The Department of Defense (DoD) has indicated that CMMC 2.0 requirements will begin to appear in contracts in Spring 2023. If you already work with the DoD, or want to compete for DoD contracts, you will need to become CMMC compliant in order to bid. For businesses that outsource some or all of their IT services, this also means looking for a Managed Service Provider (MSP) that supports both your effort to get compliant and your effort to stay compliant. Not all MSPs are created equal, and it is important to choose carefully as you plan your road to compliance.
While the general MSP market has "gotten the memo" that there is a market opportunity in CMMC, very few providers have the experience and expertise to truly support most contractors' needs. Be wary of "get compliant quick" promises; many of the organizations making them are failing to deliver. So how do you choose the right one? The following are some things to look for and questions to ask:
Do They Understand the Requirements?
CMMC is based on NIST 800-171, but there is more to it than just that. DFARS clause 252.204-7012 (commonly shortened to DFARS 7012) and other regulations, such as ITAR, also influence technology decisions and strategies. Experienced providers will understand all of your requirements, not just the NIST control set.
Can They Support GovCloud?
Depending on your contracts and the data you hold, you may require versions of the cloud that are designed for government data. Microsoft, CrowdStrike, Salesforce, and many other providers operate dedicated cloud environments intended to meet government requirements. Make sure your provider can both sell (transact) and support the version of the cloud you need.
What is their Shared Responsibility Matrix?
Assessors for CMMC 2.0 Level 2 will need to understand which practices you perform yourself and which ones "flow down" to your IT vendors. A Shared Responsibility Matrix (SRM) documents, control by control, what the MSP is responsible for and what remains your company's responsibility. An MSP should already have this matrix; if they don't, you should be wary of their commitment to the market.
What is their previous experience – and do they have references?
As everyone waits for CMMC assessments to officially open, no MSP can truthfully say, "We've done this before." However, some MSPs are more experienced than others at similar processes. The first thing to ask is whether the MSP has gone through a DIBCAC assessment with a partner or customer. The DIBCAC is performing these assessments as part of the process to authorize CMMC C3PAOs, so participating in one is the closest available equivalent to a real CMMC assessment.
Fewer than 20 C3PAO candidate companies have passed a DIBCAC assessment, so the list of companies, MSPs among them, that have made the grade is very short. If DIBCAC experience is not available, experience with other certifications such as ISO 27001 is a must.
What about cyber insurance?
All MSPs are prime targets for cybercriminals, because compromising one provider yields access to many clients; any good MSP knows this and carries an appropriate level of cyber insurance. Make sure your MSP is covered and, most importantly, make sure YOU are covered. Your organization must carry its own cyber insurance as well: if an MSP is compromised, its insurance funds will be stretched across all of its clients, not just you.
Are the MSP’s employees U.S. Persons located inside the United States?
Many contracts include access to "CUI Specified." This is CUI that carries handling controls in addition to those required for CUI Basic. Many times, this also means there is a "data sovereignty" requirement. Data sovereignty means that the data must reside in the U.S. and may only be accessed by U.S. Persons. Anyone with access to CUI Specified should be a U.S. Person located inside the United States; that means everyone on the team, from the executives to the help desk employees. Look for an MSP that is aware of this requirement and offers it, with background checks and validation of U.S. Person status (citizenship or lawful permanent residency, which is what the U.S. Person definition covers).
How We Stack Up
C3 Integrated Solutions is one of the original providers of Microsoft 365 GCC High to small and medium-sized companies, which means we have had a five-year head start on working with companies to implement NIST 800-171 controls. We have held CMMC RPO certification for two years and have worked with more than 150 DIB clients to support their preparations for CMMC.
As an MSP, C3 acknowledges and accepts flow-downs based on the level of services purchased. In many cases, our services can reasonably be considered "in scope" or "in-boundary." As such, we strongly agree that MSPs need to be CMMC Level 2 accredited, and we plan to pursue that accreditation as soon as the market can support it. For fully managed clients, we expect to lead the CMMC assessment to the greatest extent possible.
About C3 Integrated Solutions
C3 Integrated Solutions has industry-leading experience implementing GCC High, working with the DIB on NIST 800-171 compliance, and preparing for CMMC assessments. We recently participated in a DIBCAC assessment with a key partner, validating our approach to CMMC compliance. Our team is committed to, and experienced in, helping companies GET compliant and STAY compliant, and we can help you do the same. Contact us at email@example.com to get the conversation started.
Bill Wootton is the Founder and President of C3 Integrated Solutions, a full-service IT provider based in Arlington, VA, that specializes in securing our nation's Defense Industrial Base through cloud-based solutions and industry-leading partners. Bill is passionate about bringing cyber-awareness and cyber-maturity to the nation's Defense Industrial Base, working with clients to help them achieve CMMC and NIST 800-171 compliance by providing MSP, security, and Office 365 integration services.