Many of you understand what it takes to achieve CMMC (Cybersecurity Maturity Model Certification) Level 3 compliance, but did you know that you can inherit some of that compliance from the processes and practices your managed service provider (MSP) already performs for you? Not only that, but some of your key software vendors, such as Microsoft, have security measures in place that you can claim as inherited on your assessment. One caveat up front: an inherited control still has to be documented in your System Security Plan, and the provider's implementation of it is in scope for the assessor, so make sure your MSP can produce the records behind each claim.
A few examples of compliance inheritance from your MSP are:
- Change management process. Your MSP should be able to deliver a strong change management process that is already in place and part of your current culture. Think about how a change actually flows: you submit a ticket to your MSP requesting the change; the MSP reviews the ticket and raises any questions or comments; it contacts your designated approver to confirm the work should be quoted; it either quotes the work or performs the fix after advising you of the pros and cons (including the risks) of the change; you accept the risks and the change is implemented; and the ticket is closed. That closed ticket stays in the system indefinitely and can be provided as evidence of a working change management process.
- Patch management is another example. Your MSP receives the patch, vets it, and deploys it to the systems in your organization. Their remote management tool alerts them to failed patches, which then go through a troubleshooting process, all of it behind the scenes without you having to be bothered. The deployment and failure records from that tool are the evidence you would point to.
- Adding, terminating, and changing users is usually performed by your MSP, a record of each request is kept, and you gain the benefit of relying on their Standard Operating Procedures for how it is done.
- Incident response is another area where your MSP's ticketing system and helpdesk response team can natively earn you credit. An incident is detected by their monitoring or reported by you; it is entered into the ticketing system; urgency and impact are assessed; a plan is formed; the MSP's point of contact at your organization approves the remediation work; the fix is applied; and the ticket is closed but retained permanently.
These are only a few of the areas where a qualified MSP can boost your regulatory compliance maturity.
A welcome side note: Microsoft has mapped the components of its E3 and E5 licenses against CMMC. Yes, that means you can inherit many compliance actions through Microsoft as well. For a fun read, look up the Microsoft "CMMC Placemat." F1 is finishing a months-long project of mapping all the CMMC Level 3 controls against the Microsoft and F1 Standard stack environments to bring you the most coverage possible. Contact F1 Solutions for more information or to learn about our managed IT solutions.
F1 Solutions: https://www.f1networks.com/
Jennifer VanderWier, CISO