The Cybersecurity Maturity Model Certification, or CMMC, is a unified standard for implementing cybersecurity across the Defense Industrial Base (DIB). This certification encompasses multiple cybersecurity performance maturity levels ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” CMMC serves as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place. These are necessary to ensure basic cyber hygiene, to protect controlled unclassified information residing on Department of Defense industry partners’ networks and to allow for incorporation into the Defense Federal Acquisition Regulation Supplement; its use is a requirement for contract award.
As you may already know, CMMC adoption is moving along at a rapid pace. C3PAOs are being certified, 50 at last count, and other pieces are in motion to complete the CMMC puzzle. One of the most challenging issues regarding CMMC is the number and diversity of government contractors that will be bound by this certification. With around 300K contractors in the DIB, many of which are small businesses, the work ahead will be daunting. CMMC certification will bring some challenges to the smaller contractors as they look for contract awards. Not only is there the cost to be compliant, but there’s also the need to change some of their business and IT practices.
What happens if small contractors use or plan to use a Managed Services Provider (MSP) for their IT work? We at Tenace would like to give you some tips to make sure you are using the right MSP while keeping yourself ahead of the curve as you work toward, or try to maintain, CMMC compliance.
Make sure your business has internal policies and procedures that your MSP follows.
Having a well-defined set of policies and procedures for your business makes your company vendor agnostic. That is, your company defines how tasks are accomplished and not the other way around.
Tip: Have a cybersecurity expert help while drafting your policies so they address the different requirements of the CMMC while creating a strong security posture for your business.
Ask about your MSP’s cybersecurity practices.
Understanding your MSP’s internal cybersecurity practices will give you a good idea of how they will handle your cybersecurity. Make sure your vendor is following good cybersecurity practices and make sure that they are “practicing what they preach.”
Tip: Make sure that the MSP is able to provide information about who will have access to your systems, where any of your data would be stored (if applicable), and what products they use to manage your network.
Is your MSP willing to modify their practices to accommodate your new cybersecurity requirements?
How is your MSP handling account creation? Who has privileged access to your network? Does your MSP inform you and discuss with you changes to your infrastructure ahead of time? These are just a few examples of the questions that will be presented, but the main idea here is to make sure your current MSP is willing to change how they do things to fulfill your compliance obligations.
Tip: Have the MSP provide any certifications or frameworks that they use to secure their practice. Are they pursuing CMMC certification themselves? If they are going through the same requirements as your company, it will be easier for them to understand your business needs.
Does your MSP have personnel experienced in cybersecurity audits, assessment and authorization?
Having personnel who understand the process of an audit or an assessment will help your company be prepared for the audit process. Understanding what evidence auditors are looking for and having everything in place will make for a smoother audit process.
Tip: There is a difference between having a cybersecurity background and understanding the assessment and authorization process. Having an MSP that understands how an audit is performed and knows what artifacts will satisfy certain controls will give you a much-needed boost toward compliance.
How much support can your MSP provide before/during/after the audit?
Having an MSP that will get you ready for the audit and be available for any questions during the audit can make the audit process a successful one. By the same token, can they help you in case something doesn’t go as planned? Can they remediate findings from the audit, and how fast can they provide their assistance?
Tip: Make sure your MSP will be “on-call” during the audit process. Having access to their knowledge base, practices and artifacts will make an audit much more manageable.