CMMC Final Rule Thoughts: Navigating CMMC Compliance for Managed Service Providers (MSPs) and External Service Providers (ESPs)
At North Star Strategies, we believe that "It's about the journey and the destination" when it comes to compliance. Now that the Department of Defense (DoD) has finalized its Cybersecurity Maturity Model Certification (CMMC) rule (32 CFR Part 170), Managed Service Providers (MSPs) and External Service Providers (ESPs) must be ready to meet new certification requirements. The journey might seem daunting, but with the right partner it becomes manageable, and we are here to help you every step of the way.
Key Takeaways for MSPs and ESPs from the Final CMMC Rule
1. Certification Requirements for MSPs and ESPs
As an MSP or ESP supporting contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you will be responsible for specific security practices, depending on the services you provide. According to the final rule:
MSPs and ESPs that handle Security Protection Data (such as logs, configuration baselines, or vulnerability scan results) but do not store, process, or transmit CUI are not required to hold their own CMMC certification. Instead, the services you provide are assessed as Security Protection Assets within each client's assessment, against only the requirements relevant to those services. If you do store, process, or transmit CUI, however, your services are in scope as CUI assets and are subject to a full CMMC Level 2 assessment against all 110 NIST SP 800-171 requirements.
If you use third-party cloud providers to deliver your services, any cloud provider that stores, processes, or transmits CUI must hold a FedRAMP Moderate authorization (or meet the DoD's FedRAMP Moderate equivalency requirement), consistent with DFARS 252.204-7012.
2. The Role of MSPs in Supporting Clients
MSPs are now expected to provide an External Service Provider (ESP) service description and a Customer Responsibility Matrix (CRM) that document which CMMC requirements you, as the service provider, are fulfilling and which responsibilities remain with the client. The client must reference these in its System Security Plan (SSP), so they are a crucial part of preparing for an assessment: they let the assessor see exactly where the MSP's responsibilities end and the client's begin.
3. Scoping and Assessment Changes
One of the more significant changes in the final rule is the emphasis on scoping and asset categorization. For example, Security Protection Assets (such as a SIEM, vulnerability scanner, or endpoint protection platform) must be documented in the System Security Plan (SSP), the asset inventory, and the network diagram, and must meet the security requirements relevant to the protection they provide.
The rule also clarifies how Virtual Desktop Infrastructure (VDI) is treated: an endpoint used only to access a VDI session is out of scope, provided the VDI is configured so that no CUI is stored, processed, or transmitted on the endpoint itself (for example, with local storage, clipboard, and printing disabled). The VDI hosts themselves, which do process CUI, remain in scope. This is a real win for MSPs that deliver VDI, because it makes BYOD (Bring Your Own Device) solutions practical and affordable: the device is out of scope, and only the centrally managed VDI environment has to be assessed.
4. Get Certified to Stay Ahead
MSPs and ESPs that handle CUI for multiple clients will likely want to pursue their own CMMC certification. Otherwise, your environment may be examined as part of every client's assessment, which is cumbersome for you and for them. With your own certification, clients can inherit the requirements you satisfy (documented in your CRM), making the overall process smoother for both parties.
Phased Rollout: Key Dates to Keep in Mind
The final rule lays out a phased approach to CMMC implementation:
December 16, 2024: The 32 CFR rule takes effect. CMMC Level 2 certification assessments by authorized C3PAOs can begin, and contractors can start obtaining certifications ahead of contract requirements.
Mid-2025 (Phase 1): When the companion DFARS acquisition rule takes effect, CMMC requirements start appearing in solicitations and contracts, initially as Level 1 and Level 2 self-assessments.
2026 and beyond (Phases 2 through 4): Starting one year after Phase 1, Level 2 certification assessments by a C3PAO are required for applicable contracts; Level 3 assessments follow a year after that, and CMMC requirements apply to all applicable contracts three years after Phase 1.
How North Star Can Help You
At North Star Strategies, we understand the complexities that come with cybersecurity compliance. As MSPs and ESPs, you are integral to your clients' success, and we are here to ensure you meet the new CMMC requirements with confidence. Our team offers:
Guidance on certification: Whether you are aiming for CMMC Level 1 or Level 2, we can help you navigate the process.
Support with documentation: We will assist you in preparing the necessary SSPs, asset inventories, network diagrams, ESP service descriptions, and Customer Responsibility Matrices.
Expert advice on scoping: We will help you determine how your services fit within your clients' assessment boundaries, which assets fall into which categories, and which responsibilities are yours to own.
Let us be your partner on this journey. Navigating compliance. Securing your future. Reach out to us today to discuss how we can help you prepare for the CMMC certification process.