New MSP Collective works on advancing MSPs, MSSPs to build secure, resilient critical infrastructure

MSPs for the Protection of Critical Infrastructure (The MSP Collective) launched Monday an initiative to inform the U.S. government and critical infrastructure industries on topics related to Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). The aim is to establish standards that ensure services meet or exceed government regulations while working towards the national security mission of maintaining a secure, functioning, and resilient critical infrastructure. 

Founding members of the non-profit entity MSP Collective include Summit 7 Systems, NeoSystems, and Quzara LLC. MSPs and MSSPs that share a commitment to the organization’s mission and who meet its membership qualifications are encouraged to join. 

The MSP Collective offers three types of membership: regular, associate, and special. A regular member is an MSP/MSSP fully dedicated and focused on the mission, while an associate member is an MSP/MSSP that is not necessarily fully dedicated or focused on the mission but is nonetheless interested in supporting it. A special member is an individual or organization interested in supporting the mission that is neither part of an MSP or MSSP focused on the mission nor part of an existing associate or regular member MSP or MSSP.

“Despite the critical role MSPs and MSSPs play, no standards or certification programs exist to qualify Service Providers’ understanding of applicable government regulations or the alignment of the services they provide with those regulations,” Scott Edwards, executive director of the MSP Collective and CEO of Summit 7 Systems, said in a media statement. “An important element of our mission is to participate in the establishment of suitable standards to address this concern.”

“Cybersecurity and compliance come at a cost,” said Stuart Itkin, a director of the MSP Collective and senior vice president of NeoSystems. “For some smaller companies, the one-time and ongoing costs of getting and staying compliant can be a barrier. As the government considers programs to ease the financial burden on these companies, we hope to inform the government and offer ideas for the implementation of these programs.”

The MSP Collective intends to collaborate with the U.S. Congress, the Department of Defense (DoD), the Cyber AB, state legislatures, and the broader critical infrastructure ecosystem to provide insight into the importance of external service providers in securing critical infrastructure, the federal contracting base, and especially the Defense Industrial Base (DIB). The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) ecosystem and the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC conformance regime.

“Our recommendations for the CyberAB, the DoD, and Congress are all borne from a desire to help secure the Defense Industrial Base, support the warfighter, and improve national security,” according to the MSP Collective. “Our companies stand ready to support and will continue to work with government, industry, and academia to put appropriate technology, processes, and capabilities in place to ensure that we stay a step ahead of the aggressors. Protection of our national intellectual property is paramount to ensuring we can continue to thrive as a nation.”

The launch recognizes that MSPs and MSSPs, commonly referred to as External Service Providers (ESPs), are key players in facilitating IT, cybersecurity, and supply chain risk management across critical infrastructure sectors, the federal contracting base, and especially the DIB. Within the DIB, MSPs and MSSPs are commonly responsible for roughly 40 to 70 percent of the IT and cybersecurity requirements that must be implemented and maintained to satisfy DoD regulations and, furthermore, to achieve certification at Level 2 under the CMMC program.

Additionally, small and medium-sized businesses (SMBs) comprise over 75 percent of the DIB, according to MSP Collective data. “The Department of Defense (DoD) estimates that at least 80,000 companies will be required to achieve CMMC Level 2 certification. Therefore, CMMC Level 2 certification for 60,000 SMBs is a conservative estimate,” it added.

At present, the interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to the requirements outlined in the regulation.

The publication of materials relating to CMMC 2.0 reflects the Department’s intent concerning the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take up to 24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

Most SMBs leverage ESPs because it simply makes good business sense. SMBs typically have neither in-house IT and security expertise, nor the time, budget, and resources required to recruit, develop, and sustain such a team. The MSP Collective assessed that if 50 percent to 70 percent of SMBs requiring CMMC Level 2 certification leverage ESPs, then upwards of 30,000 – 40,000 DoD suppliers and their Controlled Unclassified Information depend entirely on the quality of the external IT and security service providers.

In addition, ESPs are key threat vectors for malicious actors to scale cybercrime, ransomware, and state-sponsored cyber espionage. ESPs are essential, but they are also a potential weak point in the protection of the DIB due to the consolidated privileged access that they may have, which may extend to multiple DIB members. 

“While it is possible to limit and compartmentalize privileged access across numerous customers, it is not uncommon for an ESP to support 100s of companies with their consolidated infrastructure,” according to The MSP Collective. “Because of the enormous potential attack surface ESPs create, a worst-case scenario could see an ESP capable of compromising 100s of DIB members and their CUI data with a single attack.”

Unfortunately, even though ESPs are essential in support of critical infrastructure, standards, regulations, and certification programs have routinely failed to acknowledge, account for, or control their systemic importance, it added.

Due to the potential risk, it would be prudent for the DoD to identify minimum requirements for ESPs that exceed the minimum requirements for CUI protection as defined in DFARS 252.204-7012/NIST SP.800-171. This requires significant long-term collaboration to create the groundwork for minimum standards that regulators can have confidence in, which may include NIST SP 800-171 r2 Assessment for ESPs; CMMC Scoping Guidance applicable to ESP Service Delivery; NIST SP 800-172 Assessment for ESPs; a NIST Cybersecurity Framework (CSF) profile for ESPs; and a NIST SP 800-53 Overlay for ESPs.

In the meantime, the MSP Collective said that efforts can focus on adequately leveraging existing standards. “The specific standard for what ESPs should meet is a tradeoff to prioritize growing the ecosystem with a long-term goal of having the most secure ecosystem possible. To that end, the initial requirements for an ESP should be a CMMC Third Party Assessment Organization (C3PAO) validation of NIST SP 800-171 r2. This should be the minimum acceptable baseline for an ESP working in the DIB,” it added.

“ESPs who meet the cybersecurity requirements outlined in NIST SP 800-171 r2 and who subsequently achieve the corresponding CMMC Level 2 certification from a C3PAO and (when available) a CMMC Level 3 certification should be preferred due to the dramatically higher assurance against Advanced Persistent Threats (APTs),” according to the entity. “Ultimately, ESPs should be required to meet a tailored version of NIST SP.800-53 explicitly built to cover the complete Confidentiality, Integrity, and Availability triad and customized to the specific risks that ESPs present. This specifically tailored version of NIST SP.800-53 should be developed by NIST for use by Critical Infrastructure ESPs.”
