Is Your MSP, MSSP or Cloud Service Provider Risking Your NIST 800-171 Compliance & CMMC Readiness?
Are you a Defense Industrial Base (DIB) contractor that uses an External Service Provider (ESP) like AWS, GCC or an ERP that contains Controlled Unclassified Information (CUI)? Then you should consider that, as of today, ESPs will be included in scope for assessments, which requires them to follow specific rules outlined in NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC). In addition, although not a requirement today, we highly anticipate that ESPs like Managed Service Providers (MSP) and Managed Security Service Providers (MSSP) will also fall under scope. Considering that these ESPs currently or will eventually fall under the scope of a CMMC Third-Party Assessor Organization’s (C3PAO) CMMC assessment, it will be critically important for you to verify that your IT providers are compliant, or at the very least compliance ready, before your own audit. As many small businesses lack the resources to employ full-time IT and cybersecurity staff, the majority outsource their IT needs to ESPs. These providers handle day-to-day IT responsibilities that smaller companies can’t, such as network monitoring, server administration, data storage, backup and disaster recovery, help desk technical support, and software/application management. For defense contractors handling CUI that rely on ESPs to house their critical data or help manage IT operations, the need for these stringent cybersecurity measures only increases. FedRAMP and NIST 800-171 compliance serve as a baseline for ensuring that these ESPs implement effective security controls and adequately safeguard CUI, alongside any other forms of sensitive information, from threats and unauthorized access. Keep in mind that FedRAMP certification is required for entities providing cloud services to all branches of the Federal Government, whereas CMMC is for organizations seeking to secure contracts with the Department of Defense (DoD).
Furthermore, DFARS 252.204-7012 mandates that contractors using external CSPs to handle Controlled Defense Information (CDI) must ensure that the CSP meets the FedRAMP Moderate baseline security requirements, or their equivalent. For these providers, achieving FedRAMP Moderate or its equivalency will be essential to your organization’s ability to achieve CMMC and adequately safeguard CUI.
Is Your MSP/MSSP & Cloud Service Provider NIST 800-171 Compliant & CMMC Ready?
It’s critically important that your MSP, MSSP, and CSPs not only understand the full breadth of your compliance requirements, but that they can prove they’ve also implemented the required solutions that fulfil their contractual obligations. Not only does this demonstrate their commitment to their compliance obligations, it also proves that they’ve gone through the painstaking task of implementing the required cybersecurity solutions that truly satisfy the control requirements. The primary point here is that if your ESPs are unable to prove that they “practice what they preach”, your implementation strategy will likely result in a failed CMMC audit and restrict your ability to win future contracts. To preemptively avoid a compliance disaster, here are the steps you can take to verify that your ESP will complement your compliance strategy and serve as a long-term solution for your organization.
1. Data Handling/Protection: Verify that your service provider has implemented measures to protect CUI and other sensitive data in accordance with CMMC requirements. This includes encryption, which ensures that unauthorized parties cannot view/read data, as well as access controls, which limit who can access sensitive data to begin with.
- Can your provider provide a detailed explanation of the scope of services in relation to the NIST 800-171 and CMMC requirements?
- How does your provider handle CUI, and what measures are in place to secure it?
2. Incident Response/Monitoring: Assess the provider’s incident response capabilities and reporting procedures. A compliant service provider should have extensive protocols in place to detect, respond to, and report security incidents promptly. From a practical standpoint, the sooner a breach can be identified, the better, but from a NIST 800-171 and CMMC standpoint you are required to report breaches to the DoD within 72 hours of the occurrence.
- What is your provider’s incident response plan, and how does it align with the incident reporting requirements outlined in the regulations?
- Can they provide examples of previous incidents and your organization’s response, highlighting lessons learned and improvements made?
3. Training & Audits: Ensure that your service provider conducts regular training for its staff on cybersecurity best practices. NIST 800-171 and CMMC place emphasis on employee awareness and education to reduce the risk of insider threats, as well as on data handling best practices, security protocols, and the importance of protecting sensitive data.
- How does your ESP conduct continuous monitoring to ensure ongoing compliance?
- What mechanisms are in place for regular assessments and audits to verify compliance with evolving NIST 800-171 and CMMC standards?
How Can Technical Support International Help You?
We understand that addressing your compliance obligations is a considerable undertaking that most organizations are unable to address on their own. For over 35 years, Technical Support International (TSI) has provided IT support, cybersecurity and compliance guidance to the Defense Industrial Base and Small Business community. As a Certified CMMC-AB Registered Provider Organization (RPO), TSI not only offers thorough compliance support but has also surpassed the baseline security measures in a comprehensive CMMC 1.0 Level 3 Readiness Review by CMMC-AB authorized C3PAO C.H. Guernsey & Company, which underscores our commitment to delivering top-tier cybersecurity solutions and providing pivotal assistance to DIB contractors aiming to achieve NIST 800-171 compliance and CMMC finalization readiness. Considering the estimated timeline for the finalization of the CMMC rule-making process, and that it takes an average of 12-18 months for defense contractors to become compliant, get started with a NIST 800-171 compliant and CMMC ready ESP today by contacting Technical Support International. We’re here to help!
About Technical Support International
TSI is a 35-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they’re adhering to these expansive compliance requirements. Our team has decades of experience navigating the pitfalls of NIST compliance, and we would appreciate the opportunity to help you on your journey. For more information about TSI, please visit our site or contact us using the form below.
Inquiries & Press Contact:
Jeremy Louise, VP of Sales & Business Development
jlouise@tsisupport.com
(508) 772-6122