FAQs about MSPs & CMMC

October 7, 2021 Sophia Palmira

In this fourth installment, we break down MSPs in relation to CMMC assessments.

Today, most companies rely on some form of third-party assistance, whether from a Cloud Service Provider (CSP) or a Managed Service Provider (MSP).

Outsourcing IT or cybersecurity services to a third-party provider can give a company access to capabilities it could not afford to build and staff on premises, often at lower overall cost. For Organizations Seeking Certification (OSCs), outsourcing to an MSP can therefore provide significant cost savings. In this installment of CMMC-Spin, we cover MSP requirements with respect to CMMC.

Recently we have been receiving questions about MSPs and CMMC compliance. In this newsletter, we provide some basic answers to those questions. However, we strongly recommend that you consult cybersecurity professionals as you continue preparing for a CMMC assessment. We cannot cover every aspect of MSP compliance in a newsletter; each organization is different and has its own nuances with respect to its third-party providers.

Q: What Are the Benefits of Using an MSP?

A: MSPs come in different flavors and sizes. The OSC will need to determine what is required of its current MSP, or of any future MSP, with respect to meeting the CMMC requirements that protect Controlled Unclassified Information (CUI). OSCs may outsource to an MSP that provides one or a combination of:

  • IT infrastructure
  • Endpoint provisioning and management
  • Policies and procedures
  • Security Operations Center (SOC) and Security Information and Event Management (SIEM)
  • Vulnerability management
  • Audit log reviews
  • Incident response

While the OSC can benefit from cost savings, outsourcing shifts part of the operational risk to the MSP, not the accountability for protecting CUI. The MSP therefore has responsibilities to meet CMMC requirements for the services it delivers, and both the MSP and the OSC must be able to demonstrate that CUI is adequately protected within each party's scope.

Q: What Level of Certification Does an MSP Require for CMMC?

A: The services listed above map to security domains within the CMMC framework, and any of them that touch CUI are part of the OSC's assessment for CMMC Level 3 certification. This includes every requirement in scope, whether it is a policy, process, procedure, or technical implementation of a CMMC practice.

A shared responsibility matrix between the MSP and the OSC should clearly document which party owns each requirement, or which portion of it. We cannot overstate the importance of this matrix: it is what an assessor will use to trace each practice to the party responsible for it.

Q: Is an MSP a Part of the CMMC Assessment Process?

A: Yes, when the MSP's services fall within the scope of the OSC's CMMC assessment and the OSC relies on those services. The OSC inherits the practices that the MSP implements on its behalf to protect CUI, and it must still document and be able to demonstrate that those practices are in place. In other words, the OSC cannot simply state that "they are good, so we are good, too".

Once again, depending on the shared responsibility agreement, the MSP may require a CMMC Level 3 certification in its own right, or it may provide inherited practices that are assessed as part of the OSC's certification.

We recommend engaging experts in federal, DoD, and CMMC requirements to help you navigate the path to preparing for CMMC.

How Can Redspin Help

If you have questions on any related aspect of CMMC compliance, or if you would like a more detailed conversation with a CMMC assessor about third-party providers, readiness, documentation, or training, schedule a call with us.


Additional CMMC resources can be found on our website.

The Redspin Team

© Copyright 2021 Redspin - A Division of CynergisTek
