April 7, 2021

Last Updated on January 14, 2024

Government staffing agencies that do business with the US Department of Defense (DoD) or other entities using the Cybersecurity Maturity Model Certification (CMMC) framework may face unique compliance challenges. Many staffing agencies are worried that new contracts will mandate compliance with CMMC Level 3, a robust suite of controls designed to secure Controlled Unclassified Information (CUI).

Why are prime defense contractors and government agencies requiring CMMC Level 3 compliance for staffing firms? Is their rationale logical and valid? What CMMC Level 3 controls might actually be “in scope” for your environment?

Pivot Point Security CISO and Managing Partner, John Verry, addressed these and other critical concerns that government staffing agencies are voicing about CMMC compliance in a recent episode of The Virtual CISO Podcast specifically targeting this hot topic.

To make sense of CMMC compliance for government staffing agencies, John introduces the concept of shared responsibility: “The idea behind shared responsibility is that in any relationship with a third party, we share responsibility for managing the risk associated with the relationship. So, if I’m hosting my own equipment and I’m managing the risks… I’m responsible for making sure there’s locks on the doors. I’m responsible for making sure that there are security guards and badges and people being escorted. I’m responsible for making sure that the underlying computer system is properly configured and patched. I’m responsible for asset management. I’m responsible for background screening of all the employees. So literally every control that you might imagine would be necessary to manage that universe of risk is my responsibility.”

“Now compare that with, instead of hosting that application in my environment, I go to a software-as-a-service company,” John posits. “Am I now responsible for the physical security of those servers, or their patching and management, or the underlying operating systems, and ensuring that the database stays up-to-date? No. That’s being outsourced to [the SaaS provider]. But I still have the responsibility of making sure that the users who are using the data know their [cybersecurity] obligations, that they’re being properly vetted/background-checked, that they’re using strong passwords, and so on.”

“So that’s where that shared responsibility comes in,” clarifies John. “If I’m the federal government or a prime, I’m thinking you [as a government staffing agency] still own some responsibility. As an example, you’re putting a body on my base. Did you properly background screen that body? Or maybe I’m going to do that, so I don’t need you to. Have you given the security awareness education that is necessary for them to understand the risks? Have you told them not to send email out? Or will I cover that on my side?”

“I think that’s where you might see some of the elements of CMMC Level 3 as being ‘on your side of the fence,’ or in scope for you, and some might be on their side,” John observes. “I think getting that clarity is going to be important for most staffing agencies.”

In other words, depending on the view of shared responsibility that is relevant to your specific contract, you could be responsible for a particular subset of the 130 CMMC Level 3 controls.

“That’s where the idea of understanding risk and in each scenario saying, ‘What if this happened? What would be my responsibility and what would be their responsibility?’” pinpoints John.

What’s Next?

Here’s the bottom line, courtesy of John:

“If you’re a staffing agency, I think if you can get clear definition of what the expectation is from the agency or prime, that’s really what you want to shoot for. That way you’re not at this ‘debating and trying to figure it out’ level.” “In all cases, we still have that shared responsibility that we need to understand and make sure that we’re addressing well.”

If you’re helping to uphold your company’s responsibility for cybersecurity as part of doing business with the US government, this podcast with John Verry was created just for you.


