November 12, 2024
How does your MSP/MSSP fit into your CMMC scope?
This has been one of the hottest topics since the proposed rule was published nearly a year ago, and with the final rule last month, we finally got some clarity (and a bit of relief). Notice I said "some" clarity because frankly it's a very complicated subject. I'll try to tackle the broad outlines in this edition. I start with an Executive Summary to raise general awareness, followed by Definitions and Discussion for those who want to dig a bit deeper. (The CMMC custom term definitions are copied from the final rule and the L2 scoping guide.)
Executive Summary
Your MSP/MSSP is in your scope at some level. The devil is in the details. If you use an outside party, whether it's an IT vendor, shared resources from a parent company or any other third-party service provider, to manage some portion of your IT/security infrastructure, that organization is in your CMMC scope at some level.
If this is the case for your organization, you need to be talking to those third parties now about how they currently fit into your scope, whether/how they could be removed from (or minimized in) your CMMC Scope, and what steps need to be taken to include them in your CMMC assessment preparation plans.
Note: I'm currently addressing only MSPs that do not qualify as a Cloud Service Provider (CSP) and which do not process, store or transmit CUI on your behalf. Those will be covered in a future edition.
Definitions
Managed Service Provider (MSP): Commonly referred to as "my IT vendor," MSPs provide a range of services to maintain your IT infrastructure. Exactly which services your MSP provides, and how, is critical to defining your CMMC scope.
Managed Security Service Provider (MSSP): An MSP that provides only security services (e.g., SOC/SIEM, managed firewall, vulnerability management) for your IT infrastructure, not routine IT services like installing PCs or configuring printers.
Organization Seeking Assessment (OSA): That's you! A contractor also seeking an official L2 or L3 third-party certification assessment is an Organization Seeking Certification (OSC).
Security Protection Assets (SPA): Assets providing security functions or capabilities for the OSA’s CMMC Assessment Scope. [This is a CMMC custom term.]
Security Protection Data (SPD): Data stored or processed by SPA that are used to protect an OSA's assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. [This is a CMMC custom term.]
External Service Provider (ESP): External people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (emphasis added) [This is a CMMC custom term that includes MSPs, MSSPs and others.]
ESPs can be part of the same corporate/organizational structure but still be external to the OSA, such as a centralized SOC or NOC that supports multiple business units. For example, in the case of an OSA participating in shared IT/security resources with parent/sibling companies, the assets (people, facilities, technologies) providing those services could be considered an ESP.
Discussion
The first, most important question you have to ask is this:
Is my MSP an ESP?
Whether your MSP qualifies as an ESP will have a huge impact on how it fits into your CMMC scope.
So, your MSP is an ESP only if (1) it provisions or manages IT and/or cybersecurity services on your behalf and (2) SPD is processed, stored or transmitted on its assets. Remember, SPD includes (but is not limited to):
- configuration data required to operate an SPA
- log files generated by or ingested by an SPA
- data related to the configuration or vulnerability status of in-scope assets
- passwords that grant access to the in-scope environment
If you aren't sure, ask your MSP whether any of your SPD is processed, stored or transmitted on its assets (as opposed to only your own assets). If the answer is "yes," then "The services provided by the ESP are in the OSA’s assessment scope and shall be assessed as Security Protection Assets."
Does your MSP have to have its own L2 cert before you can get assessed? No, thankfully, that is one of the requirements in the proposed rule that was walked back. Will it help if your MSP has its own L2 cert before you are assessed? Yes, absolutely! Your assessment will be faster, easier and less expensive if your MSP has an L2 cert.
If you are an MSP reading this, ask yourself: How many clients do we have that will need L2 where we qualify as an ESP? How many hours will we spend sitting through assessments as part of those clients' scope? How much time, effort and expense could we save by obtaining our own L2 cert that our clients can inherit for our part of their scope? How feasible is it to get our clients' SPD off our assets, thus avoiding ESP status, yet continue to provide managed services for them?
If your MSP is not an ESP, it is still in your scope (via 3.1.3 and 3.1.20 in particular), but the compliance burden will be lessened. Again, it depends on exactly which services your MSP provides and how they are delivered. Do they have remote access to your network? How does that happen? Do they manage your firewall or on-premises SIEM? It is possible that some portion of your MSP's assets (including people and facilities, not just technology) is in your scope and requires full 800-171 implementation, even if your MSP is not an ESP. There is no hard formula for this. Every combination of MSP + OSA is unique.
Takeaway: if you use an MSP and/or MSSP, now is the time to have a serious conversation with them about your scope and their compliance requirements.
If you need help, I'm here! Email, call, or schedule a time to chat.
How old is your SPRS self-assessment score? Might want to review this.
Sincerely,
Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107