ON-DEMAND webinar
Co-Founder & CEO, CyberQP
Executive, HaloPSA
With the publication of the final CMMC rule on October 15th, 2024, the United States Department of Defense has made several key changes to their Cybersecurity Maturity Model Certification (CMMC) compliance framework, especially relating to Cloud Service Providers (CSPs) as Security Protection Assets (SPAs).
In order to run through these last-minute changes, CyberQP’s dedicated information security and compliance team has read the final rule and is working on the best strategy to help IT teams and channel partners who trust us follow these best practices. We’ll also give you a look at how we can help you achieve capabilities you’ll need on your compliance journey.
Prior to the final rule’s publication, any Security Protection Asset would have been required to be FedRAMP authorized – including many of the third-party cybersecurity providers that MSPs and IT professionals rely on to secure their end users and environments.
However, due to concerns that this sweeping requirements would require organizations to eliminate modern security solutions from their toolbox (and concerns about forcing contractors to rely on cost-restrictive legacy tools) led the DoD to carve out a provision clarifying that a Cloud Service Provider serving as an SPA would not have to be FedRAMP authorized.
Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.
While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.
In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.
According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.
The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”
“In order to clarify and address concerns about the perceived “expansion” of requirements, the rule was revised to reflect that ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do not require CMMC assessment or certification.”
| WHAT KIND OF SOLUTIONS REQUIRE FEDRAMP MODERATE COMPLIANCE? | |
| Required (solutions that can remotely access or collect CUI – directly or through hosts) | Not Required (CSPs that are SPAs) |
| Remote Monitoring and Management (RMM) tools with remote access to hosts with CUI Endpoint Detection and Response (EDR) providers with remote access and file collection capabilities Backup Services used to back up hosts and files containing CUI | Privileged Access Management solutions without remote access to endpoints SIEM providers that do not collect CUI in logs Managed Detection and Response (MDR) providers without remote access or file collection |
While the final rule does contain some ambiguities by stating Security Protection Data should be treated as CUI, the CyberQP compliance team consulted a Certified Third Party Assessor Organization to confirm this provision exempts CSPs as SPAs from FedRAMP authorizations if they do not access or handle CUI.
In short – during certification assessments, security providers themselves might not be evaluated if they do not store, process, or transmit CUI, but they will be in scope during assessments to evaluate the capabilities they provide to your IT team in securing digital environments and sensitive data.
Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.
While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.
In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.
According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.
The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”
CyberQP does not store, process, or transmit CUI data as part of our mission to offer security by design in our platform. However, we do help partners proactively meet relevant CMMC requirements, and can participate in assets where assessors will look at your Security Protection Assets and evaluate how they help you align with CMMC controls.
When CyberQP partners prepare to validate that they meet CMMC security controls, our Privileged Access Management platform can help you align with some requirements in the Access Control (AC), Identification and Authentication (IA), and Security Assessment (CA) categories. We help IT teams align with the Principle of Least Privilege for admin access with Just-in-Time (JIT) access, and automated password management.
Here are some of the CMMC 2.0 Security Controls That CyberQP Supports:
CyberQP offers proactive access control capabilities to your help desk, and equips your technicians with the automations they need to streamline admin access management. We help organizations achieve zero standing privileges with Just-in-Time access, backed by Passwordless Technician Logins, and can help you prove you use robust privileged access management in their security program.
Ready to partner with a cybersecurity company that’s laser-focused on your success? Speak with a product specialist today.
ON-DEMAND webinar
For employees, existing remote access via virtual private networks (VPNs) may feel sufficient to keep them connected while working outside the home office, but for IT and security professionals, it’s another story: VPNs are highly susceptible to credential theft, and from this compromise, hackers are free to move laterally across the network.
What’s more, on-premises firewalls weren’t built for today’s cloud-enabled hybrid workforce, for whom the last line of defense exists at the edge.
View our latest webinar wherein Michael Garrity, Sales Engineer at CyberQP, and Jared Epstein, Head of Partnerships at Timus, walk you through concrete strategies to keep remote users securely connected, based on their own expertise doing so at their fully remote companies. You’ll also gain insight into 5 reasons MSPs partner with Timus for ZTNA and a review of CyberQP’s offerings
Manager of Sales & Success Engineering, CyberQP
Head of Partnerships, Timus
ON-DEMAND webinar
The importance of fostering productive relationships between a managed service provider (MSP) and their vendors is crucial for business expansion. Yet, as MSPs develop their ecosystem, common questions arise, such as:
Our seasoned panel of experts—Kelcye Blankenship-Lackland and Michael Garrity from CyberQp, Wayne Hunter from AvTek Solutions, and Amanda Lachapelle from B4 Networks—will answer these questions in the following webinar.
Watch now to enhance your company’s vendor relationships and to gain insight into how CyberQP’s Privileged Access Management and Helpdesk Security Automation solve common MSP problems, like end user verification and shared credentials.
President & CEO, AvTek Solutions
Manager of Sales & Success Engineering, CyberQP
Channel Development Manager, CyberQP
CyberQP, a leading provider of Privileged Access Management and Helpdesk Security Automation for Managed Service Providers (MSPs), has announced the release of Just-in-Time (JIT) privileged account creation for Active Directory. This new capability enables MSPs with more robust control over access to their privileged accounts. CyberQP has since released an in depth webinar dedicated to the process of creating these accounts and passwords on-demand when technicians need them.
With this new feature, CyberQP partners can temporarily enable and revoke privileged access as needed, offering an ideal solution for MSPs to limit exposure of their privileged accounts, prevent insider threats, and position themselves for co-managed IT agreements.
As small-and-medium sized businesses (SMBs) observe cyber criminals adopting identity-based tactics to target an organization’s administrative and privileged accounts, MSPs and SMBs need a scalable, dynamic solution that mitigates their risk and guarantees clear visibility into activity related to privileged accounts.
CyberQP’s JIT account creation feature empowers MSPs to create temporary privileged accounts for individual users, which automatically rotate credentials and disable themselves upon expiration. Moreover, JIT accounts are organized to create an easy-to-track audit log that attributes activity to individual people, enhancing accountability and compliance.
“The MSP business model is insecure by default from a standing privilege perspective,” said Jimmy Hatzell, VP of Revenue at CyberQP, “So now there is a move to ‘zero standing privilege” using Just-In-Time Accounts. Basically instead of having all these accounts active, they are only created and activated when in use, with least privilege.”
CyberQP’s latest innovation follows an announcement that the company successfully raised an additional $12 million in funding.