If you are a government agency or one of 350,000 contractors in the U.S DoD supply chain, you might be aware of DFARS and CMMC for DoD contractors. The Department of Defense first released the first version of CMMC or Cybersecurity Maturity Model Certification in January 2020. The release came out after a large-scale exfiltration of defense information was made. The cybercriminals targeted the data kept on the contractor information systems. Although DoD released CMMC compliance recently, all the DIB supply chain contractors are required to take necessary measures to protect controlled unclassified information since 2017. 

The five maturity levels of the Cybersecurity Maturity Model Certification include the security requirements mentioned in NIST SP 800 171. It should be mentioned that DFARS compliance requires compliance to all the 110 security measures included in NIST 800 171. Another crucial thing is that contractors will have to go through a third-party audit to acquire compliance certification. The DoD is going to roll out the compliance requirement gradually. This means that companies will have to be CMMC compliant to be able to grab government contracts.

This leaves government contractors and businesses with the task of finding managed services providers that can help them with CMMC cybersecurity compliance.

In this blog, we have listed down a few points to keep in mind when looking for an MSP.

  1. What measures have the MSP taken to become CMMC compliant?

When looking for the right managed services provider, make sure you ask your prospect MSP whether they can achieve CMMC compliance for their DIB clients?

CMMC compliance requires following the path of the Controlled Unclassified Information. If a company is awarded a government contract and uses an MSP to process and host data, the MSP will also have to fulfill CMMC compliance requirements.

Another critical thing to think about is if the MSP will accept a DFARS flow-down or not. If the MSP is ready to accept the contractual obligation to protect and secure CUI same as you, it indicates that the MSP is willing to support customer requirements.

  1. Is the MSP experienced and capable of fulfilling compliance requirements?

When accessing the ability of your prospective MSP in fulfilling compliance requirements, ask how many clients have to undergo similar requirements. It’s best to determine whether the MSP has any experience in consulting and expertise in compliance.

  1. How will the MSP support your company during the audit process?

Is the MSP confident that their cybersecurity processes and practices effectively safeguard the CUI of their clients? Whoever you decide to partner with should be by your side when you are being audited for the certification.

  1. Are the systems used to access the client’s environment compliant with CMMC and DFARS?

When it comes to selecting a reliable managed services provider, you should ask plenty of technical questions. Ask about their cybersecurity practices and systems. Determine whether they conform to the compliance requirements included in the CMMC DFARS regulations. If the MSP used cloud-hosted data centers, do they meet the FedRAMP moderate baseline? Besides this, there are several other technical questions you should ask your MSP before making an informed decision.