Is My MSP Ready for CMMC (Post Final Rule)?

    Is your MSP ready for CMMC compliance? How did the final 32 CFR rule affect this? Learn about the implications for MSPs serving the Defense Industrial Base and the key questions to ask in preparation.


    As of October 15, the 32 CFR Part 170 CMMC Rule has been finalized and will go into effect on December 16th. But what changed regarding MSPs? Let’s dig in! 

    Every Managed Services Provider (MSP) that serves the DIB is facing some tough decisions.

    To 'play ball' in the DIB, MSPs will either need to get CMMC certified at the same level their clients will be or participate in every assessment their clients have. However, there are still lots of gotchas and nuances to that statement. To get us started, here’s an excerpt from the final rule:

    [Excerpt from section 170.19 of the 32 CFR rule]

    To do this, MSPs are, or should be, preparing their systems, agreements, pricing, and much more to align with the requirements of the final rule.  

    In this blog post we will explore what you will need to ask your current MSP to ensure you are ready for CMMC. 

    We’ll cover the following exciting topics:  

    • How does CMMC affect MSPs? 
    • Is my MSP in scope for CMMC? 
    • What about subcontractors and non-US persons? 
    • Do MSPs have to be FedRAMP authorized?
    • What questions can I use to interrogate…I mean query my MSP? 

    How does CMMC affect MSPs (Managed Service Providers)?

    If you search the rule for "MSP" or "Managed Services Provider", you won't find it mentioned anywhere. Why? 

    Well, because the DoD needed more acronyms and decided to use a new term: the External Services Provider (ESP). 

    What does ESP stand for?

    It makes sense if you think about it, because that term covers a very broad spectrum of external companies or services your company may use, like cloud services (Microsoft 365, Azure, AWS) or contractors that need access to your FCI or CUI to complete their tasks. 

    It’s important to note that MSPs that do not process, store, or transmit CUI do not have to be CMMC certified, as of this final rule. However, they will have to participate in every client’s CMMC assessment if they are not CMMC certified. If this is your MSP, then you need to ensure you have a very clear SRM in place, as well as an updated SSP to show the scope of their support. However, if your MSP is CMMC certified, then they do not have to participate in any assessments. 

    Another spicy meatball is “Shared Services” in organizations like Private Equity firms and Universities that might be considered in-scope, even if they are internal to the overall organization. 

    Many MSPs outsource services, systems, or personnel to 3rd parties, and this is very important to know. Every company they outsource to may need to get CMMC certified or participate in every assessment, and then every company they outsource to and so on and so on.

    You've heard the saying "💩 rolls downhill?" Well, in the CMMC world, that "💩" rolls uphill. 

    If you're bidding on a contract as a Prime, then you must have an active CMMC certification at the appropriate level at time of award. But – and here's the kicker – every subcontractor you use to execute, service, or support that contract must also be CMMC certified at the appropriate level, and that starts at the lowest level.

    If you have 10 subcontractors, at any level, then you are responsible for ensuring that those 10 subcontractors have the appropriate CMMC certification for the flow downs they will receive.

    Considering it takes 12-18 months to prepare for and achieve certification, you're looking at…a very long time before you can even think about bidding on contracts.

    Do MSPs need to work with all-US persons for CMMC?

    Speaking of who has access to your data, does that include any Non-US Persons? Non-US Persons cannot access ITAR/EAR-controlled data without extensive legal work.

    In my previous role at a DIB company, I dealt with non-US persons a lot. Many of our subcontractors were foreign and there was a lot of legal "stuff" (i.e. TAA, NDAs, etc.) that had to be put in place before they could access systems and data. This caused a lot of overhead, and it was painful at times.

    In the case of MSPs, not only would all their non-US persons need to go through this legal "stuff" for every one of your contracts, but every company they outsource to would have to do the same for anyone with the ability to access this information. The overhead this can create can be a huge headache for any MSP to manage. Sticking with US Citizens is the safest and easiest path forward here. 

    Do MSPs have to be FedRAMP authorized?

    One of everyone's favorite topics (besides FIPS) is FedRAMP. Talk about an exciting discussion, right? I'm sorry to say, we must talk about FedRAMP regarding MSPs too.

    If your MSP is using a cloud service to process, store, or transmit your CUI then that SaaS service must be FedRAMP Moderate / Equivalent or higher. 

    There are very few SaaS products out there for each category, so this limits what your MSP can use. If they aren't already using all FedRAMP'd products, then what is the likelihood that they will rip out and replace systems they are using to support all their other clients just for you or the small number of DIB clients they already have? 

    I've covered a lot of information and scenarios so far, so what's the TL;DR? 

    Here are some key questions you should ask yourself or consider regarding your existing MSP:

    1. Does my MSP process, store, or transmit CUI?

    a. If so, will my MSP achieve CMMC level 2? If you will need a level 3, then so will your MSP! 
    b. If not, can and will they support me in a CMMC assessment?

    2. What is my MSP’s timeline?
    3. Does my MSP have a Shared Responsibilities Matrix (SRM)?

    a. If so, this is a good sign they are taking things seriously.
    b. What cloud providers does my MSP use? Have they verified each cloud provider’s compliance (i.e. FedRAMP Moderate or Equivalent)?
    c. Does the SRM mention any outsourced support? 


    4. Does my MSP support enough DIB clients to make financial sense for them to continue supporting me?
    5. Will the cost of the MSP’s service to me increase? If so, how much?
    6. Are there any non-US persons used in the MSP’s service or support to me? 
    7. Am I in an MSP contract now?

    a. What does it say about compliance or NIST 800-171? 
    b. Can I terminate due to regulatory requirements? 

    This is a complicated and difficult journey. 

    If you're still reading, then congratulations and thank you. 

    Companies in the DIB have many hard decisions to make if they want to continue servicing the DoD, and MSPs (er, ESPs) are just one of them. 

    Luckily, Summit 7 has solved every one of these problems and are more than prepared to service your needs. If you have made it to this point and have decided you need to change MSPs, or maybe you need to start using one, then please reach out in the form below. Operators are standing by! 



    Brad Shannon

    As the Director of Product Management, Managed Services at Summit 7, Brad is responsible for working closely with every department to ensure Summit 7 brings valuable solutions to market. He has 20+ years of IT experience across multiple cloud and on-prem technologies.
