With the publication of the final CMMC rule on October 15th, 2024, the United States Department of Defense has made several key changes to their Cybersecurity Maturity Model Certification (CMMC) compliance framework, especially relating to Cloud Service Providers (CSPs) as Security Protection Assets (SPAs).
In order to run through these last-minute changes, CyberQP’s dedicated information security and compliance team has read the final rule and is working on the best strategy to help IT teams and channel partners who trust us follow these best practices. We’ll also give you a look at how we can help you achieve capabilities you’ll need on your compliance journey.
When Does a Vendor Become Part of a CMMC Audit’s Scope?
Prior to the final rule’s publication, any Security Protection Asset would have been required to be FedRAMP authorized – including many of the third-party cybersecurity providers that MSPs and IT professionals rely on to secure their end users and environments.
However, due to concerns that this sweeping requirements would require organizations to eliminate modern security solutions from their toolbox (and concerns about forcing contractors to rely on cost-restrictive legacy tools) led the DoD to carve out a provision clarifying that a Cloud Service Provider serving as an SPA would not have to be FedRAMP authorized.
Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.
While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.
In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.
According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.
The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”
- 32 CFR Part 170, CMMC Rule
| WHAT KIND OF SOLUTIONS REQUIRE FEDRAMP MODERATE COMPLIANCE? | |
| Required (solutions that can remotely access or collect CUI – directly or through hosts) | Not Required (CSPs that are SPAs) |
| Remote Monitoring and Management (RMM) tools with remote access to hosts with CUI Endpoint Detection and Response (EDR) providers with remote access and file collection capabilities Backup Services used to back up hosts and files containing CUI | Privileged Access Management solutions without remote access to endpoints SIEM providers that do not collect CUI in logs Managed Detection and Response (MDR) providers without remote access or file collection |
While the final rule does contain some ambiguities by stating Security Protection Data should be treated as CUI, the CyberQP compliance team consulted a Certified Third Party Assessor Organization to confirm this provision exempts CSPs as SPAs from FedRAMP authorizations if they do not access or handle CUI.
In short – during certification assessments, security providers themselves might not be evaluated if they do not store, process, or transmit CUI, but they will be in scope during assessments to evaluate the capabilities they provide to your IT team in securing digital environments and sensitive data.
How We Help MSPs Align with CMMC
CyberQP does not store, process, or transmit CUI data as part of our mission to offer security by design in our platform. However, we do help partners proactively meet relevant CMMC requirements, and can participate in assets where assessors will look at your Security Protection Assets and evaluate how they help you align with CMMC controls.
When CyberQP partners prepare to validate that they meet CMMC security controls, our Privileged Access Management platform can help you align with some requirements in the Access Control (AC), Identification and Authentication (IA), and Security Assessment (CA) categories. We help IT teams align with the Principle of Least Privilege for admin access with Just-in-Time (JIT) access, and automated password management.
Here are some of the CMMC 2.0 Security Controls That CyberQP Supports:
- Access Control (AC):
- AC.L2-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- AC.L2-3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
- Identification and Authentication (IA):
- IA.L2-3.5.1: Identify information system users, processes acting on behalf of users, or devices.
- IA.L2-3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- IA.L2-3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Security Assessment (CA):
- CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Defend Your Sensitive Data with Confidence
CyberQP offers proactive access control capabilities to your help desk, and equips your technicians with the automations they need to streamline admin access management. We help organizations achieve zero standing privileges with Just-in-Time access, backed by Passwordless Technician Logins, and can help you prove you use robust privileged access management in their security program.
Ready to partner with a cybersecurity company that’s laser-focused on your success? Speak with a product specialist today.
