Business Strategy
Channel Insights
Stay Connected
Acer America
Acer America Corp. is a computer manufacturer of business and consumer PCs, notebooks, ultrabooks, projectors, servers, and storage products.


333 West San Carlos Street
San Jose, California 95110
United States


ChannelPro Network Awards

hello 2
hello 3


August 16, 2021 |

C-M-M-C Spells Opportunity

MSPs following cybersecurity best practices have the foundation to add CMMC compliance services to their portfolio.

EVERYONE READING “Breach of the Week” news headlines understands the need for better cybersecurity. To force the issue, the U.S. Department of Defense issued the Cybersecurity Maturity Model Certification (CMMC) program that goes into effect October 2025 for fiscal year 2026. All 300,000-plus DoD prime contractors, subcontractors, and other businesses in the “Defense Industrial Base” must comply with the appropriate CMMC level of regulations or lose their contractor status.

“CMMC is the DoD’s reaction to contractors not following earlier requirements to secure data,” says Mike Semel, owner of security advisory firm Semel Consulting and training company Semel Systems. Companies have been required to follow NIST 800-171 guidelines, which codify requirements for securing “”controlled unclassified information,”” since 2017, he notes, but largely haven’t.

Mike Semel

Channel pros who get up to speed on CMMC have a high-margin opportunity to help their customers, whether or not they’re defense contractors. “We may see these types of guidelines in a decade for all corporations,” says Kevin Beaver, an independent security consultant at Principle Logic.

The CMMC has five levels that are self-documented or certified in ascending order, as each level is cumulative.”The DoD decides CMMC levels for each part of each contract,” Semel says. Uniforms might not fall under “”high security,”” for instance, but an order for a million uniforms must be protected as confidential information.

All contractors have to be at least CMMC Level 1. At Levels 1 and 2, companies state they follow basic or intermediate cyber hygiene, respectively. Levels 3 through 5 require an audit, and those audit requirements increase with each level. “The teeth of CMMC means higher levels are audited, which is probably what we need,” says Beaver.

Channel pros are already helping customers with some of the 17 domains the CMMC outlines, Beaver says. These include access control, configuration management, maintenance, physical security (IP cameras and surveillance systems), identification and authentication, and data recovery. “”These are really no different from any other ISO 27002 security framework,” he notes.

And those channel pros supporting companies following HIPAA and PCI guidelines are in an excellent position to include some type of CMMC support.

One way to get in on CMMC is providing third-party assessments. “‘Assessment’ is the official CMMC word for ‘audit,'” says Semel. “These are not casual, but assessments with a capital A. MSPs need certification to do these, and if you do an assessment for a company, the code of ethics stops you from selling any services to that client.”

He warns that the process is not one and done. “Certifications for DoD contractors are good for three years, but the auditing team can visit any time.” Companies must stay prepared, implement security improvements constantly, and maintain all the documentation to prove they’ve done so.

There are also consulting certifications available, Semel adds, “”but you can consult for CMMC contractors without certification.”

Kevin Beaver

Both Semel and Beaver agree that there’s a wide range of services MSPs can provide clients without certification, including configuring and patching firewalls. In addition, access control, media protection, physical protection, system and information integrity, security consulting, training, and remediation services are all  part of CMMC Level 1’s basic cyber hygiene. “This may be the last high-margin business,” Beaver adds.

“MSPs are in a great position to help CMMC clients protect data and keep their systems safe,” adds Semel. “There are lots of confusing terms in CMMC, but once you learn the vocabulary for that industry, like many did for HIPAA compliance, you can succeed.” In this case, success means as much as $25-$50 more per user, per seat to cover the rigorous requirements.

For MSPs already helping their clients with cybersecurity, Beaver stresses, “None of this is new.”

(For more on CMMC, see CMMC Growing Pains … or More.)

Image: iStock

Editor’s Choice

Midwest MSPs Treated to Personal Stories, Compelling Demos, and More at ChannelPro LIVE: Columbus Show

June 7, 2024 |

Ohio technology professionals joined ChannelPro to share business best practices at the area’s first-of-its-kind event.

Asigra Makes a Splash with New SaaS App Data Backup Platform

June 3, 2024 |

Asigra’s new SaaSAssure platform offers MSPs comprehensive, secure, and easy-to-use backup solutions for SaaS apps, addressing a critical market need and providing an unparalleled opportunity for revenue.

Peer to Peer: John Kampas on Why EMPIST Thrives — Plus, 1 Mistake Too Many MSPs Make

May 31, 2024 | John Kampas

How prioritizing customer protection and technological empowerment helped EMPIST evolve into a “managed technology provider” with an international presence.

MSPs React to Comprehensive, Aggressively Priced Kaseya 365

May 1, 2024 |

Hear from MSP peers on the launch of the new Kaseya 365 program — designed to provide a crucial package of tech services at an affordable monthly price.

Related News

Growing the MSP

Explore ChannelPro


Reach Our Audience