according to Marc Menzies, president and CTO of Overview Technology Solutions.
Along with serving customers around CMMC, Overview Technology Solutions has also been working with numerous other MSPs that are looking to get up to speed on the DoD program, Menzies said.
“We’re doing a ton of work with our clients and a ton of work with other MSPs,” he said. “I’d say that of all the regulatory compliance verticals, we work with CMMC by far the most.”
CMMC regulations were finalized in December 2024, and some certifications under the program may start being required in new defense contracts as soon as this year. The DoD has yet to finalize a second rule, covering the use of CMMC requirements in contracts. All defense contracts are slated to require CMMC compliance by 2028.
Prime contractors, in turn, are likely to place CMMC-related requirements on their subcontractors even before the prime contractors have a contract requiring CMMC certification, experts said.
While the requirements for contractors will vary based upon the sensitivity of the data they’re handling, passing a third-party assessment will be required for CMMC certification at the higher tiers of data sensitivity.
Without a doubt, the arrival of CMMC requirements is a more involved matter for most MSPs than previous regulatory shifts such as HIPAA or PCI DSS, Defcert’s Bonner said.
“All the MSP had to do for those regulatory pushes was find new tooling, sell new SKUs and provide some marginal services,” he said. “However, the level of scrutiny that’s being applied in the world of CMMC basically audits the MSP’s internal processes as much as it does the tools that are in use.”
In other words, “the level of organizational maturity that’s going to be required for an MSP to truly meet requirements on behalf of one of their end customers is orders of magnitude more stringent than I think most MSPs have ever seen,” Bonner said.
Overview Technology Solutions’ Menzies said there’s no question that the amount of preparation required for an MSP to get involved with CMMC is beyond what most MSPs have come to expect in today’s hyperconnected IT industry.
“It’s more akin to starting off as an MSP 15-plus years ago—when there was less integration in the space—and just much more to deal with [up front],” he said.
The focal point of the CMMC program is protecting what’s known as Controlled Unclassified Information (CUI) that is shared by the DoD with its contractors. The required CMMC assessments are meant to help the DoD verify—and enforce—the implementation of tightened security requirements around this sensitive data.
Crucially, it’s not just MSPs that are looking to grow their businesses through assisting on CMMC who need to be aware of the new compliance requirements, experts said.
In fact, many MSPs may already be serving customers affected by CMMC without realizing it, according to executives at Columbia, Md.-based cybersecurity vendor Huntress, which has been developing CMMC compliance resources for partners and customers.
“There’s a high likelihood that if you’re an MSP, you already have a client that is going to be beholden to this,” said Huntress CISO Chris Henderson. “Waiting for them to raise their hand and tell you that they need to be compliant is going to put you so far behind the ball on getting that compliance in place that it will be far too late.”
In all probability, it’s only a matter of time before letters start going out to defense subcontractors informing them that they will be expected to achieve a certain level of CMMC compliance by a certain date if they want to keep the business, according to Jeremy Young, community growth strategist at Huntress.
The vast majority of MSPs probably serve at least one customer that is not even aware they’re a defense industrial base (DIB) subcontractor, Young said.
“In my opinion, pretty much every [MSP] has a ticking time bomb in their client base” related to CMMC, he said.
Among defense contractors, there’s been a range of reactions to the arrival of CMMC, according to Vancord’s Pufahl. Some smaller contractors believe they have more time, assuming they will be a low priority for DoD auditors.
“You’ve definitely got customers that are rolling the dice,” he said. “Then you’ve got some that are taking it really seriously.”
Based in the defense contracting hub of Connecticut—and with about one-third of its revenue coming from manufacturers—Vancord is one MSP that has made CMMC a major focus in recent years. While CMMC has been in the works for years, “we’re seeing a lot more inquiries now” in the wake of the finalization of the program rule in December, Pufahl said.
One key theme that has emerged with customers so far is that many of them are surprised by the total cost of complying with CMMC, he noted. This can mean some difficult conversations with customers, particularly when it comes to companies that are not generating the bulk of their revenue from defense subcontracting.
For such companies, “it’s a really difficult hurdle to get behind some of [the requirements],” Pufahl said. “It is really expensive.”
Beyond meeting the 110 security requirements for achieving compliance with CMMC, the program also has hundreds of associated assessment objectives that must be met. For instance, when it comes to meeting the requirement for access control on CUI data, there are a number of assessment objectives around ensuring that only authorized users, devices and systems can access sensitive data systems.
Ultimately, “the framework is bigger than many people realize,” Pufahl said.
Meanwhile, deregulation efforts by the Trump administration—which reportedly could affect the finalization of rules governing CMMC requirements in contracts—could present one more hurdle for CMMC to overcome, he said.
And given that CMMC has already been plagued by delays and lack of clarity, “it likely does influence how seriously some companies pursue CMMC compliance,” Pufahl said.
For MSPs, CMMC implications can vary—extending even into areas such as how they choose and use their tools, according to Defcert’s Bonner.
For instance, an MSP might need to pay attention to whether a certain tool grants access to a foreign national, given that sensitive data from a defense contractor can easily end up in an MSP’s systems, he said.
“These are some of the considerations that MSPs need to grapple with before they kick it into high gear on go-to-market [around CMMC],” he said. “Because if they don’t, they’re going to have to rework [their systems] or they’re going to provide services that violate requirements for some of their end clients.”
Documentation is another area where many MSPs will need to pay greater attention because of CMMC, according to Bonner. Certain CMMC requirements will force MSPs to perform activities for clients in a highly documented and auditable way, for instance.
“This will cause MSPs to grow into new operational maturity in areas where they might not have had to in the past,” Bonner said. “It’s also going to require them to be a lot more proactive than reactive, which is absolutely a culture shift for most MSPs. So it will absolutely require a new mindset.”