No, It Wasn't a Dream: CMMC is Here!
On Tuesday, October 15, 32 CFR, the rule that defines the CMMC program, was officially published in the Federal Register. The CMMC program and all of its requirements are baked! What is not quite finished baking, but will be shortly, is the 48 CFR rule, which defines how the CMMC requirements will appear in contracts issued by the Department of Defense. That is expected to be finalized early to mid-2025.
So there is no more speculation as to whether or not CMMC will actually happen. It is here. And the clock is ticking with regard to actually getting certification. We now know exactly what is required to certify. And we also now have clarity as to how external service providers, which include MSPs, fit into the flow-down requirements. Succinctly, if an MSP is providing managed services for an organization required to certify at CMMC levels 1, 2, or 3, the MSP must be certified at that same level. MSPs are already seeing questionnaires or contract provisions requesting information about their CMMC preparedness.
AI: The Force is Strong With This One
AI has been the buzz for several years now. When OpenAI unleashed ChatGPT on the public in late 2022, it went from being a murmur to an all-out roar. Since then all of the major tech companies like Microsoft, Google, Meta, and Apple have released their own flavor of AI. There has been a lot of discourse about whether AI should be regulated or even that AI will be the end of us all.
Let's put all of that aside for a minute and look at some of the power that AI holds and how it can be used for both good and bad. Like all technology, AI can be abused and used for nefarious purposes. When it comes to cybersecurity this is even more true…
Will AI Kill Nostalgia?
Random thought of the day…
Last week I watched American Graffiti on TV. I had not seen the movie since it first came out in 1973.
For those not familiar with the movie, it takes place in 1962 and follows four teenagers in LA as they experience their last night before heading off to their next chapters at college or other pursuits. It takes place in a single night and captures a great slice of what life was like in 1962. When it was released it was popular as it offered a nostalgic return to a very different time in the US. By 1973, the world had changed drastically. The music, the clothing, the hairstyles, automobiles, and attitudes had evolved greatly. The Vietnam War also had a major effect on the American psyche.
But what struck me the most is that it was only 11 years between 1962 and 1972. If we were to make the same movie today, that would be the equivalent of setting it in 2013
Recent Lawsuits: Important Lessons Learned
Litigation has always been a risk in the MSP industry. Often the allegations made by the plaintiff are based on an assumption the MSP was providing services that they, in fact, were not. Two recent events provide lessons for MSPs to be very clear with their clients on the services they are providing, the services they are not providing, and the responsibilities the client holds…
Why Most Security Plans Fail: How to Build a Cyber-Security Focused Corporate Culture
Organizations struggle to implement and maintain a cybersecurity posture that is appropriate for today's threat landscape. They implement policies and procedures with the intent of protecting their data. Under the assumption that policy violations are typically the result of ignorance or malicious behavior, they strive to educate their workforce on the importance of adhering to the policy and the ramifications of a violation. However, most of these efforts fail to accomplish the goal of improved security. A recent study in the Harvard Business Review indicates that other factors come into play when users are faced with compliance tasks. In the study, which focused on remote workers during the pandemic, it was found that most policy infractions were the result of intentional yet non-malicious violations, largely driven by employee stress.
IT takes a Village…
In the past the Managed Service Provider could typically deliver a complete service without engaging with other partners. By deploying a fault-tolerant system, protected behind a good firewall, and managed by a good RMM, the MSP pretty much had their clients covered.
However, those days are over. The landscape has changed dramatically in the past ten years. Even the smallest clients require services that span beyond what most MSPs can deliver alone. Many of the services offered by MSPs today are hosted by major cloud service providers. Even basic cybersecurity services require technical skills beyond what many MSPs have on staff. And most MSPs are not adequately equipped to properly respond to a sophisticated cyber attack.
MSPs now must determine which services they can deliver with their own in-house talent and which they should engage an external partner to provide.
Compliance is a Process
For many MSPs, the word "compliance" conjures up images of intrusive bureaucracy and major expense. Although the reality may not be too far from that, compliance has inevitably become a concern for MSPs (whether they realize it or not).
Over the past 15 years or so, the workflow of the MSP has become more and more intertwined with that of the client. As the MSP takes on services such as backing the client's data up to the cloud, on-boarding and off-boarding employees, or completely hosting the client’s data in the cloud, the regulatory compliance of the client is dependent on the MSPs processes and procedures meeting the requirements.
But fundamentally, what does it mean to be compliant? In many cases, the MSP is already providing services that meet the requirements. However, they are probably not well documented and are not audited on a regular basis. To prove that your practices meet regulatory standards, the processes and procedures must be documented and audited. Evidence must be produced and preserved that proves that policies are being followed.
Let's look at what the entire process of implementing compliant practices looks like.
FTC Safeguards Rule: What It Means for Covered Entities and How MSPs Can Help
The clock is ticking on the implementation of the new FTC Safeguards Rule. The June 9, 2023 deadline has already been pushed back from the original date of December 9, 2022. If organizations have not already begun tackling the new requirements, it is unlikely they could meet them in time at this point. However, organizations with a relationship with an MSP may be close to compliance already and just need to fill in a few gaps.
States Are Offering Carrots As Well As Sticks
For the past several years states have been passing privacy laws that impose stiff penalties on organizations that mishandle the personal information of their residents. However, a growing number of states have passed legislation that can provide legal “safe harbor” to those organizations that implement and maintain security measures based on a recognized cybersecurity framework.
Compliance-as-a-Service…Great Idea! But Start With Your Own Practice
This week, Kaseya released its 2023 Global Benchmark Survey Report. The survey, completed by more than 1000 respondents worldwide (predominantly the Americas), highlights the top trends in the MSP industry for the current year and compares them against the previous year.
Unsurprisingly, cybersecurity ranks as the highest concern of MSPs, showing a 15% increase over the 2022 results. In fact, the top five new services MSPs plan to offer in the coming year fall into the cybersecurity services category. Topping the list at 39% is Regulatory Compliance Management and Reporting. This is followed by Managed Detection and Response, Dark Web Monitoring, Identity and Access Management, and Security Awareness Training.
The interest in offering Regulatory Compliance Management services, often referred to as Compliance-as-a-Service, makes sense given the increase in regulatory requirements.
However, many MSPs need to start by getting their own house in order. True compliance requires that policies and procedures are documented, processes are audited, and all employees are trained and follow the documented procedures. Although many MSPs have implemented strong security measures and practice good general cyber hygiene, many lack the documentation and consistent auditing to pass an external audit.
Help Your Clients With Cyber Insurance Questionnaires…But Protect Yourself
As cyber insurance becomes a necessity rather than a luxury, our clients are increasingly asked to answer lengthy questionnaires regarding their cyber security measures. They often approach their MSP for assistance in filling out the questionnaire. After all, they depend on their MSP to manage their network.
Most MSPs are happy to help their clients with this as they see it as a value-add. Also, first party cyber insurance carried by their client is a benefit to the MSP as it shields the MSP from potential primary claims in the event of a breach. In fact, many MSPs are now requiring their client to hold first party cyber insurance within their Master Services Agreement (MSA).
At our recent offsite in Dallas, Texas, OTX Roundtable members discussed the practice and some of the precautions they should be taking when assisting clients with cyber insurance questionnaires.
A recent lawsuit, Traveler's Insurance vs. International Control Services, drives the point home. In this case, Travelers did not simply deny a cyber insurance claim; they sued the client to nullify the policy. The insurance company cited the fact that ICS had claimed on its questionnaire that it had implemented Multi-Factor Authentication. However, after the breach was investigated, it was discovered that ICS had only implemented MFA on portions of its network, not at every ingress point. Travelers prevailed in the lawsuit, nullifying the policy and likely recovering legal fees.
The Five Most Important Aspects of a Cyber Security Incident Response Policy
The worst time to develop your Cyber Security Incident Response Policy (CSIRP) is after the incident has happened, or "right of the boom". Without a well-crafted and tested strategy, precious time will be wasted and costly mistakes will be made.
As a Managed Service Provider, many factors must be considered when developing a comprehensive Incident Response Plan. The MSP must first have a CSIRP for any potential breach that may occur on its own internal network. Then it must work with its clients to develop a CSIRP for incidents that may involve a breach of a client's network.
The five important aspects of the Cyber Security Incident Response Policy are:
Technical preparedness and response
Reviewing tech E&O/cyber insurance implications
Understanding regulatory reporting requirements
Relationships with local and federal law enforcement
Controlling messaging
How Do MSPs Enforce End User Compliance?
Many employees tend to think of security and compliance as the responsibility of the IT department or the Security Team. Managed Service Providers know that is not the case. However, what are MSPs doing to ensure that end users are doing their part in maintaining compliance?
Compliance is all about data processing and privacy. That entails the Confidentiality, Integrity, and Availability (CIA) of the data. The IT department bears the bulk of the responsibility for maintaining the Integrity and Availability of the information. They put in place all of the systems that prevent access to the data by malevolent actors. They monitor the system for malicious activity to ensure integrity of the data. They build redundant and resilient systems to make sure the system is always available.
But when it comes to the confidentiality of the data, the end user has a large role to play. Employees must access confidential and protected information as a matter of course in their daily duties. Those in the healthcare industry must access patient records containing Protected Health Information (PHI) covered by HIPAA guidelines. Financial workers must protect Personally Identifiable Information (PII) under GLBA. Defense department contractors must protect Controlled Unclassified Information (CUI) governed by the coming CMMC. And now, virtually every industry is falling under some form of data processing regulation based on a person's location of residency or citizenship, as is evidenced by the California Consumer Privacy Act (CCPA) and the European Union's GDPR, among others.
CMMC and the Role of MSPs
For the past three years, Department of Defense contractors and the MSPs that serve them have been facing the inevitable need to meet Cybersecurity Maturity Model Certification (CMMC) requirements. There has been a lot of wringing of hands and gnashing of teeth regarding the relatively new model. The goalposts have moved a few times and the messaging from the Department of Defense has been unclear. That is, until now…
The Power of Peer Pressure
When we were teenagers we were taught not to succumb to peer pressure. As our friends were pushing us to try cigarettes or drink alcohol, we were told to hold fast and resist the temptation. Peer pressure, back then, was generally a bad thing full of negative consequences.
In adulthood, however, peer pressure can be a force for good that can motivate us and hold us accountable to our goals. Within the MSP industry there are many peer groups where members share goals of growing their business and meeting certain metrics. These are usually financial benchmarks around maximizing profits and improving performance. Members report progress towards those goals at quarterly meetings. Members hold each other accountable to meeting those goals and contributing to the collective success of the group. You don’t want to be the member that is not hitting their goals or at least making progress. In fact, in some cases, members that consistently miss their goals risk being expelled from the group. This peer pressure keeps members on task and forces them to prioritize profits and performance ahead of the day-to-day distractions that we all face…
Security Governance: The Eleven Most Important Functions of the Security Council
Cyber security is often considered the responsibility of the IT department. Nothing could be further from the truth. Although the IT team has certain responsibilities in deploying and maintaining security systems, the ultimate responsibility for maintaining a strong security culture lies with Senior Management.
Senior Management must first take on the responsibility of Security Governance. This means managing security as a process, not unlike many other functions within the company. As such, the implementation and management of the process falls to others within the organization under the leadership of senior management.
In order to accomplish proper security governance, organizations should form a Security Council consisting of departmental leaders from all aspects of the organization and led by senior management…
The SASE Architecture was Built for the Post COVID World
I've said it before only to be proven wrong…but I believe the end of the pandemic phase of COVID-19 is near. We seem to be entering the endemic phase where we learn to live with COVID-19 long term. The same is true for some of the changes that COVID has foisted upon us, specifically that of the hybrid remote worker. Gone are the days of the Monday through Friday office commute for many in the aftertimes. According to a recent Info-Tech Research poll, 79% of companies surveyed said they would maintain a mix of in-office and home office workers long term. For many employees this is a long-overdue and welcome shift.
However, organizations have been struggling to adapt their security systems to this new work model. The security footprint of the organization has grown exponentially to include the residences of many of their employees. The traditional method of granting access to the corporate network involved providing the employee a VPN connection. This provided the "tunnel" by which remote workers could access internal resources such as databases, file shares, and other applications. Security was provided at the edge of the corporate network. In recent years many organizations implemented a "Next Generation" Firewall at the corporate edge as well. The NG Firewall converged many technologies such as web filtering, anti-malware, Data Loss Prevention (DLP), and SD-WAN into a single device. As the gatekeeper in front of most internal resources and end users, this was an appropriate approach.
However, with more and more internal resources moving to the cloud and the dramatic increase in remote work, enforcing security at the corporate edge begins to make less sense…
Why CIS is the Best Security Framework for MSPs
A couple of months ago I wrote about the importance of adopting a security framework to give structure and process to securing your practice. I went over several common frameworks and debated the pros and cons of each. In this article I am going to delve into the reasons why the Center for Internet Security (CIS) Framework is the best for MSPs.
When we compared the NIST and ISO Frameworks to CIS, we discovered that NIST and ISO were somewhat loose and vague in regards to what controls needed to be implemented in order to be compliant. Both standards leave a lot of leeway for alternative approaches to meeting the standard of the control. While this flexibility may be desirable in some situations, it can be confusing and lead to lapses in security…
Microsoft New Commerce Experience is Here: The Five Things MSPs Need to Do Now
By now, most Managed Service Providers are aware that Microsoft has rolled out a new licensing model for the most common Office 365 and MS 365 products. Their New Commerce Experience (NCE) model introduces term-based licensing with firm commitments. New licenses can be purchased as 12-month or 36-month (not yet available) term agreements, with early termination fees applying should the client cancel the agreement prior to the end of the term. The termination fees are equal to all fees that would have been paid if the agreement had not been canceled. Microsoft is also offering a month-to-month NCE option. However, that subscription comes at a 20% premium. This is a significant departure from the legacy licensing program, which allowed termination without penalty.
In addition, Microsoft is increasing prices on several Office/MS 365 products by as much as 25% on March 1st…
The Four Pillars of Risk Management for MSPs - Regulatory Risks
Over the past two decades there has been an ever-increasing amount of regulation regarding data privacy. Organizations are held to much higher standards in terms of the protections they must put in place to ensure that personal data remains confidential. At the same time, the market on the dark web for personal data has exploded.
The list of data privacy regulations is long and touches most industries. The alphabet soup includes HIPAA, GLBA, SOX, FERPA, COPPA, etc. Other regulations are geography based, GDPR (EU) and CCPA (California) for example. Many other states are working on their own versions of CCPA as well.
Our clients may be subject to one or more data privacy regulations as a function of the business they are in. Some are obvious, such as the fact that all medical practices are subject to HIPAA by default. However, many organizations not directly involved in the delivery of healthcare services may store Protected Health Information (PHI) for reasons not so obvious. Those organizations are bound by HIPAA rules like any other healthcare institution.
Geography based regulations can apply to any industry. They typically aim to protect the Personally Identifiable Information (PII) of the citizens of that region…