The evolving Cybersecurity Maturity Model Certification (CMMC) framework introduces a critical dialogue among government contractors, particularly about the role and eligibility of Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) within this new regulatory environment. As we delve into this discussion, it’s essential to consider the nuanced perspectives and interpretations of current regulations and their implications for service providers in the defense sector.
Eligibility and Applicability Concerns
There is a prevailing notion that MSPs and MSSPs will need to obtain CMMC Level 2 Certification if they process or store CUI on their systems as part of a service to a DoD contract holder. While this may be true, it is unclear how exactly this will be accomplished from a practical and technical perspective without additional guidance and clarification in the CMMC Proposed Rule. Our interpretation suggests that under the current language of the CMMC, MSPs and MSSPs do not specifically qualify for certification unless they are direct holders or subcontractors of a Department of Defense (DoD) contract involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). This viewpoint stems from a careful examination of the CMMC's stipulations and the specific mentions, or lack thereof, of External Service Providers (ESPs), MSPs, and MSSPs in the proposed rule's applicability section.
As CMMC is currently written, it seems inaccurate to claim that MSPs/MSSPs are eligible for CMMC certification, unless they themselves are a direct contract holder or sub-contract holder for a DoD Contract with FCI/CUI. Subpart C of the proposed rule doesn’t mention MSPs/MSSPs for applicability; it does mention CMMC ecosystem titles and roles and does explicitly require that the CMMC Accreditation Body (AB) become certified at CMMC Level 2 through DIBCAC.
The response to public comments on the question seems to lend support to our interpretation; an excerpt is provided below:
1. Service Providers
Comment: Multiple commenters asked about the applicability of the CMMC Program to a variety of service providers. One commenter requested clarification regarding how CUI controls apply to Internet Service Providers and their globally sourced service support because of the prohibition of foreign dissemination for CUI. Two commenters suggested that common carrier telecommunications (often termed Plain-Old-Telephone-Services (POTS)) and similar commercial services (cloud services, external service providers) should be treated as commercial off-the-shelf (COTS), and so excluded from CMMC certification requirements. One commenter expressed concerns about the impact of the rule on the telecom industry. One commenter recommended that to limit the burden of CMMC implementation, contractors providing commercial services to support COTS items, such as technical support for software, should receive the same exceptions as other COTS contracts.
Response: The CMMC Program will result in cybersecurity protection and assessment requirements for defense contractors and subcontractors. CMMC Level requirements will apply only if a defense contractor or subcontractor handles FCI or CUI on its own contractor information systems. If so, then under CMMC, the contractor or subcontractor will be required to comply with the cybersecurity protection and assessment requirements associated with the appropriate Level. As such, CMMC Level requirements will not apply to internet Service Providers or other telecommunications service providers (i.e., common carriers), unless those entities themselves are or intend to become defense contractors or subcontractors. In addition, there is no general prohibition of foreign dissemination for CUI, although certain CUI may be subject to export restrictions. Commercial item determinations per 48 CFR 15, including those relating to common carrier telecommunications or cloud services, are not defined by CMMC. Concerning the CMMC Assessment Scope, although they provide connectivity for contractor systems, and the common carrier link is within the boundary of the contractor's system, the common carrier's information system is not within the contractor's CMMC Assessment Scope as long as CUI is encrypted during transport across the common carrier's information system.
For the entire proposed rule on the Federal Register, please visit: Cybersecurity Maturity Model Certification CMMC Program.
Our Comment
We submitted the following comment to the Federal Register and are awaiting a response:
Regarding the applicability of CMMC to Service Providers, specifically External Service Providers (ESPs) such as Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), can you please clarify if these ESPs will be required to obtain CMMC Level 2 Certification and how that will be accomplished if they are not themselves DoD contract holders or subcontractors on a DoD contract? The current response seems to say ONLY DoD contractors will have CMMC Certification Requirements, which implies this would exclude ESPs such as MSPs and MSSPs who are not themselves on a DoD contract: "CMMC Level requirements will apply only if a defense contractor or subcontractor handles FCI or CUI on its own contractor information systems."
It is not clear from this response how CMMC will or will not apply to ESPs such as MSPs and MSSPs. The response does indicate CSPs and Telecom Commercial Services will not be required to become certified if they are not themselves DoD contractors or pursuing DoD contracts. Later on, it is mentioned these CSPs may be utilized even if their systems are not certified FedRAMP Moderate or above so long as the system has FedRAMP-equivalent security measures (SSP, evidence showing they conform to security standards, etc.). Does this mean a similar level of security would be acceptable for other ESPs such as MSPs and MSSPs in providing service to a DoD contractor?
In another section, ESPs are specifically mentioned with regard to CMMC Level 2 Certification; however, the wording is confusing in that most ESPs we know of are using a larger CSP, such as Microsoft, to store and manage client information, and are acting as custodians in those systems without owning those assets.
It also says in the same paragraph "If the ESP is internal to the OSA", which appears to be contradictory language: by nature, an ESP is "external" to an OSA, so how can it be "internal to the OSA" at the same time? Can you please provide clarity on the intent of these sections?
The Case for Cybersecurity Standards
While the debate on direct CMMC applicability continues, there is certainly consensus on the necessity for MSPs and MSSPs to adhere to robust cybersecurity standards. By no means should MSPs/MSSPs ignore cybersecurity standards. The critical role these providers play in the broader defense supply chain underscores the importance of maintaining a high level of cyber maturity and security, whether through ISO standards, ITIL, or other recognized frameworks.
Other comments on the Proposed Rule, such as this one, suggest MSPs would be better assessed against a subset of the NIST SP 800-171 controls that apply to the specific service areas they provide: https://www.regulations.gov/comment/DOD-2023-OS-0063-0191
Regulatory Interpretations and Future Directions
The ongoing discussion is further enriched by the responses in the Federal Register, where the absence of explicit terminology for ESPs in the applicability sections of CMMC raises questions about the intended scope and reach of the certification for these types of entities. This scenario invites speculation on potential future clarifications or adjustments to the rule, aiming to more clearly define the pathway for MSPs and MSSPs within the CMMC framework.
Given the substantial number of DoD contractors and subcontractors that may be "in line" for CMMC Certification, it is a practical concern how MSPs and MSSPs would be able to become certified before or alongside DoD contract holders in a timely manner, even were it possible for them to do so without access to SPRS and other government contract holder information systems.
Navigating CMMC Complexity with Collaborative Expertise
As the defense community grapples with these uncertainties, the dialogue opens up possibilities for evolving interpretations and policy adjustments. For MSPs and MSSPs, a requirement for compliance and certification under CMMC is not present in the proposed rule language. The eventual clarification and adaptation of the CMMC framework will undoubtedly shape the role of these pivotal service providers in securing the defense industrial base. Engaging with experts and staying informed on these developments is crucial for navigating the complexities ahead, with resources like Mission Compliant offering valuable guidance and insight into these critical discussions.