EVERYONE READING "Breach of the Week" news headlines understands the need for better cybersecurity. To force the issue, the U.S. Department of Defense issued the Cybersecurity Maturity Model Certification (CMMC) program that goes into effect October 2025 for fiscal year 2026. All 300,000-plus DoD prime contractors, subcontractors, and other businesses in the "Defense Industrial Base" must comply with the appropriate CMMC level of regulations or lose their contractor status.
"CMMC is the DoD's reaction to contractors not following earlier requirements to secure data," says Mike Semel, owner of security advisory firm Semel Consulting and training company Semel Systems. Companies have been required to follow NIST 800-171 guidelines, which codify requirements for securing "controlled unclassified information," since 2017, he notes, but largely haven't.
Channel pros who get up to speed on CMMC have a high-margin opportunity to help their customers, whether or not they’re defense contractors. "We may see these types of guidelines in a decade for all corporations," says Kevin Beaver, an independent security consultant at Principle Logic.
The CMMC has five levels, each cumulative with the ones below it, that are either self-documented or certified in ascending order. "The DoD decides CMMC levels for each part of each contract," Semel says. Uniforms might not fall under "high security," for instance, but an order for a million uniforms must be protected as confidential information.
All contractors have to be at least CMMC Level 1. At Levels 1 and 2, companies state they follow basic or intermediate cyber hygiene, respectively. Levels 3 through 5 require an audit, and those audit requirements increase with each level. "The teeth of CMMC means higher levels are audited, which is probably what we need," says Beaver.
Channel pros are already helping customers with some of the 17 domains the CMMC outlines, Beaver says. These include access control, configuration management, maintenance, physical security (IP cameras and surveillance systems), identification and authentication, and data recovery. "These are really no different from any other ISO 27002 security framework," he notes.
And those channel pros supporting companies following HIPAA and PCI guidelines are in an excellent position to include some type of CMMC support.
One way to get in on CMMC is providing third-party assessments. "'Assessment' is the official CMMC word for 'audit,'" says Semel. "These are not casual, but assessments with a capital A. MSPs need certification to do these, and if you do an assessment for a company, the code of ethics stops you from selling any services to that client."
He warns that the process is not one and done. "Certifications for DoD contractors are good for three years, but the auditing team can visit any time." Companies must stay prepared, implement security improvements constantly, and maintain all the documentation to prove they've done so.