By: Paul Veeneman
Critical Areas of Shared Responsibility for Clients Seeking CMMC
Data management within any organization involves a lot of moving parts. Most companies handle some aspects of their IT needs and infrastructure internally and outsource the rest. This is especially true of small and medium-sized businesses. But when one of these companies tries to achieve CMMC, who is responsible for what can get pretty murky. There are several key areas of shared responsibility for MSPs with clients seeking CMMC.
For managed service providers (MSPs), you’re often on the hook for a fair bit of a client’s CMMC requirements. The good news is that you’re only responsible for what you put in the contract. The bad news is that a lot of standard contracts and service offerings cover more than you may have realized.
What Are the Responsibilities of the MSP?
Often, a Managed Service Provider handles all the configuration, maintenance, provisioning, accounts and identification for clients. They also tend to be in charge of monitoring everything that’s going on inside the network.
The trouble is that with CMMC, you have to document all of it. The critical services we mentioned, the ones handled primarily by third parties, fall under a large share of the 110 controls of CMMC Level 2, which means that well over half of the compliance requirements typically fall to the MSP or third-party provider.
What Are the Responsibilities of Clients Seeking CMMC?
By the time responsibility gets down to the organization seeking compliance (OSC), they’ve got a certain level of inheritance. In other words, the MSP and/or Cloud Service Provider are responsible for a vast number of controls outside the OSC. However, the OSC does have the fundamental responsibility and accountability to ensure that everything is compliant. Because, at the end of the day, the OSC is the one seeking certification.
As for the service providers: you aren’t the ones seeking certification. For you, it’s not about the certification, it’s about the responsibility you have for all the activities you perform on behalf of the client that affect the client’s ability to support the contract.
Four Key Areas for MSPs Supporting CMMC
The main thing to understand about supporting clients seeking CMMC is the need for documentation. For all of the services you provide, there has to be a paper trail. MSPs must be able to provide evidence and artifacts to the OSC and the auditor. You need documentation of policy, process and procedure that demonstrates your capability to meet each control and its control objectives.
So, if you have clients seeking CMMC, there are a few key areas to pay attention to as a baseline. If you aren’t already doing these things, then there will likely be a lot of work ahead to get things up to speed and in order for yourselves and your clients.
Accounts and Access Control
CMMC means managing who has access to Controlled Unclassified Information (CUI). If you’re in charge of account creation for a client, that means you’re in charge of who can access CUI. That, in turn, means you’re on the hook for many of the CMMC requirements related to accounts and access control.
So, the place to start is your documentation. Across all of the client’s information systems that store, receive or transmit CUI, do you have clearly articulated procedure documentation for the:
- creation of accounts
- changes to accounts
- disabling or removal of accounts
Is there a clear paper trail from the initial request for account creation all the way through vetting, approval, creation and eventual disabling? And is there also a clear paper trail for the policy and/or process itself?
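One way to test whether that paper trail actually exists is to reconcile the ticketing records against what the directory service did. The script below is an added example, not code from the original post or from any MSP tooling: it takes constructed ticket records (request, approval, change, disable) and constructed directory events, and flags every account whose chain of request, then approval, then creation is out of order or missing a link, plus any change or disable with no ticket behind it. The field names, ticket kinds and sample records are assumptions made for the example.

```python
"""Account lifecycle paper-trail check (added example, not from the original post).

Reconciles constructed ticket records against constructed directory events and
reports every account action that lacks the ticket that should have preceded it.
Field names, ticket kinds and all sample records are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Ticket:
    account: str
    kind: str        # "request", "approval", "change" or "disable"
    when: datetime
    ref: str         # ticket identifier (constructed)


@dataclass(frozen=True)
class DirEvent:
    account: str
    action: str      # "create", "change" or "disable"
    when: datetime


# Constructed sample data: one clean lifecycle (jdoe), one approval that arrived
# after the account already existed (asmith), and a service account with no ticket.
TICKETS = [
    Ticket("jdoe", "request", datetime(2024, 3, 1, 9, 0), "REQ-0101"),
    Ticket("jdoe", "approval", datetime(2024, 3, 1, 14, 0), "APR-0101"),
    Ticket("asmith", "request", datetime(2024, 3, 4, 10, 0), "REQ-0102"),
    Ticket("asmith", "approval", datetime(2024, 3, 6, 16, 0), "APR-0102"),
    Ticket("jdoe", "disable", datetime(2024, 5, 2, 8, 0), "OFF-0110"),
]
EVENTS = [
    DirEvent("jdoe", "create", datetime(2024, 3, 2, 8, 30)),
    DirEvent("asmith", "create", datetime(2024, 3, 5, 9, 0)),
    DirEvent("svc-backup", "create", datetime(2024, 3, 7, 2, 0)),
    DirEvent("jdoe", "change", datetime(2024, 4, 1, 11, 0)),
    DirEvent("jdoe", "disable", datetime(2024, 5, 2, 9, 0)),
]

# The ticket kind that must exist, dated at or before the directory action.
REQUIRED_TICKET = {"create": "approval", "change": "change", "disable": "disable"}


def reconcile(tickets, events):
    """Return a sorted list of (account, finding) tuples describing gaps in the trail."""
    by_account = defaultdict(list)
    for t in tickets:
        by_account[t.account].append(t)

    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        needed = REQUIRED_TICKET[ev.action]
        related = by_account[ev.account]
        if ev.action == "create":
            # Creation needs an originating request as well as the approval.
            if not any(t.kind == "request" and t.when <= ev.when for t in related):
                findings.append((ev.account, "create without request ticket"))
        prior = [t for t in related if t.kind == needed and t.when <= ev.when]
        if prior:
            continue
        # Distinguish "ticket came later" (approval after the fact) from "no ticket at all".
        late = [t for t in related if t.kind == needed and t.when > ev.when]
        if late:
            findings.append((ev.account, f"{ev.action} before {needed} ticket {late[0].ref}"))
        else:
            findings.append((ev.account, f"{ev.action} without {needed} ticket"))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in reconcile(TICKETS, EVENTS):
        print(f"{account}: {finding}")
```

In practice the two input lists come from an export of the ticketing system and the directory’s audit log; the comparison logic stays the same, and an empty findings list is the evidence an auditor is asking for.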
Incident Response
Again, auditors for CMMC are going to be looking for proof, which in most circumstances means policy, procedure and technical execution. So, while you certainly have an incident response plan, how thoroughly documented is it? Is it comprehensive, meaning it clearly articulates all of the policies and procedures related to the:
- identification of an incident
- investigation of the incident
- escalation of communication concerning the incident
- remediation and resolution of the incident
You also need documentation related to how all of the above would involve your personnel as well as the client’s personnel. The final component would involve any additional external personnel including your insurance provider and law enforcement based on severity.
Encryption
If you’re providing any technological services, then you’re likely already providing some degree of security. And you’re almost certainly already encrypting things. But are you encrypting things enough for CMMC?
For all products and services that provide encryption at rest or in transit, have you ensured each product is identified and covered by a current certificate under the NIST Cryptographic Module Validation Program (CMVP) for FIPS 140-2 validation? Are you running in FIPS mode on all devices that store, receive or transmit CUI? For Windows workstations, have you turned on Windows 11 FIPS mode? That’s what an auditor would likely take a look at.
Logging and Monitoring
Oftentimes, MSPs and third-party providers have some kind of wording in their standard contracts about logging and tracking activities. That’s great! It looks good from a security standpoint and makes clients happy. But for CMMC, it also means a lot of very specific attention, technical execution and added responsibility.
So, if that’s in your contract, consider these two questions. Across all products, services and information systems, are you able to log, track and trace all activity? And, importantly, how often do you review the logs?
If you’re only reviewing the logs when there’s a problem… that’s a problem. For CMMC Level 2, the responsible party needs to be monitoring/reviewing logs on a periodic basis. The frequency is typically defined by the policy. Ideally that’s monthly. You can do it quarterly if you must. But annually won’t cut it.
What Are Your Contractual Obligations and Are You Meeting Them?
Essentially, supporting clients seeking CMMC means supplying a truckload of documentation. We went through this with one client, and they had to produce 250 pieces of documentation and evidence. Jaws dropped, hearts palpitated, but we got through it. So if you’re committing to cover specific aspects of the client’s technology, and some of that overlaps with CMMC requirements, then you’re on the hook for the proof and execution.
But the good news for an MSP is that you only have to cover what you say you’re going to cover. So, the question to ask is what do you want to be responsible for? You get to define that under the terms of your contract. And if a client wants more coverage, then that can be negotiated and added separately. Or, you can send them to a referral or strategic partner in the market.
Creating a Shared Responsibility Matrix with Clients Seeking CMMC
In order to keep track of who is responsible for what – you guessed it – you need more documentation. In addition to supporting you and your clients with all of the above, we can help you parse out all the minutiae of the 110 controls and 320 objectives and map out who has to handle what. What the MSP is responsible for, what the OSC is responsible for, and how to find everything you need for an auditor.
That’s what a Shared Responsibility Matrix (SRM) is: a chart that maps all this out for you and your client. Essentially, the SRM is the map that ties every CMMC control and objective to the party, MSP or OSC, that handles it. Once you have that charted out, you then create the documentation that covers everything on the chart.
That document is your System Security Plan (SSP). It spells out in detail, control by control and objective by objective, what the SRM shows. For each and every element that an auditor might be looking for, the SSP identifies:
- Who is accountable
- Who is responsible
- What are the duties and activities performed
- Where the documentation is located that supports this policy, procedure, or technical deployment
- Where to find the evidence and artifacts demonstrating that the standards are maintained
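The SRM is, at bottom, a table, and the useful question to ask of it is whether every row is complete and whether the periodic items in it (such as the log review cadence discussed above) are actually being kept up. The script below is an added example, not the author’s or PSG’s material: it holds a handful of constructed SRM rows, checks that each objective has an accountable party, a responsible party and a recorded evidence location, and flags any periodic review that is overdue against the policy frequency. The objective identifiers are constructed placeholders, not real CMMC practice numbers, and the cadences and paths are assumptions for the example.

```python
"""Shared Responsibility Matrix completeness check (added example, not from the original post).

Each row maps one control objective to who is accountable, who performs the work,
where the supporting documentation lives, how often the evidence must be reviewed
and when it last was.  Objective ids are placeholders, not CMMC practice numbers;
cadences, paths and dates are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# OSC = organization seeking certification, MSP = managed service provider,
# CSP = cloud service provider whose controls the OSC inherits.
PARTIES = {"OSC", "MSP", "CSP"}


@dataclass(frozen=True)
class SrmRow:
    objective: str                  # placeholder id, e.g. "OBJ-0001"
    summary: str
    accountable: Optional[str]      # the OSC in every case on this page, recorded explicitly
    responsible: Optional[str]      # who actually performs the activity
    evidence: Optional[str]         # where the policy, procedure or artifact is kept
    review_days: Optional[int]      # None = event-driven, no periodic review
    last_reviewed: Optional[date]


# Constructed sample matrix.
SRM = [
    SrmRow("OBJ-0001", "Account creation, change and removal procedure",
           "OSC", "MSP", "policies/account-lifecycle.pdf", 365, date(2024, 1, 15)),
    SrmRow("OBJ-0002", "Audit log review (monthly per policy)",
           "OSC", "MSP", "evidence/log-review/", 31, date(2024, 4, 28)),
    SrmRow("OBJ-0003", "FIPS-validated cryptography for CUI at rest and in transit",
           "OSC", "CSP", None, 365, date(2023, 12, 1)),
    SrmRow("OBJ-0004", "Incident escalation and external notification",
           "OSC", None, "plans/incident-response.docx", 365, None),
]
AS_OF = date(2024, 6, 30)   # constructed assessment date


def check_srm(rows: List[SrmRow], as_of: date) -> List[Tuple[str, str]]:
    """Return (objective, finding) pairs for every incomplete or overdue row, in row order."""
    findings = []
    for r in rows:
        if r.accountable not in PARTIES:
            findings.append((r.objective, "accountable party not set"))
        if r.responsible not in PARTIES:
            findings.append((r.objective, "responsible party not set"))
        if not r.evidence:
            findings.append((r.objective, "no evidence location recorded"))
        if r.review_days is not None:
            if r.last_reviewed is None:
                findings.append((r.objective, "periodic review required but never reviewed"))
            else:
                overdue = (as_of - r.last_reviewed).days - r.review_days
                if overdue > 0:
                    findings.append((r.objective, f"review overdue by {overdue} days"))
    return findings


def responsibility_summary(rows: List[SrmRow]) -> dict:
    """Count how many objectives each party is responsible for executing."""
    counts = {p: 0 for p in PARTIES}
    for r in rows:
        if r.responsible in counts:
            counts[r.responsible] += 1
    return counts


if __name__ == "__main__":
    for objective, finding in check_srm(SRM, AS_OF):
        print(f"{objective}: {finding}")
    print("responsible counts:", responsibility_summary(SRM))
```

The summary function gives a quick sanity check on the page’s point that well over half of the execution typically lands on the MSP, and the findings list is the punch list to close before the SSP is written up from the matrix.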
As you might expect, the SSP can run several hundred pages, which is why you probably don’t want to try to create it on your own. Working with a company like PSG or another CMMC Registered Practitioner Organization will help both you and your clients get the structure and execution you need with vastly less headache.