August 10, 2021
A Closer Look at the Cybersecurity Maturity Model Certification (CMMC)
It is no secret that public sector cybersecurity protocols have been at the center of much debate across the nation’s capital in recent years. With Clearsight headquartered just outside of DC, we are attuned to the changes taking place in these federally mandated compliance initiatives and are beginning to recognize their impacts on our industry sectors of focus. For one, we have been entering into more discussions centered around Cybersecurity Maturity Model Certification (CMMC).
First instigated by the Department of Defense (DoD) in November 2020, CMMC is a framework that assesses a company’s cybersecurity implementation practices and maturity processes to ensure government information is adequately protected. While the current ruling applies mostly to a few prime defense contractors, all defense contracts will need to comply with CMMC by October 2025. Notably, this includes professional services firms and MSPs/MSSPs providing consulting and tech-enabled services to the DoD.
One of the challenges professional services firms face in obtaining CMMC is reaching internal agreement on the level of maturity to achieve based on their business models. A lower maturity level (fewer controls) will be quicker and less expensive to obtain, but a higher maturity level could make a company a more attractive potential M&A target. In fact, some MSPs are adopting CMMC early as a differentiator in the white-hot market, while many firms are still in the education and planning phase.
As with other certifications, CMMC does not come without cost and an extensive time commitment on the part of the firm obtaining it. Smaller MSPs with government sector verticals will be less than enthused to add CMMC to an already lengthy list of state and federal regulations they must abide by. Additionally, some MSPs may not have the breadth or depth of resources available to obtain the certification on their own, which could accelerate the current consolidation trend of private equity roll-up acquisitions.
While the full impact of CMMC is yet to be realized, Clearsight has a front-row seat for the influence this new regulation will have on thousands of organizations in the DoD’s supply chain. For more updates on CMMC and other trends we are seeing in the Public Sector Technology, Risk & Regulation, and MSP/MSSP spaces, please contact Managing Director John Rakowski or Director Jim McCabe.