Five Interesting Thoughts from…Mike Semel
Think you’re ready for CMMC? Think again. Here are five facts about the newest compliance mandate that even MSPs who don’t serve defense contractors need to know.
The final rule for the federal government’s Cybersecurity Maturity Model Certification (CMMC) regulation has been in place since last October. To help us understand the implications for managed service providers, Channel Mastered’s MSP Chat podcast invited Mike Semel, a former MSP who’s now one of the tech world’s foremost compliance advisors, to join us for an interview. Here are five of Semel’s many observations that may surprise you.
1. CMMC covers a lot more end users than you probably realize. As most people know, CMMC requirements apply primarily to “controlled unclassified information” (CUI), the kind of information handled on a routine basis by the roughly 80,000 contractors and sub-contractors that sell to the Department of Defense. What’s less known is that the rules also apply to “federal contract information,” a much less sensitive but more widespread form of information routinely seen and saved by as many as 300,000 companies.
“All defense contractors, even those that are doing things like mowing the lawns at an Air Force base or cleaning the offices or providing food services, they have a government contract that needs to be protected by basic cybersecurity requirements,” Semel says. “This affects a huge number of businesses.”
2. Get your documentation right or your clients will suffer. CMMC auditors carefully scrutinize an end user’s security. They also, however, carefully scrutinize the security-related work done on behalf of that end user by their MSP.
“The big thing about CMMC is people think about it as a cybersecurity requirement and it’s really an audit preparation requirement,” Semel says. “That’s different, because you have to be able to fully document what you’re doing as an MSP for a defense contractor that’s a client, and show all sorts of written evidence and be able to demonstrate your own processes as an MSP. And if you don’t do that as part of your client’s assessment, you’re going to be the cause for your client to fail their assessment.”
3. It’s not just your documentation that auditors want to see. It’s the software you’re using too. Regulated end users are required to present network maps during audits. Those maps, in turn, must include not only the end user’s devices and applications but those of any contractor with access to those systems—like an MSP—as well.
“You’re going to have to be very transparent with your clients about what tools you’re using, because they’re going to be assessed for the way you deliver those services,” Semel says.
4. The backup system you’re using is probably not CMMC-compliant. Semel is confident of that, because few of the backup products most popular with MSPs and their customers today meet two specific CMMC requirements for handling CUI, as he recalls telling one client.
“I said, ‘you can’t use that backup company to store controlled unclassified information, because they don’t meet the federal FedRAMP requirements for cloud services and they don’t encrypt their data using FIPS-validated encryption, which are two requirements for CUI,’” Semel recalls.
5. Despite all the complexity, offering CMMC compliance services can really pay off. In fact, providing any kind of compliance assistance can be hugely advantageous if you make the necessary investments in skills, tools, and people, as Semel himself saw a decade ago when he repositioned his managed services practice as a compliance services practice.
“We did the same thing as every other MSP. We all had the same products and services and tools in our stack and things like that. But by positioning our services as compliance services, I was able to distinguish myself and have different conversations with clients,” Semel says. “We eliminated a lot of our competition and we were able to charge more because we positioned our MSP services as compliance services and helped our clients not just secure their data, but be ready for audits and investigations by regulators.”

Semel’s CMMC 2.1 Desktop Reference Guide is available for free online. More information about Semel’s company, Semel Consulting, is available here, and you’ll find our entire conversation with Semel here.