The Pentagon has released proposed rules to incorporate Cybersecurity Maturity Model Certification (CMMC) requirements into the contracting process, featuring a three-year phased rollout. Contractors will need to either self-assess or obtain third-party certification based on data sensitivity, with compliance required at the time of contract award. By the end of the rollout, 35% of contractors handling sensitive data will need a level two certification, while 65% will require a level one self-assessment. The comment period for the proposed rule ends on October 14, 2024.
Speaking of CMMC, ConnectWise has announced its commitment to assist managed service providers (MSPs) in achieving CMMC Level 2 compliance by 2025. The company plans to implement a staged adherence strategy, including achieving compliance in a separate AWS environment, evaluating Level 3 requirements, and providing hosted CMMC-compliant products. A key quote “With our hosted solution across the company’s solutions, MSPs can easily access and leverage our CMMC-compliant products, empowering them to navigate the complexities of CMMC Level 2 with confidence.”
Why do we care?
I’m a touch worried about misguided providers thinking that if their tool providers achieve CMMC compliance, they, too, will get this by some kind of osmosis. This rule compliance is a primary concern for the providers, and should absolutely be done in coordination with their vendors. Kudos to ConnectWise for doing their part, I’m just a bit concerned about this kind of potential positioning.
And if you have comments on the requirements, now is your time.

