ProShop Clients and CMMC
Some current and prospective ProShop clients have contractual requirements related to cybersecurity and cloud storage. Specifically, DFARS 252.204-7012 requires contractors to implement the controls defined in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” to safeguard covered defense information, including Controlled Unclassified Information (CUI). These requirements form the basis of the Cybersecurity Maturity Model Certification (CMMC) Program. CMMC Model 2.0 at Level 2 contains 110 requirements, or controls. In general, most ProShop clients require Level 2 assessment and certification, but the actual assessment level is determined by each organization’s contracts. ProShop clients either partially or fully inherit some of these controls through ProShop ERP, depending on the nature and application of each control.
ProShop clients retain sole responsibility for the remaining controls. ProShop clients receive a Shared Responsibility Matrix for ProShop’s Cloud Service Offering (refer to the ProShop FedRAMP page), which defines the extent to which each control is partially or fully inherited by the client from ProShop ERP.
ProShop Clients, CMMC and Professional Services
In addition to ProShop ERP, ProShop USA offers several professional services to support client needs. These services include remote training, on-site training, consulting, custom development and client support. These services are subject to CMMC requirements because, in providing them, the company will have and need access to client instances that may contain covered defense information, including CUI.
In fact, DFARS 252.204-7012 specifically requires contractors (e.g. ProShop clients) to flow down the 7012 clause in all subcontracts where performance of the contract involves covered defense information. In this context, and under the latest proposed rule, ProShop clients will flow down 7012 to ProShop USA because ProShop USA is considered a Managed Service Provider.