In this blog, we break down MSPs in relation to the CMMC initiative.
Today, most companies rely on some form of third-party assistance, whether from a Cloud Service Provider (CSP) or a Managed Service Provider (MSP). An MSP is a third-party provider that specializes in managing and providing fundamental internal IT services to enhance your company’s daily productivity and financial goals.
Outsourcing IT or cybersecurity services to a third-party provider can provide quality services that a company cannot afford with an on-premises solution, and at a lower overall cost. Outsourcing to an MSP can provide significant cost savings for Organizations Seeking Certification (OSCs). In this blog, we cover MSP requirements with respect to supporting the efforts of the CMMC program.
Recently we have been receiving questions about MSPs and CMMC compliance. Below, we will provide some basic answers to your MSP questions with respect to CMMC. However, it is highly recommended you consult cybersecurity professionals to continue with your preparation for a CMMC assessment. Please note, we cannot cover all aspects of MSP compliance in a newsletter. Each organization is different and each organization has its own nuances with respect to its third-party providers.
Q: What Are the Benefits of Using an MSP?
A: MSPs come in different flavors and sizes. The OSC will need to determine what is required of their current MSP or of future MSPs with respect to meeting CMMC requirements to protect Controlled Unclassified Information (CUI). OSCs may outsource to an MSP that provides one or a combination of the following:
- IT infrastructure
- Endpoint provisioning and management
- Policies and procedures
- Security Operations Center (SOC) and Security Information and Event Management (SIEM)
- Vulnerability management
- Audit log reviews
- Incident response
While the OSC can benefit from cost savings, the OSC also transfers risk to the MSP. As such, the MSP has responsibilities to meet CMMC requirements. In any case, both the MSP and OSC must prove CUI is adequately protected from both parties.
Q: Is an MSP a Part of the CMMC Assessment Process?
A: Yes, if the services are part of the MSP's CMMC-authorized service and the OSC is using that service. The OSC would inherit any applicable services that the MSP is providing to the OSC to protect CUI. In other words, the OSC cannot simply state that “they are good, so we are good, too”.
Depending on the sharing agreements, the MSP may require a CMMC Level 3 certification in its own right or it may provide inherited services to the OSC.
We recommend contacting experts on federal, DoD, and CMMC requirements to help you navigate your path to preparing for CMMC.
How Redspin can help >>
If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, contact us.