DoD Contractors: Will You Have to Replace Your MSP?
If you are a defense contractor, then over the next few years you will likely have to be compliant and maybe certified for CMMC, either at level one or level two. Level one has about 17 controls and 59 assessment objectives; level two has 110 controls and about 315 assessment objectives. Assessment objectives are the specifics that an assessor will be looking for to see if you are actually meeting the control.
Okay, so what does that have to do with your MSP?
The DoD loves acronyms, so they recently coined a new one. ESPs or external service providers are those folks who are not your employees but who have access to your data or your security systems. MSPs are one group of ESPs. If you say that your MSP doesn’t need access to your data, that may be technically correct, but they could, technically, access it, that is a problem. For example, they need access to all of your data in order to run backups. That is just one example. But all MSPs need access to your security data like configuration information or log data.
Okay, still clear as mud, right?
Here is the clincher. If you need to be certified then YOUR MSP MUST BE CERTIFIED AT THE SAME LEVEL AS YOU ARE OR HIGHER if they have access to your data or security protection assets BEFORE YOU CAN APPLY FOR CERTIFICATION.
To really make this even more challenging, the tools that THEY use also have to be CMMC compliant (which for tools likely actually also means fedRAMP authorization). Possibly both fedRAMP and CMMC. All of them.
They will also have to meet the incident response requirements of DFARS -7012. That is not easy either.
Next, if you have data on your systems that are ITAR restricted, EAR data or data that is labelled “no foreign” then there is one more caveat for whether you have to find a new MSP. Everyone at your MSP must be a US person (that is a legal term that includes citizens and green card holders, among a few others). That includes the person who is monitoring your systems and responding to the alert at 3:00 in the morning in India. Yes, they have to be U.S. persons. That also includes the people at the MSP’s tool vendors – they have to be U.S. persons too.
Many of these cloud providers don’t do enough government business to make it worth their while to become compliant.
Some questions to get answers to from your MSP.
- Will your MSP be able to achieve CMMC Level x (1,2,3) and also meet the cloud requirements of DFARS -7012?
- Do they want to/plan to achieve CMMC certification for them and their tools? For MSPs for whom their DoD base is small, it is not going to be profitable for them to get certified.
- Are you going to be certified in time, since they have to be certified before you can be certified. That means they have to meet all of the required controls.
- What if there are changes to the proposed rule in the final rule and they decide later that they won’t be willing to get certified? It is possible that you won’t be able to find a new MSP.
- How much more are you going to charge for this new CMMC compliant service? They are spending more money so they are going to want to recoup their expenses
- If you are in a contract, can you even get out of the contract if the regulatory requirements change? If they can’t meet your needs and you can’t get out of the contract, you need to know when the contract expires so that you can plan for a transition.
- Does your MSP have a shared responsibility matrix (SRM)? If not, that is a problem because it means they are not taking this seriously. Does it include their outsourced partners and tools?
If this gives you a headache, it probably should. If you have not started addressing this, now would be a good time.
And if can’t even really get your arms around this, please give us a call.
by 