By: Paul Veeneman
Understanding MSPs’ Responsibilities to Clients Seeking CMMC
If you’re a service provider with clients looking to achieve CMMC, we totally get it if you aren’t sure where to start with all of the compliance requirements. Most of the time, Managed Service Providers (MSPs) don’t have to worry about the ins and outs of compliance on top of keeping a client’s technology running smoothly. But if you’ve got clients who want CMMC? All of a sudden, you’ve got a lot more responsibility than you may realize (or want).
Knowing where your level of responsibility begins and ends isn’t an easy task. To achieve CMMC Level 2, there are 110 controls and 320 control objectives. For each one, it may or may not be your responsibility to provide appropriate documentation to an auditor. So, where do you start?
Do You Have Clients Seeking CMMC?
First of all, whether you’re an MSP, ESP (external service provider), ISP, or basically any other third-party service provider, the following might apply to you. If you’re providing products or services in support of the goals, missions or objectives of a client organization that is seeking certification, you’ll likely have some level of responsibility to sort out.
For a client to be able to achieve CMMC, they have to be able to provide evidence that every aspect of their system is properly secure. So, if any of your products or services involve the transmission, receipt, or storage of controlled unclassified information (CUI), then it’s part of the certification process. And that means you’re at least partly responsible.
What Do You Manage For Them?
In our work with clients, we’ve seen that many MSPs don’t have a clear sense of what they are taking on when agreeing to support clients seeking CMMC. If they’ve done a great job of keeping the systems securely running already, why would CMMC make a difference? Because it’s not just about keeping the green lights green. It’s about providing clear, traceable evidence for how you handle every single step of that process – including policy.
The scary truth is that responsibility for 65-70% of the 110 CMMC controls falls to the MSP. So, it’s likely that there will be a lot of documentation you’ll suddenly need to be able to provide. Both your clients and auditors will be looking for evidence from beginning to end of every process, product or service.
If you’re managing any of the following, then you’ll likely have some level of responsibility to help your clients meet CMMC standards.
- Managing desktop, workstation and laptop endpoints
- Mobile devices
- Configuration management of applications, endpoints and servers
- Storage repositories (local or cloud)
- Network communications
- Network infrastructure (wired and wireless)
- The information system boundary edge (e.g. a firewall)
- Any of a myriad of cloud services (such as AWS, 365, Google Cloud)
These are all fairly standard products and services that MSPs provide. But the level of documentation and accountability that CMMC requires is often far beyond standard operating procedures.
How CMMC Differs From Standard Procedure for an MSP
Historically, MSPs have largely been on the operational side. You keep the green lights blinking green, and when there’s a red light, you get it back to green. Most MSPs have never been required to take on active accountability and responsibility for this level of security posture and documentation. All of a sudden, the MSP is responsible not just for keeping things running but for safeguarding a particular type of information as it moves through an entire system. That information may move through a collection of networks, endpoints and storage, all of which requires proper documentation. That’s one of the biggest challenges for many MSPs: they’ve never had to worry about data classification, meaning what to do with different types of data.
The tricky part of CMMC is that Controlled Unclassified Information (CUI) differs from organization to organization, contract to contract. CUI for clients may be data that they receive from the Department of Defense and/or prime contractors and then take action based on their contract. Then, that action may create additional information and data in execution and in accordance with the contract. They may provide that data or information back to DoD, Prime, or other subcontractors of their own. All of which may be classified as CUI – and therefore require documentation for CMMC.
The problem is that often the documentation that would serve as evidence for the controls is written by people who already know what they’re doing. But that’s not what CMMC is trying to solve. CMMC is working to ensure that the controls are in place at a process, technology and personnel level. So the point of it all is to audit and assess the documentation, policies, procedures, standards and plans of how an organization achieves the criteria in the controls.
In other words, like your high school math teacher, an auditor isn’t just looking for the right answer (that data is secure). They’re looking for evidence that you can show your work (that you can prove it will remain secure).
How Does CMMC Impact an MSP?
In general, MSPs haven’t historically been required to produce information for auditors or to provide that kind of evidence. You probably haven’t had to say, “here’s how we, on behalf of our client, configured their services and met all of these objectives.” If your client is seeking CMMC, it’s almost like you’re under an audit, too. Even though the MSP isn’t trying to achieve certification, you are a critical part of the process.
Let’s look at an example. One of the very first categories of CMMC is access control. It asks: who are the authorized users on this system? The organization defines who the users are, but the MSP creates the accounts on its behalf. So what’s the process for account creation, identification of access levels, and approvals?
Often, an MSP receives a request for a new account for a new user coming on board. The MSP receives the request, reviews it, asks some clarifying questions, and then starts creating the account. Once it’s completed, they send it back for verification, and then the user is able to log in. Seems pretty straightforward, right? Sure! Until an auditor gets involved.
Because the MSP has taken on the responsibility of creating the account, when it comes time for assessment, the auditor will ask to see the documentation. An MSP has to document the entire procedure for creating a new account on a request from the client. You also have to produce documentation for any of your support personnel who work on behalf of the client. You have to be able to show how they log in, authenticate, go to the domain controller, create the account, provision the right account access based on roles and responsibilities, complete the creation of the account, and then hand it back to the OSC (the Organization Seeking Certification) for use. And that’s just the beginning. You also have to show procedural documentation for anything to do with password resets, creating an email account, installing a workstation, etc. All of it needs thorough documentation.
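To make the "show your work" point concrete, here is an added example (not code from the original post or from PSG) that models the account-creation procedure just described as a small workflow: the request is recorded, an approval from someone other than the requester is required before anything is created, access is provisioned from a documented role mapping rather than by hand, the client's verification step is recorded, and every step lands in a hash-chained evidence log that an auditor can check for later tampering. The ticket numbers, role names, entitlements and people are all constructed placeholders, and the "account" is an in-memory record standing in for a real directory object.

```python
"""Auditable account-provisioning workflow (hypothetical example, not PSG's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import hashlib
import json

# Constructed role-to-entitlement mapping. In practice this is the client's
# documented roles-and-responsibilities matrix, not something the technician decides.
ROLE_ACCESS: Dict[str, List[str]] = {
    "engineer": ["vpn", "cui-share-read"],
    "contracts": ["vpn", "cui-share-write", "erp"],
}


class ProvisioningError(Exception):
    """Raised when a step is attempted out of order or without authority."""


@dataclass
class AccountRequest:
    ticket_id: str              # client's ticket reference (constructed)
    username: str
    role: str
    requested_by: str           # client-side requester
    approved_by: Optional[str] = None


class Provisioner:
    """Models the MSP's account-creation procedure with an append-only evidence log."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}   # stands in for the directory
        self.evidence: List[dict] = []        # one entry per procedural step

    @staticmethod
    def _hash(prev_hash: str, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        raw = prev_hash + json.dumps(body, sort_keys=True)
        return hashlib.sha256(raw.encode()).hexdigest()

    def _record(self, event: str, **details) -> dict:
        # Each entry commits to the previous entry's hash, so editing or deleting
        # an earlier step breaks every later hash and is detectable in verify_evidence().
        prev_hash = self.evidence[-1]["hash"] if self.evidence else ""
        entry = {"seq": len(self.evidence),
                 "ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, **details}
        entry["hash"] = self._hash(prev_hash, entry)
        self.evidence.append(entry)
        return entry

    def submit(self, req: AccountRequest) -> None:
        self._record("request_received", ticket=req.ticket_id,
                     username=req.username, role=req.role, requested_by=req.requested_by)

    def approve(self, req: AccountRequest, approver: str) -> None:
        # Separation of duties: the person asking for access cannot approve it.
        if approver == req.requested_by:
            raise ProvisioningError(f"{req.ticket_id}: approver must differ from requester")
        req.approved_by = approver
        self._record("approved", ticket=req.ticket_id, username=req.username, approver=approver)

    def create_account(self, req: AccountRequest, technician: str) -> dict:
        if req.approved_by is None:
            raise ProvisioningError(f"{req.ticket_id}: no recorded approval")
        if req.role not in ROLE_ACCESS:
            raise ProvisioningError(f"{req.ticket_id}: unknown role {req.role!r}")
        if req.username in self.accounts:
            raise ProvisioningError(f"{req.ticket_id}: account already exists")
        # Entitlements come from the documented role, never typed in ad hoc.
        acct = {"role": req.role, "access": list(ROLE_ACCESS[req.role]), "enabled": False}
        self.accounts[req.username] = acct
        self._record("account_created", ticket=req.ticket_id, username=req.username,
                     technician=technician, access=acct["access"])
        return acct

    def verify_and_enable(self, req: AccountRequest, verifier: str) -> None:
        # Account stays disabled until the client confirms it matches the request.
        acct = self.accounts.get(req.username)
        if acct is None:
            raise ProvisioningError(f"{req.ticket_id}: nothing to verify")
        acct["enabled"] = True
        self._record("verified_enabled", ticket=req.ticket_id,
                     username=req.username, verifier=verifier)

    def verify_evidence(self) -> bool:
        """Recompute the hash chain; False means an entry was altered or removed."""
        prev_hash = ""
        for i, entry in enumerate(self.evidence):
            if entry["seq"] != i or entry["hash"] != self._hash(prev_hash, entry):
                return False
            prev_hash = entry["hash"]
        return True


if __name__ == "__main__":
    p = Provisioner()
    req = AccountRequest("TKT-1001", "jdoe", "engineer", requested_by="hr.lead")
    p.submit(req)
    p.approve(req, "it.manager")
    p.create_account(req, "msp.tech1")
    p.verify_and_enable(req, "hr.lead")
    for e in p.evidence:
        print(e["seq"], e["event"], e["hash"][:12])
    print("evidence intact:", p.verify_evidence())
```

The evidence list is what you would export alongside the written procedure: each entry names the ticket, the step, who performed it, and what access was granted, and the chain lets an assessor confirm the record was not rewritten after the fact.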
We’re Here to Help
If all of this seems daunting and not your “thing,” don’t worry. You don’t have to parse through it alone. As a Registered Practitioner Organization (RPO) in CMMC Consulting, PSG is well equipped to help MSPs navigate their responsibilities to clients.
We’re experts in CMMC and in helping MSPs and OSCs have a clear sense of who is responsible for what. So, if you’re an MSP with clients seeking certification, we’d love to ensure you know where your responsibilities begin and end, and to help you get the documentation and procedures in place to make CMMC your client’s reality.