MSP Questions: How Much Does Your MSP/MSSP Know About CMMC Requirements?
1. Do they ‘practice what they preach’- Does your MSP/MSSP at least meet or exceed the same CMMC requirements that you need to follow?
A: You’re only as strong as your weakest link…..It’s of the utmost importance that your MSP not only understand the complete set of CMMC requirements but that they’ve implemented at the very minimum, the comparable security controls that are being asked of you. Not only does this demonstrate the MSP’s commitment to cyber-security, but that they’ve gone through the trouble of implementing the services for themselves and have done so correctly. The primary point here is that if your MSP isn’t practicing what they preach, your implementation strategy will likely experience some costly hiccups.
2. Is the MSP/MSSP willing to accept a contractual obligation to apply the same degree of CMMC cybersecurity rigor to their environments to adequately protect your CUI?
A: Similarly, to the first question, can your MSP/MSSP function as your true CMMC partner and commit to adequately safeguarding your CUI? At this time, there’s no requirement for your MSP/MSSP to be CMMC certified, but at the very least- and if they’re capable of accessing CUI-, shouldn’t they at a minimum meet your own CMMC maturity level requirements? Should they be comfortable enough to commit to a contractual obligation so you can ensure your CUI is
safeguarded? What about any 3 rd party software providers; are they able to demonstrate adequate cybersecurity safeguards that are at least FEDRAMP moderate? Do you need a Govt. level software subscription based on the CUI you access? These are some meaningful questions that will quickly determine where there may be areas for improvement or if a contingency plan should be considered.
3. Does your MSP/MSSP have assessment or audit experience/expertise within the NIST/CMMC/GRC (governance, risk & compliance) space?
A: A significant factor that will contribute to your CMMC success is the experience and expertise your MSP/MSSP has had conducting these types of audits and the understanding of the type of information that auditors are looking to verify. At first, auditors will review the managerial/administrative and document controls so they can verify that the technical controls have been successfully implemented and reflect the reality that’s outlined within the documentation. In short, ‘write what you do and do what you write’. Your auditors will test the technical controls and may go as far as perform scans and pull data to ensure the control requirements are met. As part of an ongoing CMMC strategy, these controls need to be routinely evaluated- and especially tested- so that your audit will result in a favorable outcome and ensure you adequately safeguarding the CUI within your environment. With anywhere between 17-171 CMMC technical requirements, you’re going to feel more comfortable working with MSP/MSSP that’s undergone the process before and has the technical, industry, and auditing expertise to get you past the finish line.
4. Has the MSP/MSSP completed the C3PAO training provided by the CMMC Accreditation Body?
A: It’s important that whoever is involved with the execution of your CMMC strategy, that they’re trained to understand what auditors are looking for and are well versed in the language used within the official guidelines as well. More times than not, your auditors are going to have a limited understanding of how each control addresses CMMC requirements and how they tie into your overall compliance strategy. To make things even more difficult, a lot of the language outlining these requirements can be convoluted and were clearly written using DoD vernacular that may be susceptible to the auditors’ interpretation of those requirements. Considering the challenges these two issues present, it’s great to have a readily available resource that can understand these terms and understand your auditors’ objectives so you can effectively- and painlessly- avoid any misunderstandings that could result in a failed audit. There’s also the issue that technology is constantly evolving to reactively address emerging types of cyber threats. Threat actors are routinely changing their methodologies and as they evolve, so must the defensive solutions to combat them. Partnering with an MSP/MSSP with C3PAO training and extensive experience within the DoD space, not only affirms their ability to successfully guide your organization through the auditing process but also minimizes the chances of any issues that may arise stemming from any degree of misinterpretation.
5. Will the MSP/MSSP be available to provide audit support during a CMMC audit?
A: It’s absolutely critical to the success of your CMMC strategy, that you’re MSP/MSSP be available throughout your CMMC auditing process- from start to finish. Although much – if not most- of the auditing process can be performed remotely, there are always times when immediate consultation is required especially when an auditors’ questions can potentially result in considerable delays in the audit’s timeline. Another thing to keep in mind is that not all auditors are going to be technically oriented, so one slight misunderstanding about a technical detail can potentially derail considerable progress and potentially present unfavorable, skewed perceptions of your compliance strategy’s maturity. Auditors oftentimes ask a number of layered questions about how any given control and associated documentable processes address the CMMC, which can be a challenge if the MSP/MSSP isn’t available. Your IT partner is likely going to be the only one who can effectively address these complicated issues and explain how the control is met.
6. Can your MSP/MSSP readily answer how many CMMC controls your organization needs to specifically adhere to? Can the MSP/MSSP answer how many CMMC controls your organization already has in place?
A: Depending on the contractual agreement you have with your prime, you may be required to have anywhere from 17-171 IT solutions that are required to be compliant! It’s a rather straightforward process to learn what your specific required CMMC level is by referring to section H.27 of your Federal Contracts as well as section L&M of the RFP itself. What is less than straightforward is formulating a cost-effective CMMC strategy that requires managing approximately 150 controls while ensuring you’re also addressing the technical, management, and administrative/document controls that include a higher degree of complexity that can only be addressed by an experienced partner with higher-level expertise.
7. Do they know if any of your company’s software that you use from Office365, AWS, or your anti-virus/malware, actually have the capability or compatibility to be used in a CMMC compliant IT environment?
A: Unfortunately, there are some instances where an organization may have to upgrade some- if not all- of it’s software to a CMMC compliant platform. Based on your CMMC requirements, software like AWS, Office 365 or your anti-virus/malware subscriptions may need to be upgraded to a much more costly ‘Government’-level licensing plan or some other comparable solution. In addition to this, if you were obligated to do so, in most cases it would also require the complete rebuilding of your cloud architecture; if you’re going to need G-level licensing, the software providers will contractually obligate you into organizing their solution according to their understanding of best practices, which can be a painful experience for most as it would change everything from how you access your CUI environment and managing the data within it. Here’s an overview that we previously provided speaking specifically to that subject:
TSI Publication: You May Not Need Gov’t Software Licensing for CMMC/DFARS
8. Does your MSP/MSSP have the capability to manage all the technical aspects of your CMMC compliance requirements?
A: This seems rather straightforward, but to be perfectly candid, it took us almost 3 years to reach our ideal degree of a cybersecurity posture and took countless hours of research, testing- and a few failures along the way- to get where we are. Today, TSI has a dedicated CISSP lead, Director of Cyber-Security & Compliance with a team dedicated to addressing our clients’ cyber-security objectives. These individuals are training on an ongoing basis to address today’s evolving IT threat landscape to ensure our clients are adequately positioned to minimize the impact of those threats. Understanding that every MSP/MSSP is structured differently, we would encourage you to see if their team has comparable capabilities- and auditing experience- to address the CMMC.
9. Does your MSP/MSSP have any of its team members with designations as a CISO, CISSP, CISM, CEH, CCNP, or CCSP?
A: Following up on the previous question, does your MSP/MSSP have any team members with these designations? The effective implementation of your organization’s CMMC strategy is critical to your continued and future success. Achieving these milestones requires expertise beyond traditional MSP capabilities. The required time and effort associated with these designations can provide comfort that your CMMC strategy is being effectively managed and you’re receiving the degree of service your organization needs and deserves.
10. Can the MSP/MSSP recommend innovative ways to meet a client’s CMMC requirements while not affecting the client’s entire enterprise?
A: The ‘name of the game’ so to speak is to isolate and minimize the areas of your network containing CUI so that you can effectively safeguard those assets and ensure you minimize your network’s exposure to compliance. Not only will this help minimize any complications, but it will also help manage your costs as well. However, this isn’t a straightforward process and requires an MSP/MSSP with cybersecurity, compliance, and networking expertise. Your MSP/MSSP should have the technical expertise and compliance knowledge to help architect your environment in a way that not only addresses your compliance requirements but in a clear, formulated plan outlining your immediate and longer-term resources.
11. Can the MSP/MSSP effectively communicate a clear long-term CMMC compliance strategy for your organization?
A: Achieving your respective CMMC level is a long-term, ongoing process that will require an all hands-on deck approach to accomplish. Your strategy should be clear with the ultimate goal of having an actionable, comprehensive security program addressing those compliance requirements. As we’re all aware of, the smallest technical oversight can easily derail an organization’s compliance posture and potentially present the risk of failing to meet contractual obligations. It’s of the utmost importance that your organization has a clear, long-term, sustainable cyber-security program based on the basic tenets of the CMMC; documentation, technical controls, evidence, management, and sustainability.
12. Have you been recommended to send your CUI to the Cloud as a cost-effective or efficient strategy to address your CMMC requirements?
A: Although we’re huge advocates of cloud technology, if you’re putting your CUI environment to the cloud to ‘outsource’ the impact of these costly CMMC requirements, it’s likely you’re overlooking a number of critical considerations to keep in mind. Be absolutely certain that you have the technical, administrative, and evidence controls completely aligned and updated but more importantly, verify that your cloud provider is FEDRAMP certified or comparable. It’s of equal importance to also address your cloud provider’s ability to also implement their own CMMC type controls and that they have the technical expertise to configure them. Based on our experience evaluating different cloud providers, it’s highly likely they don’t provide this level of service and in the rare instance they can, it’s at a significant premium. Keeping aware of these two facts will limit the terrible surprise to learn on the day of your audit, that your 3 rd party providers are unable to fulfill their CMMC requirements and that they in fact present a risk to sensitive CUI.