MSP Grader
Your Results
Based on the information you provided, we have calculated a grade for your MSP. Meeting CMMC (Cybersecurity Maturity Model Certification) compliance can be a complex and challenging process, and it is crucial to ensure your MSP has the knowledge and resources to support your CMMC compliance.
A link to these results has been sent to the email you provided so you can reference this later.
Does your MSP have a Shared Responsibility Matrix?
✔ Yes, they have a shared responsibility matrix
CMMC 2.0 Level 2 requires DoD contractors, and anyone handling sensitive data on behalf of the DoD, to define the obligations and responsibilities of any external service provider (MSP/MSSP) they use. A Shared Responsibility Matrix (SRM) documents which party, you or the provider, owns each requirement, which is what allows an organization seeking certification (OSC) to go into a CMMC assessment knowing exactly what it must prove itself and what it inherits.
✕ No, They don’t have a Shared Responsibility Matrix
This is a HUGE red flag.
CMMC 2.0 Level 2 requires DoD contractors, and anyone handling sensitive data on behalf of the DoD, to define the obligations and responsibilities of any external service provider (MSP/MSSP) they use. A Shared Responsibility Matrix (SRM) documents which party, you or the provider, owns each requirement. Without one, you cannot tell an assessor which controls you inherit from the MSP, and the MSP cannot show it has even thought about its share of your compliance.
⚠ I don’t know
This is a VERY important thing to know, and it’s something they should be communicating to you.
CMMC 2.0 Level 2 requires DoD contractors, and anyone handling sensitive data on behalf of the DoD, to define the obligations and responsibilities of any external service provider (MSP/MSSP) they use. A Shared Responsibility Matrix (SRM) documents which party, you or the provider, owns each requirement. Ask your MSP for it directly; if they cannot produce one, treat the answer as "No".
Is Your MSP’s SRM Mapped to NIST 800-171?
✔ Yes, it is mapped
This is good, provided the mapping goes down to the assessment objectives in NIST SP 800-171A rather than stopping at the 110 requirements. Many organizations are unaware that the 110 requirements in NIST SP 800-171 are only half of the battle when it comes to achieving CMMC certification. The only authorized method for determining whether the 800-171 requirements are implemented is satisfying all 320 assessment objectives in NIST SP 800-171A. A closer inspection of the CMMC Level 2 Assessment Guide reveals that it is really just NIST SP 800-171A by another name.
✕ No, It is not mapped
This is a problem: an SRM that is not tied to the requirements cannot tell an assessor who owns what. Many organizations are unaware that the 110 requirements in NIST SP 800-171 are only half of the battle when it comes to achieving CMMC certification. The only authorized method for determining whether the 800-171 requirements are implemented is satisfying all 320 assessment objectives in NIST SP 800-171A. A closer inspection of the CMMC Level 2 Assessment Guide reveals that it is really just NIST SP 800-171A by another name.
⚠ I don’t know
It’s very important to know whether their SRM is mapped to the assessment objectives in NIST SP 800-171A, not just to the 110 requirements in 800-171.
Many organizations are unaware that the 110 requirements in NIST SP 800-171 are only half of the battle when it comes to achieving CMMC certification. The only authorized method for determining whether the 800-171 requirements are implemented is satisfying all 320 assessment objectives in NIST SP 800-171A. A closer inspection of the CMMC Level 2 Assessment Guide reveals that it is really just NIST SP 800-171A by another name.
Can Your MSP provide artifacts/proof for the items covered on the SRM?
✔ Yes, They Can
This is a great sign. Put yourself in the shoes of a CMMC assessor analyzing an SRM that indicates upwards of 50% – 70% of the CMMC requirements are being implemented by a third party. Simply accepting the provider's word for it won’t suffice; the assessor will want evidence (configurations, policies, logs, screenshots) for each inherited objective, just as they would for the ones you implement yourself.
✕ No, They Can Not
This isn’t a good sign. Put yourself in the shoes of a CMMC assessor analyzing an SRM that indicates upwards of 50% – 70% of the CMMC requirements are being implemented by a third party. Simply accepting the provider's word for it won’t suffice; every inherited objective still has to be backed by evidence, and if the MSP cannot supply it, those objectives will be assessed as not met.
⚠ I don’t know
Put yourself in the shoes of a CMMC assessor analyzing an SRM that indicates upwards of 50% – 70% of the CMMC requirements are being implemented by a third party. Simply accepting the provider's word for it won’t suffice. Ask your MSP now what artifacts they will hand over for each item they own on the SRM, before an assessor asks you.
Does your MSP have other DoD Contracting Customers?
✔ Yes, They Do
This is a must-have. You don’t want CMMC to be a “new avenue” for the MSP. An MSP that is heavily focused on supporting the Defense Industrial Base is far more likely to already have a healthy security and compliance posture.
✕ No, They Do Not
Use extreme caution if CMMC is a “new avenue” for the MSP. An MSP that is heavily focused on supporting the Defense Industrial Base is far more likely to already have a healthy security and compliance posture than one learning the requirements on your contract.
⚠ I don’t know
Use extreme caution if CMMC turns out to be a “new avenue” for the MSP. Ask for references from other DoD contracting customers; an MSP that is heavily focused on supporting the Defense Industrial Base is far more likely to already have a healthy security and compliance posture.
Is Your MSP’s staff made up of all US persons?
✔ Yes, They Are
If your company is handling, or may handle in future contracts, export-controlled (ITAR/EAR) data, then any external service provider personnel with access to that data will need to be US persons. Having that in place now means you will not have to change providers when such a contract arrives.
✕ No, They Are Not
If your company is handling, or may handle in future contracts, export-controlled (ITAR/EAR) data, then any external service provider personnel with access to that data will need to be US persons. Otherwise, depending on the circumstances, there is potential for an export control violation every time a non-US person at the MSP touches that data.
⚠ I don’t know
If you handle, or may handle, export-controlled (ITAR/EAR) data, any external service provider personnel with access to that data will need to be US persons. Otherwise, depending on the circumstances, there is potential for export control violations. This is something your MSP should be able to answer in writing.
Can Your MSP support you through your CMMC Assessment?
✔ Yes, They Can
How much of the work falls on you depends on how many services you acquire from the external provider and on their ability to prove they perform those functions according to the compliance requirements. The responsible party is the one actually performing the task at hand. The accountable party is the one who must answer for the task being completed; for CMMC that is always the contractor seeking certification, even for tasks the MSP performs, so the MSP's support during the assessment directly affects your outcome.
✕ No, They Can Not
This is a deal-breaker. How much of the work falls on you depends on how many services you acquire from the external provider and on their ability to prove they perform those functions according to the compliance requirements. The responsible party is the one actually performing the task at hand. The accountable party is the one who must answer for the task being completed; for CMMC that is always the contractor seeking certification, so an MSP that will not show up for your assessment leaves you answering for controls you do not operate.
⚠ I don’t know
This isn’t a good look for them. You want to be confident that they can support you through your assessment.
How much of the work falls on you depends on how many services you acquire from the external provider and on their ability to prove they perform those functions according to the compliance requirements. The responsible party is the one actually performing the task at hand. The accountable party is the one who must answer for the task being completed; for CMMC that is always the contractor seeking certification, so get a clear commitment from your MSP on assessment support before you schedule one.
Does Your MSP Have DIB Expertise?
You don’t want anyone but the best handling something as important as your cybersecurity and compliance.
Check out what makes Summit 7 a top Managed Service Provider for Small-Medium businesses in the DIB.
Talk to an Expert
Our team of compliance and cybersecurity experts are on standby and ready to help.
