Last Updated on April 6, 2021
Compliance with the US Department of Defense (DoD)’s new Cybersecurity Maturity Model Certification (CMMC) framework will soon be a prerequisite for all businesses in the defense supply chain and elsewhere across the government sector—including staffing agencies.
But while manufacturers and others that handle Controlled Unclassified Information (CUI) will often need to comply with the strict controls at CMMC Level 3, most staffing firms only handle Federal Contract Information (FCI)… right? So they can get by with CMMC Level 1 controls… right?
The reality is that more and more government staffing agencies are learning that new contracts could mandate CMMC Level 3. But do you really need all those controls? Could you justify implementing just a subset of them? Or should you instead embrace CMMC Level 3 compliance as a competitive differentiator?
To help government staffing agencies get a handle on their unique CMMC compliance concerns, Pivot Point Security CISO and Managing Partner, John Verry, recently aired a special episode of The Virtual CISO Podcast.
“How does [a government staffing agency] know what to do?” asks John. “If you’re being asked for CMMC Level 3 and you truly don’t believe you’ve got CUI in your environment, you’re going to want to go back to the prime contractor or agency and talk to the program manager or the contracting officer. Perhaps they’re making a request that is illogical. You can be successful working with the government, asking them to change a clause in a contract that’s not relevant to you.”
“Recently we’ve talked to multiple staffing agencies that have said, ‘We think they’re going to ask us for CMMC Level 3—but even if they don’t, we want to be CMMC Level 3. Because we’re worried that if we don’t have that, there might be some opportunities that they don’t give to us,’” John adds.
Why would you want CMMC Level 3 if it’s not explicitly required for a specific contract? Because either way, a service provider that can attest to CMMC Level 3 is more secure than one that can only attest to CMMC Level 1. This could certainly be a factor in awarding future contracts.
“We’re seeing people who are saying, ‘I’m being asked for [CMMC Level 3]. I don’t think I need it, but I still want it,’” reiterates John.
Why would a federal entity require you to have CMMC Level 3 if you’re just, as John puts it, “… putting bodies on bases using government furnished equipment and using their email?”
“The way you would address that particular question is to use what we refer to as a risk assessment,” John notes. “Which is a requirement, by the way, of CMMC Level 3.”
John continues: “So what are the risks, right? What are the scenarios in which CUI might leak into your environment? Think about it logically. For example, I hire Jeremy. Jeremy goes to work at the DoD. He’s working on projects that require high levels of clearance that obviously involve CUI. And Jeremy sends me a note asking a question about a paycheck. Or saying, ‘Hey, for Project X, should I be billing this code or this code?’ Either case could tie into this particular issue with CUI.”
“So one of the questions would be, what protections do you have in case data does leak into your environment? Or do you have protections that would prevent that data from leaking into your environment?” says John. “Those could be technical measures, like where you’re filtering data or you’re preventing email from coming in from a military email address. Or it could be compensating controls that are in place so that if CUI does enter your environment, you’re still not at risk or out of compliance. I know of a two-person staffing agency that’s moving to Microsoft GCC High just in case somebody sends them [CUI] content by mistake.”
If you’re involved in security and/or compliance for a government staffing business, this special podcast episode with John Verry delivers exactly the guidance you need to make informed decisions.