As the channel prepares for the United States to formally implement the CMMC framework in the near future, Managed Service Providers need to understand where they’re compliant, and how to align with best practices in time. They may be asking questions like: 

•  If I’m FedRAMP Moderate compliant, is my MSP good to go? 

• Where do I stand if I align with NIST SP 800-171? 

• What about DFARS-252.204-7012? 

• Does anyone else have to copy paste these acronyms and numbers because it’s impossible to sort through them all, or is it just me? 

In this post, we’ll walk through the differences between CMMC and FedRAMP, how they’re related to other common compliance requirements, and why this matters to MSPs.

The Cybersecurity Maturity Model Certification (CMMC) gives defense contractors for the federal government a five-level compliance framework (with Level 1 representing the lowest maturity level, and Level 5 representing the highest) outlined by the United States Department of Defense.  

Under these regulations, certified third-party assessment organizations (which the DoD refers to as C3PAOs in the CMMC framework) would evaluate defense contractors or other organizations looking to become a contractors based on their security posture.  

When evaluating candidates for government defense contracts, the US federal government will use the CMMC framework to determine whether an organization is aligning with best practices and prepared to prevent data exfiltration and potential incidents, especially for contracts that involve Controlled Unclassified Information (CUI), or information that isn’t formally classified but should be protected against foreign interests or malicious actors.  

NIST SP 800-171 is a framework that outlines best practices that government contractors must take to secure controlled unclassified information (CUI).   

So Why Am I Hearing About DFARS and NIST When We’re Talking About CMMC? 

The CMMC framework expands on DFARS 252.204-7012, a previous compliance standard that requires defense contractors handling CUI to comply with the guidelines under NIST 800-171, and offers a way to enforce these requirements, after relying on companies to certify themselves was leading to $600 billion a year in losses due to data breaches, according to a 2019 report. 

While the Department of Defense has not formally implemented CMMC, organizations are already concerned about complying with CMMC, and industry experts indicate that questions about how well contractors can comply with CMMC and reach (at least) Maturity Levels 2 or 3 are already appearing in RFI processes. Moreover, external service providers (a CMMC classification that covers MSPs) will be required to provide cybersecurity measures like a SIEM service that also comply with the CMMC’s requirements. 

Unlike CMMC, which only applies to defense contractors, the FedRAMP compliance program offers a list of cybersecurity best practices and requirements that applies to cloud-based service providers to ensure their software and services meet the minimum requirements to support and secure federal agencies and government contractors.  

However, despite these key differences, CMMC does require defense contractors using or storing CUI in a cloud environment to certify that the cloud provider behind the environment is FedRAMP Moderate certified, which means vendors must help maintain confidentiality, integrity, and availability, or create “significant operational damage to agency assets, financial loss, or individual harm that is not loss of life or serious life threatening injuries,” according to FedRAMP’s baselines.   

This creates an overwhelming level of compliance requirements, which may require MSPs to re-evaluate their technology stack and identify new partners to offer tooling that complies with CMMC best practices.  

• Work with your technology partners and vendors to establish your current security posture, and what security controls you can currently support. 

• Determine your strategy for delivering services to organizations that will need to comply with CMMC – are there on-premises alternatives to your MSP tools? Will you end up creating dedicated tenants or instances of different tools for these compliant clients? 

• If your MSP has not already implemented security solutions to align with CMMC security controls (such as an incident response partner, a SOC, or log/network monitoring) to provide the security services the framework requires, implement them immediately – even if CMMC doesn’t require them, more and more MSPs are offering cybersecurity services as part of their portfolio.  

• Notes and Reference Materials:  

  • Brunsman, Joseph E. “CMMC (Cybersecurity Maturity Certification Model): Explained (so far) – from the book Damage Control: Cyber Insurance and Compliance.” Chesapeake Professional Liability Brokers, Inc. Last modified March 15, 2020. https://old.reddit.com/r/msp/comments/f40kj7/cmmc_cybersecurity_maturity_certification_model/. 
  • https://www.regulations.gov/docket/DOD-2023-OS-0063/unified-agenda
  • https://www.federalregister.gov/documents/2023/12/26/2023-27280/cybersecurity-maturity-model-certification-cmmc-program
  • https://old.reddit.com/r/msp/comments/18t24j9/addressing_cmmc_as_an_msp

CyberQP redefines Zero Trust Helpdesk Security with leading-edge Privileged Access Management (PAM) and End-User Access Management (EUAM) solutions. Our platform enables secure elevated access for both technicians and end users, along with robust self-serve and identity verification capabilities. Backed by SOC 2 Type 2 certification, we empower IT professionals to eliminate identity and privileged access security risks, enforce compliance, and enhance operational efficiency. Our mission is simple: “Empowering Access, Redefining Privilege” for help desks around the globe. To learn more visit: https://cyberqp.com/tours

Password security for Active Directory is becoming extremely important for companies across the globe due to the proliferation of ransomware and security breaches. One area that may not get a lot of attention but is equally important to have a solution for are service accounts.

Since manually resetting service account passwords and having to make sure you update the password anywhere the account is being used can be a lot of work, most IT companies just do not do it. There are however some alternative approaches you can take to manually rotating service account passwords. Each method has some pros and cons.

Pros

• Removes the manual effort for the taks required after resetting the service account password
• Free

Cons

• Requires you to create and maintain your own script which takes time and testing
• Still need to manually reset the service account password in Active Directory

Pros

• Adds an additional level of security to your windows account
• Don’t need to worry about changing passwords and updating the password in Windows services and scheduled tasks

Cons

• Cost. You will need to pay per user per month for a third party hosted MFA solution
• Must enter the username, password, and MFA code every time you login unless you have a push notification solution which is generally more costly
• Even though you have MFA it is still possible to hack and if they do and the password never changes then you may be an easier target
• Does not cover when technicians leave your company. Even with MFA on the account you would at the very least want to reset the password then

Pros

• Never need to reset the password
• Password is difficult to hack since it’s very long and complex
• Access to the password is limited to only a few people
• Password is only accessible by the users who have permission to the vault and know the secret passphrase

Cons

• Only a limited number of users will have access to the password if it is needed. Requires those users share the password with other technicians when needed
• The password never changes and even though it is long and limited users have access if those users get infected with key logging malware the password can still be hacked

Pros

• Password rotation is handled automatically by Active Directory
• Automated process
• Passwords are automatically updated in Windows Services

Cons

• Does not support scheduled tasks
• Setup time required with PowerShell
• Cannot span multiple computers. It cannot be installed on more than one computer at once
• Must be supported by the application that uses the Window Service

Pros

• Complete automated solution
• Supports Windows Services and Scheduled Tasks
• Easy setup. No scripting knowledge required
• Integrates with IT Glue password manager
• Saves time and money

Cons

• Paid solution

Service Management Console

A service account is an Active Directory account that is used to authenticate a process that runs on a Windows Server or PC such as an accounting system or for SQL databases processes.

Windows Services are managed in the Services Management Console shown below.

When you open an individual Windows Service and click on the ‘Log On’ tab you can review which account is used to authenticate that Windows Service.

When you review which accounts that are used for authenticating Windows Services you will notice that some use the Local System account while others are using a specific Active Directory account with a password.

If the Local System account is specified there is no password used and therefore no password to rotate. The Local System account is a highly privileged account that is used by a number of Windows Services but is not suitable for all Windows Services.

‍

Scheduled Tasks

Service Accounts can also be used for authenticating Windows Scheduled Tasks that are accessed within the Task Scheduler application.

Similar to Windows Services in the Services Management Console you can use the Local System Account or a specific Active Directory domain account to authenticate the Scheduled Task.

This is a very important question. The answer is it depends on the circumstance. Active Directory accounts used for Windows Services and Scheduled tasks can be hacked just like any other account. In a lot of cases the accounts used for Windows Services and scheduled tasks have elevated permissions and therefore pose a greater risk if the account is breached.

Service Management Console

When you reset a service account password you must also update the password in either the Windows Services Management Console or in the Scheduled Task that uses the account. If you do not do this the process that the Windows Service manages will eventually stop when the process needs to re-authenticate or when you need to restart the service whichever comes first. For the scheduled task, the task will fail to run at the next scheduled time.  

This is a manual process to open the Windows Service, click on the Log On tab, enter the updated password, click apply then restart the service for the changes to take effect.

Scheduled Tasks

For Scheduled tasks you must open the scheduled task click OK then type in the updated password in the pop-up window then click Ok to complete the change.

If you would like to find out more about CyberQP’ Password Rotation solution, I encourage you to visit this page. If you have any questions or would like to proceed, book a demo with a CyberQP representative.

A report from Troy Hunt, the creator of the website Have I Been Pwned, alerted readers to a major data leak from Naz.API, a database containing data from over 70 million accounts and over a billion unique records. Hunt’s investigation has revealed “a significant volume of new data” and newly compromised accounts, and these accounts’ owners are at risk.

According to the report, a “well-known,” unnamed technology firm discovered the dataset in a hacking forum post published in September 2023, through a bug bounty submission, and contacted Hunt with these details. 

An investigation into these findings revealed that 34.97% (over one-third) of the email addresses in this dataset were new, and not available in Have I Been Pwned’s database. The report’s findings indicate that these credentials were compiled from infostealers exfiltrating  credentials from compromised endpoints and environments, and data stolen in several credential stuffing attacks and previous breaches. (In fact, Hunt also recognized his own information from an illegal website that allowed threat actors to search for people’s data.) 

The report also shared a screenshot of the stealer logs, which contained a URL to login, an email address to log in, and the password in his findings.

In total, Hunt identified 319 files, with a total file size of 104 GB. He was also able to verify that the credentials were real by contacting several people listed in these infostealer logs, and by using website password request forms or registration forms to confirm that the email address exists in their account bases.

Are You Rotating Your Credentials?

The size of this data leak poses a major risk to MSPs and end users alike, and truly emphasizes the risks associated with stale or reused credentials and standing privilege, such as persistent admin accounts. 

Are You Implementing Zero Standing Privilege?

That’s why security best practices require individuals and organizations to mitigate their risk by regularly rotating critical credentials, and limiting privileged access through solutions like Just-in-Time access.

CyberQP’s security experts recommend that concerned MSPs and end users take the following actions to mitigate their risk:

• Check if your data has been compromised with a service like Have I Been Pwned.
• Add another layer of protection to your key accounts, including complex passwords or passphrases and multi-factor authentication (2FA/MFA).
• For privileged accounts, utilize a password vault and implement additional protection, such as end user identity verification. 
• MSPs can implement a moving target defense for their privileged accounts by regularly rotating credentials to deter threat actors and prevent them from achieving a foothold in your environment or executing lateral movement attacks.  
• MSPs can also reduce their attack surface with Just-in-Time accounts that only grant privileged access for the amount of time a user needs it. Solutions like these also enable them to meet compliance and cyber insurance best practices by achieving zero standing privilege. 

CyberQP redefines Zero Trust Helpdesk Security with leading-edge Privileged Access Management (PAM) and End-User Access Management (EUAM) solutions. Our platform enables secure elevated access for both technicians and end users, along with robust self-serve and identity verification capabilities. Backed by SOC 2 Type 2 certification, we empower IT professionals to eliminate identity and privileged access security risks, enforce compliance, and enhance operational efficiency. Our mission is simple: “Empowering Access, Redefining Privilege” for help desks around the globe. To learn more visit: https://cyberqp.com/tours