
In Part One of this series, we explored the risks and challenges of partnering with the wrong MSP and how those decisions can impact the path to compliance.

Now we’re diving into what traits to look for to find a strong, compliance-ready External Service Provider (ESP) who can truly help you succeed.

Good signs

As promised, there are some things you can look for in an ESP that indicate they're worth looking into further and possibly investing in. Some of these are a tad controversial in the industry right now, since many of them are anecdotal and based on our experience working in this space for some time; however, we think that if you at least consider these items, you'll have a better chance of finding a solid solution you can be confident in. So here are some indications you can incorporate into your search:

  1. They're known for their efforts to help organizations in the CMMC space. They've been around long enough to have a reputation for successfully supporting OSAs with the services you're interested in. It is not recommended to be the guinea pig for a new Compliance-as-a-Service offering unless you have plenty of time and expertise on staff to validate the work and processes performed and ensure they meet the requirements adequately.
  2. They can provide you with the required documentation when you ask for it, not months later. This one is tough because, again, several organizations already have a good relationship with an ESP and want to keep it. But if you're searching for an MSP to prepare for CMMC, you probably don't have time to wait for them to build out a Customer Responsibility Matrix (CRM) that makes sense. It's true that 32 CFR Part 170 and the other formal CMMC documentation don't specify exactly what a CRM must contain or how detailed it needs to be. However, if they can't produce a CRM that at least addresses the NIST SP 800-171 requirements and describes which of those requirements their services cover (and don't cover) and how, then it's probably not a good idea to get involved with them in their current state. If they do have a CRM but it doesn't include the details you think it needs to make your assessment go smoothly, it's up to you either to work with them to get it into a good spot or, potentially, to consider other options. Again, it's your assessment that is at risk, not theirs.

  3. One of the strongest signs of a capable MSP is that they voluntarily prepared for and passed a CMMC Certification Assessment for the system they use to support customers. This, in addition to a well-documented CRM (see #2), should make your life a lot easier when you get assessed, because it shows the MSP understands the requirements and has experience implementing and articulating them during formal assessments. It also means their documented policies and procedures are at least good enough to get them through an assessment, so they'll be familiar with the kinds of obligations, policies, and procedures your company has for your system components. Obviously, this isn't a guarantee, but it is definitely another really good sign that they'll aid you rather than hinder you.

  4. Another good indication that they are prepared to assist you on your journey toward CMMC certification is that they have Cyber AB certified personnel (CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs)) on staff. Similar to #3, this shows they have people who are familiar enough with the CMMC requirements not only to govern their own systems and operations but also to perform their managed services in an informed, GRC-focused way.

There are probably many other good signs that an MSP could be a good fit for your organization as you’re preparing for your assessment and need outside help. I truly believe that an OSA’s assessment could rise or fall depending on the preparedness and quality of their external service providers. So be diligent and wise in how you search out and evaluate them before adding them to your system.

Just so ya’ know

There are a few caveats before I end this article. There are definitely some things that good faith practitioners and experts in this space disagree on, and I certainly don’t want to be so arrogant as to say that “it’s-my-way-or-the-highway” with some of these suggestions and points I’ve mentioned. I would like to flesh out a few topics that have been the subject of recent controversies within the industry.

Firstly, I mentioned that there's not a ton of clarity regarding the definition and scoping of Security Protection Data. Not only is there a lack of clarity on the definition of Security Protection Data, but there are also differing perspectives on the scoping requirements associated with such data. On the one hand, some people believe that technical security-relevant data is only to be considered Security Protection Data if it's being stored, processed, or transmitted (S/P/T) by an asset that's already categorized as a Security Protection Asset because it provides some applicable security function to the system. In this view, the in-scope-ness (yes, I made that word up; you get the picture) of a system component/asset is predicated only on the functions/services it provides and not on the nature of the data it interacts with. This view seems to be supported by the first sentence of the definition of Security Protection Data in 32 CFR § 170.4(b):

“Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment.”

In short, one could interpret this as saying that SPD is only SPD if it's data on an SPA.

On the other hand (admittedly, I hold this position), some people maintain that the scoping of SPAs is not predicated solely on the functions or capabilities the asset provides, but also on the nature of the information the asset processes, regardless of the functions/capabilities it provides. In this view, the asset is brought into scope if the information/data it S/P/Ts is SPD. This view holds that data is SPD if it is "security relevant information" (that definition is still fuzzy) for an in-scope system, regardless of whether the asset on which it is S/P/T also provides some other security function or capability. This view seems to be supported by a different reading of the SPD definition already mentioned, coupled with the definition of an ESP in 32 CFR § 170.4(b) and the example given on the treatment of storage locations for audit log data in the CMMC Level 2 Scoping Guide (see below):

Why does this matter? Well, depending on your position, more or fewer things may need to be in scope and treated as SPAs. For example, in the latter view, a cloud backup storage service or a file server used to back up vulnerability scan reports would be in scope as an SPA, since SPD resides there, even if that file server or cloud backup storage doesn't also provide the vulnerability scanning itself or any other security function at all. It simply stores SPD generated by a vulnerability scanner. In other words, the file server or cloud backup storage is in scope because of the data; the data is not SPD because the asset it sits on is already an SPA that provides some related security function/capability which led to the creation of that data. See the difference and why it can lead to different scoping conclusions? Again, this is a complex topic that should certainly be considered case by case, and many solid professionals in the industry are not all on the same page, so do your due diligence when handling a situation like this.

The other thing I wanted to bring some awareness to is the implications of the following question: "Can an ESP, specifically an MSP or MSSP, that does not store, process, and/or transmit CUI obtain a valid CMMC Certification, since they don't have CUI in their environment?" Remember, I mentioned in good sign #3 that an MSP that has voluntarily gone through a CMMC Certification Assessment should bolster some confidence that they know what they're doing and that they're doing it right. Well, there's been some recent disagreement as to the true answer to this question and the nature of the CMMC program itself, so let's go right to 32 CFR Part 170 and see what it says, and see if we can't come to some reasonable conclusion.

As mentioned earlier, 32 CFR § 170.19(c)(2)(ii) sets forth the documentation requirements for an in-scope ESP as part of the assessment. It also states the following:

“Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment. The minimum assessment type for the ESP is dictated by the OSA’s DoD contract requirement.”

A couple things to notice here:

  1. It does not qualify which ESPs are being referred to. It simply states that the ESP may voluntarily choose to get a certification assessment, right after defining an ESP as a service provider that either processes CUI or SPD. It would seem (to me at least) that if it were referring only to ESPs that S/P/T CUI on behalf of the OSC, it would say something like "Note that an ESP that stores, processes, or transmits CUI on behalf of the OSC…"
  2. In CMMC there are two main assessment types: a self-assessment and a Level 2 (or 3) Certification Assessment. The Certification Assessment is the formal assessment that leads to either a Conditional or Final Level 2 CMMC Status and certification for the OSC. 32 CFR § 170.19(c)(2)(ii) specifically calls out a voluntary "certification assessment" as an option for ESPs. If it wasn't the intention for ESPs to get certifications, it seems the regulation would not have named this assessment type.
  3. Notice the purpose of the voluntary certification assessment. It says the purpose would be "…to reduce the ESP's effort required during the OSA's assessment." If there weren't some tangible proof that the ESP is meeting the requirements on the portion of its system that interacts with customer CUI or SPD, how would the assessment burden on the ESP be any less? It seems to me that the obvious tangible proof that the ESP has implemented the necessary requirements on the portion of its system where such data is processed would be an actual certification. The assessor would then only need to validate that the certification is legitimate and perhaps ask a few clarifying questions, mainly about the CRM, rather than spending much time validating the implementation of requirements on the in-scope portions of the ESP's system, which would otherwise be required per the CMMC Scoping Guide.

Again, this was just to bring awareness to some grey areas in the industry and things that you should be aware of as you wrestle with some of the more complex issues in implementing CMMC and preparing for your assessment.

Conclusion

The relationship between an OSC and their ESP can be a wonderful partnership that leads to success and growth for a business. I’m quite optimistic about the direction many MSPs are headed in. We’ve already seen several MSPs get their CMMC Level 2 Certification and help OSCs secure their environment. IT operations are a vital part of implementing CMMC requirements, and the utilization of an MSP can be the best way to scale your business and get the job done. As we’ve discussed, selecting and working with an ESP for this purpose is a huge responsibility and there’s a lot at stake. So, again, choose wisely!

As mentioned previously, we at IntelliGRC consistently work and partner with MSPs that already are, or are trying to become, the type of MSP the Defense Industrial Base (DIB) needs. Many times, they're the Batmans to the DIB's Gothams. If you're struggling to find an MSP that meets your IT, security, and GRC needs, or you're an MSP trying to figure out a path forward to DIB customer retention but don't know where to start with preparing your organization to support DIB contractors with their CMMC needs, we'd love to talk. Please don't hesitate to reach out to us via the Contact Us page on the IntelliGRC website. You can also touch base with me, Steven Molter, on LinkedIn!

Until next time, Happy Implementing!