Important Questions to Evaluate MSP Compliance and Security

For a long time, the US defense industry has faced immense security threats from unmonitored defense contractors and vendors. The majority of defense contractors don’t have well-monitored IT infrastructure. They are more vulnerable to becoming prey to cybercriminals. Given the increase in cyberattack incidents, the Federal Acquisition Regulation and the General Services Acquisition Regulation have added multiple data protection requirements, including Cybersecurity Maturity Model Certification. Since CMMC is new and not many organizations are aware of the compliance requirements, the demand for CMMC consulting firms has gone up. 

This blog will highlight a few methods to evaluate a managed service provider’s compliance status. 

Question 1: Does your Managed Service Provider use cloud-based IT infrastructure to ensure the security of your data. If they do, make sure they have configured that environment to DFARS compliance standards. 

 Most cloud services, if not all, are not hosted in FedRAMP High datacenters. And there are very few data centers that are built in accordance with the NIST 800 171 controls. Thus, it’s essential that you ask if your MSP uses a compliant environment to store their data. 

Before finalizing your MSP partner, ask whether they manage vulnerability and virus data. Most systems that process or store vulnerability information fall under CUI data, and they must be stored in a DFARS compliant ecosystem.

It’s essential to ask your MSP where they are storing your data backup. Find out whether your MSP uses a FedRAMP Moderate environment to store your data backups. 

Question 2: How to determine a plan for MSP to access your network?

Before finalizing your MSP, understand how they will access your system. Will they use a share account or have their own account to access and monitor your IT environment. When it comes to auditing the system, every personnel should have their own accounts to log into the system and perform their activities. If every administrator logs in via a shared account, it will be challenging to keep track of who logged into the system. 

Determine if everyone in your organization can access the system at the same level. Ensure that the MSP you have partnered with doesn’t give access to all your systems to just one personnel. Besides this, your MSP must be able to identify changeable roles within your organization.  

 How does your managed service provider access your servers and systems remotely? Make sure your MSP’s monitoring system offers an audit trail of access to the network. Are you aware of who has access to each of your systems? When evaluating your MSP partner, one of the essential components to check is whether they are able to support your IT system remotely. The NIST 800-171 compliance norms require that your MSP access log can be properly audited. 

Question 3: What is the process of training the MSP support staff?

If you deal with ITAR data in your IT environment, your MSP should only recruit US persons on your support staff. 

While IT monitoring is a highly specialized job, most MSPs don’t require their team certification. However, CMMC compliance requires that every support staff with access to your system has acquired a minimum level of competence in data security.