Attention MSPs with DoD Clients – Understanding Compliance and Risks For Your Clients

Managed Services Providers (MSPs) fill an important role in providing IT services and support for businesses across multiple industries.  For MSPs supporting Department of Defense (DoD) contractors and subcontractors, existing and evolving cybersecurity regulations may pose significant risks heading into 2023.

Companies must have a plan in order to meet these challenges, and many will look to their trusted MSP partners for help. But do MSPs fully understand these DoD requirements and are they prepared to advise and assist their clients in achieving compliance?

In this article, we’ll review the evolving DoD requirements, what MSPs should consider with respect to their current partnerships and how best to support them moving forward.

Requirements are getting stronger…

Since becoming law in 2017, NIST 800-171 has governed the protection of Controlled Unclassified Information (CUI) by DoD contractors and subcontractors. Companies must adhere to the specific 110 controls of NIST 800-171 in order to be eligible for and complete government projects that involve CUI.  Some examples of CUI include:

• Emails
• Electronic Files
• Blueprints or Drawings
• Sales or Purchase Orders
• Contracts

While companies may have been able to ‘’self-attest’’ to NIST 800-171 requirements in the past, the DoD has strengthened its review and enforcement. With the implementation of the DFARS Interim Final Rule in 2020, companies are now required to submit a scored self-assessment into the DOD’s Supplier Performance Risk System (SPRS) based on their compliance with the 110 requirements of NIST 800-171.

And, later this year as currently outlined by the DOD, Defense contractors and subcontractors will have to certify—and potentially overhaul—their cybersecurity controls and policies to comply with Cybersecurity Maturity Model Certification (CMMC). Companies that fail to abide by the cybersecurity standards required by their contracts may face hefty penalties. Penalty fines, which can be as much as the entire contract value, combined with the potential loss of government contracts, could create substantial risks to businesses’ revenue streams.

Are MSPs prepared?

MSPs, as trusted advisors, are often tasked with assisting their clients with assessing and planning for compliance. What many companies (and their MSP partners) fail to realize is that in addition to having the right cybersecurity tools in place, having a documented System Security Plan (SSP) with Plans of Action and Milestones (POAMs) for any unmet controls is essential. Without this documentation, NIST 800-171 self-assessments would be considered invalid, the company not in compliance and upcoming CMMC audits would be failed.

Key questions every MSP should ask themselves when supporting DOD Clients:

• Does your client have a System Security Plan (SSP)?
• Has your client submitted a scored NIST 800-171 self-assessment to the DoD? Did you assist in preparing this submission?
• Could your client provide documentation (SSP and POAMs) supporting their compliance to the DoD upon request?
• Do you know what your client needs (think policies, procedures, processes to ensure compliance, tools, monitoring, on-going evidence collection, etc.) to meet requirements and do you have the expertise to help them?

If you answered ‘’no’’ to any of the above, seeking assistance from outside expertise could be invaluable to protecting your and your clients’ existing revenue and mitigating potential risks.

SSE can help MSPs help their DoD clients…

In addition to being a MSP, SSE is also a DoD contractor. We have managed our and our clients’ networks to both NIST 800-171 as well as NIST 800-53 standards since 2009. We have assisted dozens of companies in assessing their current state and developing a customized compliance plan based on their specific needs. It all starts with an assessment.

SSE’s NIST 800-171 and CMMC Gap Assessment is a detailed evidence collection, assessment and analysis of a company’s environment and its readiness state for an audit or assessment submission. It includes:

• Verification against all 110 NIST 800-171 and CMMC 2.0 Level 2 (includes Level 1) practices
• Review and verification of existing IT tools
• Review of any existing System Security Plan (SSP)
• Review of any existing Plans of Action and Milestones (POAMs)
• Review of any existing policies/procedures and physical security practices

The output is the identification and documentation of all gaps in the form of a complete Security Assessment Report (SAR) that includes the following deliverables:

• DoD NIST 800-171 Assessment and Scoring
• Detailed Compliance Matrix for both NIST 800-171 and CMMC Levels 1 and 2
• Security Findings Traceability Matrix – information for a SSP
• Plans of Action and Milestones (POAMs) for all unmet requirements

With the compliance gaps identified and documentation in place, SSE’s Cybersecurity as a Service offering can be customized and added to the existing IT and cybersecurity services provided by MSPs in order for their clients to meet requirements. SSE has also developed Model Policy Templates for customization to a client’s environment for all IT and non-IT controls. These services were vetted to ensure compliance with the 110 controls defined by NIST 800-171 requirements and scoped to meet the evolving CMMC standards in a cost effective manner.

With the complexities around NIST 800-171, the DFARS Interim Final Rule and CMMC, SSE can help supplement your existing service offerings and validate your approach to meeting your clients’ NIST 800-171 and CMMC compliance needs.

SSE has been accredited by the Cyber AB (formerly the CMMC Accreditation Body) as a Registered Provider Organization (RPO). Let us demonstrate how we can help.  Schedule an initial consultation with our team to get started.