Evaluation Criteria for MSPs Regarding DFARS and CMMC Compliance

Given today’s advanced technology and cunning cyber criminals, it’s absolutely necessary for your business to have a strong security posture. And if your company needs to comply with CMMC standards, you need to follow even more stringent procedures to make sure your data and assets are protected online. 

Oftentimes, the solutions and services needed for businesses to become and stay compliant are more than small IT teams can handle, making off-loading the bulk of the work to third-parties a more cost-effective option. That’s where an MSP (Managed Services Provider) can step in to monitor and manage security devices and systems, allowing businesses to keep functioning as usual without sacrificing their security posture. 

If you’re considering an MSP for compliance management, there are a few things to keep in mind before you commit to a provider. 

Here, we’ll break down a few key questions to evaluate your MSP:

How is your MSP storing your data?

Unfortunately, many cloud service providers (CSPs) that traditional MSPs use to store data are not compliant with NIST 800-171 and CMMC. FedRAMP (Federal Risk and Authorization Management Program) is a federal program that ensures that cloud services that hold government information maintain the proper level of security. Make sure that your MSP is using a CSP or IT infrastructure that is hosted in FedRAMP Moderate/High environments. At Hyper Vigilance, we use Azure and Amazon Web Service GovCloud, a FedRAMP High datacenter.

How are your systems monitored and accessed by your MSP?

Knowing when, where, and by whom your company’s accounts are being accessed is an important question to ask your MSP. According to NIST 800-171, all privileged administrators—MSP admins included—must have their own login credentials. Anyone working within your company’s network should also have varying levels of privilege, so that one employee doesn’t have access to all systems. MSPs should also be able to show a full audit trail of access if asked, which means that their remote monitoring systems (and who’s accessing the systems remotely) should be documented. Finally, MSPs should be using Multi-factor Authentication to login, which is required by NIST 800-171.

Who is on your MSP team?

Knowing what the hiring and training process is like at your MSP is important, since you’re leaving  your company’s valuable assets and reputation in their hands. At the end of the day, you need to trust the MSP team you’re working with. Depending on your business, you might have unique requirements for your support team—if you work with International Traffic in Arms Regulations (ITAR) data, for instance, your MSP must only have U.S. persons on your team. You should also inquire about your MSP staff’s security competencies, ongoing training, and whether or not they were required to undergo background checks. 

Find the right compliance solution with Hyper Vigilance

If you’re preparing for CMMC compliance and you’re considering an MSP, allow Hyper Vigilance to help. Our team is comprised of many former personnel from the Intelligence Community and the Department of Defense, and you can trust us with your compliance needs. With straightforward pricing on our full-service compliance management services and GuardNet Enclave Platform, you’ll get compliant quickly and efficiently, without losing productivity. 

Get in touch with us to take charge of your company’s cybersecurity foundation.