A group of people circled around a table discussing.

CMMC 2.0 compliance: It’s about you, not the service provider.

CMMC 2.0 is the next generation of cybersecurity requirements for Department of Defense (DOD) contractors and subcontractors. It’s coming soon, expected to be in place as early as Q4 2024. Unlike the current DFARS standards, third-party certification of full compliance will be mandatory and strictly enforced. In other words, under CMMC 2.0, if you’re not certified as 100 percent compliant, you cannot not be awarded a DOD contract.


CMMC represents a huge challenge for mid- to smaller-sized companies that serve the DOD or would like to. Government regulations are notoriously complex, and many smaller contractors and subs operate with a lean IT staff that have neither the specialized knowledge nor the time to tackle cybersecurity compliance.


The easy part is deciding you need outside help. The hard part, aside from compliance itself, is choosing the right provider.


Remember that it’s about you and your company, not the provider

We’re hearing about many well-known Managed Security Service Providers (MSSPs) requiring customers to meet certain preconditions before accepting a DFARS or CMMC compliance engagement.


Typically those preconditions include requiring you to agree—in writing—to put your DOD-related data on their cloud committing you to using the MSSP’s proprietary architecture to protect your data. This is great for the MSSP but might not be the right decision for your business.


There are many serious problems with the preconditions dictated by an MSSP. You may not want to house your DOD data on the cloud, and it might not be best for you to be locked into the MSSP’s proprietary architecture for eternity.


Maybe the biggest problem? Preconditions indicate a provider that seems more focused on themselves than you. Not a good sign.


Do you really need to be on the cloud?

Maybe the best place for your DOD project data is on the cloud. There are some good cloud-based solutions—especially those that the industry calls enclaves—that can offer a faster, less costly way to meet CMMC requirements. Or, maybe the cloud is not for you. Maybe you’d prefer the control of housing your data securely and compliantly within your own IT infrastructure.


The point is, this is not a decision you should be forced to make before even engaging an MSSP. The provider should be interested in meeting you where you are, with the first priority being understanding where that is, before determining—or dictating—where your data should be housed.


Who owns the architecture?

Many cybersecurity service providers’ DOD compliance solutions utilize architecture owned by them. Yes, you own the data, but not where it lives. Effectively, you’re just renting the space for your data, with the software for securing it often in the provider’s name. Again, it’s all about the MSSP.


The advantage to using proprietary MSSP-owned architecture is the assumption that it’s safe and secure. The problem is, someone else controls your data, not you. And you’re locked in. If you decide you want to move your data inhouse, or work with another MSSP, or if the provider decides to increase prices, to leave, you’ll have to start over to at least some degree. This will cost you additional time, hassle and money to maintain compliance.


Maybe you’ll decide that renting secure space for your data is right for you. But do you really want to commit to this approach—especially when there are alternatives—before you actually know where you are in the cybersecurity compliance journey?


Engage with an MSSP that puts you first

Some cybersecurity firms have no preconditions to be met prior to accepting an engagement. Some, from the first conversation, are focused on you and your company, and on determining where you are in the process so they can meet you there with what they recommend.


They’re not concerned about risk for them, or whether you’re on the cloud, or looking to lock you into their architecture. They put you first—getting your company fully, 100 percent compliant with CMMC 2.0 in the most time-efficient, cost-effective way. And keeping you there.


An MSSP that puts clients first is upfront and transparent about their process, focused from day one on helping you determine, and then delivering, the best solution for your situation.


You’ll want to work with a cybersecurity firm with an end-to-end approach designed to get you to full, not partial, compliance (a surprising number of providers don’t actually deliver full compliance). Look for a provider that has a long and deep track record in DOD cybersecurity compliance for companies like yours, and that tailors the end product to you. No boilerplates.


Interestingly, the MSSPs that fit these criteria often charge significantly less overtime than those that come in with preconditions and insist on using their proprietary architecture.


The time to get started is now

Finding the right provider takes time, and with CMMC 2.0 expected to launch as early as fourth quarter of this year, time is getting short. And once you’ve selected that provider, it will take time to assess your situation, develop and install the solution, and check all the boxes required to win that DOD contract. That’s why it makes sense to identify potential providers and set up conversations with them sooner, not later.


One final thought—don’t forget the bigger picture. This is more than checking boxes for the DOD. There are real, growing cyber threats out there, and if you’re not adequately protected, you could lose much more than a DOD contract. Especially for a smaller business, a data breach can be devastating. You could lose your livelihood. If you haven’t adequately addressed this critical need, the time to get started is now, regardless of CMMC timing.

Join our May 29th 12 pm ET webinar Mastering CUI Boundaries: A Comprehensive Guide to Scoping, SPRS Input and Audit Navigation.
This is default text for notification bar