‘No Joke’: How Huntress Is Helping Midmarket Orgs Achieve Complex New CMMC Compliance
If an organization is not compliant with the new CMMC requirements, it may not get that government contract.
Midmarket organizations that fall under the FedRAMP category, or that must adhere to regulatory oversight, can often find themselves bogged down in a morass of obscure rules, a lack of staffing, and blown budgets when attempting to meet compliance.
This week, cybersecurity firm Huntress announced enhancements to its platform that it says can help midmarket organizations achieve Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance.
New rulings from the Department of Defense make changes to the verification process for IT government contractors that handle CUI (Controlled Unclassified Information).
As of Nov. 10, organizations seeking to do business with the government must meet these new requirements, which include a mandatory assessment by a Certified Third-Party Assessor Organization (C3PAO).
To assist customers in meeting these requirements, Huntress now offers CMMC-compliant detection and response via its 24/7 SOC supporting 37 of the 110 NIST SP 800-171 requirements. The company also now offers assessor-ready documentation to help organizations pass CMMC Level 2 assessments in collaboration with compliance consulting firm Defcert.
DoD’s new rule is a “set of contract clauses that allows government, well, specifically DoD contracts, to require you have either a third-party certification or additional self-assessments to make sure that you’re meeting these requirements more fully,” said Ryan Bonner, Defcert founder and CEO.
From Self-Assess To Reassess
Organizations that may have waded through CMMC compliance by “self-assessing” will have to reassess their procedures.
“If [organizations] try to self-certify in the same way [as of Nov. 10] and say, ‘yeah, I’m good,’ that is directly telling the government that we are falsely certifying this, which [now] there’s an actual lever of real authority to go after them,” Jeremy Young, community growth strategist at Huntress, told MES.
Huntress’ new enhancements can, firstly, help organizations with the almost infinite amount of documentation needed for CMMC compliance, Young said.
“The thing that has been top of mind for everyone ... is CRM and SRM, Customer Responsibility Matrix and Shared Responsibility Matrix,” Young added. “But that’s just like the Rosetta Stone. There are all these other documents that you need to prepare and tie that back into the SRM, and that’s what we’ve done to make it easier and put them in a format for documents, Excel spreadsheets that are co-operatable,” he said.
In addition to SRM and CRM documentation, organizations must have a detailed Operations Plan, which breaks down the individual tasks needed to meet compliance.
Huntress’ new capability provides that documentation in a way that “you can take it and then add your other tools in, so it becomes a template for you to get further faster” to meet compliance, Young said.
“What we wanted to do was show people ... the way that requirements are met, and the way that you could document that in a very provable, auditable way, in our attempt to sort of teach best practice. So that’s why we’re providing editable documents,” Bonner said.
The other new capability in Huntress’ platform is CMMC-compliant detection and response backed by an AI-powered, 24/7 SOC.
The new feature supports 37 of the 110 NIST SP 800-171 requirements, Huntress said in a news release. It features a Sensitive Data Mode that blocks unneeded access to potential CUI files. Huntress’ Managed Identity Threat Detection and Response also integrates with Microsoft 365, including Government Community Cloud (GCC) High environments.
Assistance For The Midmarket
Midmarket customers can opt to work with an MSP that partners with Huntress to achieve CMMC compliance.
Nick Pritchard is the vice president of service at First Column IT, an MSP that uses Huntress’ offering to help customers be CMMC compliant.
Fifty percent of their customer base is midmarket, Pritchard said.
“One of the biggest hurdles we have seen for our clients is understanding the flow of their data that they need to keep compliant to CMMC regulations – generally we’re talking about CUI,” Pritchard said.
“That can be a very large hurdle for our clients because there’s not a lot of understanding about where their CUI is, how it’s marked, and where it can go,” he said.
“One of the nice things about Huntress and their offering is that they have Sensitive Data Mode which blocks CUI,” Pritchard added.
“I believe the data and documentation that Huntress has provided will be clear to our auditors and be complete for our auditors. It has been very easy to find and gather.”
“This CMMC is no joke. And you can really be turned down for a contract if you don’t have it,” Pritchard said.