By Scott M. McAuliffe, CPA, CISA, CFE, Partner, Risk Advisory Services
What Managed Service Providers Need to Know for CMMC Compliance
The Department of Defense (DoD) and Cyber AB have indicated at recent webinars that if a Managed Service Provider (MSP) is involved in processing, transmitting, or storing CUI for an Organization Seeking Certification (OSC), the OSC will be required to provide the CMMC Third-Party Assessment Organization (C3PAO) with a body of evidence from the MSP to support its compliance with Federal Risk and Authorization Management Program (FedRAMP) Moderate equivalency requirement as part of its CMMC Level 2 Certification assessment process.
Department of Defense Guidance
The DoD has issued a Frequently Asked Questions (FAQs) document that addresses questions relating to the Safeguarding of Covered Defense Information and Cyber Incident Reporting. Moreover, the DoD has recently cited FAQ115 within the FAQs document as the answer to the body of evidence requirements for cloud service providers. FAQ115 provides examples of items that could be included in a body of evidence which includes an MSP’s system security plan (SSP) that describes the system environment, system responsibilities, and the current status of the Moderate baseline controls required for the system, and a Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) that summarizes how each control is met and which party is responsible for maintaining that control.
In addition to the DoD’s guidance, the Cyber AB recently released a pre-decisional draft of the CMMC Assessment Process (CAP) document that C3PAOs will use when performing CMMC Level 2 Assessments. The CAP provides specific details for determining whether the External Cloud Service Provider meets the FedRAMP moderate equivalency requirement. The CAP states that the C3PAO Assessment Team shall examine whether the OSC has met the following two criteria: 1) the OSC or the External Cloud Service Provider has provided a body of evidence documenting how the External Cloud Service Provider’s security controls are equivalent to those provided by the FedRAMP Moderate baseline standard; and 2) said body of evidence has been attested to by an independent, credible, professional source.
MSP and OSC Impact
For anyone familiar with CMMC, the development of an SSP, CIS/CRM, and having an independent attestation can be a huge undertaking. Not only for the time and resources to prepare the documents and supporting evidence but also the time and resources needed to correct any gaps. This is unwelcome news to most MSPs.
For MSPs that want to work with DoD contractors, it looks like there will be many important strategic decisions that will need to be made in the next few months. For MSPs that serve a limited number of DoD contractors, they will need to determine if the revenues generated from these companies exceeds the costs of compliance with CMMC. Or alternatively, identify solutions so that the MSP does not process, transmit, or store CUI.
OSCs also have important decisions to make. They need to determine if their MSPs have a body of evidence to support FedRAMP Moderate equivalency. If their MSP has not begun that process, an OSC needs to determine if it makes sense to change to a provider that has already gone through the process and not risk failing their CMMC Level 2 Assessment.
Although the CMMC rules are still being finalized, thankfully there is more clarity on the impact to MSPs and the decisions that MSPs and OSCs need to start making.
About the Author
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.