
Why Your MSP Could Disqualify Your CMMC Assessment


Now that CMMC is a mandatory part of participating in the defense supply chain, a lot of businesses are starting to grapple with the requirements and what they mean for operations.

One of the biggest roadblocks is the use of an MSP, or Managed Services Provider. MSPs are the backbone of many businesses that don’t have the resources to spin up entire architectures on their own. It’s a huge benefit and allows companies to exist when otherwise the investment to get started would be way too high. On the other hand, it means a close partner in service that needs to comply with many of the same rules you do.

Understanding what affects your MSP, what your MSP needs to be able to do, and how you can verify all of this is a key part of passing a CMMC assessment or audit. It’s also something you need to do now, not when it comes time for the assessment and you realize you aren’t the only source of possible failure.

BLUF - Bottom Line Up Front

CMMC is now required to join the defense supply chain. MSPs must meet CMMC if they touch CUI. Follow data flow to decide scope. Three exceptions: temporary access services, staffing agencies, and COTS. Options: keep CUI off MSP systems, make MSP meet CMMC, or replace MSP. Require MSP to know CMMC, give logs and proof, include you in processes, and notify you of changes.

Are MSPs in Scope for CMMC?

In short, yes.

Probably.

The longer answer is, it’s complicated. You need to follow the flow of information and understand where that information touches.

The DoD and its prime contractors handle Controlled Unclassified Information, or CUI. When a DoD contractor wants to retain the services of a subcontractor, it needs to make an evaluation: will that subcontractor be providing a service that touches CUI, or not?

If yes, the subcontractor needs to comply with CMMC. If no, they don’t.

For example, if the contractor is using a cloud storage system to hold data while it’s being worked on, and the data being held includes CUI, then the cloud storage system they’ve chosen needs to be CMMC-compliant.


On the other hand, if the contractor is using a CSP that provides a temporary service, such as vulnerability scanning, but does not actually access, process, transmit, store, or use CUI, then that service doesn’t need CMMC.

Follow the information.

CMMC is all about protecting information, not about security for businesses. If the entity (the CSP, the MSP, the service provider, the contractor, or any other entity in the supply chain) handles CUI in any way, they need at least those systems to be CMMC-compliant. They are free to secure just those systems in an enclave model, or to secure their full environment. It doesn’t matter, as long as the information is protected.

This is actually part of a fairly significant change in the recent CMMC Final Rule. Previously, every contractor all the way down the DoD supply chain required CMMC security.

That held even if the CSP didn’t handle information at all. This placed an unnecessary burden on many companies, effectively forcing a lot of services that never touch CUI (or any information at all) to choose between an expensive compliance process and being unable to work with DoD subcontractors at all.

The Final Rule loosened up these restrictions as described above: it’s all about the information. If the information doesn’t flow down, neither does the CMMC requirement.

Three Exceptions to the Rule

There are three situations where an entity like a subcontractor, CSP, or MSP might be exempt from CMMC requirements.


The first is temporary access services. These are services like the vulnerability scanner example above: services that only need temporary, often limited access to the subcontractor’s systems and information. A pen-testing agency doesn’t need to be CMMC-certified to perform pen tests on CMMC systems.

The second is staffing agencies. If an agency provides people, not services, then the staffing agency does not need to be CMMC certified. The individuals provided to the subcontractor will need to behave in accordance with the requirements of the systems they use, so those individuals may need to undergo CMMC and controlled information training, but since there’s no individual CMMC certificate, it’s a matter of roles within the subcontractor.

The third is COTS, or Commercial Off-The-Shelf products. COTS products are commercially available products that have widespread availability to both public and private sector entities, have competitors, and are offered to the DoD DIB with no modifications. These can apply for a CMMC exemption.

Where Do MSPs Fall?

MSPs come in many different forms and provide many different services. They can provide managed IT services, network monitoring, information security and cybersecurity, cloud storage and data processing, data backups, and much more.

Many of these services store, transmit, or transform data. That’s what they’re there for, after all. Hiring an MSP to provide data backups is much cheaper and more reliable than setting up data backup infrastructure on your own. But if the data being backed up includes CUI, then those backup systems (and thus the MSP itself) need to comply with CMMC.

Some MSPs provide services that do not interact with controlled information. These MSPs can likely get by without CMMC, though if you, as the subcontractor, try to use their information-handling services for CUI, you’ll be in for trouble.


The responsibility for assessing whether or not your MSP needs CMMC falls to both you and your MSP. It’s likely something you will need to work together to evaluate, and proper communication is a must.

As a DoD subcontractor, you have a choice:

  • Change your data flows so that CUI never touches systems managed by the MSP.
  • Work with the MSP to assist them in CMMC compliance.
  • Drop your MSP and find another one that is already compliant with CMMC.

As an MSP, you also have a choice:

  • Work to secure your information-handling systems along CMMC guidelines and earn certification.
  • Make it clear to customers that you do not offer CMMC-certified services, and do not take on DIB clients.
  • Use an enclave strategy to implement limited, secured systems specifically for DIB customers.

There are no wrong answers here, only business decisions. Well, that’s not quite true. There’s one wrong answer: handling CUI on unsecured systems.

MSPs, SPAs, and Limited Certification Requirements

There’s one other situation that an MSP can fall into that is worth discussing.

So far, we’ve talked about CUI and the flow-down requirements of CMMC. If an MSP handles CUI (or FCI) in their own systems, they need to have their own CMMC certification, usually at level 2. If they don’t handle CUI, they don’t need to have their own CMMC certification.

Some MSPs don’t handle CUI, but they do handle another kind of data, called SPAs: Security Protection Assets.

SPAs are data that is not CUI itself, but is related to CUI systems. The most common examples come from MSPs that provide security services. SPAs can include data such as firewall logs and security event logs.

If this is the case, the MSP is considered in-scope, not for their own CMMC, but for their client’s CMMC.


As a subcontractor, if you’re using an MSP for security or other controlled system management but not for handling CUI, part of your assessment will include those logs and artifacts of proof. The MSP doesn’t need to be CMMC-certified, but as part of your certification, you need to provide those logs from the MSP.

MSP Pitfalls and Solutions

If you’re a DoD subcontractor and you’re working with an MSP, that MSP has the potential to jeopardize your CMMC certification, so it’s critical that you understand their requirements and how to engage with them, or whether you’re better off changing MSPs.

What should you look for, and how should you navigate this situation?

Check if Your MSP Understands CMMC

This is an important one. Reach out to your MSP point of contact and ask them if they understand the CMMC requirements of working with you.

If they don’t know what they’re required to do, they almost certainly don’t understand or comply with CMMC. If they handle any services for you that touch CUI, then this ignorance puts your certification at risk.

The biggest risk here is MSPs that claim to know what they’re doing, but actually don’t. Some MSPs recognize that CMMC is a keyword that attracts clients, but don’t understand the depth of responsibility tied to it; they may claim that they’re CMMC-ready, but don’t actually comply. If you trust them, only to find out later that their claims aren’t valid, you can fail your assessments.


How can you solve this problem? Talk to the MSP in detail.

  • Ask if they have registered practitioners or CMMC professionals on staff, and talk to them directly.
  • Check for obvious CMMC requirements that you can verify yourself, such as basic access controls, and see whether they are actually in place.
  • Ask for references to other clients that are CMMC certified, and talk to those clients.
  • Check to see if the MSP is listed in the CMMC marketplace.

If you see red flags or your MSP simply isn’t CMMC-ready, it may be best to take an alternative approach. If you’re too deeply invested in the MSP to change, you may be able to adjust your own data flow and work with a second MSP on a limited basis just for CUI, or spin up your own architecture just for CUI and CUI-handling systems.

Make Sure Your MSP Provides Appropriate Data

Sometimes, you have systems designed such that the MSP doesn’t handle CUI, and the MSP doesn’t need its own CMMC certification. However, as discussed above with SPAs, you may need data from the MSP as part of your own CMMC assessment.

Therefore, you need to make sure that your MSP is able to provide you with all of the appropriate data, in the right format, at the right time, and with the right scope.

If your MSP is not providing the right data, is not keeping it accessible and up to date, or is otherwise failing to meet the documentation requirements, the consequences fall on you: you can fail to meet CMMC documentation requirements because of it.


The solution here is easy, at least: make sure your MSP is able to provide you with the right data. Either they do, or they don’t, and if they don’t, you either get them to or you change MSPs.

Ensure Your MSP Involves You in the Process

Occasionally, you might end up in an opposite situation: a case where your chosen MSP is all-in on CMMC, but they put up barriers between their security and you. Acting as a walled garden and handling everything themselves might feel like a good solution, but there’s a critical flaw: if you aren’t able to see beyond the boundary, you can’t prove that they’re doing what they claim.


As part of your own CMMC validation, you need to work with the MSP, not simply trust them. If your MSP is a black box, they aren’t appropriately working with you to ensure consistent data security, and thus can prove to be a point of failure in your assessment.

Again, communication is essential here.

Monitor Your MSP for Changes

Another common problem with MSPs is that MSPs aren’t under your control. Definitionally, that’s the point of an MSP, but it’s also a possible point of failure.

MSPs making changes to their systems, their configurations, their security, or their policies may seem to the MSP to be an internal decision. But when you’re working with them, their policies and procedures affect you. If they change something that puts them outside the rules for CMMC, it can put your own assessments at risk.


Broadly, this means you need an MSP that either is stable and knows how to stay within the bounds of CMMC, or is open to communication and keeps you in mind when it has changes to make.

Ensuring Compliance with Ignyte

Here at Ignyte, we know all of the challenges you can face as a member of the Defense Industrial Base seeking compliance with CMMC. That’s why we built the Ignyte Assurance Platform. Our platform serves as a comprehensive dashboard to monitor your compliance, and helps you ensure that not only are you in compliance, but any subcontractors, CSPs, MSPs, or other services you use aren’t going to put you at risk.


To see how it can work for you, get started by booking a demo so we can show you how it works. We’re sure you’ll be pleased with what you find.
