
Insights from Bob Metzger: CMMC & its impact on MSPs and MSSPs

Bob Metzger chats with C3 CRO Bill Wootton about the prevalence of MSPs and MSSPs and their role in CMMC, cybersecurity, & FedRAMP.

The information provided in this video does not, and is not intended to, constitute legal advice; instead, all information, content, and opinions expressed in this video should be considered discussion for the purposes of public interest only.


Bill Wootton: Hi, I’m Bill Wootton, Chief Revenue Officer with C3 Integrated Solutions, and recently I had the pleasure of sitting down with the legendary Bob Metzger, a well-respected authority on government security laws and regulations related to the defense industrial base, as well as CMMC.

Now, as a member of C3’s Board of Directors, Bob’s already provided us a tremendous amount of value towards our strategy and direction, and we thought it’d be great to give him the opportunity to do the same for you. Let’s listen in on what Bob had to say about the impact of CMMC to MSPs who serve the defense industrial base market.

So CMMC is a particular challenge for managed services and managed security service providers.

Can you talk a little bit about why that’s so challenging?

Bob Metzger: Well, much of the challenge is that neither the 7012 regulation nor the CMMC documentation thus far really seemed to give much guidance to MSPs or MSSPs or to the potential clients of MSSPs. It’s a major oversight in my view. I’ve come to learn that a very large proportion of the DIB relies upon MSPs and a smaller portion on MSSPs.

As to MSPs, it should be no surprise to anyone that commercial organizations have found it too difficult to run on-premises IT and to make it secure and to help their personnel. That’s why there’s been such enormous growth in the market for MSPs. Similarly, companies who want more sophisticated security services, such as security incident and event management, may not want to do that full time themselves and carry that cost when the need may be only occasional, so they like to look to third parties for that kind of help. Well, in a sense, neither 7012 nor 171 Rev 2 is written in contemplation of those market conditions.

All we have in 7012 is this language that says if you use a cloud service provider, it should meet the security requirements of FedRAMP moderate or equivalent. That’s it. Well, an MSP typically may have some of its services hosted in the cloud. It may rely on certain applications hosted in the cloud. It might perhaps set up enclaves that are hosted in the cloud.

There are so many varieties of service delivery models, but none of those fit exactly, you know, into the language or contemplation of the regulation, and they don’t fit especially well, or at least clearly, into the CMMC guidance documentation so far. I am concerned that there will be features in the proposed rule, which will be well intended, which will gravitate towards FedRAMP Moderate, but will prove to be extraordinarily difficult, if not impossible, for all but a tiny number of MSPs and MSSPs to satisfy.

I’m very familiar with FedRAMP, I think, and pretty familiar with its DoD counterpart in the Security Requirements Guide. There’s a lot to like there. But over the years of FedRAMP, I think it’s been about seven, there have only been 320 services authorized [corrected]. It is a laborious, time-consuming and very expensive process, and it may be required for agencies to satisfy federal statutes when they use cloud services.

But those provisions of those federal statutes don’t apply to commercial organizations. So FedRAMP is more than necessary in terms of security controls, way more than possible in terms of expense and the length of the process. It’s overkill. And it will not help DoD or its contractors or the service community, if the rules come out expecting more from MSPs than is needed or that they can provide.

Let me mention that there are some MSPs who offer FedRAMP-accredited products. I’ve been reading recently of a new product from Sierra Nevada, for example. And there are a number of MSSPs who have FedRAMP products. Quzara is en route to FedRAMP High. That’s great. Those are terrific products. I’ve looked at both.

There’s much to appreciate in them. But most of the companies in the DIB are not going to be able to afford those services, I believe. And I suspect that only a modest number would really need them. So while there is certainly a place for the more sophisticated and more financially strong companies to use FedRAMP MSPs or MSSPs, the bigger market needs the innovation, ingenuity, flexibility and competitive pricing, you know, from a less regulated, less burdened set of MSPs and even MSSPs, in my view.

I mean, this to me is the biggest risk area in the new rules. And as I may have said to you separately, this is a committee product, and some of the committee, you know, want to demand more. I think it’s too easy to default to FedRAMP, and too few of those people actually have any understanding of what it’s like. I spent half my day yesterday worrying about FedRAMP for a company you know well. I’ve spent a fair amount of my time in the last week or two dealing with one FedRAMP issue or another.

FedRAMP is not, you know, the peak-of-the-mountain place that is the only way to establish security.

Bill Wootton: Do you see any difference between how the DoD should treat either MSPs as opposed to MSSPs, or do you think that those roles will kind of wind up being similar for both?

Bob Metzger: The first question for MSPs is what’s the baseline security expected of them and how can it be demonstrated? MSPs, as you know very well, Bill, do different things for different customers. There are some who are essentially managing the IT backbone, handling the servers, updating the software, being a helpdesk, and providing training and security features. Well, typically in that role, an MSP is going to have at least occasional access to sensitive information at the client, even controlled unclassified information. Well, if there were a successful attack upon an MSP, or if its software were to be corrupted, you can see a risk that the consequence would not be limited to one client but could spread to many.

And this was the experience that we saw in the Kaseya breach a couple of years ago, and there are others like it. So we do need to be attentive to the security of MSPs, and we have to also be alert to personnel and staffing. So to me, the baseline for MSPs for now should be SP 800-171 Rev 2. And I think it’s advisable for MSPs to work towards the ability to demonstrate that they would satisfy the assessment requirements for Level 2 if and when the time comes.

But here’s a critical problem. MSPs are not government contractors, typically. They are not vendors to government contractors. They don’t get flow-down from their government contractor clients. The challenge is that their clients, when they are assessed, may be required to demonstrate that the MSP is secure. Under the present version of the CMMC Level 2 scoping guide, MSPs likely are going to be considered security protection assets, and those fall within the responsibility of the organization being assessed to demonstrate compliance with 171 and CMMC Level 2. Well, Bill, your company is an MSP, but I do not believe it’s possible for you to receive a formal joint surveillance assessment. You’re not a contractor, and I don’t see any present way for the new regulations to enable you to be assessed. So this is kind of a conundrum, isn’t it? Your clients will want confidence that you, as part of their security, satisfy 171, but you cannot be assessed formally to demonstrate it. We’re going to have to solve that, and I think DoD needs to help us solve that, perhaps by working with the AB and encouraging a form of parallel assessment that is optimized for MSPs, and differently for MSSPs; they are different.

So that, you know, so that there is a documented basis for confidence on the part of MSP clients that the MSP they choose will pass muster when the time comes for a CMMC assessment of the client.

Bill Wootton: I think you’re right. It’s so important that in a lot of ways, as an MSP, we act as a force multiplier. We can support the underlying compliance for dozens, hundreds of clients.

Do you think there’s any chance that not only will an MSP have the opportunity to get that joint surveillance assessment, but also maybe even be prioritized in order for us to be able to support the greater market in an accelerated fashion?

Bob Metzger: Well, I think it’s a good idea, but I’m not sure it can be done legally.

After all, the CMMC 2.0 requirements are authorized by regulation and will be imposed by contract. And if you, as a company, such as C3I, if you don’t have a defense contract, then you may be supporting the efforts of those who are under contract, but you don’t have the contract yourself.

You know, ultimately, the product of assessments will be put into a government information system called eMASS. And I would be very surprised if eMASS is configured to allow any inputs for any company other than those who have DoD contracts. This is a problem that can be solved. DoD or DIBCAC or the AB or some combination of those could say we’re going to come up with a mechanism to do a sufficiency assessment versus 171 for MSPs.

And we’re going to start at a fairly low bar, close to the plain words of Level 2. Because we know that MSPs need to have a documented basis for their credentials as satisfying CMMC requirements. We can’t require the same level of assessment now. The assessment of an MSP isn’t going to be the same as for an individual company.

Some of the issues will be different and the practices are much different. And we have to appreciate that there are so many varieties of business approach taken by MSPs, some of whom run only on premises with their own equipment. Some use FedRAMP cloud, some don’t. We can’t set up a system that is idealized and perfect on paper but simply won’t fit MSPs.

It’s my impression that most MSPs are small businesses, and that there are literally thousands of them serving not just DIB contractors but also the commercial markets. So we’ve got to be careful about how we approach this and not, you know, throw some set of barriers up there that would deny companies access to capable MSPs.

And the reason we really have to be careful is that I believe a very high percentage of DIB companies already do rely on MSPs. And if you were to suddenly create barriers for them to use MSPs, it will not make it easier for them to comply. They may attempt to move stuff back on premises. But if they didn’t have the technical resources, the personnel, or the funding earlier to do it within their own premises, they’re unlikely to have it now.

I think the business model of MSPs works. I think there’s room and need to create a system for confidence and assurance of MSPs. But we’re going to have to take that in steps and be sensible and make sure that it’s a successful approach.

Bill Wootton: So such good information. And I want to point out the fact that, you know, this is still just table stakes for an MSP.

When we get involved with our clients, we’re performing a lot of objectives. A lot of the assessment objectives are ones we perform on a day-to-day basis, so it is just the ability to kind of get into the relationship. We’re still also going to need to prove that we are accomplishing the assessment objectives on behalf of our clients when we have that outsourced relationship with them.