How an IT MSP Who is a Security Protection Asset (SPA) Can Support an Organization Seeking Assessment (OSA)
An IT Managed Service Provider (MSP) can provide critical security functions to an OSA that needs to be CMMC Level 2 certified. The role of the IT MSP is particularly relevant when its assets fall under the category of Security Protection Assets (SPA). According to the CMMC Scoping Guidance, Security Protection Assets are explicitly part of the assessment scope and are evaluated against the CMMC Level 2 security requirements relevant to the capabilities they provide.
SPAs contribute to protecting the OSA’s environment by providing security monitoring, incident response, secure access control, and other cybersecurity capabilities.
Examples of Security Protection Assets include:
- Security Information and Event Management (SIEM) solutions
- Cloud-based security solutions
- VPN services
- Managed network services
- Security Operations Centers (SOC)
- Consultants providing cybersecurity services.
Since SPAs are integral to an OSA’s cybersecurity posture, their security implementations and configurations directly affect the OSA’s ability to meet the CMMC Level 2 certification requirements. Most MSPs would be considered an External Service Provider (ESP) whose assets are SPAs.
Responsibilities of an IT MSP (SPA) Under CMMC
As a Security Protection Asset (SPA), an IT MSP must:
- Be Included in the OSA’s System Security Plan (SSP)
- The OSA is required to document the role and treatment of SPAs in their System Security Plan (SSP).
- The SPA’s services and configurations must be described in the network diagram and asset inventory.
- Undergo Assessment Against Relevant/Applicable CMMC Level 2 Requirements
- Even where an SPA does not itself process, store, or transmit CUI, it provides security protection for in-scope assets (i.e., your customer’s CUI scope).
- Therefore, SPAs are assessed against the CMMC Level 2 security controls that are relevant to their capabilities.
- For example: MFA, session termination, password complexity, SIEM/log management, defined baseline configurations, etc. This does not include FIPS 140-2 validated cryptography for the SPA itself; however, encryption following modern best practices is highly recommended.
- Ensure Proper Security Configurations & Protections
- SPAs are responsible for implementing security measures that meet CMMC Level 2 requirements. This includes but is not limited to:
- Secure configuration management (CM)
- Role-based access control (AC)
- Incident response capabilities (IR)
- Continuous monitoring (CA)
- Encryption and secure communications (SC)
- Special consideration should be given to backups that an MSP manages for an OSA. If backups containing CUI are stored in cloud storage, that storage must be FedRAMP Moderate Authorized or Equivalent. If backups containing CUI are stored on a privately managed resource, whether on premises or in cloud storage, FIPS 140-2 validated cryptographic mechanisms should be used both for backup transmission and for the storage of backups at rest.
- Provide Clear Customer Responsibility Matrix (CRM) Documentation
- If an OSA uses an External Service Provider (ESP) like an MSP, the OSA must obtain a Customer Responsibility Matrix (CRM) to demonstrate the shared security responsibilities between themselves and the ESP.
- The IT MSP should provide a Customer Responsibility Matrix (CRM) that clearly defines which parts of the OSA’s implementation of any given security requirement are the MSP’s responsibility and which part remains the responsibility of the OSA customer.
- Comply with Authentication and Secure Access Requirements
- If an MSP provides VPNs, identity management, or remote access services, it must meet the multifactor authentication (MFA), access control, and logging requirements.
- Another example is implementing FIPS 140-2 validated cryptographic mechanisms for the secure communications the OSA uses for CUI at rest and in transit; this requirement does not apply to Security Protection Data (SPD).
- Keep in mind that these are only a few examples of the many requirements that both the OSA and the ESP would need to implement.
Impact on CMMC Certification Costs and Scope:
There has been concern that including Security Protection Data (SPD) and SPAs in the CMMC assessment scope increases costs. That increase would materialize if SPD carried the same protection requirements as CUI. For instance, if FedRAMP Moderate or Equivalent were required for cloud-based SPA solutions (e.g., a cloud-hosted EDR management portal, a cloud-based SIEM) and FIPS 140-2 validated cryptography were required for SPA products, both could sharply increase the price of those solutions. Alternatively, the number of available solutions might shrink, reducing the competition that moderates costs. However, according to the CMMC rule at 32 CFR § 170.19, the final rule was adjusted to clarify that:
- SPAs are only assessed against security requirements relevant to their capabilities.
- If an SPA only stores Security Protection Data (SPD) and does not process, store, or transmit CUI, it does NOT require its own full CMMC certification.
Thus, IT MSPs serving as SPAs should focus on securing their own security tools, logging, and configurations rather than on the CMMC requirements that exist specifically to protect the confidentiality of CUI, such as FIPS-validated cryptography or FedRAMP authorization. Keeping the CUI-level protection burden off SPD is ideal for CMMC adoption across the industry and maintains the separation of risk profiles.
Conclusion
An IT MSP that qualifies as a Security Protection Asset (SPA) can help an OSA meet CMMC Level 2 requirements by providing managed security services. However, their own security controls, logging, access management, and role in the OSA’s infrastructure must be assessed.
Key takeaways for IT MSPs:
- Be included in the OSA’s asset inventory, SSP, and network diagram.
- Ensure compliance with the CMMC security controls applicable to their services.
- Implement all technical controls that apply to SPAs.
- Implement the CMMC requirements (e.g., 3.1.1, 3.1.2, etc.) on the portions of your system that store, process, or transmit CUI or SPD, where applicable.
- Clearly define security responsibilities in a Customer Responsibility Matrix (CRM).
- Ensure your service contracts clearly set the boundaries and liability for handling CUI, whether on your OSA customer’s systems or on your MSP systems.
- Implement strong authentication, encryption, and secure access management.
- Prepare for limited assessment of your tools and services you use to provide your OSA customer’s security functions.
By understanding and fulfilling these responsibilities, an IT MSP can successfully support an OSA in achieving and maintaining CMMC Level 2 compliance while minimizing assessment burdens.