7 Steps to CMMC - Step 5: Find A Managed Service Provider For CMMC
Finding the right Managed Service Provider (MSP) for CMMC compliance could be one of, if not the most important step for aerospace and defense contractors supporting the Department of Defense.
74% of the Defense Industrial Base (DIB) is comprised of small businesses, most of which rely on cloud-based, outsourced third-party solution providers. Many of these DIB organizations are under the impression that they are under an agreement where the responsibilities specific to compliance are provided by their current Managed Service Provider (MSP)/ Managed Security Services Provider (MSSP); these organizations will quickly be surprised when their service level agreement terms do not match up with the requirements of CMMC.
As the Department of Defense (DOD) begins to implement CMMC requirements in 2023, organizations are looking for MSP/MSSPs with experience in helping customers achieve and maintain federal compliance requirements such as DFARS and NIST 800-171. For most Organizations Seeking Certification (OSCs), finding the right Managed Service Provider is an essential step in their CMMC journey.
The goal of this blog is to help you find the right MSP / MSSP for your CMMC requirements.
What is the difference between an MSP and MSSP?
The difference between a Managed Service Provider (MSP) and a Managed Security Service Provider (MSSP) is that an MSP focuses on IT management to support your day-to-day business operations. However, an MSSP provides IT security for your business by adding technology, processes, and service to proactively protect the business as well as scanning your network for threats and remediating vulnerabilities.
Do You Need an MSP/MSSP?
Internal IT departments manage the hardware, software, and information technology services related to a business's internal functions. However, small businesses with one or two IT staff members can no longer provide the necessary skills to support the desktop support environment, network infrastructure, ubiquitous mobile devices, and the ever-expanding cloud-based environments while maintaining security and compliance programs required by the government. No matter how qualified or knowledgeable, a small team will not have time or the breadth of skills to securely architect, administer, and manage these environments.
Many businesses look to MSPs to outsource their IT requirements, and with CMMC, MSP/MSSPs are essential to maintaining compliance. Effective MSPs take care of these basic IT requirements and allow a company to focus on its core competencies.
While this is great from a focus standpoint, it can introduce its own set of issues, vulnerabilities, and compliance headaches if the MSP is not adequately equipped to manage data and processes. Additionally, with the MSP handling almost every piece of hardware, software, infrastructure, etc. - an organization wishing to outsource their IT must assess the right security practices of their MSP to ensure there are no unexpected risks.
Suppliers with CMMC requirements, specifically CMMC Level 2 requirements, are faced with critical decisions when it comes to outsourcing compliance because of industrial complexities and the potential lack of operational resources.
You can download a Cost-Benefit Analysis of using an MSP/MSSP for CMMC here.
MSPs and the CMMC Implementation Timeline
CMMC compliance requires contractors and those handling sensitive data (CUI/CDI/CTI/ITAR) on behalf of the DoD to clearly define obligations and responsibilities when using external providers for compliance.
Here’s the challenge: many MSPs that support government contractors are not singularly focused on CMMC requirements; as a result, there is a potential for misinformation and mass confusion amongst organizations that support the United States Warfighter.
How Do You Choose an MSP for CMMC?
Finding an MSP that fits your business and has experience with CMMC compliance is a difficult task in a market saturated with bad actors offering “compliance as a service.”
Here are a few questions DIB companies should be asking in order to find the best MSP for CMMC:
1. “Do you have a Shared Responsibility Matrix (SRM)?”
CMMC 2.0 Level 2 requires DoD contractors and those handling sensitive data on behalf of the DoD to define obligations and responsibilities when using external service providers (MSP/MSSP). A Shared Responsibility Matrix (SRM) helps explain the responsibilities of external service providers leading organizations seeking certification (OSC) to successful CMMC assessments.
2. “If you do have an SRM, is it mapped to NIST 800-171A?”
Many organizations are unaware that the 110 requirements in NIST SP 800-171 are only half of the battle when it comes to achieving CMMC certification. The only authorized method for determining if 800-171 requirements are implemented is by satisfying all 320 “assessment objectives” in NIST SP 800-171A. A closer inspection of the CMMC Level 2 Assessment Guide reveals that it is really just NIST SP 800-171A by another name.
As a result, any shared responsibility matrix needs to reflect the granularity of NIST SP 800-171A, rather than just NIST SP 800-171. The additional granularity provided by NIST SP 800-171A can be tedious, but it serves double duty in providing business owners with the assurance that their security requirements under CMMC are fully implemented – especially when relying on external providers to get the job done.
3. “Can you provide artifacts/proof for the items covered on the SRM?”
Taking an external service provider at their word for implementing security requirements is not a reliable way of gaining assurance over third parties. The fundamental reason why DoD established the CMMC program, to begin with, is that self-attested compliance simply doesn’t work.
Now put yourself in the shoes of a CMMC assessor analyzing an SRM that indicates upwards of 50% - 70% of the CMMC requirements are being implemented by a third party. Simply accepting their word for it won’t suffice. Using reliable and experienced external service providers makes good business sense, but it doesn’t erase the need for assessors to gain assurance that requirements really are implemented.
4. “Do you have other DoD Contracting Customers?”
If your current provider does not have existing relationships with current DoD contractors, then that is of serious concern. Choosing an MSP who is heavily focused on supporting the Defense Industrial Base will likely be a good candidate for healthy security and compliance posture, especially as CMMC begins to appear in contracts.
Use extreme caution if this is a “new avenue” for the MSP.
Summit 7 was named 2020 Microsoft's US Partner of The Year for Security and Compliance, and recently named the 2022 Microsoft US Partner of The Year for Compliance. Check out our other accolades here.
5. “Is your staff made up of US persons?”
If your company is handling, or will potentially handle export control (ITAR/EAR) data in future contracts, then any external service provider with access to your data will need to be a US person. If your MSP/MSSP has non-US persons on staff or utilizes third-party outsourced personnel to help deliver your services, then there is potential for export control violations depending on the circumstances.
You might not currently have ITAR data, but if you are planning on heading in that direction, it is important to know what your MSP might be doing with the sensitive data; specifically, it's important to know if the MSP understands what platforms have the ability to handle ITAR/EAR data - this could be a good starting point to know if they have done their homework on sensitive data regulations.
6. “Can you support me through our CMMC Assessment?”
When a CMMC assessor is going through your environment they will ask what level of responsibility your MSP/MSSP maintains and will likely ask for documentation as supporting evidence (SRM) as well as to interview the responsible party to make sure how they say they perform that task lines up with the documentation. Your level of responsibility is impacted depending on how many services you are acquiring from an external provider and their ability to prove they perform their functions according to the compliance requirements. The responsible person is the one actually performing the task at hand. The accountable person/company is the one that is ultimately accountable for ensuring that the task is completed.
FedRAMP, DFARS 7012, and Managed Service Providers
Does the MSP leverage FedRAMP Moderate or FedRAMP High cloud-based environments that meet the security needs for holding the information about your environment (vulnerabilities, system documentation, tickets, etc)? If so, are they configuring those environments to the NIST 800-171 standard?
While there are a few FedRAMP High datacenters like Azure and AWS, the majority of cloud services are not hosted in FedRAMP Moderate/High environments, and even fewer are built to CMMC Level 2 (NIST 800-171) or NIST 800-53 security controls. It is important to ask your MSP if their data is stored in a compliant environment.
How does your MSP manage virus’ and vulnerability information? Any system that tracks vulnerability information like anti-virus, missing patches, or operating system levels may fall under the classification of CUI data and require storage in a CMMC Level 2 compliant environment.
Is your MSP leveraging a backup solution that ensures your data is stored in a FedRAMP Moderate environment and secured to NIST 800-171? It is one thing to make sure you are handling your data properly in your email and collaboration system, but that same data is in your backup environment as well.
In short summary, it's important to ensure that the MSP is:
- Is using a FedRAMP infrastructure
- Has a DFARS-compliant infrastructure
- Is US-based and hosted
- Has US citizens to support your environment
7. “Does your company have the SAWCE?”
Slathering your IT environment in premium security and compliant services can be a challenge, especially if your organization is suffering from dry, bland, and crusty compliance issues.
Check out what makes Summit 7 The #1 Managed Sawce Provider for Small-Medium businesses in the DIB.
The right Managed Service Provider (MSP/MSSP) can be a critical component of your cybersecurity program and play a major role in your ability to pass a CMMC assessment. They provide a broad range of services that can help you manage and secure your IT infrastructure. MSP/MSSPS are an important part of the DoD supply chain cybersecurity ecosystem and selecting the right business to work with is essential to maintaining the security of your systems.
When selecting an MSP, it is important to consider their experience working with similar organizations, their technical capabilities, their business continuity plans, and their customer service policies. Cybersecurity is a constantly evolving field, and it is important to partner with an MSP/MSSP that can keep up with the latest threats and trends. The right MSP/MSSP will be a trusted partner in helping you protect your systems against cyberattacks.
Still unsure? Here's a blog and video on achieving CMMC compliance with an SRM.
As the DoD seemingly continues to delay timelines for CMMC, contractors should be moving forward in their steps to CMMC compliance. In the next blog, we'll cover what documentation organizations should be seeking and using to prepare for their upcoming CMMC assessments.