Of Chickens and Eggs: an MSP’s take on the CMMC proposed rule for the DIB

Posted on Apr 30, 2024

Of Chickens and Eggs: an MSP’s take on the CMMC proposed rule for the DIB

If your business is not a member of the Defense Industrial Base (DIB), and you don’t do work on a contract basis as part of the supply chain to the Department of Defense, you can stop reading now. Seriously. Despite the article’s title, this missive is full of acronyms and explanations of compliance requirements and has nothing to do with breakfast. And did I mention acronyms? I will wait.

Okay, since it is just “us” now, I will share a few high-importance details from the proposed CMMC rule, and specifically how you will work with companies like mine. Managed Services Providers (MSPs), Managed Security Service Providers (MSSPs), and other external service providers (ESPs) have been included in the CMMC fray, and it will impact your business.

Answered questions, with a side of questions

Over the last several years, we have had a lot of questions concerning our clients’ obligations because of the coming Cybersecurity Maturity Model Certification (CMMC). At long last, many of those questions are getting answered; the DoD released the proposed rule on December 26, 2023. 

CMMC is the verification mechanism through which the DoD is assured that the contractors and subcontractors they work with have information systems in place to protect the sensitive data they hold. It was created because the DoD discovered that many operational and cybersecurity practices within the DIB were weak making our nation vulnerable to attack. The CMMC rule closes loopholes that have allowed plans of action purposed to remediate the weaknesses to remain open for long periods of time. 

Most of our questions have been regarding the more advanced cybersecurity and operational requirements for DIB businesses that process, store, or transmit Controlled Unclassified Information (CUI) and who will need to secure a CMMC Assessment provided by an authorized CMMC Third Party Assessment Organization (C3PAO) at Level 2. Level 1 DIB businesses are required to protect Federal Contract Information (FCI) and are allowed to sell-assess their environment. Both levels 1 and 2 require that a company executive sign an affirmation that they have accurately assessed and are operating under the controls. 

The significant update is that businesses classified as Level 1 and Level 2 in the Defense Industrial Base (DIB) sector will face upcoming challenges related to choosing their service providers.

It turns out, the DoD references many of the functions that MSPs perform within the definition of an External Service Provider: “external people, technology… that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services… CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”

Accordingly, we, the MSPs and MSSPs of the world that serve the DIB, will need to achieve our CMMC certification too! Not only that, but any ESP will need to certify at or above the level of the contractor they support is required to certify. While we have been expecting this and implementing the requirements in our own business, most MSPs or other ESPs have not.  

Why does this matter to you? When your company uses an MSP or other external service providers, they are included as “in scope” for your organization’s System Security Plan; they will be included in your assessment. Meaning- you can’t pass your CMMC Assessment unless and until your ESP has passed their assessment and have a final certification as your provider.  You will not be able to work for the DoD until all your ESPs have their certification. Let’s just say, there is some debate on how this chicken-and-egg-timing will work itself out… and there are still other considerations as far as timing. 

This also means that your team will need to carefully vet the capabilities of every external service provider hired to work for you… and their tools.

Read More »

Love your job again: hiring a Technology Consultant can make Monday your favorite day of the week 

Posted on Dec 12, 2022

Love your job again: hiring a Technology Consultant can make Monday your favorite day of the week 

When did the Sunday Scaries, the anxious dread that precedes the beginning of the work week begin for you? The calendar is full, the to-do list is over-populated, and leaders fill multiple roles leading to burnout and negativity. It is no wonder that the modern professional is not excited to jump out of bed on Monday. A single hire could change this for your organization. 

With such heavy workloads, energy toward creativity and out-of-the-box thinking is nil.  Business leaders need energy that allows traction toward working ON the business, and not just IN it – spinning plates and wearing so many hats. A technology consultant may be the answer to “smarten” your tech to work for you, so you can work on the business you (used) to love.  

What Is Technology Consulting? 

These days, a Technology Consultant does much more than manage printers, assist with helpdesk repairs, or install networks; after all, technology is woven into every aspect of business. A consultant serves as a sounding board from whom you can ask questions, who will learn about your business, your goals, and how you implement technology. A good Technology Consultant is NOT an IT consultant; they look at a much broader picture, identifying efficiencies in processes, assessing risk, controlling costs, and advising on compliance and liability. Delegating these roles to experts will help you get back to the work you enjoy and may even help profitability. 

A study by IBM and the Ponemon Institute found that the use of emerging technologies reduces costs. For example, the adoption of artificial intelligence, security analytics, and encryption saved companies up to $1.49 million compared to those who did not use these tools.  

Read More »

CMMC Take Aways for the NON-DIB Business

Posted on Mar 24, 2021

CMMC Take Aways for the NON-DIB Business

There is a great deal for businesses in the commercial space to glean from the CMMC standards to apply to their organization’s cybersecurity. Securing your data, defending the integrity and infrastructure of your business from cyberattacks and disruption is undeniably one of the most important roles for business leaders. Even if your business is not part of the DIB supply chain as a government contractor, or as a cybersecurity professional, businesspersons have a responsibly to fellow employees, clients, and their country to remain cyber-safe, cyber-secure and cyber-resilient.

Read More »