Blog

How MSPs Can Successfully Navigate the Upcoming CMMC Rule: Key Takeaways from the BigBIG Conference

Written by Prescott | Sep 3, 2024 5:30:00 PM

At the recent BigBIG Conference in Hollywood, Florida, Prescott's Director, Mark Pardee, took the stage alongside Dan Gilligan, President of Integra MSP, to discuss the complexities of the upcoming Cybersecurity Maturity Model Certification (CMMC) rule, and the value of partnership with an experienced team like Prescott. 

Their presentation offered valuable insights into what Managed Service Providers (MSPs) need to know to navigate these changes and thrive in this evolving landscape.

The Big Decision: Commit or Exit

Mark kicked off the presentation by outlining a crucial decision facing MSPs: whether to fully commit to CMMC compliance or exit the market altogether. For MSPs serving Department of Defense (DoD) contractors, achieving CMMC certification will be mandatory. MSPs that choose not to pursue certification will no longer be able to support DoD clients, so they must decide whether to hand off those clients, sell their contracts, or trade them with other MSPs. Dan followed by explaining the value of having a knowledgeable partner like Prescott alongside the MSP to guide both the MSP and its clients through the process.

Why CMMC Compliance Makes You a Better MSP

To achieve CMMC certification, MSPs need to implement and adhere to stringent cybersecurity practices, including documented policies, incident response protocols, change management processes, and risk management strategies. These measures not only result in compliance, but also lead to a more consistent and secure client experience. By enforcing these practices, MSPs are less likely to overlook incidents or alerts, thereby increasing their overall reliability and trustworthiness.

The Uniqueness of CMMC

CMMC stands out from other cybersecurity frameworks due to its mandatory nature and comprehensive assessment requirements. Unlike voluntary frameworks where companies can self-report compliance, CMMC Level 2, which applies to organizations handling Controlled Unclassified Information (CUI), requires MSPs to meet all 110 security requirements of NIST SP 800-171 and the 320 assessment objectives of NIST SP 800-171A. This all-or-nothing approach means that MSPs must either fully comply with the CMMC requirements or risk losing their ability to work with DoD contractors.

Understanding the CMMC Ecosystem

During the presentation, Mark also broke down the CMMC ecosystem, highlighting the roles of various stakeholders: the Cyber AB (formerly the CMMC Accreditation Body, or CMMC-AB), the CMMC Third-Party Assessment Organizations (C3PAOs) it authorizes, and Registered Practitioner Organizations (RPOs) like Prescott. He explained how MSPs and their clients fit into this ecosystem and why it's essential for MSPs to become certified. Even if an MSP keeps all data on the client's network, it still handles sensitive information, which necessitates certification.

The Timeline and What's Next

Mark also provided a detailed timeline for the rollout of CMMC. The new CMMC regulations are expected to go live later this year, with a formal rule expected to be published in September or October, followed by a 60-day congressional review period. This means that MSPs could begin their assessments as early as late this year. He warned that while the road to compliance has been a long one, spanning nearly two decades, it's now moving quickly. "The light at the end of the tunnel definitely is a train - and it's headed this way," Mark cautioned.

Opportunities and Costs

The presentation also touched on the opportunities and costs associated with becoming CMMC-compliant. Mark highlighted that MSPs that are early adopters of CMMC compliance could see substantial financial benefits by gaining a competitive edge and commanding higher prices for their services.

However, for MSPs that fail to prepare, the consequences could be severe, including losing clients who require compliance or facing a significant drop in business value.

What MSPs Need to Have in Place

Mark concluded by outlining the key elements MSPs need to succeed under the new CMMC framework:

  • Documented Internal Practices: Clear policies and procedures aligned with CMMC requirements.
  • A Dedicated Project Team: A team focused solely on achieving and maintaining compliance.
  • Properly Configured Tools: Utilizing the right tools to support CMMC compliance.
  • Control Over Service Delivery: Confirming that all aspects of service delivery meet CMMC standards.
  • Client Alignment: Confirming that clients adhere to the MSP’s standards and procedures.

At Prescott, our team is composed of compliance specialists and business process analysts who embed themselves in your company's culture and corporate structure, overseen by a board of notable industry experts in the information technology, information security, and cybersecurity sectors.

If you want to learn more about CMMC and how to prepare your business, check out our on-demand CMMC webinar series, or connect with our team of CMMC experts.