To understand why external providers can have such a big impact on compliance with DFARS 252.204-7012, DFARS 252.204-7021, and 32 CFR Part 170 (the CMMC Program Rule), think about it in terms of your home’s security. You can spend a significant amount of money and go out of your way to install the best locks, alarms, and cameras available. You can take every precaution known to man. But if you give a spare house key to someone who then leaves it under their doormat, all the security provisions in the world won’t help you.
The same is true in the world of controlled unclassified information (CUI), only on a much larger scale. A CMMC assessment looks at the external providers you rely on (the Program Rule calls them External Service Providers, or ESPs, and MSPs are the most common example), and if one of them is in scope but doesn’t meet the applicable CMMC requirements, guess what – your organization doesn’t, either. Understanding how far that principle reaches is the key to making sure there are no surprises moving forward.
Why Vendor Risk Matters in CMMC Readiness
It’s incredibly common for defense contractors to rely on a network of external providers to support the systems, users, security tools, cloud environments, and more that store, process, or transmit controlled unclassified information. But the fact that those vendors sit “outside” your organization contractually doesn’t mean they sit outside your CMMC readiness.
The clearest example is a managed services provider, or MSP. Because these providers often perform activities that contribute to security control implementation, their practices directly affect an organization’s ability to demonstrate compliance. A contractor may have well-documented policies and procedures, but if an MSP operates a critical security control and cannot provide supporting evidence, assessment readiness suffers.
How External Providers Affect Evidence Requirements
The average organization works with a surprising number of external providers, and the list grows quickly once you start enumerating them. So it shouldn’t be a surprise that one of the most common challenges organizations encounter during CMMC assessment preparation is gathering evidence from third parties.
Never forget that assessors evaluate not only whether controls exist, but also whether your organization can demonstrate that those controls are operating effectively. “Effectively” is the operative word, and it is where vendor relationships start to break down: a control an MSP runs on your behalf still needs evidence (monitoring records, patch history, configuration exports) that you can put in front of an assessor.
Thankfully, many of these providers may already have the documentation you need; you just have to find it. Managed service providers may maintain records showing how systems are monitored, patched, or administered. Service providers may supply responsibility matrices, security documentation, audit/assessment reports, and configuration information that help establish control coverage and give you the material to reference in your System Security Plan.
The problem is that (A) determining what documentation you need and (B) working out where to get it can be time-consuming, to say the least. That’s why vendor risk in CMMC must be addressed as early in the process as possible. If you wait until the final stages to learn that you need information that has to come from a third party, the round trip can delay things significantly. That’s why a vendor risk management platform or some other type of third-party management software is recommended. These tools help identify the need for this data early and store it so that it is available when the assessment arrives.
Where Shared Responsibility Can Create Control Gaps
To manage your own expectations, you also need to familiarize yourself with the concept of shared responsibility. Many people assume that because a vendor such as a cloud service provider offers a service, it is automatically responsible for every related security control. In no uncertain terms, nothing requires that to be true. A provider can hold its own authorization and still document, in its customer responsibility matrix, a long list of controls that remain yours to configure, operate, and evidence.
An MSP is another easy example. It might manage security tools while you retain responsibility for policy enforcement, risk management decisions, and things of that nature. If it isn’t clear who owns what, important activities fall through the cracks and only resurface at the worst possible time.
To avoid this, define for each control who owns it, who maintains the supporting evidence, and who is responsible for corrective action when a deficiency is identified. Establishing that accountability before assessment preparation begins eliminates confusion and creates a more reliable path toward compliance.
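The three questions above (who owns the control, who holds the evidence, who owns the fix) can be checked mechanically once they are written down as a responsibility matrix. The script below is an added illustration, not IntelliGRC code and not a real assessment artifact: it reads a small constructed matrix keyed by NIST SP 800-171 requirement numbers, flags every row where one of the three roles is missing or where a provider operates a control but the customer is expected to produce the evidence, and builds the list of evidence requests that need to go out to each provider early. The column names, owner labels (customer, msp, csp, shared) and evidence references are assumptions for the example.

```python
"""Gap check over a shared-responsibility matrix (added example, not IntelliGRC code)."""
import csv
import io
from collections import defaultdict

PROVIDERS = {"msp", "csp"}
VALID_OWNERS = PROVIDERS | {"customer", "shared"}

# Constructed sample matrix. Control IDs are NIST SP 800-171 requirement numbers;
# the owner assignments and evidence references are illustrative only.
SAMPLE_CRM = """\
control,owner,evidence_owner,evidence_ref,poam_owner
3.1.1,customer,customer,SSP-AC-3.1.1,customer
3.3.1,msp,msp,,msp
3.4.1,shared,msp,MSP-CM-BASELINE-2024Q4,
3.14.6,msp,customer,,customer
3.5.3,csp,,CSP-CRM-IA-3.5.3,customer
"""


def load_matrix(text):
    """Parse the CSV into dict rows, normalising whitespace and owner labels."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        clean = {k: (v or "").strip() for k, v in row.items()}
        for col in ("owner", "evidence_owner", "poam_owner"):
            clean[col] = clean[col].lower()
        rows.append(clean)
    return rows


def find_gaps(rows):
    """Return (control, issue) pairs for every accountability gap in the matrix."""
    gaps = []
    for r in rows:
        c, owner = r["control"], r["owner"]
        if owner not in VALID_OWNERS:
            gaps.append((c, f"unknown owner '{owner}'"))
        if not r["evidence_owner"]:
            gaps.append((c, "no one owns the evidence"))
        if not r["evidence_ref"]:
            gaps.append((c, "no evidence reference on file"))
        if not r["poam_owner"]:
            gaps.append((c, "no one owns corrective action (POA&M)"))
        # A provider operates the control but the customer is expected to
        # evidence it: confirm the customer can actually obtain that evidence.
        if owner in PROVIDERS and r["evidence_owner"] == "customer":
            gaps.append((c, f"operated by {owner} but evidence expected from customer"))
    return gaps


def evidence_requests(rows):
    """Group controls whose evidence a provider owns but has not yet supplied."""
    requests = defaultdict(list)
    for r in rows:
        if r["evidence_owner"] in PROVIDERS and not r["evidence_ref"]:
            requests[r["evidence_owner"]].append(r["control"])
    return dict(requests)


if __name__ == "__main__":
    matrix = load_matrix(SAMPLE_CRM)
    for control, issue in find_gaps(matrix):
        print(f"GAP  {control:<8} {issue}")
    for provider, controls in evidence_requests(matrix).items():
        print(f"ASK  {provider}: evidence needed for {', '.join(controls)}")
```

Run against the sample, the only fully accountable row is 3.1.1; every other row produces at least one gap, and the MSP ends up with an evidence request for 3.3.1. The same check scales to a real matrix exported from whatever tool holds it, and running it at the start of preparation rather than the end is exactly what turns a last-minute vendor surprise into an early to-do item.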
How IntelliGRC Helps Track Vendor-Related CMMC Readiness
If all this sounds like an enormous amount of work, that’s because it can be – especially if you’re still trying to complete these processes manually. You’ll be dealing with endless spreadsheets, email threads, shared drives, and more.
That’s why IntelliGRC is more than just third-party management software. It’s true compliance management software that helps you understand the nuance of each vendor relationship you have, so that none of them becomes a liability at the worst possible moment.
IntelliGRC helps your teams connect vendor involvement to not only controls and evidence, but also remediation tasks, ongoing readiness visibility, and more. By linking these actions and vendor relationships together in a pragmatic and visible way, compliance management software like IntelliGRC provides a clearer view of the entire ecosystem. Organizations can spend less time chasing documentation and more time strengthening their security posture, which is exactly how it should be.
If you’re interested in finding out more information about how external providers impact evidence and control responsibility regarding CMMC compliance, or if you’re going through CMMC assessment preparation and would like to make sure your organization is as prepared as possible, please don’t hesitate to contact the IntelliGRC team today to book your demo.
