Managed Service Providers (MSP) and Managed Security Service Providers (MSSP), commonly referred to as External Service Providers (ESP), are key players in facilitating IT, cybersecurity, and supply chain risk management across critical infrastructure sectors, the federal contracting base, and especially in the Defense Industrial Base (DIB).
Small and medium-sized businesses (SMBs) comprise over 75% of the Defense Industrial Base. The Department of Defense (DoD) estimates that at least 80,000 companies will be required to achieve CMMC Level 2 certification. Therefore, CMMC Level 2 certification for 60,000 SMBs is a conservative estimate.

Most SMBs leverage ESPs because it simply makes good business sense. SMBs typically have neither in-house IT and security expertise, nor the time, budget, and resources required to recruit, develop, and sustain such a team. If 50% - 70% of SMBs requiring CMMC Level 2 certification leverage ESPs, then upwards of 30,000 – 40,000 DoD suppliers and their Controlled Unclassified Information depend entirely on the quality of the external IT and security service providers.
It is common for an ESP supporting the DIB to be directly responsible for 40% - 70% of the IT and cybersecurity requirements that must be implemented and maintained to achieve CMMC Level 2 certification.

In addition, ESPs are key threat vectors for malicious actors to scale cybercrime, ransomware, and state-sponsored cyber espionage. ESPs are essential, but they are also a potential weak point in the protection of the DIB due to the consolidated privileged access that they may have, which may extend to multiple DIB members. While it is possible to limit and compartmentalize privileged access across numerous customers, it is not uncommon for an ESP to support 100s of companies with their consolidated infrastructure. Because of the enormous potential attack surface ESPs create, a worst-case scenario could see an ESP capable of compromising 100s of DIB members and their CUI data with a single attack.

Unfortunately, even though ESPs are essential in support of critical infrastructure, standards, regulations, and certification programs have routinely failed to acknowledge, account for, or control their systemic importance.

Sector Coordinating Agencies (e.g., DoD, DHS), Sector Coordinating Councils (e.g., DIB-SCC), organizations such as National Defense Information Sharing and Analysis Center (ND-ISAC), and even elements of the government such as NIST and the Office of the National Cyber Director (ONCD) have failed to take the initiative and use ESPs as cybersecurity leverage points to advance the security of critical infrastructure sectors and their data flows.

Sadly, previous efforts to normalize a regulatory understanding of ESPs and standardize basic security best practices for ESP use cases were abandoned in 2019. Since then, regulators have drifted toward conflating cloud service providers (CSPs) and managed IT and security service providers – typically only because cloud-focused cybersecurity standards such a FedRAMP exist while ESP-focused security standards do not.

Meanwhile, existing definitions of covered systems and organizations need to account for the unique nature of managed services. As a result, regulatory efforts such as CMMC are often hamstrung by inadequate source materials and authoritative references.  

Worst of all, myopic supply chain cybersecurity strategies based on the idea of government-provided cloud enclaves are gaining support even though such solutions need to correctly address the ESP service model and adequately control the unique nature of ESP interfaces woven throughout the supply chain.

As a result of these issues, we desire to collaborate with Congress, DoD, the Cyber AB, state legislatures, and the broader critical infrastructure ecosystem to provide insight into the importance of external service providers in securing critical infrastructure, the federal contracting base, and especially the Defense Industrial Base. 

Our recommendations for the CyberAB, the DoD, and Congress are all borne from a desire to help secure the Defense Industrial Base, support the warfighter, and improve national security. Our companies stand ready to support and will continue to work with government, industry, and academia to put appropriate technology, processes, and capabilities in place to ensure that we stay a step ahead of the aggressors. Protection of our national intellectual property is paramount to ensuring we can continue to thrive as a nation.

Due to the potential risk, it would be prudent for the Department of Defense to identify minimum requirements for ESPs that exceed the minimum requirements for CUI protection as defined in DFARS 252.204-7012 / NIST SP.800-171. This requires significant long-term collaboration to create the groundwork for minimum standards that regulators can have confidence in, which may include:

• NIST SP 800-171 r2 Assessment for ESPs
• CMMC Scoping Guidance applicable to ESP Service Delivery
• NIST SP 800-172 Assessment for ESPs
• A NIST Cybersecurity Framework (CSF) Profile for ESPs
• A NIST SP 800-53 Overlay for ESPs

In the meantime, efforts can focus on adequately leveraging existing standards. The specific standard for what ESPs should meet is a tradeoff to prioritize growing the ecosystem with a long-term goal of having the most secure ecosystem possible. To that end, the initial requirements for an ESP should be a CMMC Third Party Assessment Organization (C3PAO) validation of NIST SP 800-171 r2. This should be the minimum acceptable baseline for an ESP working in the DIB.

ESPs who meet the cybersecurity requirements outlined in NIST SP 800-171 r2 and who subsequently achieve the corresponding CMMC Level 2 certification from a C3PAO and (when available) a CMMC Level 3 certification should be preferred due to the dramatically higher assurance against Advanced Persistent Threats (APTs).

Ultimately, ESPs should be required to meet a tailored version of NIST SP.800-53 explicitly built to cover the complete Confidentiality, Integrity, and Availability triad and customized to the specific risks that ESPs present. This specifically tailored version of NIST SP.800-53 should be developed by NIST   for use by Critical Infrastructure ESPs. 

The Department of Defense implemented the DFARS 252.204-7012 requirements in 2016/2017 to ensure the DIB appropriately implemented the necessary controls to protect CUI in their internal IT environments. Unfortunately, the DIB largely ignored the rollout of this requirement due to the cost of implementation - even though these organizations are self-attesting to meet the requirements on their contracts. 

While DIB organizations would like to improve their cybersecurity posture, the competitive pricing environment fostered by the government and prime contractors results in many of the small businesses in the DIB running on thin margins, which constrains necessary cyber investment. Additionally, due to a lack of enforcement from the DoD of the standard, those companies that have invested find themselves at a competitive and financial disadvantage.

We understand that proposals are in review by Congress that include DoD appropriations for grants to DIB organizations that would help offset the necessary one-time investment in getting the DIB to CMMC compliance. We support this effort, and we would like to propose some ideas for how this should be implemented.

Existing OSCs with DFARS 252.204-7012, DFARS 252.204-7019, and DFARS 252.204-7020 clauses in their contracts or sub-contracts should be provided a grant to implement the CMMC L2 requirements. OSCs would only be eligible for the grant if they use a CyberAB RPO with the enhanced certification requirements identified in our Certification position statement or by an authorized C3PAO. This would ensure that the OSC is receiving accurate and appropriate consultation and implementation assistance for their organization. Once the OSC completes its CMMC L2 assessment with a C3PAO, it will be eligible for a second grant. This provides an enticement to complete the certification and validation process that they have met the DoD's requirements for handling CUI. Suppose an organization has already implemented the CMMC L2 standard and completes its C3PAO assessment without taking the first grant. In that case, it should be eligible to receive both the first and second grants upon the culmination of its CMMC L2 assessment.

Our members all engage with the CyberAB and the developing ecosystem created by the CMMC program. Through our experience in this ecosystem, we have identified several issues that must be addressed to improve the DIB and the CyberAB ecosystem.  

One of the areas needing improvement within the CyberAB's ecosystem is the Registered Provider Organization (RPO) program. The requirements to become an RPO are low and are limited to paying a fee to the CyberAB in exchange for status and badge. 

Very little due diligence is done to establish the competency and skills these organizations possess. It is common to see RPOs distributing inaccurate and potentially harmful information to OSCs through their marketing materials and consulting practices. Additionally, the consequences of receiving improper guidance could include additional costs, lost opportunity, and an extended timeline to achieve compliance. These bad practices undermine trust in the RPO program and OSC's progress toward compliance and ultimately sidetrack the overarching mission of the CyberAB to secure the DIB.  

We suggest significant changes to the RPO program to increase trust  within the ecosystem. This mission can be accomplished by modifying the RPO program to enhance the requirements to become a credentialed RPO. Doing this will raise professionalism and consulting amongst RPOs, ensuring that OSCs receive accurate and constructive information and guidance when engaging with an RPO.

First, each candidate RPO should demonstrate their ability to establish a security baseline equivalent to the levels at which they would provide consultation services. This could be done by requiring an RPO to achieve CMMC L2 by validating an approved CMMC 3rd Party Assessor Organization (C3PAO). 

• This will prove to the CyberAB that the RPO has the necessary process and technology knowledge to appropriately implement an environment suitable for handling CUI. This knowledge should be required before they can consult with OSCs on their security program.  

• Second, each RPO should be required to maintain a minimum of 1 Certified CMMC Assessor (CCA)  and 1 Registered Practitioner Advanced (RPA) on full-time W2 staff. This will ensure that the consulting provided by the RPO is accurate and vetted across multiple levels of CMMC credentialed expertise within the candidate RPO. These types of minimum certification requirements for organizations are very common among partner programs within the industry.
•  

MSPs and MSSPs that support clients in the Defense Industrial Base should prove their ability to provide adequate protection of their client environment and support CMMC capabilities in their delivery of services. As such, the MSP or MSSP should be required to undergo their own CMMC L2 assessment, validated by an authorized C3PAO, and they should be listed in the Cyber AB marketplace as a vetted ESP.

Determining the scope of the assessment for an MSP or MSSP is essential, as the CMMC L2 certification would carry with it the intention of inheritance for a standardized Shared Responsibility Matrix (SRM) applicable to their client environments. Any deviation from the certified SRM with the OSC would need to be called out on a NIST 800-171A Practice and Assessment Objective basis in the OSC SSP.

MSPs and MSSPs likely will not be directly processing, storing, or transmitting CUI for their DIB clients. According to the SR, the scope of their CMMC L2 certification should encompass the people, processes, and technology leveraged in delivering services to the OSC. CMMC L2 Scoping categorization of assets would be referenced to determine applicable controls for users, applications, systems, or devices leveraged to provide security functions to an OSC whose systems or users process, store, or transmit CUI.  

Accordingly, the MSPs or MSSPs who leverage Non US Persons for services that are delivered to OSCs who have ITAR, EAR or NOFORN data need to prove they have removed physical and logical access to those OSC environments and provide for an alternate means of US-person based service delivery for those capabilities as if they are a CUI asset.

For further guidance on program and scoping recommendations supporting the validation of a Service Provider's qualifications, refer to this MSP Collective Paper:
External Service Provider Scoping and CMMC L2 Assessment Program Recommendations