ConnectWise: MSPs Potentially Impacted By CMMC Updates

CMMC has brought both benefits and challenges for MSPs.

Edward Gately, Senior News Editor

January 23, 2025


Recent Cybersecurity Maturity Model Certification (CMMC) updates are now in effect, bringing important changes around the role of external service providers (ESPs), including MSPs and MSSPs.

That’s according to ConnectWise CISO Patrick Beggs. The CMMC model aims to protect federal contract information (FCI) and controlled unclassified information (CUI) shared with defense contractors and subcontractors during contract performance. The Department of Defense developed the CMMC.


The final CMMC updates took effect at the end of 2024 and maintained the requirements for defense industrial base (DIB) contractors. However, the final wording reverted from the language in the December 2023 interim rule.

“This brings some important changes – especially around the role of ESPs,” Beggs said. “For example, ESPs that do not store, process or transmit CUI are no longer required to get their own CMMC certification to provide services to customers who are DIB contractors. This is evaluated using a shared responsibility matrix between the ESP/MSP and the DIB end user.”

Significance of CMMC Updates

The removal of the requirement for ESPs is the most significant aspect of the CMMC updates, Beggs said.

“This decision is a significant difference from earlier expectations, where ESPs were anticipated to be directly subject to certification requirements,” he said. “By shifting the focus, the final ruling emphasizes the importance of a shared responsibility model between the ESP and the DIB contractor.”


Also among the CMMC updates, the definition of a CSP has reverted to its 2011 framework, clarifying that ESPs utilizing off-the-shelf SaaS tools are not classified as CSPs. This eliminates the need for additional certification requirements for ESPs using such tools.

In addition, the CMMC updates don't require compliance with the latest version of the National Institute of Standards and Technology (NIST) requirements for safeguarding sensitive information on federal contractors' IT systems and networks.

CMMC has brought both benefits and challenges for MSPs, Beggs said.

“On a positive note, it has driven MSPs to adopt more robust cybersecurity practices, enhancing both their own security posture and that of their clients,” he said. “Additionally, achieving CMMC certification offers a competitive advantage, making MSPs more attractive to defense contractors and other clients who require high levels of cybersecurity. It also opens doors to new business opportunities within the DIB, enabling MSPs to secure contracts and expand their market reach.”


However, these benefits come with challenges, Beggs said. Achieving and maintaining CMMC compliance can be costly and resource-intensive, particularly for smaller MSPs, as it involves expenses for assessments, audits, training and implementing necessary controls.

“The complexity of compliance adds another layer of difficulty, requiring MSPs to navigate guidelines and ensure every aspect of their operations meets the standards,” he said. “CMMC also demands continuous monitoring and updates to cybersecurity practices, which can be time-consuming and require substantial effort to sustain over time. Overall, while CMMC offers valuable opportunities, it also requires MSPs to invest heavily in resources and expertise to meet its requirements.”

ConnectWise Offers Help With Compliance

ConnectWise can provide MSPs with the tools and resources they need to navigate the evolving compliance landscape, Beggs said.

“As DIB contractors rely on MSPs/MSSPs to help document and demonstrate functional security control activities within their scoped FCI/CUI environments, ConnectWise is focused on enhancing its products and services to align with these needs,” he said. “Specifically, ConnectWise is focusing on products and services that map the most controls in NIST 800-171 R2 and NIST 800-171A, ensuring MSPs can effectively support their customers in achieving and demonstrating compliance. With these targeted improvements, ConnectWise is dedicated to guiding its partners through this next phase of the CMMC compliance journey, making it easier to support DIB customers and meet regulatory requirements.”

MSPs can expect further CMMC updates as the compliance landscape is constantly evolving, Beggs said.

“The U.S. Department of Defense (DoD) estimates that only 135 CMMC audits will be conducted in the first year by third-party assessment organizations,” he said. “As these audits are completed and certifications are issued by entities beyond the Defense Contract Management Agency (DCMA)’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the guidance and recommendations provided to the community are likely to evolve. ConnectWise remains committed to staying ahead of these changes, ensuring its products and services align with the latest developments, and equipping MSPs with the tools and support needed to help DIB contractors navigate the ongoing CMMC compliance process effectively.”


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
