News, Trends, and Insights for IT & Managed Services Providers

Understanding the $100,000 Cost of CMMC 2.0


The weekly newsletter of the Business of Tech, giving you new insights into the world of IT service delivery. 

Looking for stories from the podcast?  Check out the pod itself on Apple Podcasts, Spotify, or daily in your inbox.   Stories are available to everyone for five days, and to Patreon supporters forever.

Was this forwarded to you?  Join the list!


Will CMMC 2.0 rewrite the rules for MSPs?

If you haven’t already heard, allow me to break the news: CMMC 2.0 is coming. 
 
Whether you’ve been fixating on the regulation or haven’t thought twice about it, Mike Semel, a compliance and business continuity consultant, has some insight he thinks everyone should know. 
 
From practical advice for government contractors to survival strategies for worst-case scenarios, here’s what Semel shared on a recent bonus episode of The Business of Tech.
 
CMMC 1.0 vs. 2.0 
 
Let’s start with Semel’s overarching message: even though CMMC 1.0 and 2.0 are written for government contractors, word on the street is that the requirements will one day (potentially quite soon) be extended to other industries where MSPs have clients. 
 
But that’s still theoretical. So why, exactly, is Semel sounding the alarm now?
 
When CMMC was first released several years ago, Semel—who ran an MSP before going into consulting—was concerned about how vague the language about MSPs was. He contacted Stacy Bostjanick, who heads the CMMC program at the DoD, and asked whether MSPs were going to be covered by the regulation. She said yes. So 2.0’s recent release was not a surprise. 
 
However, when 2.0 came out with a new three-level system and a government estimate that about half of the impacted 300,000 defense contractors would only be at level one, Semel became concerned about MSPs’ level of preparedness. 
 
You’re probably thinking, “I’m not a defense contractor, so why do I care?” Well, Semel pointed out that every government contractor has subcontractors, and those subcontractors have subcontractors of their own. In his own words:
 
“There had been doubt that CMMC was going to happen. But there’s no doubt anymore. It’s in the Federal Register as a proposed rule. It says that if you are an external service provider who’s not a cloud service provider, then if your client requires a CMMC level two assessment, then you do too. And if you fail, your client fails.”
 
He’s already had clients face this harsh reality:
 
“I’ve had MSPs say, oh, we really don’t do the cybersecurity. That’s done by a SOC-as-a-service or some other vendor, or using XYZ company. The way they define this, if you’re just doing patches and updates and managing that network, you’re within scope,” he said.
 
So what’s the timeline here?
 
According to Semel, we’re going to see CMMC 2.0 contracts in a year. And…
 
“It’s taking an average company 12 to 18 months to prepare. In the government’s estimate of the assessment, just to prepare for the assessment, not the cost of implementing the cybersecurity, is over $100,000. So to summarize, MSPs are going to have to be assessed if you have defense contractor clients. And as I said when I started, this is likely to spread across many other industries,” he said.
 
Could 2.0 impact all MSPs?
 
My instinct here was to push back. Wouldn’t this just fracture the market into providers capable of delivering in the defense industry and those that aren’t?
 
Semel agreed that some MSPs will simply not make the $100k investment. But he sees the money as an investment similar to the one HIPAA demanded when it arrived. His MSP at the time got the certification, didn’t change any of the products and services it offered, and benefited from promoting them as HIPAA compliant. 
 
“I would never take the $100,000 and just say it’s for one customer. I’d increase my rates across the board. And the reason that I think this is so important is that you’re going to be beating a lot of other companies that can’t answer the bell,” he said. 
 
He also believes the MSPs best positioned to answer the bell are those that have consolidated through mergers and acquisitions. In fact, he sees them as the wedge that will take business away from providers who aren’t prepared for 2.0.
 
As for tool providers, Semel did mention them here and there. I clarified whether he expects them to jump on board with FedRAMP authorizations, and he thinks that eventually, they will. But this process can take years, so don’t hold your breath just yet.
 
Will it really be that bad?
 
I was still on the fence about the gravity of the situation. The Department of Defense has said it will run programs to help smaller companies ramp up compliance (and invest in its own supply chain), so shouldn’t we expect the government to be proactive and helpful in the lead-up to 2025?
 
Semel said there will be some help, but he doesn’t expect it to be warm and fuzzy. His reason is worth hearing: since 2017, years before CMMC 1.0 existed, 80% of defense contracts already required contractors to implement all of the controls in NIST SP 800-171. A DoD audit, however, found that fewer than 10% had actually done so, leaving the entire defense industrial base exposed to cyber attacks. That gap is where CMMC came from, and when contractors complained about having to comply, according to Semel…
 
“Their answer was, you’ve taken our money since 2017 when this regulation came out. We are not going to help you pay to implement the regulation. You should have been doing that now for six years. So their position was, no, we’re not going to help.”
 
And, in the worst case, Semel flagged that the DoD has already made it clear that misrepresenting a cybersecurity program while continuing to accept government money exposes a contractor to legal action through the Department of Justice.
 
In case you haven’t picked up on his vibe by this point, Semel sees the stakes as high. Very, very high. 
 
What to do next, according to Semel
 
So, what should the average MSP do next? 
 
First, Semel says to go through the NIST SP 800-171 framework line by line. Do a self-assessment (including how compliant your vendors are), review your score, and decide whether you’re ready for a third-party assessment.
 
Next, Semel says to set aside the shock of the $100k sticker price and think of it from a marketing and business perspective:
 
“When you pay for this, don’t look at that one client or those two clients for whom you have to do this. If you spread this, if you do a million dollars a year in business, so three million over three years, you can add a few percent, three, four percent to every one of your contracts and cover the cost of this whole thing,” he said. 
 

 
Well, Semel has certainly given us a lot to think about. If you’ve been persuaded to prepare for the storm, you know who to talk to. Mike Semel is known as the Complianceologist and is President of Semel Consulting. He’s a Certified CMMC Professional, CMMC Registered Practitioner, Certified HIPAA Security Professional, Certified Cyber Resilient Professional, and a whole bunch more. 
 
What do you think of Semel’s positioning? As always, my inbox is open for stories, questions, or whatever else is on your mind.
 

More from MSP Radio

 

Missed Things? 

How about our latest videos to catch you up? 

The Daily Podcast available as videos

Key Insights from the Service Leadership Compensation Report with Peter Kujawa

Understanding NIS 2: A Deep Dive into European Cybersecurity Regulation with Erik Jan Frieser

Mitigating Risks of AI in Organizations: Insights from Jon Gillham

AI in Cybersecurity: A Nuclear Threat or a Defensive Tool? with Rodrigo Loureiro

The Changing Landscape of Influencer Marketing in 2024: Insights from Lunar Crush CEO Joe Vezzani

Future Challenges and Opportunities for MSPs: A Discussion with Ramsey Sahyoun

Want the Daily News?   

All the stories from the daily Business of Tech Podcast are available in the daily digest; stories are available to everyone for the first five days, and to Patreon supporters forever.  Catch the audio of the show anytime on Apple Podcasts, Spotify, YouTube, or wherever you find podcasts.  Links at businessof.tech

 

Copyright © 2024 MSP Radio, All rights reserved.
