Tips for Small Businesses: Can I keep my MSP?
Many small businesses face an IT decision: keep that knowledge in-house or outsource it to a Managed Service Provider (MSP). An MSP can provide valuable support: patching servers, setting up new computers, helping users who lose their password or can't connect to a printer. The list is endless.
Let's say that you've chosen the MSP route, and everything is going great. You have come to rely on your MSP. They always respond when you need them. But what happens when you receive a contract from the DoD that requires you to store and process Controlled Unclassified Information (CUI)? What does that mean for your MSP relationship? Do they now have to meet the same requirements you do?
Find an MSP who is familiar with NIST SP 800-171
If you are subject to DFARS 252.204-7012, chances are you will receive or create CUI on a project for a DoD customer, and the Government requires that you safeguard that information. You'll want an MSP that is familiar with NIST SP 800-171, and that doesn't mean having read it once. They should have extensive knowledge of your security and assessment requirements (including NIST SP 800-171A), because an MSP that does will know the right technologies to use to keep you compliant. A knowledgeable MSP will also know what restrictions they must place on themselves and their own access.
Control what your MSP has access to
Chances are, your MSP doesn't need access to your government project data, nor should they want that liability. If the MSP can access your CUI, however, they are subject to the same DFARS requirements you are, including incident reporting. Managing an MSP can be a big ask for a small business: your sweet spot is your service offering, not security and IT. It may be worth hiring a consultant who speaks both your language and the MSP's.
Require your MSP to use MFA to access your system
This should be a non-issue for MSPs familiar with NIST SP 800-171. Typically, an MSP will have elevated access, which is sometimes needed to support you. But that also means that if their account is compromised, an adversary gains the same elevated access to your system. Least privilege is vital for all users, including the MSP.
Ask to review the MSP's policies and procedures
In compliance, documentation is key. "Take our word for it" is not acceptable evidence of your password policy; you must talk the talk and walk the walk. Reviewing the MSP's policies, procedures, Terms of Service, and/or Service Level Agreements will shed light on their responsibilities in supporting you. Do these align with the NIST requirements? If your MSP supports a system of yours that contains CUI, you need to know.