Last Updated on May 17, 2022
Momentum is building in the US defense supply chain and across government sectors to comply with CMMC 2.0 or NIST 800-171 guidelines for protecting controlled unclassified information (CUI). Managed service providers (MSPs) and managed security service providers (MSSPs) in these environments are beginning to feel the compliance pressure.
If your MSP/MSSP business serves government clients or their subcontractors, do you need to hammer out your CUI protection responsibilities on a per-client basis? Or can you efficiently and effectively identify many of your CUI obligations at the “cross-client” level of your services or by industry sector?
To highlight a range of concerns and best practices for MSPs/MSSPs that may have CUI protection requirements, a recent episode of The Virtual CISO Podcast features Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
Keeping it general
Caleb advocates a generalized, service-level approach for MSPs to identify their CUI compliance exposure as comprehensively as possible, though more detail may be needed.
“You can set things up to say, ‘Within the bounds of our client policies, we know what services we provide and what requirements those services speak to, and we know we’re going to have to access and protect our environment by the clients’ policies as well,’” suggests Caleb. “For an MSP absent of client, jump in and do a gap assessment—or at least look at your services—and understand what services you’re providing that speak to CMMC requirements. That just broadens your ability to answer to those [client concerns].”
Can you provide evidence?
MSPs will increasingly need to demonstrate that they have architected their services to fulfill CUI protection obligations and can back that up within client contracts and business processes. Service providers that can also directly support clients’ CUI duties, such as by documenting how they do things or aligning with client security policies, will compound their competitive advantage.
Whether you are operating in the client environment or they’re sending you their data, the same equation holds: If you are running technology that performs a function on their behalf, and which is critical to a CUI requirement, you need to provide evidence that your controls are operating as intended and in alignment with the requirement.
“So, [MSPs] have to, when assessment time comes—and it’s just good to know for internal business processes anyway—be able to provide evidence that they have put security controls in place that meet the requirements,” Caleb notes.
What MSP clients need to know
Using a common example, Caleb explains the level that clients need to understand MSPs’ controls:
“So, if we look at a SIEM that someone else is managing, you’ve got all kinds of requirements in the Audit & Accountability (AU) family that go into, what are you logging? How are you logging it? What do your records look like? If someone else is managing that for you, you may not have a great amount of insight into day-to-day, but you should know what they’re doing. Be able to provide evidence of what they’re doing and have a lot of insight into that, if you need to get it, right? To provide evidence or to respond to critical information that comes from that kind of service.”
To enjoy the full podcast episode with Caleb Leidy, click here.
Want to know how shared responsibility best practices are evolving? Here’s a blog post you’ll appreciate: The Cloud Security “Shared Responsibility” Model is Evolving