Last Updated on January 19, 2024
Third parties that store, transmit and/or process sensitive data inherently introduce an element of security and compliance risk to their clients—and potentially vice versa. Case in point: managed service providers (MSPs) and managed security service providers (MSSPs) serving the US defense industrial base (DIB) and other US government supply chains will increasingly need to address CMMC 2.0 and NIST 800-171 compliance requirements that “flow down” from their clients that handle controlled unclassified information (CUI).
How can MSPs/MSSPs most efficiently address potentially overlapping security and compliance responsibilities around CUI?
To share advice and best practices for MSPs/MSSPs and their clients regarding CUI protections, Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security, joined a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
What is a shared responsibility matrix?
If an MSP provides a suite of relatively standardized services to their clients, it should be straightforward to look at how your service-related security controls comply with CMMC practices and NIST 800-171 requirements. From there, you can develop a security responsibilities “template” to share with clients.
From the viewpoint of the MSP, Caleb explains: “’We know this is what we do and what we control. We know that for this same set of requirements, you, our client, are going to need to take part of [the controls], and here’s exactly what those things are. Here’s what we do and how we’re meeting it.’ And you have that all laid out ahead of time.”
Giving clients this guidance to support their security program and compliance process is a highly beneficial service that shows you understand their needs. The more details and evidence of control operation an MSP can provide, the better.
Besides making clients happy, creating a shared responsibility matrix reduces the overall level of work for an MSP to achieve, maintain and attest to its own compliance responsibilities. One reason is that the need to drill down into client-specific implementation details in response to compliance queries is reduced. Plus, working on the matrix gives you a better view of your compliance picture so you won’t often be surprised by compliance requirements going forward.
Thus, developing a shared responsibility matrix not only helps with marketing and customer relationships, but also with efficiency and effectiveness of an MSP’s internal operations.
“If you have smart clients, they will flow down that [CUI protection] requirement,” John clarifies. “And you [the MSP] are going to be asked for documentation to reflect that. The responsibility matrix is that documentation, and you’re providing that from the very first moment that you start working with them.”
Going a step further
To further distinguish itself as a partner that understands security and compliance, an MSP can evolve its shared responsibilities matrix into a prepopulated System Security Plan (SSP) template for clients. This is similar to the generic SSP content that AWS or Microsoft Azure make available to users in relation to their FedRAMP ATOs.
Clients can just copy the information that relates to their controls as a basis for those sections of their SSP (a required document for CMMC or NIST 800-171 compliance). Pretty valuable stuff!
“That makes it super easy for a client to come in and know what they need to do, and to already have the documentation they need for evidence and verification that those practices are being met,” says Caleb.
To hear the podcast episode with Caleb Leidy all the way through, click here.
What’s the connection between FedRAMP and CMMC? Here’s a blog post on the topic: FedRAMP and CMMC – Here’s How They Relate
A Simple Guide to Comply with the DoD's Cybersecurity Maturity Model Certification (CMMC) This NEW CMMC V2 Certification Guide will give you a quick and easily digestible introduction to the CMMC and the process we use to help our clients become CMMC compliant.