Are You A MSP? Tired Of That Dumpster Fire Feeling?
We know it is a very sensitive topic for an extraordinary number of Managed Service Providers (MSP) and Managed Security Services Providers (MSSP) where they just cannot get CMMC right. The common issue appears to be motivational where many MSP/MSSP view CMMC as a "client problem" and fundamentally misunderstand that CMMC is a MSP/MSSP problem and like that rash cannot be ignored and isn't going away. While there is no magical, performance-enhancing pill for this kind of dysfunction, there are ways that you can become a rock star MSP / MSSP and satisfy your clients' CMMC needs!
The following information is specifically tailored for MSPs/MSSPs. Yes, we are going to make fun of you a bit, mainly for our childish entertainment but that is all part of the price of admission! [please note that it is all done from a place of love... well, mostly]
Harsh Reality #1 - your client took US taxpayer money to produce products and/or services as part of a prime or sub-contract. Your client contractually obligated itself to meet certain cybersecurity compliance obligations (e.g., DFARS clause). It might not be a pleasant discussion, but your client has to wear the big boy/girl pants and accept these are legal requirements with repercussions.
Harsh Reality #2 - you took money from your client to get them compliant with NIST SP 800-171 & CMMC, so you have an obligation to provide competent services and guidance for their IT and cybersecurity compliance needs. If you don't like it, then do not take on clients that have DFARS/FAR contract requirements.
Harsh Reality #3 - the False Claims Act (FCA) can affect both you and your client. If your client doesn't want to do what is required as part of a government contact, then they are running afoul of the FCA. As a MSP/MSSP, if your products and/or services "caused the submission of the false claim" then you are possibly running afoul of the FCA. These are very real implications, so take it seriously. Here is an excellent primer on the FCA.
Gain Perspective - Start Here With These CMMC-Specific Articles
To save us from reinventing the wheel, these two articles are well worth your time to read to establish some perspective, since they specifically deal with MSP/MSSP-related issues and CMMC:
"Is dumpster fire too strong a word to describe CMMC compliance concerns with many MSPs?"
"5 questions to ask when selecting the right MSP partner for CMMC"
How Not To Suck As A MSP/MSSP With CMMC:
Think through this section from this perspective, "How am I, as a MSP/MSSP, going to successfully support my client during pre-certification activities, during the assessment itself and the ongoing 'care and feeding' of their controls to keep them compliant?"
When the time comes for the third-party CMMC assessment, the reality is that as a MSP/MSSP, your client will want/need you to be a central figure in that assessment. This means that you need to be a subject matter expert on your client's business practices and how the technology supports it. If you shrug your shoulders and don't know, there is a good chance you and your client have improperly scoped the environment and overlooked something, so with the current 100% pass/fail criteria that can be bad news.
1. Read NIST SP 800-171, NIST SP 800-171A & The CMMC Assessment Guide
This should be a no brainer and it pains us to say this to other professionals, but for the love of God, just read the material. If not, stop right here and just fuck off, since you are merely masquerading as an IT/cyber professional - if you won't educate yourself on the requirements, it demonstrates that you are not salvageable and should do everyone a favor by just going out of business. Seriously - we are not bullshitting you on that one, since you have to read these documents if you really want to successfully support your clients with CMMC:
NIST SP 800-171A (notice the "a" - that document is specific to assessment criteria)
If your first thought when opening those documents is, "Wow! That is a lot of stuff. How in the world can I be expected to read through and understand this stuff?" you now understand what your clients are going through and can hopefully appreciate why they are paying you to help them with CMMC compliance in the first place. The reality is they are outsourcing the shitty, hard work to you and that is your paycheck, so you better be willing to do the work that your clients expect you to do. If not, you are in the wrong line of business and are just hurting the industry.
2. Approach CMMC From A "Data Centric" Perspective
CMMC is not HIPAA, SOX or GLBA. The closest analog is going to be privacy laws (e.g., Personally Identifiable Information (PII)) or PCI DSS, due to the focus of confidentiality and integrity controls for PII and Cardholder Data (CHD). As a MSP/MSSP, if you don't know what PII or CHD is, then you are fucked as a MSP and can stop reading.
If you want to get a good handle on scoping considerations and how to approach CMMC from a data-centric perspective, then read the Unified Scoping Guide.
3. Don't Fuck Over Your Clients With The Wrong Technology Solutions
Similar in concept to #2 (see above), CMMC is different than other compliance requirements. This means that the "normal" tools you offer as part of your toolkit of services might not work for CMMC. By "not work" that generally means that while the solution might be technically secure, it will not be compliant (e.g., encryption requirements, scope creep, etc.).
Beyond the common landmines of MFA and FIPS-validated cryptography, one of the biggest issues for MSP/MSSP is often around Remote Management & Monitoring (RMM) tools. Remember way back in #2 when we discussed scoping? Yeah, that will bite your ass in a big way with RMM and likely invalidate your clients' compliance efforts, since that RMM you love so much is in scope, which pulls your entire usage of the RMM into scope. Yeah.
Make a couple cups of coffee and read the CMMC Kill Chain since that will help paint the picture that there are certain fundamental building blocks for CMMC that need to be done earlier to avoid potentially reworking services or replacing technology. That is, unless you are one of those MSP / MSSP that just like to sell stuff that is a bad fit for your client and you really just don't care. That is a horrible business model, so we hope you are not one of those. If you are, you should be ashamed of yourself.
4. Welcome to CMMC! You Get To Play, Too!
You are NOT immune to CMMC. Since you have the "keys to the kingdom" for your clients' data, systems and network infrastructure, that means your services are going to be in scope for CMMC. Administrative practices such as a policy or standard stating "we would never abuse our access" doesn't cut it - while you need well-documented policies, standards and procedures (evidence of due diligence) you also need to be able to demonstrate how security is operationalized on a daily basis (evidence of due care) both internal to your organization and through the secure services that you provide to your clients.
If you are not capable of passing a CMMC Level 3 assessment, then it is highly-unlikely that your clients are either. They look to you to keep the wheels on the IT bus rolling, so you have to have secure operations and not just from a bullshit marketing perspective, but in real life. You've got to eat your own dog food here!
5. Avoid The "He Said / She Said" Drama - Update Your Contracts
You must, must, must document roles and responsibilities, specifically what your organization is contractually obligated to perform for CMMC-related activities. That is, unless you want to deal with irate clients who want to sue you for negligence or breach of contract (even though it technically isn't written down in a contract anywhere)? Your call there. At the end of the day, you need to be able to prove what both you and your client are obligated to perform within the scope of CMMC compliance activities, so there are no assumptions that you are on the hook for something your client needs to do. This includes defining your SLAs!
6. Create A CMMC Responsibility Matrix
It is called many things from "customer responsibility matrix" to "cloud inheritance matrix" to "MSP inheritance matrix" to blah, blah, blah. The underlying concept is the same where every one of the 382 controls that make up Level 3 CMMC requirements are assigned to either the client or your organization. Supporting concept #5, this should be part of a contract addendum, so that it is formally documented in a contract between you and your client.
Take this one seriously. This is going to be a document that a CMMC assessor is going to want to see, so it is better to create it now and have it accurately reflect the reality of your clients' CMMC roles & responsibilities for all the stakeholders involved.