
Why Does My MSP Need to be CMMC Compliant?

Written by Waits Sharpe | Jul 15, 2024 3:43:39 PM

74% of businesses working within the Defense Industrial Base (DIB) are small- to medium-sized businesses. This means that a large number of contractors will be utilizing a managed service provider (MSP) to help secure their organization and handle their IT concerns. However, not every MSP is created equal, and many organizations may find themselves in trouble come audit time. This is because, under the latest iteration of the CMMC rule, any MSP (or ESP, as written in the rule itself) must be CMMC compliant at the same level as the contractor they're providing their services to.

Many organizations may be asking themselves, "Why does my MSP need to be CMMC compliant?" There are several reasons why the DoD has deemed this requirement important, as outlined below.

Your MSP Must be CMMC Compliant

It is important to reiterate that your MSP is required to be compliant with CMMC in order to offer your business their services. It is not a suggestion or simply good advice, but rather a necessity to remain faithful to your contract. According to the proposed final rule released in December of 2023, "If the OSA utilizes an External Service Provider (ESP), other than a Cloud Service Provider (CSP), the ESP must have a CMMC Level 2 Final Certification Assessment."

Straight from the source, the DoD is clearly stating that any ESP (a term that can be used interchangeably with MSP) must be at least CMMC Level 2 compliant. That being said, many organizations may wonder why this requirement is even necessary.

Why Does Your MSP Need to be CMMC Compliant?

For the longest time, MSPs have not really been bound by industry regulations the way many other organizations have. Many businesses would simply trust that their service provider was capable of protecting their business assets and was doing what it claimed. This represents a large amount of trust, as an entire organization's security will often rely on the expertise of an MSP and its security practices. However, the new CMMC rule recognizes that trust cannot be assumed and should always be verified. Sure, your MSP may claim it is CMMC compliant or can help your business achieve certification, but is there any accountability to ensure this? This is one of the main reasons MSPs are being held to the same standard as contractors. Accountability is key!

Additionally, the intention behind the CMMC rule is to protect controlled unclassified information, or "CUI". In many cases, an MSP may be directly given CUI to protect, or the administrative privileges needed to access it. Let's say your organization is perfectly compliant with the CMMC requirements, but your MSP is not. This one weak link defeats the entire purpose of CMMC compliance in the first place. Suddenly, the service provider you trusted to protect your sensitive data is your greatest vulnerability.

However, these CMMC requirements go beyond just access to CUI. MSPs are tasked with storing, creating, and transmitting large amounts of diverse data that includes more than CUI. Security protection data, i.e. things like log data and configuration data, needs just as much protection. If attackers gain access to security protection data, CUI and other business assets could be at severe risk of being compromised. MSPs also need to be wary of what tools they use within a contractor's environment. RMM platforms or PSA tools must also be FedRAMP compliant to ensure that external applications that touch CUI are secure.

Is Your MSP Prepared?

As a contractor, your organization may already be partnered with an MSP. As you continue to pursue contracts, it's important to make sure your MSP is prepared to support your compliance efforts.

CorpInfoTech is a managed service provider located in Charlotte, NC that offers IT and security solutions to SMBs across the country. As a certified RPO with the CyberAB, we are able to provide CMMC compliance services to SMBs across the DIB. We are also committed to CMMC Level 2 compliance and are fully capable of helping organizations achieve and maintain compliance. Our services include firewall management (xDEFENSE), vulnerability management (v360), security assessments, managed IT, and compliance aid.

Contact us today to learn more about how we can prepare your organization for CMMC compliance!