
The cybersecurity and regulatory worlds have been buzzing about CMMC 2.0 (Level 2) for quite some time. As a framework for ensuring that cybersecurity requirements are met by companies that do business with the US government, its implications will be more widespread than people may think. Now that the final rule has been published in the Federal Register, some clarity has been given on some of the details. Today, we’ll ask the most important questions for small and medium businesses that may find themselves under the regulations as soon as next year.

CMMC for Newcomers

CMMC is a standard that is currently used to help ensure that companies that handle Controlled Unclassified Information (CUI) do so securely. In its current form (Level 1), it’s a self-assessment that companies submit to show that they’ve implemented the expected, baseline security controls for handling this sensitive information. The list of what constitutes CUI is fairly wide-ranging, but companies typically know when they’re subject to this kind of control, in the same fashion as export-controlled information or information subject to ITAR.

As a cybersecurity standard, CMMC 1.0 has been relatively easy to achieve because it is a self-assessment that is submitted when required by a contract. Its security controls are good ways to strengthen physical and network security for any organization, and it has been instrumental in helping companies achieve better security standards for business computing systems. Its implementation has been quite similar to the self-reported controls that would be part of a cyber insurance self-assessment.

CMMC 2.0 is the newly published rule that will become the de facto standard for the highest levels of cybersecurity, but with three tiers: Levels 1, 2, and 3. Level 2 is the most commonly talked about, because it will apply to any company that stores CUI (and, unlike Level 1, it will not be a self-assessment; instead, companies will need to be certified by a third-party audit).

Level 3 is focused on enhanced protection against advanced persistent threats (APTs), and at the time of writing, it’s not very clear what will distinguish companies who need Level 2 versus companies that need Level 3. There is some chatter out there that it will be a very small number of defense contractors that are beholden to Level 3.

How Do I Know if My Company Needs CMMC Level 2?

CMMC Level 2 further builds on the original CMMC standard by requiring a third-party assessment of all of the controls. It is a rigorous and detailed look at all of the systems used to handle CUI, and it will probably cost quite a lot to attain certification.

The regulation is being implemented through contract language that spirals out from defense contracts. Companies that do business with the government, either directly or indirectly, will become subject to the rule when they sign a contract (either with a government entity or a subcontractor) that contains an expectation that CMMC will be met as a condition of the contract. Any time that access to CUI is a part of a contract, it is expected that the contract will contain language requiring CMMC certification.

Because of this method of propagating the standard, the timing for the rollout of CMMC has been a little fuzzy. Since the rule is now published, the requirement could be put into currently written contracts. This will happen first for companies that work directly with the Department of Defense or other governmental agencies. When the DoD starts putting it in contracts, it will then flow down to service providers and other companies that they do business with.

CMMC Final Rule: What Does This Mean for My Managed Services Provider?

A few months ago, it looked like all MSPs (referred to in CMMC documents as External Service Providers, or ESPs) who have CMMC certified clients were going to be required to attain CMMC Level 2. The way the earlier versions of the rule were written, managing any part of the system in a CMMC environment would require CMMC certification for the external, managing company.

The rule was softened (including clarity on what counts as a cloud provider and what it means to handle the security protection data for a CMMC system), but it still applies to managing systems that store or process CUI. Some experts, such as the CMMC experts at Kieri, think that it’s still going to end up causing a lot of MSPs to get certified themselves. This is because some of the systems that an MSP manages or helps manage might store CUI, meaning that the MSP will be in scope for a CMMC assessment and treated as if it were part of the client company’s network.

According to this idea, an MSP with clients that have CMMC requirements risks going through many assessments as part of its clients’ assessments. It will likely make more sense for those companies to get their own certification and avoid going through the assessment multiple times, but at their own cost.

What Does This Mean for My Cloud Providers?

Other services are entirely hosted online by a cloud provider. If your company uses Microsoft 365 (SharePoint, OneDrive, etc.) to store or process CUI, then the cloud provider needs FedRAMP authorization (Federal Risk and Authorization Management Program). In this case, the provider should already have an offering in a different tier or subscription for use with CUI. For Microsoft 365, you need a specific version of 365, SharePoint Online, etc. to be able to use the product to work with CUI or other controlled information, and these versions require that you use a specific vendor who can sell you those licenses.

An MSP with CMMC certification will be able to manage these licenses on behalf of client companies, in the same way that they would manage cloud service licenses in current practice. This typically includes help desk services that serve as the first line for getting help with administering and troubleshooting services.

Current Outlook for the Rollout

Experts are expecting a bottleneck in the assessments that will enable all companies, including MSPs, to get certified, lasting through at least the first half of 2025. Once the language starts to appear in prime contractors’ government contracts, it’ll start to flow down to the other manufacturers, construction companies, etc. that they do business with.

As experts in cybersecurity and compliance, Crown Computers looks forward to helping our clients navigate this and other compliance challenges. If your business is planning on becoming compliant with the standard, reach out to let us know how we can help design and manage your information security in a way that is both robust and user-friendly!

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team