Article by Jonathan Wolff, Luminant Digital Security
If CMMC is part of your business’s future, when do you look at shifting from a traditional IT provider to a security-focused Managed Services Provider (MSP), and what criteria does the business need to consider?
Cybersecurity Maturity Model Certification (CMMC) is a relatively new standard that is meant to unify the implementation of cybersecurity across the Defense Industrial Base (DIB). This is achieved through a tiered approach that follows a maturity rating of five levels. Level one is focused on the protection of Federal Contract Information (FCI) and consists of 17 basic cybersecurity practices. Level three focuses on protecting Controlled Unclassified Information (CUI) and consists of 130 practices, building on levels one and two. Levels four and five focus on practices that enhance an organization’s capability to protect against advanced persistent threats (APTs); however, the vast majority of organizations only need to reach level three.
When an organization operates fully or even partially within the spectrum of the DIB, it is important to understand the types of agreements or contracts in place and the ramifications of those contracts. Many organizations are now realizing that CMMC will be a part of their foreseeable future and are taking steps to ensure they will be ready when it comes time to have a formal assessment completed. Previously, organizations were allowed to simply self-assess and show a plan of action and milestones (POAM); with CMMC, that has all changed. Organizations must now provide evidence that they are fully compliant with all controls at the time of assessment, or risk non-compliance and possible loss of contracts.
The realization that compliance with CMMC standards is all or nothing has caused many organizations to reevaluate their priorities and business objectives. This includes deciding whether the juice is worth the squeeze in terms of operating in the DIB to begin with. The stringent requirements force organizations to take a hard look at how they operate and at the impact the practices will have on operations. This includes technology that not only satisfies the practices, but also enables the workforce to continue to operate.
For small to medium-sized businesses that operate within the spectrum of the DIB, this is a large challenge to overcome, as they often do not have the resources available to larger enterprises. This typically means smaller businesses will have to be strategic in how they approach CMMC, including leveraging outside expertise. When it comes to Information Technology (IT), it can be difficult for a small business to keep up, and outsourcing IT operations to an MSP has been a great option for businesses for many years. This is where things seemingly are coming to a head. Traditional MSPs are not designed or prepared for what comes with CMMC, and most are currently trying to figure out how to support their customers.
With technology underpinning many of the controls in CMMC, it is important for organizations with CMMC requirements to ensure that their internal IT department or IT provider has a security-first mindset, approaching the controls from a foundational level. This is an important step to evaluate early in the process, as many of the practices compound on one another. Making this evaluation and decision early in the process allows the organization to be strategic with available resources, which can be hard to come by. Partnering with a security-first MSP who already understands compliance will pay dividends when it comes to supporting standards and practices, as well as maintaining your CMMC certification.
When a business needs to evaluate partners with a security-first mindset, it is important to look for key indicators that will help it make an informed decision. First, and most importantly, companies must assess the culture fit. Do your organization and the prospective MSP have a like-minded company culture and vision? This is the single greatest contributor to success between an organization and a partner. Does the MSP have experience with clients under compliance frameworks such as PCI-DSS, HIPAA, DFARS, NIST CSF/800-171, ISO 27001, or CMMC?
Understanding what experience an MSP has with other frameworks, and the efforts they have already put toward CMMC, will give you a better understanding of how security-focused they truly are. This includes the frameworks they must adopt internally to facilitate IT support for their clients. Ask what frameworks they comply with and how past assessments have gone. Speak with references! Ask for client references you can speak with and get firsthand feedback.
When evaluating, it is extremely important to get a good look at how an MSP operates around compliance frameworks and the impact that has on operations. It is one thing to be compliant, but it is a completely different thing to comply while keeping operations functional and end users happy. Getting firsthand feedback from client references should give you a better idea of how well the MSP performs while operating within the confines of various frameworks.
The most important step is to evaluate early and ensure you’re partnering with a like-minded, security-first MSP. Ensuring the foundational building blocks are in place is crucial, and with technology being such a large factor for CMMC, partnering with a security-first MSP is a key element of a successful CMMC journey.
If you have questions, concerns or need assistance navigating the cyber-risk landscape of your MSP, contact us.