Mar 21 2024

Do MSPs or MSSPs have to be CMMC certified if their clients are required to be?

A question keeps coming up, “Do MSPs or MSSPs have to be CMMC certified if their clients are required to be?”

As with all things government, the answer is not abundantly clear. However, our reading of the tea leaves is that, “Yes, MSPs and MSSPs will eventually need to be certified, or at least they will need a certified enclave.”

The draft CMMC rule does not directly address MSPs or MSSPs except by defining the acronym. They are considered “External Service Providers (ESP).” Specifically, “External people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization.”

Additionally, “CUI or Security Protection Data (e.g. log data, configuration data) must be processed, stored, or transmitted on ESP assets to be considered an ESP.” Organizations who qualify as ESPs must be certified at the same CMMC level or higher as their client organization needs to be.

The public comment period (where the government solicits comments / concerns before creating rules) resulted in 368 publicly viewable comments, at least 50 of which mention MSPs. Many were requesting clarification about exactly how the CMMC requirements would be applied to MSPs.

Would their entire organization be required to be compliant, or can they create an enclave just for the customers that need it? Will there be any reciprocity for their clients, or will the MSP have to go through the process each time one of their clients does?

A number of MSPs / MSSPs were also requesting a phase-in period to allow more time for them to become certified, as they were not tracking this requirement previously. Finally, there is concern that there will not be enough C3PAOs to certify the MSPs / MSSPs as well as the DIB companies. All of these comments will have to be addressed, though not necessarily agreed with, before the rule can be finalized.

So, while the rule for MSPs / MSSPs is not in place today, our view is that eventually, there will be a requirement.

Please let us know if you have any questions.