As you work to better manage your company’s cybersecurity and continue on your path to meeting the requirements of NIST 800-171, chances are you have considered engaging with a managed service provider (MSP) to help you on your journey.
Be aware that every situation is unique and you may have some specific business requirements, but at a broad level, these are the minimum things you should look for in an MSP.
U.S. data sovereignty delivered by U.S. citizens
Look for an MSP that abides by U.S. data privacy regulations, best practices, and guidelines in how it stores intellectual property and customer information. Having services delivered exclusively by U.S.-based security/IT operations and maintenance personnel provides a further layer of protection.
Annual assessment of NIST 800-171/CMMC
Cybersecurity is a perishable capability. It’s important to work with an MSP that helps you reassess your company on an annual basis to understand where you stand with respect to compliance with the controls outlined in NIST 800-171/CMMC. Because your cybersecurity practices change over time, monitoring them is critical so that you can continue to address deficiencies as your organization matures.
Annual SPRS scoring and submittal
Your progress toward improving your cybersecurity should be visible. Once you have assessed your current security posture, your MSP should also work with you to log your score in SPRS each year. If you’ve made progress and closed gaps, you can take credit for getting more secure and therefore more compliant. When your business goes to bid on contracts, and the government looks to use SPRS cybersecurity scores as a discriminator, you are putting your business in a better competitive position.
Annual incident response tabletop
There are headlines about data breaches every day, with recent incidents affecting the U.S. Marshals, the FBI, and the healthcare provider for Congress. One way to minimize the damage of such breaches is to work with an MSP that annually conducts an organized exercise that tests your incident response. That way, when you have to respond to an actual breach, you already have escalation processes in place, including directives for your technical, legal, and communications teams.
One simple fixed price bill, inclusive of license and consumption
From a cost containment perspective, you want to make sure that you have a structure that provides you a firm fixed-price bill on a recurring basis. You should also know how the cost and capabilities of your MSP scale to meet changes in your business.