What does the latest proposed CMMC rule mean for MSPs?
Bobby Guerra
CEO of Axiom | Managed Service Provider | Climbing Mount CMMC | Cloud Solutions
Written by: Adam Evans, CISSP
Over the last several years, MSPs have had to grapple with the obligations imposed on our clients because of the Cybersecurity Maturity Model Certification (CMMC). CMMC isn’t new – in fact it’s been discussed within the defense industrial base for several years now. However, MSPs have had a lot of questions.
Well, on December 26th we finally got our answer when the Department of Defense released their long-awaited proposed rule. I took some time to read over the proposed rule and to chat with some other folks in the CMMC ecosystem regarding the impact on MSPs and our clients. Let’s dive in and look at some of the big questions that have been addressed with this rule.
How are MSPs impacted?
Many MSPs have been asking how we will be impacted by CMMC as it progresses. I’ve heard arguments ranging from ‘CMMC will go away’ to ‘MSPs don’t need to worry about this as we’re not in scope.’ Well, let’s see what the rule says.
This rule specifically references ‘External Service Providers’ and defines them as follows:
This sounds an awful lot like Managed Service Providers, doesn’t it? After all, our clients look to us to provide technical support and often security protections. If we are doing this, then chances are we have data that falls under the definition of ‘Security Protection Data’ and, as such, that scopes us into the CMMC requirements.
Do MSPs need to pursue CMMC themselves?
Yes. Moving on.
Just kidding, let’s look a little closer at this. Specifically, we’re going to look at the Level 2 scoping guidance set forth in the proposed rule.
In short, this means if the client of an MSP is required to meet the requirements of CMMC Level 2 or Level 3, then the MSP must also meet the requirements AND be certified themselves at the same level. This applies if the MSP handles controlled unclassified information (CUI) and/or security protection data.
But this isn’t exactly new per se. The CMMC Assessment Scoping documentation from as far back as December 2021 has been saying that MSPs are likely to be part of the assessment scope and should be prepared. And if you’ve been following me for a while now, then you’ve heard me say this several times.
MSPs use a lot of neato tools. How do these fit into this rule?
The MSP ecosystem has a ton of incredible tools that make our lives easier – from fancy security tools, RMM platforms, our PSA tools, and many more. These tools make up the backbone of our support offerings. Let’s see how this proposed rule impacts those.
So, in short – if our tool can process, store, or transmit CUI, then it MUST meet FedRAMP Moderate, FedRAMP High, or equivalent. But in the infamous words of our favorite infomercial personality – but wait, there’s more.
If these tools are used to provide security protections for any CMMC component, then these too must meet the FedRAMP requirements. This means our SIEM tools, EDR platforms, and more are now in scope. This can even extend to our RMM and PSA tools as well.
This is where it gets painful. FedRAMP Moderate and FedRAMP High align to NIST SP 800-53 and contain a LOT of security controls that the provider must meet. Unfortunately, many cloud-based MSP tools do not currently align, which would result in the MSP being non-compliant with this provision.
This also isn’t new per se. DFARS 252.204-7012 has been in effect since 2017.
Hold up a second, that section says that it can meet an ‘equivalent’ set of security requirements. Does that mean my vendors’ SOC report will suffice?
No. The DoD clarified this with a memo published on January 2, 2024. In this memo they state:
So, in short, the only thing equivalent to FedRAMP is in fact just FedRAMP.
This all sounds incredibly expensive. Will the DoD allocate any funding for implementing the CMMC requirements?
No. CMMC is based on NIST SP 800-171, which has been required under DFARS 252.204-7019 since 2017. If an organization has active contracts with DFARS clauses, then the organization has already told the DoD they’ve satisfied these controls, and as such there should be no additional costs to satisfy the requirements. If that’s not the case with an organization, well, that’s a big problem.
Will they help offset the costs of the C3PAO assessment and final certification?
Also no. The DoD breaks down the cost and deems that over the assessment period these costs are not prohibitive.
Do I REALLY have to do all of this to the extent that these CMMC documents state? Surely the DoD will ease up when they realize how this will impact the smaller businesses out there.
Believe it or not, I’ve heard this from MSPs and other technology consultants. This line of thinking is frankly irresponsible, negligent, and dangerous.
CMMC exists as a measure to safeguard sensitive information and is a matter of national security. The DoD will not sacrifice national security to appease the MSP or SMB space.
There is some degree of flexibility with the cybersecurity safeguards outlined under 800-171, which can give organizations some options to meet these requirements. However, organizations still must implement these controls effectively. Failure to do so can result in lost contracts, actions under the False Claims Act, litigation, and more.
What if I’m a small business within the Defense Industrial Base that uses an MSP? What should I do?
In short – start asking questions.
Here’s a few that you should consider:
And of course, if you’re not happy with the answers you’ve received from your current MSP or would like a second opinion – feel free to give us a call here at Axiom.
Wrapping up
Whew, that was a LOT of information. So, let us wrap up the key bullet points.
And that’s a wrap! There’s much more excellent information in this proposed rule, and if you’re an MSP in this space (or a compliance nerd like me) I highly suggest giving it a read.
You can learn more about us and our CMMC journey on our website.
CMMC | RP RPO | DOD Cybersecurity Compliance Government Contractor | MSSP | MSP | CUI | ITAR
10 months: Excellent article, you nailed all the important points. One way we have been working around the FedRAMP situation for our tools interacting with CUI is we make sure no data goes to the cloud and all instances are within the LAN (premise-based installations). Make sure you only get US support for these tools. Must have 2FA. Must have FIPS 140-2 if interacting with any CUI (in transit/at rest). Again, no data goes to the cloud; this then excludes the tool(s) from having to be FedRAMP compliant or “equivalent.” Adam Evans, CISSP or Bobby Guerra, are we on track, or would you recommend anything else?
Delivering Cybersecurity Solutions and Compliance Services
10 months: Adam Evans, very good article and nice summary of the rule with regard to MSPs. I would just point out that MSPs need to give some love to their CMMC Level 1 clients as well. Even at Level 1, MSPs are going to be leaned on heavily to provide assurances of their support for those 15 controls and all the associated assessment objectives. Even though it is a self-assessment, a company executive has to sign an affirmation that they have accurately assessed and are operating under the controls. Self-assessments have a little more teeth under this rule than they have in the past.