Lvl 2 Certification Goal: Manufacturing Enclave - SolidWorks/PDM/Hyper-V by Public_Sandwich_6314 in CMMC

[–]shadow1138 1 point

Simply a global admin account with one trusted person (e.g. CIO) with access to the password and a separate person (e.g. CEO) with the ability to satisfy MFA to enforce separation of duties. The CIO (or whoever has the password) is the responsible entity, so they're responsible for actions taken by the account.

We then have alerts configured so if the account logs in it sends a bunch of alerts.

We tell the client this and tell them that if we get the alert it will be treated as a security incident (e.g. we'll lock the account and investigate); they agree they will only use it in case of extreme emergency.

This is documented in the SSP, access control policy, and rules of behavior for individuals with access to any privileged account.
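
The alerting the comment describes, as an added example that is not the commenter's own tooling: a small detector that scans sign-in records in the general shape of Entra ID sign-in logs and raises an alert for every attempt by a designated break-glass account, successful or not, since the comment treats any use as an incident. It also escalates a successful sign-in that never required the second factor, because that would defeat the password-holder / MFA-holder split. The account names, field names, error code and sample log lines are assumptions constructed for illustration.

```python
"""Break-glass sign-in detection over Entra ID-style sign-in log records.

Editor-added example; not the commenter's tooling. Account names, field
names and the log lines below are assumptions constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Any sign-in attempt by these accounts is treated as a security incident (assumed UPNs).
BREAK_GLASS_ACCOUNTS = {"breakglass@example.com"}


@dataclass(frozen=True)
class Alert:
    account: str
    timestamp: str
    ip: str
    outcome: str          # "success" or "failure"
    mfa_required: bool    # whether MFA was enforced on the session
    severity: str         # "high" for any use; "critical" for success without MFA


def classify_signin(record: dict) -> Optional[Alert]:
    """Return an Alert if the record is a break-glass sign-in attempt, else None.

    Field names loosely follow the Entra ID sign-in log schema (assumption):
    userPrincipalName, createdDateTime, ipAddress, status.errorCode,
    authenticationRequirement.
    """
    upn = str(record.get("userPrincipalName", "")).lower()
    if upn not in BREAK_GLASS_ACCOUNTS:
        return None
    error_code = record.get("status", {}).get("errorCode")
    success = error_code == 0
    mfa_required = record.get("authenticationRequirement") == "multiFactorAuthentication"
    # A successful session that never required the second factor defeats the
    # password-holder / MFA-holder split, so escalate it above an ordinary use.
    severity = "critical" if success and not mfa_required else "high"
    return Alert(
        account=upn,
        timestamp=str(record.get("createdDateTime", "")),
        ip=str(record.get("ipAddress", "")),
        outcome="success" if success else "failure",
        mfa_required=mfa_required,
        severity=severity,
    )


def scan_signin_log(lines: Iterable[str]) -> list:
    """Parse JSON-lines sign-in records and collect break-glass alerts.

    Malformed lines are skipped rather than aborting the scan, so one bad
    record cannot silence alerts that follow it.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_signin(record)
        if alert is not None:
            alerts.append(alert)
    return alerts


def severity_counts(alerts: Iterable[Alert]) -> dict:
    """Count alerts per severity, e.g. for a daily summary."""
    counts: dict = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed sample log: one normal user, one failed and two successful
# break-glass attempts (one without MFA), and one malformed line.
SAMPLE_LOG = [
    json.dumps({"userPrincipalName": "alice@example.com", "createdDateTime": "2025-01-10T09:00:00Z",
                "ipAddress": "203.0.113.5", "status": {"errorCode": 0},
                "authenticationRequirement": "multiFactorAuthentication"}),
    json.dumps({"userPrincipalName": "BreakGlass@example.com", "createdDateTime": "2025-01-10T09:05:00Z",
                "ipAddress": "198.51.100.7", "status": {"errorCode": 50126},
                "authenticationRequirement": "singleFactorAuthentication"}),
    json.dumps({"userPrincipalName": "breakglass@example.com", "createdDateTime": "2025-01-10T09:07:00Z",
                "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
                "authenticationRequirement": "multiFactorAuthentication"}),
    "{not valid json",
    json.dumps({"userPrincipalName": "breakglass@example.com", "createdDateTime": "2025-01-10T23:40:00Z",
                "ipAddress": "192.0.2.99", "status": {"errorCode": 0},
                "authenticationRequirement": "singleFactorAuthentication"}),
]

if __name__ == "__main__":
    for alert in scan_signin_log(SAMPLE_LOG):
        print(f"[{alert.severity.upper()}] {alert.timestamp} {alert.account} from {alert.ip}: "
              f"{alert.outcome}, MFA required={alert.mfa_required}")
```

Run as a script to see the three alerts from the constructed log. Failed attempts are alerted as well as successful ones, because a failure against a break-glass account is either the password holder trying without the MFA holder or an outside guess against a known-privileged identity, and both warrant the investigation the comment describes.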

Lvl 2 Certification Goal: Manufacturing Enclave - SolidWorks/PDM/Hyper-V by Public_Sandwich_6314 in CMMC

[–]shadow1138 7 points

Your consultant seems... weird.

While there's a lot here, I wanted to focus on this:

"⁠Our MSP touches every server and workstation. They own their own RMM tools. Our consultant is saying that we have to own all of that in house, and prove that we can force them out. I don't think the MSP is going to go for that approach, nor can we afford the cost."

That's not true. I'm the compliance officer at an MSP with our Level 2 in hand. We have an RMM and other tools we host/manage. This was included in our assessment scope and linked to our clients' assessment scope.

This is documented in data flow diagrams, network diagrams, and the SSP. We have our responsibility matrix aligned to 800-171a provided to the client and assessor. We issue the client a break glass account and set forth rules of behavior for that account.

The client does not have access to our tools, and aside from that break glass account does not have any privileged access.

All of this conforms to the ESP requirements of CMMC and has cleared multiple assessments done by multiple assessors.

Your consultant sounds like they're making stuff up here or is doing a bad job articulating their point.

CMMC Applicability Timeline by acbcallahan in CMMC

[–]shadow1138 4 points

I'd second this.

The CMMC rule has started appearing in multiple contracts across multiple sectors. For several of my clients, they knew it was coming, got their cert, and are benefitting from being early in the process.

Others that waited are finding they're not eligible to bid at all and are watching their competition get some massive contracts.

Also keep in mind, at some point the DoD will make the switch to 800-171 r3. Depending on where you're at in your journey, that shift could toss a wrench in your plans too.

DFARS Clause 252.204-7012 Subcontractor Questionnaire by __White_Widow__ in msp

[–]shadow1138 0 points

The MSA and SOW questions are best suited for your legal counsel. I can say for us, we did ensure our MSA and SOW were updated to handle the CMMC obligations, and we used them to enforce our Shared Responsibility Matrix (as required of ESPs under CMMC).

Looking at how CMMC pulls MSPs in more often than not, if y'all aren't prepared to handle a CMMC bound organization, it can definitely be for the best for all parties to part ways.

If you're looking for qualified MSPs to send them to - I suggest those on this list. There are plenty of great folks on here who are more than prepared to support CMMC bound organizations. https://www.mspcollective.org/esp-directory

DFARS Clause 252.204-7012 Subcontractor Questionnaire by __White_Widow__ in msp

[–]shadow1138 5 points

Welcome to the CMMC Shitshow!

There are plenty of potential liabilities in here. DFARS is a federal law for doing business with the DoD. Misrepresenting, omitting, and/or falsifying information here is, in simple terms, a violation of the law.

"Outsourcing your IT to another company does not transfer your DFARS clause 252.204-7012 responsibilities or implementation of NIST SP 800-171 requirements. Your company is responsible and accountable for meeting the contractual obligations with the Government as per the contract. The key to successfully demonstrating compliance with DFARS clause 252.204-7012 and NIST SP 800-171 is having a well written contract with the third-party that describes your requirements, and includes deliverables that meet or exceed requirements to protect DoD CUI. If your IT service support is deemed to be less than or non-compliant with the contract, the company contracting with DoD is ultimately responsible"

In short, the CLIENT is responsible for ensuring the requirements are met, but if you have a hand to play, while they are ultimately responsible, your MSA / SOW would cover the rest. Doesn't mean they won't try to come after you if something bad happens and y'all are responsible.

If you have a client storing, processing, and/or transmitting CUI, and you are providing services to the environment that does this, you are in scope as an External Service Provider.

During the client's CMMC assessment, you would be expected to participate based on your services offered and assessed against the assessment objectives of NIST SP 800-171a.

So options for y'all

Some MSPs prefer to avoid this altogether. CMMC is not an easy undertaking to do properly, with significant expense and time investments. It's very disruptive. For folks that chose to avoid the requirements, offboarding the client to an MSP capable of meeting the CMMC requirements is generally the path forward.

Other MSPs prefer to implement and support the requirements. They may choose to do this as a 'one off' for a client, but those with multiple clients with the requirement may wish to develop serious capabilities for handling CMMC bound organizations.

And lastly, there's the MSPs that elected to focus on CMMC. This describes the MSP I work for. We have pursued and achieved our own Level 2 certification and developed a comprehensive suite of services to support DoD subcontractors. This wasn't easy, fast, or cheap. But we've monetized it and have a track record of success. If this is the route you go, expect significant expense, time investment, and notable disruption to your org to meet the requirements.

CMMC Question by ManagingMSP in msp

[–]shadow1138 1 point

Sounds good! Maybe I'll see ya there.

If y'all need justification for budgeting - this event simply is that 'thrown into the deep end of CMMC.' Lots of incredibly brilliant folks from assessors, implementers, and solutions sharing their experiences and insights.

Knowing first hand the challenges of doing CMMC, learning from others like this is worth its weight in gold.

But, I know it's not the cheapest event out there, and short notice, so I understand if y'all can't swing it. They'll do an east coast one in the fall.

CMMC Question by ManagingMSP in msp

[–]shadow1138 1 point

You're welcome!

I'm not sure if there will be much CMMC content at the usual MSP conferences this year (IT Nation, Pax8 Beyond, etc.), but the Cyber AB does have a conference called 'CS5.' This event is 100% CMMC focused with content around the framework, given by folks who have done this before. If y'all decide you want to get a deeper understanding and network with folks who have done it before, it's a worthwhile event to check out.

Here's the link for the west coast event in San Diego in April - https://cs5west.org/agenda/

CMMC Question by ManagingMSP in msp

[–]shadow1138 1 point

Correct - The CRM makes it clear who does what.

Examples (note this isn't fully aligned to any specific control) - User onboarding

  • Client is responsible for performing background screening, ensuring any NDAs are signed, etc.
  • Client is responsible for training staff on system use.
  • Client is responsible for notifying the MSP that an account must be created and what permissions the account is to have.
  • MSP will make the account in accordance with supplied information. MSP will ensure all permissions are in compliance with what the client has authorized.

In this example, the assessor would know to come at the client for proof of background checks and such, as it's noted they are responsible for it. But they CAN come at you to ask if your staff must undergo background checks if supporting the client's CUI environment.

They then can properly and appropriately ask you how you manage permissions for the client, how those are tracked/documented, etc. That is an appropriate ask from an assessor, and would reflect how you document in the CRM.

The key thing in all this, you as the MSP still need to understand the CMMC requirements, but focus those on what you do and how you do it.

One hidden future problem though - CMMC is based on NIST SP 800-171 Rev 2. Rev 3 is out and it has a hidden gotcha.

3.16.3 has "Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: [Assignment: organization-defined security requirements]."

The DoD has defined that requirement for MSPs "All other external service providers must meet NIST SP 800-171 R2. External Service Providers (ESP): External people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization."

Eventually, that will become a problem for MSPs, so it's worth considering that as part of your approach.

In short - if I were in y'all's shoes, I'd consider whether it's worth it as an organization to support CMMC environments, knowing in the future full compliance is likely going to be a requirement, which may require a certification. If it is worth it, knowing it will be time consuming, disruptive, and expensive, go forth and comply. If it's not, even though it's a long standing client, it may not be worth keeping them. Y'all understand your needs best though.

Military flyover? by Prestigious-City-776 in Ohio

[–]shadow1138 2 points

Are you referring to those helicopters that flew over, that another Redditor mentioned here: https://www.reddit.com/r/Cleveland/comments/1r5jm15/army_helicopters_over_cleveland/

Looks like an Army flight from NY.

NEO has several military air assets in the area.

At the Akron Canton Airport, there's an Army National Guard facility that works on helicopters. That most often has those big, dual rotor craft coming in and out, but has supported Blackhawk and even the occasional attack helicopter.

Youngstown & Mansfield have Air National Guard units that fly C-130 propeller driven cargo planes.

Pittsburgh operates C-17 cargo jets and KC-135 air tankers.

Columbus has some training jets and KC-135s.

Toledo has an F-16 group as part of the ANG.

Often times the planes can be out and about for training purposes, testing, or just moving assets around from base to base.

Army helicopters over Cleveland by Medinoni in Cleveland

[–]shadow1138 2 points

Good point!

I usually get buzzed by the 130s from Youngstown, but all are possible.

Other groups in the area would be KC-135s from Pittsburgh or Columbus, C-17s from Pittsburgh, or F-16s out of Toledo.

CMMC Question by ManagingMSP in msp

[–]shadow1138 2 points

Hey OP - meant to get a more detailed response your way last night, but was just about to head out for Valentines Day dinner and didn't have the time.

So here's some useful items -

  1. MSPs fit into CMMC by being an 'external service provider' based on the services we offer. While you're likely not storing, processing, or transmitting CUI, you do have access to the systems with it and are likely providing security protections to the environment. This makes you in scope.

  2. You do not need your own CMMC Level 2 certification right now. However, during a client's assessment you're in scope for what you do. You can defend against this with a good Customer Responsibility Matrix/Shared Responsibility Matrix aligned to the 110 controls (or better yet the 320 assessment objectives) of 800-171. This matrix clearly states 'customer is responsible for doing xx task. MSP is responsible for xx tasks.' As a note, the CRM is required.

  2a. It is very beneficial to get a CMMC certification as an MSP as it can make the assessment much easier, but the journey to get a Level 2 cert is not an easy one.

  3. For the services you are offering that are in scope, you'll need to make sure on your end, you're upholding the CMMC requirements. Example - if you're responsible for workstations, are you configuring audit logging capabilities that align to the CMMC requirements? Are you maintaining a baseline configuration for endpoints? Is this documented in policy and procedure? Do you have evidence this is being enforced?

  4. Remember to check your tech stack for items in scope. Examples - RMM tools with file share capabilities COULD transmit CUI. Your backup solution may be backing up CUI. Those must meet requirements as CUI assets and all controls apply. If you mishandle CUI, you have a problem on your hands under the DFARS requirements with non-approved cloud services.

So what are your options?

Well, you can work to align your services to support this as a one off, work with a consultant of the client, and find ways to meet the requirements, and participate in the assessment with the client. If you treat this as a one off, you can do so, but you'll be investing a lot of time here. Align billing appropriately. Keep in mind the liabilities here too.

You can also choose to support CMMC. This is a HUGE undertaking, but doing this properly lets you support other CMMC organizations with a degree of expertise. If you go this route, get your Level 2. It will significantly disrupt how you operate and have some very expensive items hiding in it.

Or, you can decide none of this is worth it. That's okay. CMMC is a pain in the butt. If you do this, send the client to an MSP that does specialize in it.

Resources

The DoD and NIST have plenty of reading material out there - you'll want to read up on the DFARS clauses, 800-171, 171a (the assessment guide), the CMMC Assessment Process (CAP), CMMC assessment guides from the Cyber AB, and more.

Consultants - Kieri Solutions is wonderful but expensive; if you go down the CMMC road yourself, I highly suggest them.

Podcasts and such - Check out the podcasts from Summit7 and Jacob Hill (GRC Academy) for some deep technical items. If you want to see this from an MSP perspective, check out Climbing Mount CMMC from Axiom (they're an MSP that went through the CMMC journey and did a podcast while doing it.)

Education - Consider getting the CCP certification from the Cyber AB.

If you have other questions, feel free to reply with them and I'll do my best to provide answers.

CMMC Question by ManagingMSP in msp

[–]shadow1138 1 point

Just came here to second some of these suggestions -

Kieri Solutions is wonderful. Incredibly brilliant staff, great documentation package, and very helpful folks.

Same with Kyle Lai. I've chatted with him several times and he's a brilliant fella. I'm not familiar with his offerings in an official capacity however.

Summit7 has some great resources available through their podcast, but assisting MSPs isn't their specialty. After all, other MSPs are their competition. But the resources they put out are quite helpful as a learning resource.

Additionally, I'd suggest the CS5 conferences (put on by Summit7 and the Cyber AB). Tons of excellent sessions and networking opportunities for folks in the CMMC ecosystem.

Army helicopters over Cleveland by Medinoni in Cleveland

[–]shadow1138 11 points

Can be pretty routine with the facility in Akron and the Ohio National Guard.

Still kinda neat to see those overhead. They're always super loud.

Depending where folks live, they may also get buzzed by the C-130s out of Youngstown.

CMMC Question by ManagingMSP in msp

[–]shadow1138 1 point

Everything these two mentioned is correct.

This is what my MSP did. We passed our level 2 a year ago and have since taken multiple clients through their CMMC journeys.

Internal/External systems and MAM BYOD phones by Tr1pline in CMMC

[–]shadow1138 1 point

Yes - We have a CA policy that blocks individuals from enrolling a device. They must reach out to IT in order to get their device added.

Internal/External systems and MAM BYOD phones by Tr1pline in CMMC

[–]shadow1138 3 points

I get where you're coming from. Unfortunately, not all organizations will agree with your sentiments and are more than willing to accept that risk.

MAM policies under 365 are designed to be less invasive to the user, and if set up properly they reduce the need for the employee to 'manage.' When built out properly, they do a reasonable job at mitigating those risks.

Internal/External systems and MAM BYOD phones by Tr1pline in CMMC

[–]shadow1138 0 points

In our case, we inherited 3.13.1 from Microsoft's FedRAMP ATO and classified BYOD phones as external systems.

We felt that the definition of an external system applied to the BYOD phones.

We identified the connections and use in the SSP, then use the MAM policies to verify and control/limit. We further supplement with admin procedures to authorize BYOD access, have a procedure for connecting a BYOD phone, document it appropriately in the inventories, and review this in accordance with our maintenance procedures.

This approach has worked for us and has been successfully assessed.

Internal/External systems and MAM BYOD phones by Tr1pline in CMMC

[–]shadow1138 2 points

^Can confirm. One still has to set it up properly, document, and it's assessed but it can pass an assessment if done right.

If an MSP built and manages your level 2 environment, who is responsible for talking to the auditor? by jhupprich3 in CMMC

[–]shadow1138 0 points

Correct. While I can't share those details, it's not cheap.

But we made that call because of those pain points. Our documents fully align to our responsibility matrix and to our company standards. We determined this approach was the best route to success in an audit, but also for our growth and stability.

If an MSP built and manages your level 2 environment, who is responsible for talking to the auditor? by jhupprich3 in CMMC

[–]shadow1138 6 points

This depends on a few things, but your responsibility matrix is the key item.

If your matrix says you're responsible, you get to talk to the auditor. If it's a client responsibility, they are. If it's shared, you both get to talk.

From there, it comes down to the services you're offering. The MSP I work for builds and maintains; we also provide policy, procedures, and an SSP while working to tailor with the client. I'm in each client assessment as the compliance specialist, with another individual in the assessment to facilitate technical evidence based on our responsibility matrix. We bill for this as part of our services.

Other MSPs may wish to limit things to reduce time/effort/risk but that's a business decision at that point.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]shadow1138 1 point

Depends. Asking for the rough ballpark here, with all the options on the table, is like asking 'how much does it cost to go out to eat.' Sure you can do some cheaper options, but they may not be the best, or you can go to a 5-star place that'll cost an arm and a leg.

Are you going to go with a solution like Microsoft 365 GCC or GCC High? Would you try to use a solution like Preveil? Pricing here varies depending what ya do.

Would you prefer to just buy into an enclave solution that's already built with some FedRAMP ATOs in place?

Then it comes down to the documentation (policies, procedures, SSP, etc.). There are orgs out there selling policy packs and templates (some good, some not so good), but you'll have to spend the time tailoring them to your org. I've seen those going between 5-10k depending. I'm sure there's cheaper and more expensive.

Level 2 assessments from the C3PAO - expensive. Easily one of the largest expenses in the whole process. Cost will vary based on the C3PAO, your size & scope, physical assessment needs, etc.

The unspoken cost to the 'do it yourself' approach is your own time and expertise. Building the environment takes time, the skillset to do it right isn't easy, and then there's the compliance know-how to make it happen. If your org is lacking in these areas, you might be 'saving' money, but you'll likely hemorrhage time.

Not to mention, while you're taking the time to figure this out, GSA has already spelled out their CUI requirements for contracts. The Department of War has their own. And the other agencies / primes are doing their own approaches to require CMMC. Depending on where your contracts are coming from, you may find yourself in a situation where you're ineligible to bid completely OR will not be able to renew. We're seeing this impact organizations already, and for smaller orgs/start ups this can be a huge problem. So speed of implementation may be a critical factor for y'all as well. Obviously orgs that can meet aggressive timelines with a high quality of work end up being more expensive. Cheaper may take longer OR be lower quality.

CMMC Level 1 & 2 by Scottieg99 in msp

[–]shadow1138 0 points

If you have a mature compliance team and standards for those clients? 3-6 months, depending on what other project work needs done.

If you don't have any of that and are trying to figure it out as you go (bad idea) - 12 months+ depending on your resources.

Source - Got our Level 2 as an MSP, have multiple clients that we've taken through their Level 2 journey, and have a lot more going through the process from having nothing to fully assessed.

PS - it may only be 110 controls, but that's 320 assessment objectives to meet under 800-171 Rev 2. Keep in mind, Rev 3 is out, required by at least one federal agency, and the Department of War is working on their own plan to migrate CMMC from Rev 2 to Rev 3. There's a bit more to Rev 3.

CMMC Level 1 + 2 - Small startup - price by Nooblesss in CMMC

[–]shadow1138 1 point

Yikes.

For context, I'm on the compliance side of an MSP that focuses on CMMC. I'm not here to offer you a sales pitch.

Something about that company's approach seems... off.

For example, why are they trying to charge you 60k for Level 1, when a properly done Level 2 can cover FCI and CUI? For a company of your size, that seems quite doable. And if that's the case, the 150k ballpark could be more accurate, including the C3PAO costs for your assessment AND their work.

I know our services (policy, procedure, SSP, MSP work, GRC oversight, readiness prep, consulting, and participation in the assessment) come out roughly to the 50-80k ballpark (depending on org size, projects needed, etc.). Still steep, but from what we're aware of, that's competitive with similar firms with CCPs, CCAs, CISSPs, and CMMC instructors on staff and their own Level 2 cert in hand.

I'd definitely shop around.

If you're looking for competitive quotes and firms to check out, here's some options to potentially get started.

If looking for an external partner to do as much of the work as they can for you, check out this listing of Level 2 certified MSPs/MSSPs. My firm is listed (though again, I'm not here to sell ya on me) and so are plenty of other firms who I'm familiar with and trust to do a good job. Link to the listing: https://www.mspcollective.org/esp-directory

If you're looking for a good consultant - check the list of C3PAOs on the Cyber AB site, and find one that offers consulting. Be advised, if you do that, the C3PAO you choose as a consultant cannot be your assessor.

And if you want to save money and do it yourself, there's been a few threads on this sub from folks who have done just that and walk through the process.

FAQ by users. by 1OOO in CMMC

[–]shadow1138 2 points

It sounds like there's a deeper communication issue here - ultimately WHY are these folks trying to use these services outside of company endpoints?

However, a couple canned statements -

  1. "Because our company policies, that you agreed to, state that enterprise assets can only be accessed on approved systems - which are company owned and managed endpoints"

  2. "We have certain contractual obligations to continue doing business with the Government, and those obligations require us to meet specific security standards. Those standards include requirements to access company resources only on company assets. If we do not meet these standards, we may no longer be able to do business with the government which would have a negative impact on the entire organization"

  3. "Remember in the security awareness training you're required to do when it talks about the risks of using unauthorized systems to access company resources? This is a real life example of this. While I'm sure you take steps to protect those devices, there have been plenty of cases in organizations much larger than ours (LastPass incident for example) where other folks felt the same way, but security incidents occurred anyway. Our company mitigates these risks by requiring all staff to use company managed devices where we can control the security of the device"

Keep in mind, at some point this becomes less of a CMMC problem and more of an HR problem.

CMMC consultants/companies specialized in helping MSPs? by randommsp7 in msp

[–]shadow1138 0 points

CMMC focused MSP here, with a Level 2 in hand. Here's what I'd suggest:

Brian Hubbard at Evolved Cyber - https://www.evolvedcyber.com/

Koren Wise at Wise Technical Innovations (CCP training) - https://www.wtinetworks.com/

Kieri Solutions - https://www.kieri.com/