3 questions to help you assess if an IT Managed Service Provider (MSP) will help you maintain (or damage) your DFARS 7012 Compliance for Federal Contracting.
I speak with multiple customers a day regarding DFARS 7012, NIST 800-171 and protecting CUI data. The requirements to protect data are expanding and it is only going to continue as the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) are adding data protection requirements in 2020. The Defense Industry has always worried about security around products and services. However, the business systems and IT infrastructure that supported those defense contractors were not monitored or evaluated and many are vulnerable to attack.
Deputy Defense Secretary Patrick Shanahan spoke at the Armed Forces Communications and Electronics Association (AFCEA) on Feb 6, 2018 and said, “The culture we need to get to [around IT security] is that we’re going to defend ourselves and that we want the bar to be so high that it becomes a condition of doing business.”
DFARS 7012 identifies compliance with NIST SP 800-171, Protecting Unclassified Information in Non-federal Information Systems and Organizations, as the standard for defense contractors handling CUI data. As such, compliance with NIST 800-171 is now essential for winning and sustaining contracts.
In response to this, organizations must understand all the potential vectors for attack and data leakage of CUI data including Personally Identifiable Information (PII), financial information and something that many don’t think too much about, IT security and vulnerability information. Regulatory compliance is a tough pill to swallow because it can be complicated and expensive to implement, and the government isn’t directly providing the funding to meet the new requirements. However, these data security requirements are designed to protect corporate and government data from real threats and they are no longer optional.
What is a Managed Services Provider (MSP)?
Internal IT departments exist to manage the hardware, software, and information technology services related to the internal business functions of a business. However, small businesses with one or two IT staff members can no longer provide the necessary skills to support the desktop support environment, the network infrastructure, the ubiquitous mobile devices and the ever expanding cloud-based environments while also maintaining the security and compliance programs required by the government. No matter how qualified or knowledgeable, a small team will not have time or the breadth of skills to architect, administer and manage these environments in a secure manner.
Therefore, many businesses look to outsource their IT requirements through a Managed Service Provider (MSP). Effective MSPs take care of these IT requirements and allow a business to focus on their core competency with a newfound vigor. While this is great from a focus standpoint for an organization, it can introduce its own set of issues, vulnerabilities and compliance headaches if the MSP is not properly equipped to manage data and processes in a highly compliant manner. With the MSP handling most every piece of hardware, data, and IT services - an organization wishing to outsource their IT must assess the security practices of their MSP to ensure there are no unexpected risks.
Our Organization is DFARS 7012 Compliant. Is it Safe to use an MSP?
Investing in compliance with DFARS 7012 and NIST 800-171 is a big effort because it now includes line of business systems including finance, personnel and IT vulnerability information. While MSPs are valuable partners who reduce overhead costs and enable businesses to stay focused on their core mission, it is important to remember that MSPs will have access to documents, CUI, and data including passwords, access codes and vulnerability information about their IT environment. Because MSPs have this kind of sensitive data in their possession, it is critical that they make the same investment in NIST 800-171 to ensure that you stay compliant and properly manage CUI information and the security of your IT environment.
3 Important Questions to Evaluate MSP Compliance and Security
Below are three important questions that you can use as indicators to help assess the compliance and security level of your MSP. These are especially important if you have a requirement to maintain NIST 800-171 compliance.
Does the MSP leverage FedRAMP Moderate or FedRAMP High cloud-based environments that meet the security needs for holding the information about your environment (vulnerabilities, system documentation, tickets, etc.)? If so, are they configuring those environments to the NIST 800-171 standard?
- Are they using Dropbox, iCloud, etc.? While there are a few FedRAMP High datacenters like Azure and AWS, the majority of cloud services are not hosted in FedRAMP Moderate/High environments and even fewer are built to NIST 800-171 or NIST 800-53 security controls. It is important to ask your MSP if their data is stored in a compliant environment. You can check their provider at the FedRAMP website: https://marketplace.fedramp.gov/#/products?sort=productName
- How does your MSP manage virus and vulnerability information? Any system that tracks vulnerability information like anti-virus status, missing patches, or operating system levels may fall under the classification of CUI data and require storage in a DFARS 7012/NIST 800-171 compliant environment.
- When you back up your data, where is that data going? Is your MSP leveraging a backup solution that ensures your data is stored in a FedRAMP Moderate environment and secured to NIST 800-171? It is one thing to make sure you are handling your data properly in your email and collaboration system, but that same data is in your backup environment as well.
How does your MSP access and monitor your systems?
- Does each MSP administrator use a separate account to access your environment, or do they use a shared account? It is very important from an audit standpoint that all individuals, especially privileged administrators, are logging in with an individual account when performing activities in your environment. Without it, it is not possible to properly audit the actions that your MSP admins are taking. This is a requirement within NIST 800-171.
- Does everyone have the same level of access to systems? Just like Kentucky Fried Chicken (KFC) doesn’t let one plant process all the ingredients to their secret batter to maintain secrecy, your MSP shouldn’t allow one employee access to all systems. Help your (and your clients’) secret sauce stay secret. Your MSP should identify varying roles within your IT infrastructure and no one individual should have access to control everything within your environment. This is a requirement within NIST 800-171.
- How do the MSP administrators remotely access your workstations, servers and networks? Does their remote monitoring and management system provide a full audit trail of access? Do you know who accesses each of your systems and when they do it? Supporting your environment remotely is a crucial component of MSP services. You must ensure that they are accessing the environment in a way that is clearly audited.
- Do they leverage Multifactor Authentication (MFA) for access to both internal and client systems? Multifactor Authentication is a required NIST 800-171 control that ensures that an account whose username and password have been compromised still cannot access your environment. This is done by forcing a second authentication check to a predetermined device, phone number or application. This provides the assurance that individuals are properly authenticated to gain access to your systems, documents and data.
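The access questions above (individual accounts, role separation, an audited trail of remote access, and MFA) can be checked against the logs your MSP's remote management tooling produces. The script below is an added example, not part of the original article and not any vendor's tooling; it assumes a hypothetical key=value log format and runs over a few constructed log lines to flag the three conditions the questions describe: generic or shared accounts, privileged logins without MFA, and one account reaching every role class in the environment.

```python
"""Audit constructed MSP remote-access log lines for three NIST 800-171 style
access controls: individual (non-shared) accounts, MFA on privileged access,
and role separation. Example code added to the article; the log format and
the sample data are hypothetical and constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (hypothetical key=value format); not real data.
SAMPLE_LOG = """\
ts=2020-03-02T08:01:12Z user=alice.rivera src=10.20.1.15 target=FS01 role=fileserver mfa=yes priv=yes
ts=2020-03-02T08:03:40Z user=msp-admin src=10.20.1.15 target=DC01 role=domain-controller mfa=no priv=yes
ts=2020-03-02T08:05:02Z user=msp-admin src=10.20.1.77 target=FIN01 role=finance mfa=no priv=yes
ts=2020-03-02T08:09:55Z user=bob.chen src=10.20.1.31 target=HR01 role=hr mfa=yes priv=yes
ts=2020-03-02T08:12:10Z user=bob.chen src=10.20.1.31 target=DC01 role=domain-controller mfa=yes priv=yes
ts=2020-03-02T08:15:33Z user=bob.chen src=10.20.1.31 target=FIN01 role=finance mfa=yes priv=yes
ts=2020-03-02T08:20:08Z user=bob.chen src=10.20.1.31 target=FS01 role=fileserver mfa=yes priv=yes
ts=2020-03-02T08:22:41Z user=carol.ng src=10.20.1.52 target=WS-104 role=workstation mfa=no priv=no
"""

# Account names that by themselves indicate a shared, non-individual login (assumed list).
GENERIC_ACCOUNTS = {"administrator", "admin", "msp-admin", "support", "root"}


@dataclass
class Event:
    ts: str
    user: str
    src: str
    target: str
    role: str
    mfa: bool
    priv: bool


def parse_log(text):
    """Parse key=value lines into Event records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(field.split("=", 1) for field in line.split())
        events.append(Event(kv["ts"], kv["user"], kv["src"], kv["target"],
                            kv["role"], kv["mfa"] == "yes", kv["priv"] == "yes"))
    return events


def find_shared_accounts(events, max_sources=1):
    """Flag generic account names, and any account used from more than
    max_sources distinct hosts, which suggests the credential is shared."""
    sources = defaultdict(set)
    for e in events:
        sources[e.user].add(e.src)
    return sorted(u for u, s in sources.items()
                  if u in GENERIC_ACCOUNTS or len(s) > max_sources)


def find_privileged_without_mfa(events):
    """Privileged sessions that were not protected by a second factor."""
    return [(e.ts, e.user, e.target) for e in events if e.priv and not e.mfa]


def find_over_privileged(events):
    """Accounts whose privileged sessions reach every role class seen in the
    log, i.e. no role separation between (for example) finance, HR and AD."""
    all_roles = {e.role for e in events if e.priv}
    roles_by_user = defaultdict(set)
    for e in events:
        if e.priv:
            roles_by_user[e.user].add(e.role)
    return sorted(u for u, r in roles_by_user.items() if r == all_roles)


def audit(text):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "shared_accounts": find_shared_accounts(events),
        "privileged_without_mfa": find_privileged_without_mfa(events),
        "over_privileged": find_over_privileged(events),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

On the constructed sample, the generic `msp-admin` account is used from two hosts and never with MFA, so it appears in both the shared-account and the no-MFA findings, while `bob.chen` is flagged for reaching every role class. The thresholds and the generic-name list are assumptions to adjust to your environment; the point is that each of the questions in the list above maps to a check you can run on the audit trail, which is only possible if the MSP logs individual accounts in the first place.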
How does your MSP hire and train their support staff?
- Are all members of the support team at your MSP considered US Persons? If you have ITAR data anywhere within your environment, it is critical that your MSP ensure that only US persons are on your support team.
- What skills and certifications does the MSP team have? This seems obvious but it is surprising how many MSPs do not require certifications of their staff. It is a requirement to ensure that everyone having access to your environment has a minimum level of competence in the realm of security, such as the IAT-2 (Information Assurance Technician) level certifications as defined by DoD Directive 8570.1. These include CompTIA Security+ CE, GSEC, CSA+, CCNA Security, GICSP or SSCP. In addition to these IAT certifications, you should look for at least one technical certification for the platforms that they are managing for you.
- How does the MSP ensure individuals touching your system are trustworthy? As an example, Microsoft provides extensive background checks on all individuals with administrative access to the Office 365 GCC High and DoD environments. What does your MSP provide? You can find the details at this link: https://technet.microsoft.com/en-us/library/mt774968.aspx
- Does your MSP require their staff to do yearly Security and Awareness training as required by the Department of Defense and NIST 800-171? Ensuring that the administrative team with access to your most important data is properly briefed on topics such as Insider Threat, CUI, ITAR and other relevant government security is critical.
- What kind of physical security does the MSP maintain? MSP facilities should comply with NIST physical security requirements which can include maintaining audit logs of visitors, visitor escort and monitoring their physical facility.
Where to Go From Here
The three questions above, and all of their sub-questions, are a great way to help you evaluate whether or not an MSP is the right MSP to help you maintain your DFARS 7012 and NIST 800-171 compliance. If you would like to do a formal evaluation, you might find that the NIST SP 800-171 self-assessment guide is helpful in your evaluation of your provider (https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf).
There are hundreds and hundreds of great MSPs across the country. Some industries use them very heavily, especially industries like Healthcare, Legal, Financial Services and Manufacturing. Now that there is a strong movement among the Aerospace and Commercial Defense sector to outsource services to MSPs, it is critical that you do the necessary due diligence to ensure that you are entrusting your data and your organizational IT environment to the RIGHT MSP.
If you find the right partner, outsourcing your IT services to an MSP can be a rewarding and cost-effective method to stay competitive in the government contracting space. Additionally, it can help you minimize overhead while providing your employees with a great user experience.