Helping Security Vendors Understand CMMC: “Use a net, not a harpoon.”
Many cybersecurity companies struggle to understand the nuanced requirements of DFARS and CMMC. As a result, government contractors find themselves in the awkward position of being unable to find a vendor contact who can help them.
This article by Ryan Heidorn originally appeared in Washington Technology.
There is a major new revenue stream available to companies that sell cybersecurity solutions. There’s just one problem – vendor sales processes are out of step with the market opportunity, and some buyers are left holding their money with no one to take it.
This revenue stream has been created by the Cybersecurity Maturity Model Certification (CMMC) program, a set of cybersecurity requirements developed by the Department of Defense (DoD) to reduce theft of sensitive information and ensure the integrity and security of the DoD supply chain. CMMC affects an estimated 300,000 companies that, collectively, are the beneficiaries of hundreds of billions of dollars in annual DoD spending.
CMMC, which will require defense contractors to undergo third-party assessment of their cybersecurity practices and receive certification to win new DoD contracts, represents an existential threat (and competitive opportunity) for companies in the defense industrial base. Although DoD contractors have, for several years, been required to implement the cybersecurity requirements in NIST SP 800-171 to protect the government’s sensitive data (Controlled Unclassified Information, or “CUI”) on their networks, CMMC is an enforcement mechanism: secure your information systems or become effectively locked out of working with the DoD.
Cybersecurity vendors play a critical role in contractors’ ability to achieve CMMC certification. At CMMC Level 3 (the minimum level required for contractors who handle CUI), there are currently 130 security practices that span security domains such as Access Control, Systems and Communications Protection, Incident Response, and Audit and Accountability. Almost every vendor in the cybersecurity space could find alignment between their product or service and a CMMC practice requirement. But vendors are leaving money on the table for lack of understanding of a few key aspects of this market.
Separating FedRAMP from Fed Sales
Successful technology companies already know that the U.S. government buys a lot of cybersecurity. Federal sales teams are staffed by seasoned sales directors and channel managers who understand the unique procurement process of federal agencies. Selling to the public sector requires a detailed understanding of federal requirements and programs, including FedRAMP, the program that assesses and authorizes cloud services for use across the federal government.
It’s no easy feat for a cloud service to achieve FedRAMP authorization, but a quick look at the FedRAMP marketplace shows that many cybersecurity vendors have already succeeded in getting their cloud services authorized. But here’s where it falls apart: federal sales teams, with their long sales cycles and massive opportunity values, are often managed completely separately from the commercial side of the company, where sales reps target enterprise accounts within a geographic region, and inside reps process transactional orders for small and mid-sized businesses (SMBs).
In this setup, DoD contractors fall into a sort of “no man’s land,” with public sector requirements but demographics and buying habits that look more like commercial SMBs. In fact, most of the 300,000 companies in the defense industrial base are small businesses (in manufacturing, technology, R&D, and a host of other verticals), who often lean on service providers like MSPs to vet, select, and implement security solutions. At some FedRAMP authorized vendors, finding a sales rep who can process an order can prove surprisingly hard.
Take this recent example: one of our customers had approved budget to purchase a next-gen network security solution from a major, publicly traded company. The customer was a subsidiary of a giant global brand – a logo any SaaS company would go through three enterprise sales reps to acquire. Like all companies working with the DoD, the customer is contractually obligated (under DFARS 252.204-7012 (b)(2)(ii)(D)) to use only external cloud service providers that meet security requirements equivalent to the FedRAMP Moderate baseline when those providers store, process, or transmit the DoD’s sensitive data. We helped the customer identify and select this vendor’s solution in large part because it had already received FedRAMP authorization.
But there’s a catch. Only a subset of the customer’s users needs to interact with CUI, so they wanted to start with a 50-user license. The initial outreach was promising – the first sales rep we connected with had just gotten back from a Quarterly Business Review (QBR), where his sales director was all fired up about “figuring out this CMMC thing.” Yet months later, we were still being shuffled between federal reps (including one who told us that he only handled seat counts over 300,000?), inside reps who couldn’t sell the FedRAMP offering, the Director of Federal Sales, and, finally, a reseller who processes large federal orders.
Believe it or not, I count this as a win. The vendor was attentive, wanted to help, and was diligent in finding someone who could process the order. Many SMBs find it outright impossible to find the right vendor contact to talk about FedRAMP offerings.
Ryan Bonner, a compliance consultant for defense contractors, offers a nautical metaphor to explain the disconnect.
“The defense industrial base [DIB] has millions of users who will need to migrate into DFARS compliant services in the next five years,” he explained. “However, the federal sales teams of vendors with FedRAMP and DFARS alignment won’t touch the average DIB contractor with a 10-foot pole. They’re equipped with a harpoon when they really need a net.”
Enabling inside sales teams to sell FedRAMP offerings is likely a move in the right direction. However, the nuanced context of compliance requirements that DoD contractors are subject to may warrant special treatment within a sales organization, with dedicated sales engineers to bridge the gap between federal requirements and SMB buying habits.
Understanding the Technical Requirements
With hundreds of billions of dollars in defense contract revenue at risk, DoD contractors are motivated buyers. But the realization of this market need alone does not create an effective go-to-market strategy; a deeper technical understanding is required. As vendors start to catch wind of the opportunity, CMMC-related marketing – often in the form of “mapping” guides that show how a given security product aligns to CMMC practices – is flooding the market and confusing buyers.
I recently attended a webinar where a sales executive at a leading endpoint security company suggested that by simply installing their product, 80% of CMMC requirements could be satisfied. Such silver bullets do not exist, and technical marketing teams will need to go beyond a surface reading of CMMC practices to understand the underlying frameworks and practices that inform the CMMC model. Though not directly required under CMMC, the vendor who can talk about system boundaries, STIGs, and data sovereignty will have an advantage in the market over vendors who read the CMMC practices at face value and determine, “yeah, our product does that.”
Take, for example, a multinational industry leader in networking hardware and security solutions whose CMMC marketing tells a story of integrated solutions across product lines, but whose main wireless business unit doesn’t support FIPS 140-2 validated cryptography. CMMC inherits from NIST SP 800-171 (practice 3.13.11) the requirement to use FIPS-validated cryptography whenever cryptography is relied on to protect the confidentiality of CUI, so an unvalidated wireless stack cannot carry CUI on its own.
Requirements at even the lower maturity levels of CMMC for auditing and retaining system logs and for using multi-factor authentication should prompt vendors to emphasize functionality like SIEM integration, RESTful APIs, and support for SAML-based single sign-on (which lets a contractor enforce MFA once, at the identity provider, across every integrated product). The ability to self-host systems and data (to meet data sovereignty or incident response requirements) is also a strong selling point.
And, with the requirement to demonstrate process maturity under CMMC, perhaps the biggest enablement tools vendors can provide to the market are robust technical documentation and sample policy statements that contractors can adopt to help assessors understand how the solution addresses CMMC practices.
Building a Compliance-Driven Sales Strategy
As issues of data security and privacy spur further regulation across all industries, cybersecurity vendors must develop an internal competency for understanding emerging compliance requirements and adjusting their sales tactics accordingly. Vendors like Microsoft, whose Azure Government and Office 365 GCC High offerings provide robust support for DoD contractors to address CMMC alongside the alphabet soup of other requirements they are often subject to, demonstrate a market awareness that will likely set the pace for their competitors.
In addition to aligning sales to the CMMC market opportunity and making sure that marketing and product teams understand the technical details, vendors should also look to strategic channel partners for support. Expanding existing channel strategies – often limited, in the federal space, to a couple of niche partners – to include defense-focused MSPs and consultants could prove invaluable for cybersecurity vendors looking to accelerate outreach to the defense industrial base.
For the DoD, improving the cybersecurity posture of its supply chain is an imperative. With the rollout of CMMC, each of the 300,000 companies that touch a DoD contract represents a captive audience for security vendors. All the tools for success in this market already exist; vendors will just need to trade in their harpoons for a net and a crew that knows how to bring in a big haul.