Last Updated on May 18, 2022
Managed service providers (MSPs) and managed security service providers (MSSPs) in the US defense industrial base (DIB) and other US government supply chains now face elevated scrutiny from clients regarding the flow of controlled unclassified information (CUI) and associated CMMC 2.0 and NIST 800-171 compliance requirements.
If an MSP stores, transmits or processes CUI in the course of providing its services, then it is likely subject to the same compliance obligations as its client(s). But what if an MSP provides what is effectively a cloud service? Does this change their compliance obligations?
To answer the top questions that MSPs/MSSPs need to address around protecting CUI, Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, joined a recent episode of The Virtual CISO Podcast. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
When is an MSP a CSP?
According to the US federal government, an entity that handles CUI in the context of providing cloud services to government agencies is subject to the FedRAMP compliance program, not to CMMC. So, for example, AT&T Cybersecurity would be subject to FedRAMP Moderate compliance before it could sell its SIEM solution to a government agency.
But what about an MSSP that is managing an AT&T Cybersecurity solution on behalf of a DIB org? Does their operation of that cloud service in the client’s environment make them a CSP and therefore subject to FedRAMP? Or are they still just an MSSP subject to CMMC compliance via DFARS “flowdown” requirements in contracts?
According to Caleb, the MSSP in the above scenario is still functioning as an MSSP. However, the company that provides the cloud-based service (AT&T Cybersecurity) would need a FedRAMP Authority to Operate (ATO).
“The client is flowing down the requirement to their MSP, and the MSP has some responsibilities there,” explains Caleb. “But now with any subsequent flowdown, we’re passing CUI to a cloud environment. So now we have an obligation to ensure FedRAMP compliance.”
“Pretty soon you’re going to be asking your babysitter for a CMMC certification,” John jokes. “It might only be CMMC Level 1, but seriously… When you start to think about the way that data flows between organizations, at some point when the federal government turns this on completely, how many organizations are not going to have some type of data that’s classified as CUI, through some type of flowdown, or a flowdown of a flowdown. It’s going to get crazy.”
“It’s going to be really messy,” Caleb agrees.
To hear the podcast episode with Caleb Leidy all the way through, click here.
What’s the connection between FedRAMP and CMMC? Here’s a blog post on the topic: FedRAMP and CMMC – Here’s How They Relate