May 4, 2021

Last Updated on January 12, 2024

There’s no question that the DoD’s Cybersecurity Maturity Model Certification (CMMC) is impacting more organizations than any information security framework in history. For MSPs that want to do business with the US federal government or its supply chain partners in industries like defense, IT and staffing, CMMC “flowdown” requirements as well as direct compliance language in contracts are driving fast and furious upgrades to internal security.

But is CMMC just painful news for MSPs? Or is there a silver lining to this cyclone on the horizon?

Who better to parse the impacts of CMMC on the MSP industry than MSPAlliance cofounder Charles Weaver? Charles talked over this “next big thing” for MSPs with Pivot Point Security CISO and Managing Partner, John Verry, on a recent episode of The Virtual CISO Podcast.

As John points out, helping clients comply with CMMC could be a big opportunity for well-prepared MSPs: “I think any MSP that’s dealing with the defense industrial base (DIB) is got to be just all over this. A huge opportunity, whether or not they’re working with somebody like Pivot Point Security at the upper advisory level. And they’re going to say, ‘Hey, guys, you’ve got to migrate to GCC High. You’ve got to migrate to FTP Now or PreVeil, or one of these other services. You’re going to have to update your encryption. You’re going to have to move to a SIM solution.’ So they’re going to have to work with an MSP or an MSSP.”

What guidance is MSPAlliance giving its constituents on CMMC? And does Charles see CMMC as a threat or an opportunity, given how it will impact MSPs internally?

“The folks in Washington actually reached out to us two years ago when they were coming out with pre-CMMC, and they were trying to come out with a cybersecurity framework for MSPs,” notes Charles. “It’s published and people can check that out. I think it’s always good for people to do more and have more discussion about MSP security.”

More Isn’t Always Better

But more isn’t always better when it comes to overlapping cyber standards that MSPs may need to comply with. As Charles points out: “You’ve got the US federal government acting. You certainly have the Canadian federal government acting. You’ve got the European community at a federal level acting as one under GDPR with ISO 27001. So you’ve got a patchwork quilt around the globe of different standards. Even within the US, you’ve got CMMC underpinned by NIST being pushed down through the DoD community. But you’ve got a completely separate community in the federal government at the FFIC or FDIC level, which is promoting not NIST, but SOC through the FFIC examinations of the US banks and their subsequent outsourcing to MSPs. So you’ve got some interesting political convergence that’s going to be like fireworks to watch, I think. I’m not making predictions.”

“I think all of these standards are good, but I think that having maybe some flexibility and give in the system is going to be good thing for the next five years,” continues Charles. “Because the last thing that MSPs want to say is, ‘Alright, I’m servicing banks. The bank examiners are telling me to get a SOC 2. And then I’ve got a federal contractor as a client and they want me to get CMMC.’ There’s gotta be some reasonableness is all I’m saying.”

“I will leave it to most bureaucracies to get in their own way and figure out exactly how to stop progress,” jibes Charles. “And just remember, the original FedRAMP thing caused a lot of service providers to kind of back away and say, ‘You want to put me through this, then I’ll just back out.’ And there could be the opposite effect, which is if they don’t make it something that is scalable, meaning that normal MSPs can handle. And I’m talking like, beyond just Azure, Rackspace, AWS, and those kinds of global giants. Because there’s a lot of downstream MSPs in the supply chain that provide really valuable stuff. I’m talking about very point solutions that you probably know very well. They’re database experts or they’re firewall experts or they’re in a particular ERP application that the government uses, whatever.”

What’s Next?

The bottom line is that constraining freedom of choice in selecting MSPs could leave government agencies and their suppliers struggling to execute on their missions.

As Charles observes: “They have to really make sure that they don’t force out the variability… The ability of the customer, even a federal customer, to select an MSP. Because that is exactly what happened at the FDIC level when they realized, we got a ton of MSPs handling U.S. bank infrastructure. If we come down really hard, we might have the satisfaction of knowing that we’re applying a consistent principle. But we could also lose half of the MSPs handling infrastructure for US banks, leaving them with… what? Nobody? That will be disastrous. And the DoD I don’t think wants to end up in that situation. So those are public policy things that keep me up at night.”

“I think we’re seeing the same kind of questions,” adds John. “Because as you go down the CMMC food chain, the new CMMC interim rule basically says that an organization needs to ensure that the same standard is being pushed down the supply chain. So now we have a situation where if I’m a 300-person manufacturer, I have no choice but to comply with this. But now I have an MSP. Am I going to ask them to comply? Or am I going to build out a methodology by which they can provide the service without having to comply themselves? So, it’s going to be a fun few years trying to figure that out.”

If you’re responsible for MSP, CSP or MSSP cybersecurity or business development, don’t miss this podcast episode with MSPAlliance cofounder Charles Weaver.

To hear the show all the way through, click here. If you don’t use Apple Podcasts, you’ll find all our cybersecurity podcasts here.