CMMC Compliance: What MSPs Need to Know About the Final Rule

Posted by Kevin Hutchinson, CISSP on Nov 6, 2024 9:59:08 AM

With the publication of the CMMC Final Rule (32 CFR Part 170) by the Department of Defense (DoD), many managed service providers (MSPs) can breathe a sigh of relief. The updated rule clarifies that an External Service Provider (ESP), which includes MSPs, that does not store, process, or transmit Controlled Unclassified Information (CUI) does not require a CMMC assessment. 

Understanding CMMC and Its Importance 

The Cybersecurity Maturity Model Certification (CMMC) was developed by the DoD to address cybersecurity controls, or lack thereof, in the defense industrial base (DIB). Given the increasing frequency and sophistication of cyber threats, the DoD established CMMC to ensure that contractors and their subcontractors have the necessary controls to protect sensitive information, including CUI. For MSPs working with defense contractors, understanding and navigating these requirements is critical. 

Key Changes in the Final Rule 

The rule states: 

“When ESPs that are not CSPs [Cloud Service Providers] do NOT process, store, or transmit CUI, they do not require CMMC assessment or certification, however, services they provide are in the OSA’s [Organization Seeking Assessment] assessment scope.” 

This change is significant, as previously, any MSP doing business with an organization that fell under CMMC compliance had to meet the same level of compliance as that of their customers, or OSA. This placed an undue burden on many MSPs, most of whom did not have the resources to meet the strict compliance requirements for CMMC. These changes significantly alleviate that burden. 

Under this final rule, if an ESP is a CSP and stores, processes, or transmits CUI, they must meet the FedRAMP requirements as specified in DFARS clause 252.204–7012. Conversely, if the CSP does not store, process, or transmit CUI, they are not required to meet these FedRAMP requirements. Nevertheless, the OSA is required to include the services provided by the CSP in their assessment scope. 

What If You Store, Process, or Transmit CUI? 

If you are an MSP that does store, process, or transmit CUI for your customers, you will need to meet the CMMC requirements for the same level as your customer. 

However, this compliance does not necessarily have to extend to your entire organization. You may be able to create a separate and secure enclave within your business that handles all CUI-related activities, thereby isolating it from the rest of your operations. This approach can help manage compliance costs and complexity by limiting the scope of CMMC requirements to just a portion of your business.  

How We Can Help

The path to CMMC compliance can be confusing and overwhelming. To ensure a successful audit and streamline the process, it is recommended that you work with a certified provider who can assist you through the necessary steps and preparations for certificationRather than trying to navigate these requirements alone, consider reaching out to us. We can guide you through the process, showing you how you can meet the compliance requirements without straining your resources. 

With our team, you gain a trusted advisor dedicated to helping you prepare for CMMC certification. Click here to learn more. 

Topics: CMMC