
The Final Program Rule for CMMC 2.0 was published in the Federal Register on Tuesday, October 15. This kicks off a compliance countdown—companies that can’t meet CMMC requirements may find themselves unable to bid on or secure Department of Defense (DOD) contracts.
While many organizations are familiar with CMMC 1.0, the updated model raises new questions: Which companies need to meet CMMC 2.0 requirements? What do the new model levels involve, and how can businesses ensure they’re prepared?
This evolving landscape presents an opportunity for sales partners. By positioning yourself and/or your company as a trusted and knowledgeable advisor, you can help customers successfully navigate their CMMC 2.0 journey.
Boosting Value with CMMC 2.0: New Standards and Partner Opportunities
CMMC 2.0 replaces version 1.0. The shift comes as the DOD looks to streamline security compliance by aligning expectations with more familiar standards such as NIST SP 800-171 and NIST SP 800-172.
Version 2.0 also reduces the number of compliance levels from five to three. Level 1 focuses on safeguarding Federal Contract Information (FCI), defined as information “not intended for public release that is provided by or generated for the government under a contract to develop a product or service.”
Levels 2 and 3 focus on Controlled Unclassified Information (CUI), which is information created or held by the government or by businesses on behalf of the government and requires safeguarding under current laws, regulations, or policies. Level 2 addresses the broad protection of CUI, while Level 3 focuses on defending more sensitive CUI against advanced persistent threats (APTs).
The transition to CMMC 2.0 is intended to strengthen the security of the DOD supply chain. As a result, the demand for CMMC compliance is growing as companies prepare to meet new contract requirements. Partners can create value-added opportunities by offering CMMC compliance services in addition to current offerings.
Getting Up to Speed with CMMC 2.0
The key to confidently leading customers toward CMMC 2.0 compliance? Education and training.
With training from ScanSource/Intelisys, partners are better prepared to help clients achieve compliance. Topics covered include:
- CMMC certification levels
- Compliance challenges
- Understanding who is required to comply
Starting the Conversation About CMMC
While some companies know they need to work toward CMMC 2.0 compliance, others are unsure if the new rules apply to them. Opening a conversation about CMMC can help guide customers to the right answer. Not sure how to get started? Try these four questions:
1. Where are you in your CMMC compliance journey?
This question opens the door to further conversation. For some companies, the answer may be “just starting” or “partway there,” which provides an opportunity for partners to showcase their expertise.
For other organizations, the response might be “we’re not sure if we need CMMC compliance,” setting up the next question.
2. Do you do any work with the DOD?
Almost any company engaged in work with the DOD must meet CMMC requirements. Whether they’re manufacturing bolts for military vehicles or writing technical manuals, CMMC compliance is essential.
3. What solutions do you have in place for FCI and CUI?
For businesses already considering compliance, this question helps narrow the focus. Some companies may describe their efforts in detail, while others might assume that what worked for CMMC 1.0 will suffice for the new version. In such cases, partners can guide customers in bridging the gap.
4. What challenges have you encountered so far?
Achieving CMMC 2.0 compliance isn’t necessarily a straightforward process. For example, some companies may struggle with classifying protected information or ensuring they have an auditable trail of data access and usage. By identifying these challenges, partners can help customers develop an effective compliance strategy.
Once partners have identified the need for CMMC 2.0 compliance and determined the appropriate compliance level for customers, the next step is to suggest effective security measures. These may include:
- Conducting a compliance gap analysis to identify and remediate potential weak points
- Recommending specific technologies or services, such as multifactor authentication (MFA) or zero-trust network access (ZTNA)
- Offering pre-assessment services, such as mock audits
- Providing ongoing compliance support to ensure alignment with CMMC 2.0 updates over time
Ultimately, the goal is to establish a foundation for long-term support. By building trust through CMMC knowledge, partners can become the go-to resource for compliance support. This keeps customers coming back for both current services and the peace of mind that comes with CMMC 2.0 expertise on their side.
Taking the Journey Together
Unlocking the CMMC opportunity starts with a simple question: Where are you on your CMMC 2.0 journey? If partners can get customers thinking about the need to prepare for CMMC 2.0 compliance—and demonstrate they have the skills and knowledge to help customers achieve their compliance goals—they can both deliver value-added service and become the go-to resource for compliance support.
Ready to seize the CMMC opportunity? View our end-user campaign kit to begin the conversation with your customers!