CMMC Compliance and MSPs: Do They Need It? (+ 8 Security Standards)
Is your company under contract with the Department of Defense (DoD), and are you overwhelmed by the changing CMMC requirements?
We understand.
The DoD is still finalizing the CMMC guidelines. They've already moved from CMMC 1.0 to CMMC 2.0, and with the 60-day call for comments for CMMC 2.0 ending in February 2024, more changes will likely follow.
So, should you hold your current (or future) managed services provider (MSP) to the same standards the DoD holds you to?
In this article, we promise to explain what standards you should hold an MSP to. Intelligent Technical Solutions (ITS) has experts dedicated to mastering CMMC compliance, and we invited Todd Whitley (one of our CMMC experts and ITS Olympia SVP) to answer the following questions:
- Do MSPs need to be CMMC compliant?
- What are the essential security standards for MSPs serving DoD contractors?
Do MSPs Need to be CMMC Compliant?
Yes, your MSP needs to be CMMC compliant.
“As of right now, that is the interpretation of the ruling,” Todd explained. “MSPs must be at the equivalent level of a client that they're working with – which for most organizations is going to be CMMC 2.0 Level 2.”
But there’s a catch: no one is currently CMMC 2.0 compliant. The regulations haven’t been finalized; the DoD is eyeing January 2025 for CMMC finalization and October 2026 for mandatory implementation. Ergo, no one can claim they’re certified.
Essential Security Standards for MSPs
So, if no one is CMMC-certified yet, what standards should you hold an MSP to?
1. They have (or are training) CMMC professionals.
Just because no one has the certification yet doesn’t mean MSPs are twiddling their thumbs. Forward-thinking companies already have team members who are getting RP or CCP accreditation.
Implementing the required security controls is expected to take at least 12 months. An MSP should already be training staff and preparing IT infrastructure so they can hit the ground running by January 2025.
2. They have a compliance division.
Verify if an MSP has a strong compliance department. It’s a sign that they have the chops to maintain another certification and can draw from their experience with other regulatory requirements.
If a company has clients in the finance, healthcare, and law industries, that’s a good sign they’re already experienced in regulatory requirements.
“For example, at ITS, we have a dedicated compliance landing page,” Whitley added. “We have [educational] compliance articles and a compliance team headed by Ed Griffin and Sean Harris.”
Aside from a compliance landing page, articles about compliance, and a compliance team, your MSP should also have security tools like Huntress or Covalence to help ensure regulatory compliance.
3. They implement strong access controls.
Another must-have for MSPs is a strong access control and identity management system.
Some signs an MSP has strong access controls are the use of multi-factor authentication, least privilege access, and session management.
“Companies can isolate all their work that they do for the DoD into a siloed enclave,” Whitley said.
4. They conduct frequent cybersecurity awareness training.
The good MSPs know that their own team members pose a considerable security risk. Find MSPs that regularly provide cybersecurity awareness training for all employees, including training specific to CMMC requirements.
Training should cover topics such as phishing, social engineering, and safe internet practices.
5. They have stable patch management and secure system configuration.
Patches and security updates, if applied incorrectly, open a window of opportunity for hackers. So, when choosing an MSP, check that they have a secure, well-defined process for managing their patches and system configuration.
6. They vet their vendors.
Good MSPs understand and manage the risks associated with third-party vendors and the supply chain. This involves ensuring that subcontractors and suppliers also adhere to CMMC requirements.
7. They have business continuity, incident response, and disaster recovery plans.
Good MSPs also recognize that their services are a pillar to the sustained operation, resilience, and success of their clients' businesses. They’ll have plans in place to minimize downtime and keep their clients' businesses secure—no matter what happens on their end.
8. They have data protection protocols.
Lastly, MSPs with data protection protocols are better for businesses with CMMC needs. They’ll already have the infrastructure to protect information in accordance with applicable regulations and standards.
This includes data encryption at rest and in transit and adherence to privacy laws and regulations.
Ready to Find the Right MSP to Help with CMMC Compliance?
When choosing a CMMC-compliant provider, you're not just ticking a box for compliance; you're ensuring that your business navigates the cybersecurity landscape with the utmost confidence and security.
At ITS, we believe in proactive cybersecurity – and CMMC preparation is part of that. Partnering with a compliant MSP means investing in your business's future security and resilience, keeping your data safe.
So, are you ready to step up your cybersecurity game with a CMMC-compliant MSP? Let us help you take that leap. Discover how our services can offer you more than just compliance but also peace of mind. Contact us to explore our IT solutions and start securing a safer future for your business today.