Many small-to-medium-sized businesses outsource their help desk and IT support for strategic, fiscal and operational reasons, but these services directly affect the compliance posture of a business. Not only do third-party IT support services affect compliance; a single cybersecurity incident at an MSP can jeopardize multiple businesses at once. The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is developing a guide for MSPs to limit these security and compliance risk factors. Authors Karen Waltermire of NCCoE and Harry Perper of The MITRE Corporation released an initial draft publication for public review and feedback. This new guide will focus on the Cybersecurity Framework Functions (i.e., Identify, Protect, and Detect).
The guide will conceptually cover many of the same practices found in NIST 800-171 and required by DFARS 7012 for Aerospace and Defense companies. However, the guide will incorporate the unique threat vectors associated with the shared-resources model of MSPs. The overarching theme is reminiscent of the age-old airline instruction "apply your own oxygen mask first before assisting others." If an MSP is not running proper audits and logs on its own systems, then your systems can be compromised.
According to a recent study on the Defense Industrial Base (DIB) conducted by NDIA, more than 25 percent of industry professionals work for firms that have experienced a cyber attack. The attack surface of an MSP increases with every added company and user, which in turn also increases the amount of damage an attacker can inflict along with the amount of data that can be compromised.
MSPs must treat each data estate separately from an architectural standpoint, but some resources will be shared regardless. IT support processes must be streamlined to make MSP offerings affordable, and standardization must rise to the highest requirements. Managing a support ticket, for instance, has several security and compliance implications: where ticket information is stored and on what servers, what virtual desktop software is being used, how corrective activities are logged and what system changes are documented, what citizenship status MSP employees possess, who responds to incidents according to DFARS 7012, etc.
Components being considered for all MSP scenarios and associated 'projects' to be implemented:
- mobile and desktop devices
- cloud application and directory services
- mobile-device manager (cloud service)
- on-premise applications
- on-premise IT infrastructure
- security incident and event management (SIEM)
- identity and access management capabilities
- identity store
- access rights management (role-based)
- authentication and authorization
- network segmentation capabilities
- encryption capabilities (disk level)
- network monitoring capabilities
- asset management capabilities
- vulnerability scanning
- automated update
- asset identification
- RMM capabilities
- PSA capabilities
Whether or not your MSP is considering the above components, your leadership needs to have a plan or strategy around each of these bullets. Many of them would be found in your System Security Plan (SSP). One interesting requirement to note is less about security and more about operational risk management and continuity - backups. Much like the recently published Cybersecurity Maturity Model Certification (CMMC) documentation for Aerospace and Defense companies, this set of guidelines for MSPs also makes mention of secure backups: "Backups of information are conducted, maintained, and tested."
As the Federal Government extends its cybersecurity and IT requirements to the supply chain, the required level of maturity will naturally rise. It will be incumbent upon internal or external teams to give serious consideration to their existing capabilities. IT teams will need to be adept at technology, security, process, compliance, and the intersections of all four.
Shameless plug: Summit 7 offers MSP services for Aerospace and Defense companies. It's really good. Shameless plug over.