By Connor Payne

Because CMMC is largely a “follow the data” exercise, DoD contractors often underestimate how much they rely on third-party vendors to store, protect, process, or transmit CUI. Many small and midsize businesses (SMBs) depend heavily on managed service providers (MSPs) and on more specialized services such as managed security service providers (MSSPs), software as a service (SaaS), and infrastructure as a service (IaaS) providers. The SMB remains responsible for ensuring that each provider protects the CUI the SMB creates or processes on behalf of the government in accordance with CMMC requirements. How do SMBs find the time and resources to manage these third parties?

Managed Services Providers (MSPs)

SMBs frequently outsource IT services and measure success by cost, service level agreements (SLAs), and customer service. What is typically not considered is the organization's current and future compliance needs and the MSP's ability to meet those needs consistently. Security frameworks require specific processes and a degree of formalization that are burdensome, especially for smaller service providers.

Managed Security Service Providers (MSSPs)

Because SMBs have small IT teams, if any, they rely on third-party providers for security services. While these services usually offer the latest technology, compliance is often overlooked. When these services are used to protect CUI, they can fall within the CMMC assessment scope as “Security Protection Assets,” yet contractors rarely consider the compliance obligations that come with the acquired service.

Cloud Service Providers

As cloud providers become more prominent in the industry, CUI protection requirements are often overlooked or overruled by business needs. DFARS 252.204-7012 (referenced in the Cybersecurity Maturity Model Certification (CMMC) Model Overview v2.0) states that “If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.” Contractors therefore need to vet their cloud service providers for FedRAMP Moderate equivalency and confirm that the provider will also meet the clause's other applicable requirements, such as cyber incident reporting, malicious software handling, and media preservation (paragraphs (c) through (g) of the clause).

Software as a Service (SaaS)

To address the requirements above, contractors often turn to SaaS solutions for storing and processing CUI. Contractors remain responsible for ensuring that the selected SaaS solution meets the security requirements. SaaS providers own or share responsibility for most security framework controls, which places a continuous obligation on them to meet those controls on the contractor's behalf.

Platform as a Service (PaaS)

Since PaaS provides a platform on which contractors manage their own applications, many security controls become a shared responsibility. While a PaaS can save the money and time of deploying complex infrastructure, defining security roles and responsibilities between the provider and the contractor is an often overlooked undertaking.

Infrastructure as a Service (IaaS)

With IaaS, the provider's share of the in-scope controls shrinks, and it is more than likely that the provider already meets, or is capable of meeting, those controls because of its broad clientele and adherence to industry standards. The IaaS provider's responsibilities primarily cover physical security and physical access controls; nearly everything above the infrastructure layer falls to the contractor.

How can a Contractor Manage All of these Shared Responsibilities with Vendors?

With many different “hands” responsible for your security controls, contractors need to define responsibility for each control. This is formally done with a responsibility assignment matrix (RACI) backed by contractual agreements with the vendors. A RACI identifies who is responsible, accountable, consulted, and informed for each process. Using this established practice lets contractors clearly define who owns each CMMC control within their identified assessment boundary.
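One way to turn the RACI into something checkable, as an added example that is not part of the original post or of any SecureIT/Rizkly product: the Python below models a few rows of a responsibility matrix for CMMC 2.0 practices and flags the gaps a contractor would want caught before an assessment (a control with no row, a control with no Responsible party, a vendor that is Responsible without a recorded contract clause). The vendor names, the contract clause references, and the rule that the contractor must always be the single Accountable party are assumptions made for this example.

```python
from dataclasses import dataclass, field

# All parties, contract references, and assignments below are constructed
# sample data for this example; they are not from the original post.
CONTRACTOR = "Contractor"           # the DoD contractor that owns the CMMC boundary
VALID_ROLES = {"R", "A", "C", "I"}  # Responsible, Accountable, Consulted, Informed


@dataclass
class Assignment:
    """One row of the RACI matrix: a CMMC practice and who holds which role."""
    control: str                                       # e.g. "AC.L2-3.1.1"
    raci: dict                                         # party -> "R" | "A" | "C" | "I"
    contract_refs: dict = field(default_factory=dict)  # party -> contract/SLA clause


def validate_raci(assignments, contractor=CONTRACTOR):
    """Return (control, problem) pairs; an empty list means the matrix is consistent.

    Rules enforced (assumptions of this example):
      * every control has exactly one Accountable party, and it is the contractor,
        because the contractor answers to the government for CUI protection;
      * every control has at least one Responsible party;
      * any third party that is Responsible must be tied to a contract clause.
    """
    problems = []
    for a in assignments:
        for party, role in a.raci.items():
            if role not in VALID_ROLES:
                problems.append((a.control, f"{party}: invalid RACI role {role!r}"))
        accountable = [p for p, r in a.raci.items() if r == "A"]
        responsible = [p for p, r in a.raci.items() if r == "R"]
        if len(accountable) != 1:
            problems.append((a.control, "exactly one Accountable party is required"))
        elif accountable[0] != contractor:
            problems.append((a.control, f"Accountable party must be {contractor}, not {accountable[0]}"))
        if not responsible:
            problems.append((a.control, "no Responsible party assigned"))
        for party in responsible:
            if party != contractor and party not in a.contract_refs:
                problems.append((a.control, f"{party} is Responsible but no contract clause is recorded"))
    return problems


def missing_controls(in_scope, assignments):
    """Controls inside the assessment boundary that have no RACI row at all."""
    assigned = {a.control for a in assignments}
    return sorted(c for c in in_scope if c not in assigned)


def controls_by_party(assignments):
    """Map each Responsible party to the controls it must deliver (vendor due-diligence view)."""
    out = {}
    for a in assignments:
        for party, role in a.raci.items():
            if role == "R":
                out.setdefault(party, []).append(a.control)
    return {p: sorted(cs) for p, cs in out.items()}


# Constructed sample: four in-scope CMMC 2.0 Level 2 practices and three hypothetical vendors.
IN_SCOPE = ["AC.L2-3.1.1", "IR.L2-3.6.1", "PE.L2-3.10.1", "SC.L2-3.13.11"]
SAMPLE = [
    Assignment("AC.L2-3.1.1",   # access control: the MSP administers it under a recorded clause
               {CONTRACTOR: "A", "Example MSP": "R", "Example CSP": "C"},
               {"Example MSP": "MSA section 4.2"}),
    Assignment("IR.L2-3.6.1",   # incident handling: MSSP is Responsible but no clause is recorded
               {CONTRACTOR: "A", "Example MSSP": "R"}),
    Assignment("PE.L2-3.10.1",  # physical access: wrongly left Accountable to the CSP, nobody Responsible
               {"Example CSP": "A", CONTRACTOR: "I"}),
    # SC.L2-3.13.11 (CUI encryption) has no row at all, so it is unassigned.
]

if __name__ == "__main__":
    for control, problem in validate_raci(SAMPLE):
        print(f"{control}: {problem}")
    print("unassigned:", missing_controls(IN_SCOPE, SAMPLE))
    print("responsible parties:", controls_by_party(SAMPLE))
```

Running the sample reports three problems (the unrecorded MSSP clause on IR.L2-3.6.1 and the two defects on PE.L2-3.10.1) plus the unassigned SC.L2-3.13.11; the per-party view is what you would hand each vendor when asking them to evidence the controls they are contracted to deliver.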

Rizkly lets you track shared responsibilities when pursuing compliance through inherited controls

Are you overwhelmed yet? SecureIT provides compliance and risk management software, Rizkly, to streamline cybersecurity compliance efforts. Together with our expert advisory services, Rizkly accelerates your compliance success while managing third-party reliance. Rizkly allows contractors to easily identify, define, and assign responsibilities to different vendors, employees, or points of contact alongside each security control implementation. Choosing SecureIT enables organizations with a complex network of third-party vendors to achieve certainty in their CMMC compliance efforts. Contact us today to learn more.