Of Chickens and Eggs: an MSP’s take on the CMMC proposed rule for the DIB

Of Chickens and Eggs: an MSP’s take on the CMMC proposed rule for the DIB

yellow chicks look at a brown egg

If your business is not a member of the Defense Industrial Base (DIB), and you don’t do work on a contract basis as part of the supply chain to the Department of Defense, you can stop reading now. Seriously. Despite the article’s title, this missive is full of acronyms and explanations of compliance requirements and has nothing to do with breakfast. And did I mention acronyms? I will wait.

Okay, since it is just “us” now, I will share a few high-importance details from the proposed CMMC rule, and specifically how you will work with companies like mine. Managed Services Providers (MSPs), Managed Security Service Providers (MSSPs), and other external service providers (ESPs) have been included in the CMMC fray, and it will impact your business.

Answered questions, with a side of questions

Over the last several years, we have had a lot of questions concerning our clients’ obligations because of the coming Cybersecurity Maturity Model Certification (CMMC). At long last, many of those questions are getting answered; the DoD released the proposed rule on December 26, 2023. 

CMMC is the verification mechanism through which the DoD is assured that the contractors and subcontractors they work with have information systems in place to protect the sensitive data they hold. It was created because the DoD discovered that many operational and cybersecurity practices within the DIB were weak making our nation vulnerable to attack. The CMMC rule closes loopholes that have allowed plans of action purposed to remediate the weaknesses to remain open for long periods of time. 

Most of our questions have been regarding the more advanced cybersecurity and operational requirements for DIB businesses that process, store, or transmit Controlled Unclassified Information (CUI) and who will need to secure a CMMC Assessment provided by an authorized CMMC Third Party Assessment Organization (C3PAO) at Level 2. Level 1 DIB businesses are required to protect Federal Contract Information (FCI) and are allowed to sell-assess their environment. Both levels 1 and 2 require that a company executive sign an affirmation that they have accurately assessed and are operating under the controls. 

The significant update is that businesses classified as Level 1 and Level 2 in the Defense Industrial Base (DIB) sector will face upcoming challenges related to choosing their service providers.

It turns out, the DoD references many of the functions that MSPs perform within the definition of an External Service Provider: “external people, technology… that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services… CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”

Accordingly, we, the MSPs and MSSPs of the world that serve the DIB, will need to achieve our CMMC certification too! Not only that, but any ESP will need to certify at or above the level of the contractor they support is required to certify. While we have been expecting this and implementing the requirements in our own business, most MSPs or other ESPs have not.  

Why does this matter to you? When your company uses an MSP or other external service providers, they are included as “in scope” for your organization’s System Security Plan; they will be included in your assessment. Meaning- you can’t pass your CMMC Assessment unless and until your ESP has passed their assessment and have a final certification as your provider.  You will not be able to work for the DoD until all your ESPs have their certification. Let’s just say, there is some debate on how this chicken-and-egg-timing will work itself out… and there are still other considerations as far as timing. 

This also means that your team will need to carefully vet the capabilities of every external service provider hired to work for you… and their tools. 

Tool Time

The tools we use that help us do our excellent work for you have not gone unnoticed! 

MSPs and ESPs utilize many tools that are based in the cloud and meet the definition of a “Cloud Service Provider (CSP).” These tools often access sensitive data in your environment. Any tools that provide automation, security information, and event management, or remote monitoring or management could be considered in scope if they process, store, or transmit CUI. The section around tools is here:

“If an OSC (Organization Seeking Compliance) uses an external CSP to process, store, or transmit CUI or to provide security protection for any such component, the OSC must ensure the CSP’s product or service offering either (1) is authorized as FedRAMP Moderate or High on the FedRAMP Marketplace; or (2) meets the security requirements equivalent to those established by the Department for the FedRAMP Moderate or High baseline.”

The ESP must be well versed in how, where, and how security protection metadata like log files and backup configuration settings are stored. Companies will need to use 100% FedRAMP Moderate or equivalent FedRAMP High tools and services. Ask your MSP or ESP if they are using 100% FedRAMP Moderate or High tools and ask them to provide the documentation. ESPs are able to use tools that are not FedRAMP Moderate or High as Commercial Off the Shelf (COTS) products IF they are hosted on-premise and provisioned and secured so that no data goes outside to the cloud. There are additional considerations to be factored in regarding US-based support as well.

Where did my MSP or ESP disappear to?

The requirements for MSPs and other external service providers put small businesses in the DIB in a perilous spot: DIB businesses outsource for services to gain talent or access to expensive tools and resources that they don’t have or can’t afford to have in-house. To plan for success, DIB businesses must have the assurance that they will have continued access to and support of the ESPs they rely on.

Undoubtedly, many ESPs will exit the federal contractor sector, in favor of the less stringent requirements of commercial clients based on the costs they would incur toward compliance implementation. MSPs that remain and who are well-equipped to provide the DIB with services will become scarce. 

Qualify your ESPs or potential ESPs now to vet their capabilities and negotiate contracts before the market shrinks and drives up costs. The DoD has been clear in the proposed rule that they will not be contributing dollars to offset any costs the DIB has toward compliance expenses.

Tick Tock.

No, not TikTok (that app is banned from devices used to serve federal contracts!) but rather, tick tock, as in time is passing quickly! There are multiple timelines that you need to pay attention to: the inclusion of CMMC in contracts, the time it takes your business toward implementation, and how long your business will wait in line to get an assessment. 

Private industry is already prequalifying subcontractors ahead of the CMMC rule: primes are choosing subcontractors based on the strength of their SPRS score. CMMC will start to be included in contracts after the rule is finalized and could be included as early as October 2024. Six months after that, third-party verification will be required, with 100% of DoD contracts updated to include CMMC by October 2026. The truth is that contractors and subcontractors in the DIB already have had self-assessment requirements in place since 2017 to attest that operational and security controls that protect sensitive data are in place. 

While the timeline for CMMC inclusion for contracts is concerning- the larger concern is the time it will take for your business to implement the controls. Average implementation takes 12- 18 months. That exceeds the time rulemaking timeline. Be certain to factor in time toward a careful review of the ESP businesses that provide you with services. Both the DIB business and the ESP have shared responsibility toward CMMC compliance. Your ESP should paint a clear picture of what they are responsible for and what your organization is responsible for. Before you contract with an ESP, be certain that there are clear expectations and definitions. This will help you steer clear of long-term relationships that may not meet the requirements of CMMC and avoid unnecessary confusion with unpleasant and expensive surprises. 

The final timeline may be the most concerning for the DIB: the availability of C3PAOs to provide CMMC Assessments. MNS Group is a CMMC Third Party Assessment Organization (C3PAO), one of less than 60 in the world that is authorized to provide CMMC Assessments when the rule is finalized. With 70,000-plus entities that will need to be assessed, not including the ESPs, there will be significant demand that will create a bottleneck for organizations seeking assessments.

The Cybersecurity Maturity Model Certification (CMMC) is definitely sticking around. Don’t wait around thinking it’ll just fly away. This is not an ostrich situation where you’d want to hide until the last second. It’s better to get a head start than play catch-up later!