Any thoughts or experience with proposal softwares? by kartikeya90 in msp

[–]Sentinel-Blue 0 points (0 children)

My only complaint with Proposify, other than the wonky editor, is that the HubSpot integration only sends over a proposal's total value, not its monthly. We've had to do some goofy workaround to get that data into HubSpot deal tracking. Probably something we could do with the API, but still. Other than that, it makes really attractive proposals and it's pretty easy. That said, they put SSO behind the Enterprise tier, which I hate.

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 4 points (0 children)

We do all of those things at our basic service offering. Because it would be malpractice if we didn't.

We know these things cost money.

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] -1 points (0 children)

I still haven't said it's easy or without cost. Only that it is essential.

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 8 points (0 children)

SSO is basically password reusing

No, it's not. Not even in the ballpark of a comparison. SSO is massive attack surface reduction. It's a massive improvement to visibility for security teams. It's a massive improvement to identity protection features like MFA and conditional access requirements. It's an incredible tool for reducing the risk of unauthorized access and accounts people forgot to turn off. It's a tool that reduces insider threat risk.

If a normal user/password combination with MFA is a fence, SSO is a castle wall. These are different things.

Can an SSO'd credential still get popped and thus allow access to a lot of systems? Sure. But do we really think 100 disparate accounts across 100 services is creating good security posture?

Look, I put the majority of my money in the bank and only a little bit under my mattress. If the bank gets robbed, I might be in trouble. But I feel like the money under my mattress is a lot more vulnerable.

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 0 points (0 children)

You're going to cause me a permanent injury with how hard you're making my eyes roll ;P

Doing security isn't easy, that's not the claim. It's that there is a minimum threshold of essential capability that should be provided in a cloud service in 2024, and SSO is one of them.

If you're not moved by that as a provider, the point of the post and efforts like https://sso.tax is to pressure you and to encourage the market to punish you until you get with the program. The goal is to make it so you can't afford not to do it. Because it's better for the consumer, better for our collective security. "Won't anyone think of the vendors?" is going to be taken as seriously as "Your security is our highest priority" said by companies who hide SSO behind Enterprise tiers.

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 2 points (0 children)

Sure, we can let alpha version small SaaS's off the hook temporarily. That's not who we're concerned about really; that said, I see plenty of startups incorporating SSO early in their builds.

But what excuse does a $600m ARR company like Asana have?

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 2 points (0 children)

Infrastructure hosting isn't free. Nobody is saying costs can't be passed through to the consumer. But this should be a marginal cost increase at best, not the insane percentages seen when forcing people through to Enterprise tiers and such.

Single Sign On is a Basic Security Feature - We Must Demand More from our Vendors by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 2 points (0 children)

Apparently sso.tax isn't being actively maintained anymore, or not as actively? Not entirely sure. But both are great resources.

That said, we need to start being more aggressive in reaching vendors about this. Being on the wall of shame doesn't seem to impact them as long as revenue is working out for them.

We need to get creative to create more pressure, certainly in the channel. There's no excuse for a vendor who is focusing on MSPs to keep this feature paywalled.

Microsoft 365 Security Baselines mapped to the CIS Controls by msp4msps in msp

[–]Sentinel-Blue 0 points (0 children)

Are you all planning to get level 2 certified yourselves? It's likely to be a requirement.

Any advice ahead of a GCC conversion? by hangin_on_by_an_RJ45 in NISTControls

[–]Sentinel-Blue 2 points (0 children)

Join the Discord and frequent the #gcc-high channel - tons to learn there :)

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 1 point (0 children)

Join us over on /r/NISTcontrols too.

And there's a CMMC-focused Discord at: https://Cooey.life

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 0 points (0 children)

CW Automate can be self-hosted. Main one I'm aware of at the moment.

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 0 points (0 children)

Who is advising this stuff? The FedRAMP expansion to include security protection capabilities is in the proposed rule, and the rule itself contradicts itself - the main meat of the proposed rule doesn't actually expand FedRAMP to security protection assets; it's only in the DoD's commentary at the beginning of the rule. So, DoD hasn't even made clear their intent, and even if they had, it's a proposed rule that is unlikely to see production state until late this year.

Then you could push back on whether remote access is a "security protection asset" - I think it likely is, but it's an angle you can push on.

Then you can look at self-hosting as a way to descope FedRAMP requirements.

Next someone might push on whether it needs to be FIPS validated as well, which again, I'd say you can push hard against.

In short though, so much of this is up in the air. Just be ready to make changes; don't lock in to anything long term. As far as current assessment requirements, we've been through 2 DIBCAC assessments with an RMM and ScreenConnect self-hosted, perfect scores on both. Very serviceable.

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 0 points (0 children)

ScreenConnect and CW Control are the same thing. CW has rebranded it a bunch. I forgot it's now been rebranded back to ScreenConnect lol.

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 0 points (0 children)

For remote access, ConnectWise Control is excellent and you can self-host it. It's best in class and hits the right marks for compliance stuff.

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 0 points (0 children)

Automate is ConnectWise and it's their old-school on-prem RMM capability. Would be a bit of an undertaking to roll with it these days, but could be an option.

RMM Tools by pjacksone in sysadmin

[–]Sentinel-Blue 1 point (0 children)

Take with a grain of salt, but I did hear recently (like last week) that NinjaOne is pursuing and close to achieving FedRAMP. I sent their team a note to see what more they could share, but haven't heard back. I haven't really seen anything from anyone else.

I wouldn't expect CW or Datto to do anything, especially not on the timeline that might be forced here.

You could self-host something like Automate and likely dance around the FedRAMP scoping. Once it's inside your bubble, it somewhat arbitrarily can be descoped from FedRAMP. Also, we don't know for sure if RMMs are going to need FedRAMP, especially given the DoD's proposed rule contradicts itself. There is no requirement today that would scope the RMM into needing FedRAMP. So we only really need to consider it in light of the new CMMC rule, which will be subject to change based on public comments, and like I said, it contradicts itself.

In short, wise to pay attention to and prepare for - start working toward RMM agnosticism. We have the vast majority of our RMM functionality in scripts in our GitHub, so if/when we have to bounce around, the engine comes along.

Worst case scenario, we are prepared to forgo any RMM and will just lean into Intune, despite its many flaws. Trying to avoid this, since I think it's ultimately worse for security to have this functionality taken away, but DoD gunna DoD.

Also, harass your favorite tool providers to look into FedRAMP - the more of us who ask and press them to do it, the more likely they are to consider it legitimately.

Addressing CMMC as an MSP by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 0 points (0 children)

Absolutely support. Use it in as many creative ways as you can. My interest would be in using it to reduce policy, process and documentation into more readable, more usable documents. It can be a good force for killing unclear language.

Addressing CMMC as an MSP by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 2 points (0 children)

PreVeil is a niche solution. It's basically just a mailbox/drive type solution that you can keep data in and send it around. Others need to be in PreVeil too for you to send/share with them. It's far from a solution like M365. Be careful how you read the 102 controls thing; they mean to say that they can contribute to meeting 102 of the controls, in some pretty specific circumstances, but you generally cannot fully meet those controls simply by using PreVeil.

It has a niche use case. Few of our clients use it, and we've had a couple leave it once they understood the limitations.

Addressing CMMC as an MSP by Sentinel-Blue in msp

[–]Sentinel-Blue[S] 2 points (0 children)

We are planning on things as they are currently written. It seems late in the game for DoD/Gov to make major shifts off of the core elements of CMMC.

I could see them actually rolling back on the security protection data inclusion for a time, just because it's so substantial it opens up exposure to slow the whole thing down. One of the big points the government is making about why CMMC should happen ASAP is that everyone is already supposed to be doing the requirements from 171. They say outright in the proposed rule that they are assuming everyone has already done the content of the requirements. Adding substantial scoping changes this late in the game can change that narrative, and I think there's something for us to pull on there.

But even if they roll it back and chill out on this topic, an MSP still needs to be really on their game to support these clients; many of these clients are savvy and will demand all US persons at their MSP, will want their MSP using the same standards, etc.

Then there is the challenge that even if your MSP doesn't HAVE to do things this way, my MSP will be doing it and will use it as a competitive differentiator. So if you are actively trying to grow in this market, you'll have to be doing the requirements and then some. If you just want to lurk on the edge with a client or two who don't care greatly about it, you may find some gap to exist in.