.. Loading ..
Point Solutions Group
  • Home
  • CMMC
  • Critical Areas of Shared Responsibility for Clients Seeking CMMC

Critical Areas of Shared Responsibility for Clients Seeking CMMC

By: Paul Veeneman October 14, 2022 no comments
By: Paul Veeneman
October 14, 2022
no comments
Share This Post
Categories:
Tags:
, , , , ,

Critical Areas of Shared Responsibility for Clients Seeking CMMC

Data management within any organization often involves a lot of moving parts. Most companies handle some aspects of their IT needs and infrastructure internally and outsource the rest. This is especially true of small and medium sized businesses. But when one of these companies tries to achieve CMMC, who is responsible for what can get pretty murky. There are several key areas of shared responsibility for MSPs with clients seeking CMMC.

For managed service providers (MSPs), you’re often on the hook for a fair bit of a client’s CMMC requirements. The good news is that you’re only responsible for what you put in the contract. The bad news is that a lot of standard contracts and service offerings cover more than you may have realized.

What Are the Responsibilities of the MSP?

Often, a Managed Service Provider handles all the configuration, maintenance, provisioning, accounts and identification for clients. They also tend to be in charge of monitoring everything that’s going on inside the network. 

The trouble is that with CMMC, you have to document all of it. And the critical services we mentioned that are handled primarily by 3rd parties fall under a whole lot of the 110 controls of CMMC Level 2. Which means that well over half of the compliance requirements typically fall to the MSP or 3rd party provider. 

What Are the Responsibilities of Clients Seeking CMMC?

By the time responsibility gets down to the organization seeking compliance (OSC), they’ve got a certain level of inheritance. In other words, the MSP and/or Cloud Service Provider are responsible for a vast number of controls outside the OSC. However, the OSC does have the fundamental responsibility and accountability to ensure that everything is compliant. Because, at the end of the day, the OSC is the one seeking certification.

All the service providers? You aren’t seeking certification. It’s not about the certification, it’s about the responsibility you have for all the activities you perform on behalf of the client that fall under the client’s ability to support the contract. 

Four Key Areas for MSPs Supporting CMMC

The main thing to understand about supporting clients seeking CMMC is the need for documentation. For all of the services you provide, there has to be a paper trail. MSPs must be able to provide evidence and artifacts to the OSC and auditor. You need documentation of policy, process and procedure that demonstrate their capability to meet the control and the control objectives.

So, if you have clients seeking CMMC, there are a few key areas to pay attention to as a baseline. If you aren’t already doing these things, then there will likely be a lot of work ahead to get things up to speed and in order for yourselves and your clients.

Accounts and Access Control

CMMC means managing who has access to Controlled Unclassified Information (CUI). If you’re in charge of account creation for a client, that means you’re in charge of who can access CUI. That, in turn, means you’re on the hook for many of the CMMC requirements related to accounts and access control.

So, the place to start is looking at your documentation. Across all information systems of the client that store, receive or transmit CUI, do you have articulate procedure documentation for the:

  • creation of accounts 
  • changes to accounts 
  • disabling or removal of accounts

Is there a clear paper trail from the initial request for account creation all the way through vetting, approval, creation, etc? And is there also a clear paper trail for that policy and/or process itself?

Incident Response 

Again, auditors for CMMC are going to be looking for proof which in most circumstances means policy, procedure, and technical execution. So, while you certainly have an incident response plan, how thoroughly documented is it? Do you have a comprehensive incident response plan? Comprehensive meaning it clearly articulates all of the policies and procedures related to the:

  • identification of an incident
  • investigation of the incident
  • escalation of communication concerning the incident 
  • remediation and resolution of the incident

You also need documentation related to how all of the above would involve your personnel as well as the client’s personnel. The final component would involve any additional external personnel including your insurance provider and law enforcement based on severity. 

Encryption

If you’re providing any technological services, then you’re likely already providing some degrees of security. And you’re almost definitely already encrypting things. But are you encrypting things enough for CMMC?

For all products and services that provide encryption at rest or encryption in transit, have you ensured each product is identified and under a current certificate with the NIST cryptographic module validation program (CMVP) for FIPS 140-2 validation? Are you running in FIPS mode on all devices that are storing, receiving or transmitting CUI? For Windows workstations, have you turned on Windows 11 FIPS mode? That’s what an auditor would likely take a look at.

Activity Logging

Oftentimes, MSPs and 3rd party providers have some kind of wording in their standard contracts about logging and tracking activities. That’s great! It looks good from a security standpoint and makes clients happy. But for CMMC, it also means a lot of very specific attention, technical execution and added responsibility. 

So, if that’s in your contract, consider these two questions. Across all products, services and information systems, are you able to log, track and trace all activity? And, importantly, how often do you review the logs?

If you’re only reviewing the logs when there’s a problem… that’s a problem. For CMMC Level 2, the responsible party needs to be monitoring/reviewing logs on a periodic basis. The frequency is typically defined by the policy. Ideally that’s monthly. You can do it quarterly if you must. But annually won’t cut it.

What Are Your Contractual Obligations and Are You Meeting Them?

Essentially, supporting clients seeking CMMC means supplying a truckload of documentation. We went through this with one client, and they had to produce 250 pieces of documentation and evidence. Jaws dropped, hearts palpitated, but we got through it. So if you’re committing to cover specific aspects of the client’s technology, and some of that overlaps with CMMC requirements, then you’re on the hook for the proof and execution.

But the good news for an MSP is that you only have to cover what you say you’re going to cover. So, the question to ask is what do you want to be responsible for? You get to define that under the terms of your contract. And if a client wants more coverage, then that can be negotiated and added separately. Or, you can send them to a referral or strategic partner in the market.

Creating a Shared Responsibility Matrix with Clients Seeking CMMC

In order to keep track of who is responsible for what – you guessed it – you need more documentation. In addition to supporting you and your clients with all of the above, we can help you parse out all the minutiae of the 110 controls and 320 objectives and map out who has to handle what. What the MSP is responsible for, what the OSC is responsible for, and how to find everything you need for an auditor. 

That’s what a Shared Responsibility Matrix (SRM) is – a chart that maps all this out for you and your client. Essentially the Shared Responsibility Matrix is the map that identifies all of the connections between every CMMC control and objective, the MSP and OSC. Once you have that charted out, you then create the documentation that covers everything on the chart. 

That document is your System Security Plan. It identifies in detail what the SRM shows on a control and control objective basis. For each and every element that an auditor might be looking for, the SSP identifies:

  • Who is accountable
  • Who is responsible
  • What are the duties and activities performed
  • Where the documentation is located that supports this policy, procedure, or technical deployment
  • Where to find the evidence and artifacts demonstrating that the standards are maintained

As you might expect, the SSP can run several hundred pages. Which is why you probably don’t want to try and create it on your own. Working with a company like PSG or other CMMC Registered Practitioner Organizations will help both you and your clients get the structure and execution you need with vastly less headache. 

Latest Posts

Point Solutions Group Appointment of Chief Information Security Officer
August 5, 2024
By: Paige Goss
Announcing the Recipients of the 2024 Colorado Titan 100 & Titan 100 Hall of Fame
May 22, 2024
By: Paige Goss
Point Solutions Group Adds Two Space/Defense Industry Veterans to Leadership Team
December 19, 2023
By: Point Solutions Group
Paige Goss Illuminates the Significance of Colorado’s Workforce
August 28, 2023
By: Sam
Copyright 2018-2024 © Point Solutions Group   |   Privacy Policy

This site uses cookies to track statistics. You may choose to enable or disable these cookies. Read more about our Cookie policy