Compliance

How to Offboard Your Managed Services Provider

/ Compliance, Managed Services, NIST 800-171, Vendor Security Management / By

For any of a variety of reasons including lack of communication, slow response times, or prolonged downtime, your organization has decided to change your managed service provider (MSP). Whether you have already signed an agreement with a new MSP or you are actively looking for a replacement, now is the time to take important steps to ensure that the transition to your new provider is a smooth one.

Tips on Getting Offboarding Started

  • Maintain communication – In terms of your outgoing MSP, one adage rings true–don’t burn bridges. The company you are letting go is a key to your success moving forward. Severing all ties prematurely could leave your company stranded, unsupportable, and looking at a larger bill to recover data, admin credentials, and backups, as well as negatively impact your overall business.
  • Transfer knowledge – While CyberSheath or another onboarding MSP has no authority to require the outbound MSP supply the needed information to manage the infrastructure effectively, performing knowledge transfer with your outgoing MSP can assist with all entities involved working as a team.
  • Include key details in release letter – Note that it is essential to have these expectations listed in your release letter. It is also a great idea to have the leaving MSP sign off and agree to participate in this process. Without these items, your new MSP will have the daunting task of figuring out your infrastructure and credentials.
  • Don’t delete a Global Admin account – Have you ever not had the global admin account for your domain controller or active directory? You will not do much without it. Deleting one of these accounts could have down-stream effects on your infrastructure and access that could require significant recovery efforts, which means considerable expense.
  • Ensure outgoing MSP participation in process – It is also a great idea to have the leaving MSP signoff and agree to participate in the offboarding process. Without this input, your incoming MSP will have a daunting task of figuring out your infrastructure and credentials, which not an easy task without certain information.

Key Information to Document

Remember that the outgoing service provider was a partner in your network and infrastructure, and therefore possesses information that is vital in supporting the success of your new service provider.

Below is an initial list of important information to record as you prepare to offboard your exiting MSP. Keep in mind that your company may have unique situations requiring additional information be turned over.

  1. All admin credentials for all in-scope devices used in the course of business. These include but not limited to servers, routers, firewalls, storage devices, and applications used by your company. It is a good idea to maintain a list of these even if you are not transitioning to a new MSP. MSPs often create accounts for themselves within your infrastructure. These are now keys to your environment, so it is a good practice to keep a list of who has access.
  2. All intellectual property (IP) needed to maintain current business practices and processes. MSPs often acquire a lot of knowledge about your company in their day-to-day operations of supporting your company. While it may be impractical to truly download everything your outgoing MSP knows about your company, it is a good idea to have a non-disclosure agreement (NDA) in place to ensure that information stays confidential.
  3. Complete list of all assets currently managed. This will help your new MSP understand your environment.
  4. Network topology diagram to include current IP mappings and ports used for day-to-day operations. CyberSheath recommends that you review this diagram on a quarterly basis or as you change components within your infrastructure. For example, if you moved on-premise servers to the cloud, be sure to ask for an updated diagram.
  5. Knowledge base information specific to or used in the support of your company’s infrastructure. The importance of this cannot be overstated. All companies have IT skeletons in their closets. Moving to a new MSP and not helping them with understanding the unexpected, sets the stage for failure.
  6. Backup schedules and access to the location where backup data is stored. Also be sure to have access to credentials to retrieve those backups and applications used to perform these tasks, as well as the most recent full backup.
  7. Licenses schedule and account information associated with those licenses so that the licenses can be transferred to your onboarding MSP. Companies should always document and maintain this information. You cannot renew or transfer software licenses without a company’s account number and approval. It is also recommended to have a quarterly review of your licensing footprint as unused licenses incur unnoticed expenses.
  8. Technical Point of Contact (TPOC) that can be available for the dates of the transition (usually 30 to 60 days). It is important that the person in this role understands technical issues to ensure the onboarding company has access to the client’s IT dependencies.

If you are still searching for your new MSP, CyberSheath offers a unique managed service combining security and IT services, which bring our customers a complete, protected service solution. Our MSP offering is secure, contains no ransomware, and allows our customers to keep their data.

We keep our customers up and running. Learn more about our managed services to help you with CMMC compliance, DFARS/NIST 800-171 compliance, or managed IT for defense contractors.

Join our May 29th 12 pm ET webinar Mastering CUI Boundaries: A Comprehensive Guide to Scoping, SPRS Input and Audit Navigation.
Register Now
This is default text for notification bar
Learn more