ConnectWise Launches New Program to Support MSPs on the Path to CMMC Level 2 Compliance
In an era where cybersecurity threats are ever-evolving and regulatory frameworks are becoming increasingly stringent, ConnectWise, a leading software provider for Managed Service Providers (MSPs), has taken a significant step forward. The company has rolled out a new program aimed at assisting its MSP partners in achieving compliance with the Cybersecurity Maturity Model Certification (CMMC) Level 2 requirements. This initiative is crucial as organizations strive to bolster their cybersecurity measures and protect sensitive information.
Understanding CMMC Level 2 Compliance
Achieving CMMC Level 2 certification is a pivotal milestone for organizations, indicating that they have progressed beyond basic cybersecurity measures. This level signifies the implementation of more formal and structured processes designed to safeguard sensitive information, particularly for those working with the U.S. Department of Defense (DoD). The CMMC framework, developed by the DoD, aims to enhance the cybersecurity practices of its contractors, ensuring that sensitive data, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), is adequately protected.
CMMC 2.0, the latest iteration of this cybersecurity model, streamlines requirements into three levels, aligning them with widely accepted NIST cybersecurity standards. Level 2 serves as an intermediary step between basic cyber hygiene (Level 1) and the more advanced requirements of Level 3, which focuses on protecting CUI.
ConnectWise’s Strategic Approach to CMMC Level 2
ConnectWise has outlined a comprehensive strategy to achieve CMMC Level 2 compliance by the October 31, 2025 deadline. This strategy includes:
-
Achieving CMMC Level 2 Compliance: ConnectWise plans to launch its initial compliance efforts in an isolated AWS Commercial hosting environment, separate from existing environments. This approach will allow the company to implement the necessary training and controls required for Level 2 compliance, ultimately enabling them to guide their partners through the compliance process more effectively.
-
Hosting in Government Community Cloud (GCC): Following the attainment of Level 2 compliance, ConnectWise will evaluate the requirements for Level 3 and explore potential hosting in GCC environments, which are specifically designed to meet the needs of government contractors.
- CMMC-Compliant Product Portfolio: ConnectWise aims to make its CMMC-compliant products available to MSPs, providing them with the tools necessary to navigate the complexities of CMMC Level 2 compliance. This initiative will support partners in safeguarding their clients’ data and contribute to building a more robust cybersecurity ecosystem.
Patrick Beggs, ConnectWise’s Chief Information Security Officer, emphasized the company’s commitment to empowering MSPs. “By providing comprehensive solutions and guidance, we aim to empower MSPs to navigate these challenges with confidence and ensure the security of their clients’ data,” he stated. “Together, we can build a stronger and more resilient cybersecurity ecosystem.”
The Importance of CMMC Certification for Service Providers
Carter Schoenberg, Vice President and Chief Cybersecurity Officer of SoundWay Consulting, a firm specializing in CMMC compliance for MSPs, highlighted the critical importance of external service providers like ConnectWise obtaining CMMC Level 2 certification. He noted that this certification is essential before their clients can achieve compliance. However, Schoenberg cautioned that certification for service providers does not automatically guarantee compliance for their clients.
“There is a significant disconnect in the industry regarding these material facts,” Schoenberg explained. He pointed out that while ConnectWise may be evaluated for certification scoped to their environment, this does not necessarily reflect how they perform services on behalf of their clients to demonstrate conformance with CMMC.
Schoenberg also noted that many businesses outsourcing their cybersecurity do not fully understand what to look for in their service agreements. Often, the language in MSP/MSSP service level agreements is vague and tends to favor the service provider rather than the client. He commended ConnectWise for taking the initiative but emphasized that “the devil is in the details.”
Key Aspects of CMMC Level 2 Compliance
Achieving CMMC Level 2 compliance involves several critical aspects:
-
Intermediate Cyber Hygiene: Organizations must establish and document standard operating procedures for their cybersecurity practices, laying the groundwork for more advanced practices.
-
Processes and Practices: Level 2 includes 17 domains with 110 security practices derived from NIST SP 800-171. Organizations must demonstrate a documented and managed plan for implementing these practices.
-
Self-Assessment and Third-Party Assessment: Organizations may be required to undergo a third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO) to verify compliance, with the level of rigor depending on contract requirements.
- Certification Requirement: Organizations seeking to work on DoD contracts involving CUI must achieve at least CMMC Level 2, serving as a stepping stone toward higher maturity levels.
Key Requirements Include:
-
Access Control: Implementing measures to restrict access to information only to those who need it.
-
Incident Response: Establishing procedures for detecting, reporting, and responding to cybersecurity incidents.
-
Risk Assessment: Regularly assessing the organization’s cybersecurity risks and adjusting practices accordingly.
- Security Awareness Training: Providing regular training to employees on cybersecurity best practices.
Conclusion
As the cybersecurity landscape continues to evolve, the importance of achieving CMMC Level 2 compliance cannot be overstated. ConnectWise’s new program is a significant step in supporting MSPs on this journey, providing them with the tools and guidance necessary to navigate the complexities of compliance. By fostering a stronger cybersecurity ecosystem, ConnectWise is not only enhancing its own capabilities but also empowering its partners to protect sensitive information effectively. As Schoenberg aptly noted, while the path to compliance may be fraught with challenges, the collaborative efforts of service providers and MSPs can lead to a more secure future for all.