CMMC final rule: Top takeaways for MSPs and MSP+s
After years of uncertainty, the defense industrial base (DIB) and its vendors finally received confirmation on the final language of the Cybersecurity Maturity Model Certification (CMMC) program when it was published on October 15, 2024. The rule became effective on December 16, 2024. The final rule held the line on requirements for DIB contractors, closely matching the requirements from the draft rule. It is clear the DoD expects the DIB to have active NIST 800-171 R2 compliance programs. This expectation is a continuation of the messaging and requirements from CMMC 1.0.
The final wording of the CMMC 2.0 rule (32 CFR Part 170), however, walked back the language of the December 2023 proposed rule specifically for vendors supporting DIB contractors, referred to as external service providers (ESPs). The major takeaway from the final rule is that ESPs that do not store, process, or transmit controlled unclassified information (CUI) have no specific mandate to obtain their own CMMC certification.
This is a significant shift from the initial CMMC 2.0 draft language. ESPs no longer have to complete their own certification before providing services to customers who are DIB contractors. Instead, the products and services they provide are assessed as part of the DIB customer’s own assessment. The foundation of that assessment is the customer’s system security plan (SSP) and the shared responsibility matrix (the rule calls it a customer responsibility matrix) that spells out which controls the ESP or MSP operates and which the customer operates. The SSP and responsibility matrix may overlap with those written for other compliance frameworks, but a version scoped specifically to CUI and NIST SP 800-171 is a non-negotiable prerequisite for any CMMC compliance activity.
The final rule preserves the option for ESPs to pursue their own CMMC certification voluntarily, which can limit the impact of client assessments on the ESP. Even where controls can be inherited, however, many customers will still need significant help maintaining and documenting their CUI environment boundary, keeping the SSP current, and supporting ongoing assessments. If your customers are not clear on their CUI boundary and what CUI they hold, scoping that boundary is the urgent first step. Ultimately, knowing what is and is not CUI and protecting it remains the DIB contractor’s responsibility.
ConnectWise is committed to improving our products and services to support our partners as they help their DIB customers document and demonstrate these control activities, with a focus on controls related to security protection data (SPD). Under the final rule, ESP assets that handle SPD (for example, logs, configuration data, or vulnerability scan results) are in scope as security protection assets even when they never touch CUI, so DIB contractors are likely to need their MSP’s or MSP+’s assistance in demonstrating the functional security control activities within their scoped FCI/CUI environment. MSPs must have a clear understanding of the difference between CUI and SPD.
If you need more information about CUI and FCI, the National Archives (NARA) CUI Registry and the DoD CUI Program are good places to start.
The DoD is still working through the process of issuing the final acquisition rule (the 48 CFR companion to the 32 CFR program rule) that updates DFARS 252.204-7012 and adds the contract clause that will make CMMC a condition of award. While CMMC is phased into contracts over the next three years, the DFARS rules are going through their own rulemaking process to align the DoD’s contracting with CMMC requirements.
One way to frame the relationship between CMMC and DFARS is that DFARS states the contractual obligation to protect CUI, and CMMC is the verification layer that confirms the contractor is actually meeting it: through self-assessment at Level 1 and for some Level 2 contracts, and through a certified third-party assessment organization (C3PAO) for most Level 2 contracts. Updates to the DFARS rulemaking process are anticipated in 2025.
The top three takeaways for MSPs
- The DoD clarified that MSPs/MSP+s and their tooling do not require the MSP/MSP+ to carry its own certification as long as the MSP/MSP+ does not hold CUI and the CUI remains in the DIB contractor’s systems
- The NIST SP 800-171 Rev. 2 (February 2020) and NIST SP 800-171A (June 2018) requirements have been confirmed as the assessment baseline, not the updated NIST SP 800-171 Rev. 3 and 800-171A Rev. 3 (final May 2024)
- The cloud service provider (CSP) definition was reverted to the NIST SP 800-145 (2011) definition of cloud computing; the rule clarified that an ESP using off-the-shelf SaaS tools is not itself a CSP
Our focus in the coming months will be on the ConnectWise products and services that map to the most controls in NIST 800-171 R2 and NIST 800-171A. We look forward to supporting this next step in the CMMC compliance phase for ConnectWise partners and their DIB customers.