MSPs who are paying attention have a chance to get in on the ground floor of a huge opportunity to expand their business.
If you have any clients that currently do business with the Department of Defense, those clients now face serious new IT assessment requirements related to their cybersecurity practices, and those requirements need documentation. Effective Nov. 30, 2020, stringent new cybersecurity rules were put into place requiring contractors and their subs to conduct extensive cybersecurity self-assessments and submit the results, along with extensive documentation, to the government. See The Interim Rule.
Opportunity 1: Interim Rule Compliance
The CMMC requirement is being very slowly rolled into new DoD contracts between now and 2025. In the meantime, an Interim Rule is in place requiring most Defense contractors and subcontractors to perform cybersecurity self-assessments that check implementation status against 110 cybersecurity controls.
Most of the subcontractors are small and medium-sized businesses that lack the internal IT resources to perform and score the assessment, or to put together the detailed System Security Plan and Plan of Action and Milestones required by the rule.
This creates an enormous opportunity for MSPs, as demand among the 300,000 organizations that work on DoD contracts surely outweighs the number of MSPs available to help. See The Interim Rule.
Opportunity 2: CMMC Readiness Service
Each prime contractor – and all of their subcontractors – will ultimately need to achieve at least CMMC Level 1 certification. The demand is going to be huge, well beyond the supply of Certified Third-Party Assessor Organizations (C3PAO) required to perform the independent certification assessments. Also, when the time comes for the independent assessment, the more work the contractor has done to prepare, the faster and less expensive the assessment will be.
There are very specific cybersecurity requirements that must be met, and there needs to be documented evidence to prove it. While only an independent C3PAO can provide the certification, your clients will be relying on YOU, the MSP, to perform the initial internal “readiness assessment” and to gather the evidence of compliance. The CMMC module will guide you through this process.
And when your client is ready to move up to Level 2 and then Level 3, you can use your Level 1 assessment as the starting point and continue building your new readiness assessment on top of it.
Opportunity 3: CMMC Document & Artifact Creation
A key component of ANY compliance program is documentation. If you can’t prove that you do (or did) the right things at the right time, you will fail an audit or assessment review.
As an MSP or MSSP, you won’t be able to certify your own clients due to conflict of interest. But your clients will see a great return on the time and money they invest in you to prepare them for the independent assessment by a Third-Party Assessment Organization (3PAO).
While no pricing standards have been set yet, your client should expect to pay a 3PAO an average of $300/hour to perform a CMMC assessment. A documentation review will likely occur before the 3PAO conducts any staff interviews, so the more questions you can address with clear documentation, the less time the audit will take and the less money your client will pay. This is a great selling point for you to get involved early. Expect your 3PAO to start their assessment by:
Performing a thorough review of your System Security Plan — which, by the way, is automatically generated by Compliance Manager’s 800-171 assessment process.
Assessing your Plan of Action & Milestones (POA&M) — which is also automatically generated by Compliance Manager’s 800-171 assessment process.
Evaluating your IT security policies, standards and procedures — also produced by Compliance Manager.
Since these documents are already requirements of the Interim Rule, helping your defense contractor clients meet their cybersecurity requirements now will help them prepare for CMMC whenever their contract requires it.
While your clients will undoubtedly need some kind of assistance in obtaining their certification, an even bigger opportunity is in helping them maintain compliance during the three-year term of their certificate.
In addition to adding many more controls to the certification requirements, Level 3 also requires a contractor to have in place an ongoing assessment and review of its security performance, and to maintain ongoing documentation. And the requirement under NIST 800-171 is for periodic review and updating of the System Security Plan.
Compliance Manager is ideal for delivering this type of compliance-as-a-service offering. It maintains an ongoing archive of each assessment and retains the data from each review to speed the update process. Evidence of ongoing compliance can be supplied to the government agency with the click of a button.
LET US SHOW YOU HOW IT WORKS!
Ready to buy now? Click on the Buy Now button. Need to know more? Request a demo and we’ll show you how it works.