Many defense contractors outsource their IT to a Managed Service Provider (MSP), who generally deliver the IT required and allows a business to focus on their core competency. IT managed services through MSP’s have been around for a long time now and rarely include service or commitments to meet compliance requirements like the Cybersecurity Maturity Model Certification (CMMC). It has only been in the last several years that MSPs have moved into the cybersecurity space to expand on their IT service offerings. At best, the MSP market for defense contractors offers IT and cybersecurity in one provider but completely ignores CMMC compliance requirements. This is a big problem, and Department of Defense (DOD) contractors, as their future revenue opportunities are dependent upon achieving compliance.
Most MSP’s are brand new to CMMC but unfortunately for their customers’ asset management, patching, and media sanitization stand in the way of CMMC compliance and DOD revenue opportunities. Defense contractors who have an MSP, or are looking at an MSP, are putting their revenue opportunities in the hands of a third party. It is time to rethink your MSP relationship and possibly start searching for alternatives.
The Role of IT in achieving CMMC
Much of the thinking to date around MSP’s and CMMC gets into nuanced legal issues around the MSP’s access to Controlled Unclassified Information (CUI). Still, the real problem is much more fundamental and easy to understand. Your MSP is responsible for many of the requirements tied to your eventual CMMC objective. If your MSP is not delivering their services in a way that produces evidence of compliance with CMMC you won’t achieve certification; it is truly that simple. Many of the requirements of CMMC fall into the information technology category when it comes to delivering them on a day-to-day basis. All of the attention so far has been focused on the cybersecurity requirements of CMMC. Still, as anybody in an operational role knows, much of CMMC falls to the IT delivery organization. If your IT delivery organization is an MSP, are you comfortable trusting them with your future revenue opportunities? Will they learn about the CMMC on your dime? Do they even mention CMMC services on their current website?
You need an MSP that can marry the delivery of IT, cybersecurity, and governance in one comprehensive, measurable package to ensure compliance. CMMC stands in the way of all future revenue opportunities with the DOD; it is too important to be an add-on to your existing MSP services.
A potentially worse scenario is having one vendor do your IT services delivery as an MSP, and another vendor responsible for cybersecurity as your MSSP, with you, stuck in the middle playing referee. There is no way around it; achieving CMMC is difficult, costs money, and requires the coordination of IT, cybersecurity, and governance activities. Most small to medium businesses don’t have the resources to coordinate or even know how to evaluate vendor claims around CMMC. Asking an MSP to unpack the nuances and complexities of NIST 800-171, SPRS submission, and CMMC is generally a bridge too far for any MSP that wasn’t created exclusively to service the defense industrial base and their unique regulatory requirements.
So, what should small and mid-sized defense contractors do?
At our upcoming webinar, we will talk about bringing order to the chaos of achieving NIST 800-171 and CMMC compliance. We discuss strategies through the lens of working with an MSP because few are equipped to meet all NIST 800-171 and CMMC requirements on their own. We will detail solutions to key pain points felt by defense contractors contractually obligated to meet DOD requirements giving you insights into implementing these solutions with internal resources or through your MSP.
No matter where you are on your path to compliance – calculating your assessment scores, navigating SPRS, implementing the controls, or shopping for an MSP – this webinar will accelerate your journey. Register Now.