The CMMC-AB has made it clear that Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) are required to become CMMC certified if they handle their defense customers’ CUI. However, what does this mean for service providers going forward? Should all MSPs/MSSPs get certified at Level 3 or above?
We recently had the opportunity to speak with Jeremy Conway and Cliff Neve of MAD Security on these very topics and more. MAD Security is an MSSP that enables defense contractors to lower risks, increase security posture, and prepare for compliance with CMMC and DFARS through technical and advisory cybersecurity services. The following conversation has been edited for clarity and brevity.
PreVeil: Before we talk about MSPs and MSSPs becoming compliant, I want to get your take on what you are seeing out there in terms of defense contractors and their CMMC journey. How are your customers seeing DFARS and CMMC?
MAD Security: DFARS has been a requirement for all contractors processing controlled unclassified information (CUI) since 2017. But that doesn’t mean they follow it or understand it. So we’re running into a lot of cases where folks are forgetting they already have to self-certify and meet DFARS to meet DoD contractual requirements. That means we are doing a lot of education on the tail end.
CMMC has become the shiny object, and organizations processing CUI need to be cognizant that they continue to need to comply with DFARS.
We are seeing a separation in defense contractors. There are early adopters who think of CMMC as a differentiator. They are leaning in to get all their items in place and working off their POAMs to remediate findings associated with their projected CMMC level.
The second group – the majority we run into – are just getting educated. We tell them it behooves them in terms of cost savings and ROI to get moving on the process.
And then there is a third group – and that’s a smaller group – who are doing nothing until someone forces them to do it. In some cases, they aren’t even looking at what is required, while in other cases they have a POA&M but aren’t working those items to completion. They hope POAMs will let them maintain DFARS compliance or want to just put this off until the very last minute.
PreVeil: Do you think CMMC will do the job in a way that DFARS has not been able to?
MAD Security: Absolutely, in no small part because it will require the scrutiny of third-party certification as opposed to self-assessment. We’ve seen some really bad self-assessments that simply aren’t going to fly when the organization is evaluated by a third-party cybersecurity practitioner.
The concept being projected by CMMC is not new. An analogous concept came out about ten years ago in the form of the Capability Maturity Model Integration (CMMI), which did something similar for the Department of Defense to what CMMC is looking to do, but was focused on software maturity. CMMI has 5 levels of maturity, and leverages control sets and requirements corresponding to each level designed to ensure secure and stable code.
Level 3 was the sweet spot with CMMI to be able to write code for the government – just like Level 3 will be for CMMC for processing CUI.
CMMI has been tremendously effective at limiting bugs and maturing code for the government. Functional testing had to be part of the process with CMMI. Testing got really formalized and upped the game for all companies delivering code to the government. We believe CMMC will be equally as effective.
PreVeil: Now, what does it mean for MSPs and MSSPs? How will CMMC compliance impact them?
MAD Security: The biggest determining factor is if the MSP or MSSP processes and/or stores unencrypted CUI. If so, then the contractor or subcontractor using their services needs to ensure that the MSP or MSSP, as part of the flow, meets the requirements of the DoD contract.
If they don’t have access to CUI, everything we have seen to date points to the fact that MSPs and MSSPs don’t need to become CMMC certified themselves. They need to make sure the services they are providing customers meet the standards of controls the customers must meet. Regardless, CMMC does mean that MSPs and MSSPs need to become smarter about how they are handling CMMC.
That said, I do think CMMC compliance by MSPs is a litmus test of how seriously they are taking compliance. We see it as something like…how would you build a house? Well, you would call in an expert house builder. Similarly, if you need to become CMMC compliant, you’ll probably want someone working with you who is already compliant, so they are aware of the steps and challenges that are in place.
Most companies are going to need an expert to step them through the process.
PreVeil: How can MSPs manage DIB clients and not get their hands on the CUI?
MAD Security: Let’s understand what is required of CUI. CUI must be labeled, identified, and understood. Most DIB companies are going to get smarter and distribute data outward in order to shrink the attack surface and the compliance surface. They will probably look to put the data in a protected/controlled environment and limit access. Securing an entire enterprise environment at CMMC Level 3, for instance, won’t normally be required or feasible.
If an MSP or MSSP did handle CUI, it would need to be written into the contract and that MSP or MSSP would need to be certified to the appropriate level. But on daily operations such as managing firewalls and looking for incidents – that’s not exactly CUI, it is just log data and events occurring in the environment. This is why having an MSP or MSSP that works with DIB clients and is intimately familiar with CMMC and CUI is so important.
PreVeil: Imagine you have a DFARS incident and CUI was exposed. Wouldn’t the defense contractor – your client – want you to look deeper into the event? Telling them there’s an incident wouldn’t be enough, I would think.
MAD Security: Just because you have an incident doesn’t mean there’s CUI data that the MSSP sees or has access to. It could be as simple as being able to see that data left the system. If it’s just logs about the system, such as netflows stating the connection metrics we used to deduce the issue, well, that is not CUI. If the data being transferred is and stays encrypted, the MSSP will never see the CUI data.
Many of the defense contractors we work with do not know what is and isn’t CUI, as it isn’t well defined in their contract; in many cases even the contracting officer has a difficult time specifying what CUI is and is not. We have found that a proactive approach by the contractor can really be beneficial: by reviewing the data being handled, the contractor, with some guidance, can deduce what they believe is CUI.
We recommend the contractor document this data and then clarify with the contracting officer that it is in fact CUI. Once that is agreed upon then a pragmatic approach using the CMMC practices and/or the DFARS controls can be implemented to minimize the exposure of this data even to the MSSP or MSP.
PreVeil: But inevitably, there’s going to be a demand for tighter control of CUI. How’s that going to play out in CMMC? What will DIB companies do to better manage their CUI?
MAD Security: First, some DIBs aren’t going to be able to afford to become CMMC Level 3, and that’s ok. For some DIB companies, Level 3 is going to be a huge challenge and they will choose not to continue to do business with the Department of Defense. A natural fallout of that is that CUI will be exposed less. The remaining companies are going to find ways to shrink the surface area that contains CUI. As it stands now, companies handling CUI are not paying particular attention to where that CUI goes. Moving forward with CMMC, companies will have to identify not only the CUI, but the CUI flow.
Some companies will provide protections so that data is confined to what is tantamount to one locked room where very specified controls and limitations are applied. Access to CUI and physical spaces housing CUI will become far more limited. Compartmentalization will be the order of the day because many organizations don’t have resources to protect CUI broadly across the entire company.
In essence, we see a strategy unfolding where contractors will handle CUI in a separate enclave or network. This enclave will become confined to one or two office buildings and only the required few will have access to it. The surface area will shrink and that’s probably the best outcome of this entire process for DoD and national security.
The second thing that will force tighter control is that those who handle CUI will know someone is looking over their shoulder and will be validating that they are handling CUI correctly. We know that compliance and regulations by themselves won’t make an organization secure, but we also know that if cyber is not regulated, it likely won’t happen. Many organizations don’t see cybersecurity as a strategic investment as much as they see it as a necessary cost that should be minimized to do business.
This is the problem with DFARS. It’s in place but few companies are taking it seriously because no one is verifying and these companies know it.
PreVeil: Do you anticipate MAD Security becoming CMMC compliant?
MAD Security: While we currently have no requirements on any of our current contracts to be Level 3, we are committing to our customers that we meet the Level 3 controls. We already have multiple contracts with DoD contractors that require us to ensure that our services meet clients’ Level 3 control and practice areas.
We definitely won’t and don’t stop there. We are able to achieve many of the requirements of Level 4 and 5 today, which are practice-based. Our security operations center is already extremely mature. Many Level 4 and 5 controls are already being met by our security operations center – such as anomaly detection, incident response, playbooks, and change management.
We are in the process of becoming a Registered Provider Organization (RPO) through the CMMC-AB. We are going through the background checks that are required and expect to be approved among the first groups reviewed by the CMMC-AB. Our consultants have already registered for training to become certified and should be among the first groups processed by the CMMC-AB. The next step after this would be to become C3PAOs per the CMMC-AB published process. We are moving as fast as the CMMC-AB can publish and process these applications.
PreVeil: Switching gears, do you see that MSPs and MSSPs will need to focus on achieving L4 or L5 compliance in order to stay ahead?
MAD Security: Managed service providers are typically very mature by their nature with processes and security. That being said, getting to Level 4 or 5 should not be hard for them.
For example, our security operations center has been running for several years now with very well documented processes and practices. It is a requirement for us to be efficient and consistent, and we must prove our maturity through documentation to demonstrate that we can provide a high level of security for our clients.
It is achievable for our DIB clients to get to CMMC L4 or L5. Rather than do a “check the box” approach, if they integrate with us as an MSSP they will get a customized playbook and map policies and procedures to the requirements and practices. They can take advantage of practices we have matured with time and focus, such as anomaly detection, incident response, and threat intelligence to achieve these higher levels through integration.
Building that level of maturity from scratch is tough. It took us many years to build our SOC, so when people talk about building mature processes in six months it seems more than most can pull off and do correctly.
It won’t be difficult for us to help DIB companies to get to Level 4 or 5, but we don’t believe that many will want to do that unless required. Will they see it as a differentiator? That’s going to be for individual companies to figure out.
PreVeil: What up front work should a DIB company do before hiring an MSP or MSSP?
MAD Security: Some MSSPs are focused on the defense industry, some are focused on the financial vertical, and some on healthcare. If we were a defense contractor and faced with CMMC compliance and looking for an MSP or MSSP, then we would ask questions like:
PreVeil: How should companies prepare on their end to work with an MSP or MSSP to get ready for CMMC?
MAD Security: The DIB customer needs to understand what level they will require and where they are currently. They should communicate their CMMC requirements to their MSP and MSSP to make sure that those requirements are fully understood. A gap assessment should be conducted to identify any gaps, and a Plan of Action and Milestones should be developed as the foundation of a roadmap. Then, the organization should work with the MSP and MSSP to implement that roadmap with action, putting timelines, resources, milestones, and checks on it.
And then there is continuous consulting and compliance management over time. So, we at MAD Security continuously work with them over a 3-year time span. We have a minimum relationship requirement of 1 year, but optimally we work with a company over 3 years. We have found that our long-term relationships benefit not only MAD Security’s ability to deliver a mature service, but our clients’ ability to rest assured that security is being handled while they focus on doing what they do best.
The CMMC-AB has stated that if you are going to need CMMC L3 compliance, give yourself at least 6 months. Our experience shows that six months is a bit of a fire drill and can be a very costly one at that. A 12-month plan is much better. That keeps everyone at a steady pace rather than at a sprint, and gives the opportunity to show maturity while keeping an eye on costs and resources.
PreVeil: Well, thank you, MAD Security. We really appreciate your taking the time to talk to us.