May 16, 2022

Last Updated on January 19, 2024

As the implementation of CMMC 2.0 by the DIB picks up pace, the frequently shifting requirements can be daunting — especially when the guidance is already so complex.

And that’s doubly true for managed service providers (MSPs), who have to contend with diverse and potentially confusing CUI requirements.

In our latest podcast episode, making his 3rd guest appearance, I’m joined by Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, who is here to clear up the confusion and share his insights into how the rollout of CMMC into the DIB impacts MSPs.

Join us as we discuss the current state of CUI for MSPs in the DIB, including:

  • The controls MSPs have responsibility for in a client’s environment
  • The controls clients have responsibility for in their environment
  • The controls MSPs have to implement in their own environment to meet DFARS flow down requirements

Which controls are MSPs responsible for in a client’s environment?

In a shared responsibility environment, an MSP must take some responsibility in the client environment, as well as their own, and the client will need to carry the balance of their internal responsibilities.

The first step in achieving the right state of compliance is knowing which is which.

Caleb’s advice here is to first look at what services the MSP actually offers and what their scope is, per respective client. According to the CMMC scoping guidance, MSPs fall under the Security Protection asset class. So, you need to look carefully at the services you’re providing for each covered client.

Functionality, protection and responsibility

Depending on the nature of the managed services, many MSPs provide some security functionality to the client within the client’s own environment. By default, the MSP becomes liable for compliance of these operational functions. But there is a lot of overlap with what a client is inherently responsible for.

Issues like access control and user permissions must be factored into the effort to achieve CMMC compliance.

For example, a security-oriented MSP would likely need wider access and senior user permissions than the average MSP. Once the client grants the access control, though, the responsibility for getting the managed portion of the offering compliant sits with the MSP. MSPs need to manage services to the required contextualized CMMC controls of each client.

“The scoping guide has started referring to Managed Service Providers more than in any other previous documentation.” — Caleb Leidy

The controls clients have responsibility for in their environment

Access control is always the client’s responsibility.

If you’re taking on a new MSP, you need to cover the onboarding process to make sure that you grant the MSP the appropriate access to resources, data and tools, to fulfill the requirements of their operational scope.

Clients are also responsible for their own information management policies. It’s important to think about this from a governance perspective and outline how things should be done within the company, then apply the CMMC guidance. It’s also key to have a robust information log to share with any MSPs who enter the extended team later on.

You may not be able to see the nitty-gritties of the services that are managed for you (if you’re the client) but you should be aware of the scope of your MSP’s security and compliance responsibilities. This includes documentation for how you can drill down into details that you need if something doesn’t go according to plan, like if there’s a data breach.

“There’s so many different regulations and extra requirements on top of the basic CUI safeguarding rules, which is part of the reason why it’s taking so long to work this all out.” — Caleb Leidy

What controls must MSPs implement in their own environments, to meet DFARS flow down requirements?

MSPs that handle CUI need to be compliant with applicable CUI security guidance, just like their clients.

In addition to that, MSPs naturally sell the peace of mind and convenience that comes with looking after components (and therefore the related compliance) of their clients’ businesses. So, they need to be able to demonstrate compliance.

A recommended approach to start addressing internal compliance at an MSP is to standardize the approach. For each service or client type, it can save time and effort to create template-style documentation that explain what CMMC controls relate to what services, and how you generally implement each control.

The versatility of a gap assessment

For MSPs, knowing where your services stand today in relation to CMMC compliance can begin with a gap assessment. Besides telling you what you need to do to align with CMMC, it will clarify responsibilities, including how you can help clients meet their compliance objectives.

MSPs can accrue significant marketing and operational excellence points if you’re able to bake your policies and procedures in advance for clients, and help line those up with their own policies and procedures.

Perhaps the biggest lesson from this conversation is that MSPs need to carefully evaluate their CUI compliance requirements in a shared responsibilities context and with awareness of flowdown, if they haven’t already. The better you can demonstrate compliance, and the better job you can do communicating with clients about responsibilities, the better your business will look when it comes to contracts, audits… and maybe even NPS evaluations.

“If your CUI is involved, you can’t give a subcontract without validating that the subcontractor has a score in SPRS.” — Caleb Leidy

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.