What Should You Ask Your MSP About CMMC Compliance?
If you’re a business working within the defense industrial base (DIB) then you are required to comply with CMMC, the cybersecurity maturity model certification. CMMC is on it’s second iteration and consists of 3 levels: Foundational, Advanced, and Expert. The level at which your organization must comply revolves around what controlled unclassified information, or CUI, your business has access to or creates as part of your contract. As cyber attacks continue to evolved and grow in volume, it is increasingly important for companies to take security seriously and for SMB’s this could be a tall order.
Do You Need an MSP?
Many small-medium sized businesses enlist the help of a managed service provider (MSP) to maintain and secure their IT systems and infrastructure. An MSP can help shoulder some of the IT burden and stain that a small IT staff may not be able to handle. A managed service provider can also help businesses with their CMMC compliance by implementing the controls and practices plus giving them the tools necessary to become compliant. With the reduced financial strain and greater amount of resources, enlisting an MSP to help you maintain CMMC compliance may be a great idea for your business! However, if you already have an MSP or are looking for one, there are a few questions you should ask up front.
Is Your MSP Compliant With CMMC, NIST 800-171, and DFARS?
This may seem like a given, but before you hire an MSP it’s important to know that they themselves are CMMC compliant. If your an MSP in charge of protecting, storing, and transmitting your CUI then they are in scope for CMMC regulations. An important aspect of security is making sure everyone within your supply chain is secure, and the ones handling your most important data should be the strongest. Your MSP should also have implemented the necessary NIST 800-171 controls and are compliant with DFARS regulations. CMMC is built off of the NIST framework and the controls outlined in that document are what your CMMC compliance is based on.
Does Your MSP Have The Experience?
Your managed service provider should have the experience necessary to implement and maintain the controls necessary to become CMMC compliant. Your MSP is there to ensure that, come audit time, your security posture reflects the necessary compliance standard. If the MSP you are looking at or already have hired doesn’t seem to understand or know how to maintain compliance, it’s time to look in a different direction.
Does Your MSP Employ U.S. Workers?
While not the most obvious question to ask, it is still an important one to bring up. If your business is exporting ITAR or EAR data then your MSP is required to hired U.S. persons to handle and protect that data. This includes the MSP, their cloud providers, and vendors they use. If they do hire foreign persons you should ask how the MSP intends to limit who handles your CUI and to what capacity they have access to your organization.
The More Questions The Better
At the end of the day, these questions aren’t exhaustive of what you should expect out of your MSP. If you handle CUI and need to become CMMC compliant, a qualified MSP may be your best bet to get compliant on time and within budget. The more technical questions you ask your potential service provider the better. Asking them what tools and resources they offer, how they intend to secure your CUI, and how in scope they are can give you a better understanding of if they are the right fit for you.
If you believe your organization falls within scope of CMMC, contact CorpInfoTech to see how we can help you become and stay compliant. We are familiar and compliant with all of the applicable frameworks needed to make sure you can accurately protect the data you’re entrusted with!
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.
This website is for informational and educational purposes only and does not render professional advice nor is it a substitute for dedicated professional guidance from a competent and duly accredited cybersecurity professional specific to your needs and implementation. There is no endorsement of any kind for products or services listed on this website; it is entirely the readers responsibility to conduct appropriate due diligence and due care in selecting and engaging with any product or service.
Comments are closed