Learn how End User Elevation allows you and your techs to issue time-limited administrator access to your end users, balancing workplace efficiency with responsible security.
QElevate Partners can approve or reject elevation requests, and issue secure activation links to end users so they can make necessary system changes and close tickets faster.
These links allow end users to activate their elevations on their own time, without having to rely on a technician to call back, or manually intervene. Once an end user’s time limit expires, CyberQP’s automations will seamlessly remove the temporary privileges from the end user, ensuring you can follow the Principle of Least Privilege (PoLP).
This minimizes the amount of stress our partners have while using multiple agents on endpoints by consolidating capabilities in one agent.
Simplify your workforce verification process! With CyberQP’s new integration with Microsoft Authenticator, partners can now quickly and securely verify end-user identities. It’s a faster, more reliable way to keep your team and data protected.
In today’s cybersecurity landscape, there are a lot of vendors focused on threat detection, or a reactive cybersecurity solution. CyberQP and Todyl have joined forces to educate you on proactive threat defense solutions to stop threats before they reach your MSP ecosystem. In our session, “The Power of Two: Defend-in-Depth,” you can expect security experts with 30+ years of combined experience to shed light on implementing a strong security posture before an attack. You can’t protect what you don’t know exists!
As Managed Service Providers face a macroeconomic landscape favoring business consolidation, and an exponentially growing cyber threat landscape, they need scalable frameworks to drive their business and their cybersecurity practices. Join HaloPSA and CyberQP for a live session, where we’ll do a deep dive into the ITIL framework and CIS Security Controls to accelerate your technician team’s efficiency and security in tandem.
With the publication of the final CMMC rule on October 15th, 2024, the United States Department of Defense has made several key changes to their Cybersecurity Maturity Model Certification (CMMC) compliance framework, especially relating to Cloud Service Providers (CSPs) as Security Protection Assets (SPAs).
In order to run through these last-minute changes, CyberQP’s dedicated information security and compliance team has read the final rule and is working on the best strategy to help IT teams and channel partners who trust us follow these best practices. We’ll also give you a look at how we can help you achieve capabilities you’ll need on your compliance journey.
When Does a Vendor Become Part of a CMMC Audit’s Scope?
Prior to the final rule’s publication, any Security Protection Asset would have been required to be FedRAMP authorized – including many of the third-party cybersecurity providers that MSPs and IT professionals rely on to secure their end users and environments.
However, due to concerns that this sweeping requirements would require organizations to eliminate modern security solutions from their toolbox (and concerns about forcing contractors to rely on cost-restrictive legacy tools) led the DoD to carve out a provision clarifying that a Cloud Service Provider serving as an SPA would not have to be FedRAMP authorized.
Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.
While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.
In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.
According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.
The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”
“In order to clarify and address concerns about the perceived “expansion” of requirements, the rule was revised to reflect that ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do not require CMMC assessment or certification.”
32 CFR Part 170, CMMC Rule
WHAT KIND OF SOLUTIONS REQUIRE FEDRAMP MODERATE COMPLIANCE?
Required (solutions that can remotely access or collect CUI – directly or through hosts)
Not Required (CSPs that are SPAs)
Remote Monitoring and Management (RMM) tools with remote access to hosts with CUI Endpoint Detection and Response (EDR) providers with remote access and file collection capabilities Backup Services used to back up hosts and files containing CUI
Privileged Access Management solutions without remote access to endpoints SIEM providers that do not collect CUI in logs Managed Detection and Response (MDR) providers without remote access or file collection
While the final rule does contain some ambiguities by stating Security Protection Data should be treated as CUI, the CyberQP compliance team consulted a Certified Third Party Assessor Organization to confirm this provision exempts CSPs as SPAs from FedRAMP authorizations if they do not access or handle CUI.
In short – during certification assessments, security providers themselves might not be evaluated if they do not store, process, or transmit CUI, but they will be in scope during assessments to evaluate the capabilities they provide to your IT team in securing digital environments and sensitive data.
Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.
While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.
In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.
According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.
The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”
How We Help MSPs Align with CMMC
CyberQP does not store, process, or transmit CUI data as part of our mission to offer security by design in our platform. However, we do help partners proactively meet relevant CMMC requirements, and can participate in assets where assessors will look at your Security Protection Assets and evaluate how they help you align with CMMC controls.
When CyberQP partners prepare to validate that they meet CMMC security controls, our Privileged Access Management platform can help you align with some requirements in the Access Control (AC), Identification and Authentication (IA), and Security Assessment (CA) categories. We help IT teams align with the Principle of Least Privilege for admin access with Just-in-Time (JIT) access, and automated password management.
Here are some of the CMMC 2.0 Security Controls That CyberQP Supports:
Access Control (AC):
AC.L2-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.L2-3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
Identification and Authentication (IA):
IA.L2-3.5.1: Identify information system users, processes acting on behalf of users, or devices.
IA.L2-3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
IA.L2-3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Security Assessment (CA):
CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Defend Your Sensitive Data with Confidence
CyberQP offers proactive access control capabilities to your help desk, and equips your technicians with the automations they need to streamline admin access management. We help organizations achieve zero standing privileges with Just-in-Time access, backed by Passwordless Technician Logins, and can help you prove you use robust privileged access management in their security program.
Discover the latest trends in Privileged Access Management for MSPs. Learn how evolving threats target compromised credentials and how to strengthen your cybersecurity strategy. Download our free eBook today.
