EVERYONE READING “Breach of the Week” news headlines understands the need for better cybersecurity. To force the issue, the U.S. Department of Defense issued the Cybersecurity Maturity Model Certification (CMMC) program that goes into effect October 2025 for fiscal year 2026. All 300,000-plus DoD prime contractors, subcontractors, and other businesses in the “Defense Industrial Base” must comply with the appropriate CMMC level of regulations or lose their contractor status.
“CMMC is the DoD’s reaction to contractors not following earlier requirements to secure data,” says Mike Semel, owner of security advisory firm Semel Consulting and training company Semel Systems. Companies have been required to follow NIST 800-171 guidelines, which codify requirements for securing “”controlled unclassified information,”” since 2017, he notes, but largely haven’t.
Channel pros who get up to speed on CMMC have a high-margin opportunity to help their customers, whether or not they’re defense contractors. “We may see these types of guidelines in a decade for all corporations,” says Kevin Beaver, an independent security consultant at Principle Logic.
The CMMC has five levels that are self-documented or certified in ascending order, as each level is cumulative.”The DoD decides CMMC levels for each part of each contract,” Semel says. Uniforms might not fall under “”high security,”” for instance, but an order for a million uniforms must be protected as confidential information.
All contractors have to be at least CMMC Level 1. At Levels 1 and 2, companies state they follow basic or intermediate cyber hygiene, respectively. Levels 3 through 5 require an audit, and those audit requirements increase with each level. “The teeth of CMMC means higher levels are audited, which is probably what we need,” says Beaver.
Channel pros are already helping customers with some of the 17 domains the CMMC outlines, Beaver says. These include access control, configuration management, maintenance, physical security (IP cameras and surveillance systems), identification and authentication, and data recovery. “”These are really no different from any other ISO 27002 security framework,” he notes.
And those channel pros supporting companies following HIPAA and PCI guidelines are in an excellent position to include some type of CMMC support.
One way to get in on CMMC is providing third-party assessments. “‘Assessment’ is the official CMMC word for ‘audit,'” says Semel. “These are not casual, but assessments with a capital A. MSPs need certification to do these, and if you do an assessment for a company, the code of ethics stops you from selling any services to that client.”
He warns that the process is not one and done. “Certifications for DoD contractors are good for three years, but the auditing team can visit any time.” Companies must stay prepared, implement security improvements constantly, and maintain all the documentation to prove they’ve done so.
There are also consulting certifications available, Semel adds, “”but you can consult for CMMC contractors without certification.”
Both Semel and Beaver agree that there’s a wide range of services MSPs can provide clients without certification, including configuring and patching firewalls. In addition, access control, media protection, physical protection, system and information integrity, security consulting, training, and remediation services are all part of CMMC Level 1’s basic cyber hygiene. “This may be the last high-margin business,” Beaver adds.
“MSPs are in a great position to help CMMC clients protect data and keep their systems safe,” adds Semel. “There are lots of confusing terms in CMMC, but once you learn the vocabulary for that industry, like many did for HIPAA compliance, you can succeed.” In this case, success means as much as $25-$50 more per user, per seat to cover the rigorous requirements.
For MSPs already helping their clients with cybersecurity, Beaver stresses, “None of this is new.”
(For more on CMMC, see CMMC Growing Pains … or More.)
Image: iStock
