The Importance of the Shared Responsibility Model

For decades MSPs have used the adage "We take care of IT so you don’t have to." Back when MSP services included remote monitoring and management, managed AV, and managed firewall services, this was largely a legitimate claim. The MSP was analogous to the HVAC company. Nobody on staff was typically responsible for the heat or AC system.

In today's world, where cyber security is integral to the management of IT systems, this is no longer the case. Customers hold some of the responsibility for maintaining the security of their networks. However, many organizations do not understand the responsibilities they hold, and many MSPs are not forthcoming about the expectations they have of their clients in holding up their end of the bargain.

In reality, cybersecurity is a "shared responsibility" between the MSP and their client. MSPs may put countermeasures in place to thwart cyberthreats, but without active client participation those countermeasures become ineffective. Take end user security awareness training, for example. The MSP may implement a comprehensive training and testing platform, but if the client is not monitoring their employees' compliance on the platform, the program is useless. Likewise, the MSP may employ a robust access control system, but if the client is not proactively working with the MSP to remove access when employees leave the company, accounts may be left open to exploitation.

This is especially true for clients in regulated industries. Medical and health insurance providers are bound by HIPAA requirements, financial institutions are governed by FTC rules and others, and any business processing credit card transactions must follow PCI guidelines. Most of these organizations do not have a deep understanding of the technical requirements of these regulations and rely on their MSP to provide guidance. Many organizations are under the mistaken impression that their MSP is, in fact, entirely responsible for meeting the requirements. In reality, the covered entity is solely responsible for meeting the requirements. The MSP is simply providing the technology and support. In the event of a breach, the governing body of the regulation will be looking to the covered entity to provide evidence of due diligence in ensuring the MSP is providing appropriate technology and services to meet the regulations.

However, a new regulation, the Cybersecurity Maturity Model Certification (CMMC) program, is changing the game. CMMC applies to any company doing business within the Defense Industrial Base (DIB). This includes contractors and subcontractors throughout the Department of Defense supply chain. CMMC is the first such regulation that not only requires the covered entity (contractor) to certify compliance with the requirements prior to accepting a contract, but also includes any MSP-provided services that are related to required controls. The MSP services are considered within the scope of the CMMC Assessment. Therefore, MSPs will need to provide evidence of compliance for those services.

One of the requirements of CMMC is for the Organization Seeking Certification (OSC) to produce a "Customer Responsibility Matrix" (CRM), more commonly known as a "Shared Responsibility Matrix" (SRM). In this process the responsibilities of each party (OSC, MSP, other third party vendors, etc.) are articulated for each control and assessment objective. This demonstrates that the third party takes responsibility for meeting the requirements of the control. The third party must be able to produce a written policy on how the control is implemented to meet the requirement. The third party must also produce evidence and artifacts that prove the policy is being followed. This includes written procedures, log files, audit reports, training records and other information. Should the third party fail to provide adequate evidence of compliance, the OSC is in danger of failing their assessment. CMMC is a high stakes game, and the Shared Responsibility Matrix is a crucial part of demonstrating compliance.

The Shared Responsibility Matrix is a requirement under CMMC, but MSPs should adopt it as a best practice with all of their customers. They should prepare an SRM for each client specifically stating how their services fulfill the requirements of the regulations applicable to the client. They should also articulate any responsibilities the client holds in meeting those requirements. This establishes a clear delineation of which party is responsible for each task. It also demonstrates an understanding by the MSP of the regulatory requirements of the client. But what about unregulated clients? In this case, the MSP can use a common cybersecurity framework such as CIS or NIST CSF, and simply identify those controls within the framework that are addressed through the services they provide.

By sitting with a client and reviewing the Shared Responsibility Matrix the MSP gains instant credibility as either understanding the regulatory requirements of the client's industry or demonstrating a formal approach to cybersecurity. In either case, the MSP is differentiating their approach from the competition and providing additional value. This process can be reinforced on an annual basis as part of a Quarterly Business Review. The vCIO or Strategic Account Manager can review the SRM and remind the client of the services the MSP is providing and review the client responsibilities.

The SRM can also be used as a sales tool. By mapping MSP services to regulatory requirements or a formal set of cybersecurity best practices, the MSP provides more tangible reasons why the services are necessary. This also gives the client greater confidence that the MSP understands their industry and follows a formal approach to security.

So, what should MSPs do?

  • Identify those clients within your current book of business impacted by regulatory requirements

  • Review and understand the regulatory requirements for those industries that are impacted by the services you provide

  • For those clients in unregulated industries, select a common cyber security framework for reference

  • Ensure the services you provide meet the requirements of those regulations or framework

  • Document your policies, procedures, and audit procedures to ensure compliance

  • Determine what is expected of the client to maintain compliance

  • Create a Shared Responsibility Matrix for each regulation and framework

  • Train your sales team and vCIOs on how to present the SRM to clients and prospects

As mentioned above, this is a requirement for any clients in the DIB. However, it can be a powerful tool for use with any client.

Be aware that, under CMMC, MSPs are not required to certify their practice for CMMC. However, for all intents and purposes, most DIB contractors will require their MSPs to become certified as a condition of doing business. They will not risk having the MSP show up at their assessment unprepared and put their own certification in jeopardy. Therefore, any MSP with a book that includes significant revenue tied to contractors in the DIB should be considering full CMMC certification.

OTX Roundtable GRC

Beyond simply adhering to the specific requirements for their services, MSPs can go one step further and make sure that their entire practice achieves compliance with a cyber security framework. Regardless of which framework is chosen, adopting a formal cybersecurity framework is a lengthy and laborious task, and it is difficult to keep the goal front and center given the unpredictable nature of the MSP industry. OTX Roundtable GRC was created to offer a supportive environment for MSPs to create a security and compliance-centric culture within their practice. Members are committed to achieving compliance, support each other in the effort, and hold each other accountable to meeting the requirements. Find out more about joining OTX Roundtable GRC here.
