Last Updated on January 19, 2024
As CMMC 2.0 and NIST 800-171 compliance efforts gather steam, managed service providers (MSPs) and managed security service providers (MSSPs) in defense and other US government supply chains need to look carefully at whether/how they are storing, transmitting or processing controlled unclassified information (CUI) on behalf of clients.
If CUI enters the MSP environment or a client-side environment that the MSP controls or manages on their behalf, CUI protection requirements (e.g., CMMC 2.0 compliance) “flow down” to the MSP automatically per contract clauses like DFARS 7012.
To illuminate critical CUI compliance issues for MSPs/MSSPs, a recent episode of The Virtual CISO Podcast features Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Go with the flow(down)
If an MSP/MSSP is handling CUI in any capacity, the CUI protection requirements that their client is responsible for “flow down” to the third party automatically. But a CMMC auditor won’t directly check the MSP’s compliance during the client’s certification audit. Likewise, the client doesn’t have a legal requirement within CMMC or NIST 800-171 to ensure that their MSP has a CMMC certification or a perfect score in the DoD’s SPRS database.
Caleb explains: “If you’re [auditing] an OSC [Organization Seeking Certification] and they’re sending CUI to an MSP, do you then gather evidence and make sure that MSP has a CMMC Level 2 certification? Not during that assessment, you don’t. Because that’s really adding requirements, right? The OSC right now doesn’t have a legal obligation or requirement within the CMMC framework or NIST 800-171, which is what is being assessed, to ensure that a third party has a CMMC certification or NIST 800-171 compliance. That’s really between [the third party] and the government.”
“Even the flowdown is all from a contractual perspective,” continues Caleb. “So, a commercial assessor doesn’t have the authority or the obligation to pursue that avenue much further. You can ask during an assessment, ‘Hey did you check to see if that organization has a score in SPRS?’ ‘Yep, we did, and they sent us a letter that said they’re compliant.’ It really would be adding to the requirements for CMMC or NIST 800-171 to pursue that a lot further, and it’s really a government function at that point.”
To sum up, from an assessment perspective the auditor isn’t looking at the OSC’s vendors’ compliance. What’s being assessed for compliance are the functions, people and resources that MSPs and other vendors are providing in the OSC’s environment that relate to CUI.
Validating MSP compliance
So, is this all a check-the-box exercise where MSPs will never be held accountable for their CUI protection postures?
To address flowdown concerns, the DoD currently relies on the DFARS 7020 clause, which includes a requirement that OCSs can’t award subcontracts where CUI is involved without validating that the subcontractor has a score in SPRS. From there, compliance is enforced either through False Claims Act/whistleblower lawsuits courtesy of the Department of Justice or via a Defense Contract Management Agency (DCMA) audit or contract clause compliance assessment.
However, OSCs themselves are likely to put MSPs under greater scrutiny and accountability out of concern for their own legal and compliance risk. MSPs should be prepared to demonstrate robust CUI protections for their clients’ peace of mind. If your organization handles CUI and other sensitive data on behalf of others, you need to make the same investment they are making to protect it.
What’s next?
To catch the complete podcast episode with Caleb Leidy, click here.
That does CMMC 2.0 really mean for government contractors and their vendors? This podcast episode leaves no stone unturned: EP#71 – Caleb Leidy & George Perezdiaz – CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors