With the publication of the final CMMC rule on October 15th, 2024, the United States Department of Defense has made several key changes to their Cybersecurity Maturity Model Certification (CMMC) compliance framework, especially relating to Cloud Service Providers (CSPs) as Security Protection Assets (SPAs).

In order to run through these last-minute changes, CyberQP’s dedicated information security and compliance team has read the final rule and is working on the best strategy to help IT teams and channel partners who trust us follow these best practices. We’ll also give you a look at how we can help you achieve capabilities you’ll need on your compliance journey.

Prior to the final rule’s publication, any Security Protection Asset would have been required to be FedRAMP authorized – including many of the third-party cybersecurity providers that MSPs and IT professionals rely on to secure their end users and environments.  

However, due to concerns that this sweeping requirements would require organizations to eliminate modern security solutions from their toolbox (and concerns about forcing contractors to rely on cost-restrictive legacy tools) led the DoD to carve out a provision clarifying that a Cloud Service Provider serving as an SPA would not have to be FedRAMP authorized.  

Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.  

While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.  

In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.  

According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.  

The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”  

• 32 CFR Part 170, CMMC Rule 

While the final rule does contain some ambiguities by stating Security Protection Data should be treated as CUI, the CyberQP compliance team consulted a Certified Third Party Assessor Organization to confirm this provision exempts CSPs as SPAs from FedRAMP authorizations if they do not access or handle CUI.  

In short – during certification assessments, security providers themselves might not be evaluated if they do not store, process, or transmit CUI, but they will be in scope during assessments to evaluate the capabilities they provide to your IT team in securing digital environments and sensitive data. 

Cybersecurity vendors that store, process or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.

While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.

In the final requirements, cloud service providers (CSPs) that do not access or transmit this information are considered out-of-scope for FedRAMP moderate requirements associated with the process of achieving CMMC Level 2 (or higher) compliance.

According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets.

The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description and the CMMC assessment requirements have been changed to read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”

CyberQP does not store, process, or transmit CUI data as part of our mission to offer security by design in our platform. However, we do help partners proactively meet relevant CMMC requirements, and can participate in assets where assessors will look at your Security Protection Assets and evaluate how they help you align with CMMC controls.  

When CyberQP partners prepare to validate that they meet CMMC security controls, our Privileged Access Management platform can help you align with some requirements in the Access Control (AC), Identification and Authentication (IA), and Security Assessment (CA) categories. We help IT teams align with the Principle of Least Privilege for admin access with Just-in-Time (JIT) access, and automated password management.  

Here are some of the CMMC 2.0 Security Controls That CyberQP Supports: 

• Access Control (AC): 

• AC.L2-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). 

• AC.L2-3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. 

• AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts. 

• Identification and Authentication (IA): 

• IA.L2-3.5.1: Identify information system users, processes acting on behalf of users, or devices. 

• IA.L2-3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational information systems. 

• IA.L2-3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. 

• Security Assessment (CA): 

• CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. 

CyberQP offers proactive access control capabilities to your help desk, and equips your technicians with the automations they need to streamline admin access management. We help organizations achieve zero standing privileges with Just-in-Time access, backed by Passwordless Technician Logins, and can help you prove you use robust privileged access management in their security program.  

Ready to partner with a cybersecurity company that’s laser-focused on your success? Speak with a product specialist today.

Leaving the passwords for privileged accounts static and configuring them to never expire is convenient and ensures that any system that depends on these accounts will continue to run without any intervention. For MSPs doing this can leave your company and your customers at risk from credential stealing. According to ZDNet the PyXie RAT malware can steal passwords from technicians through keylogging and recorded videos.

Targeted phishing attacks can also obtain administrative credentials by impersonating login portals for online accounts such as Office 365 and Azure AD and having technicians willingly provide privileged credentials without realizing it. Static passwords are easier to crack since they never change and if re-used from another online system, they are at risk of being hacked from a security breach.

Lastly, threats can also be found internally from technicians who are laid off or fired and have access to privileged credentials with malicious intentions. According to Huntress Labs a former MSP technician attempted to sell all their customer administrator credentials on the dark web to the highest bidder.

Why rotate passwords when you use MFA?

MFA (Multi factor authentication) is an essential tool to use that adds an extra layer of security to protect your privileged credentials. Some argue that using MFA eliminates the need to rotate passwords. That being said there is mounting evidence that MFA too can be hacked in a number of different ways including man in the middle attacks and network session hijacks according to Secureworld. Also, most recently it was discovered by Proofpoint that a new vulnerability in Microsoft 365 allows an attacker to bypass MFA. Thus, MFA alone is not a silver bullet and MSPs and IT departments should consider it as one layer in a layered security strategy.

How often should I rotate passwords?

Ideally passwords for privileged accounts should be rotated every time they are used or accessed by a technician or at the very minimum when a technician leaves or is fired. This covers internal threats from malicious technicians either employed or fired by an MSP. However, this does not cover if the password was hacked from a keylogging malware or phishing attack. Thus, the need to rotate passwords more frequently such as daily or weekly on a scheduled basis becomes much more essential.

How much does it cost to rotate passwords manually?

The concept of rotating privileged account passwords makes a lot of sense but rotating all these passwords manually can be costly. Let us break this down. Here are the general steps a technician must do when they rotate a password for a privileged account in Active Directory or Azure AD (Office 365).

1. Look up documentation for current resource password.
2. Access the resource via remote control solution or web browser
3. Login
4. Open Active Directory Users and Computers or Azure AD
5. Locate the account to reset
6. Choose a new password
7. Perform the reset
8. Update the password on the windows service or scheduled task (if applicable)
9. Update the documentation
10. Repeat steps 1 – 9 for the next privileged account.

Let’s assume this takes an average of 1 mins per password. According to Forester research the average cost in technician time and resources is $25 per 15 mins or $100 per hour USD. Then the average cost of a manual password reset is $1.67. Here is how much it would cost every time you need to manually rotate all your privileged account passwords. If your numbers are slightly different feel free to input your own numbers for average time and cost to see where you land.

ou could argue that if you had to rotate passwords once a quarter or a year that you would just suck it up and assign the work to a technician. But if you need to do this daily or weekly costs would quickly spiral out of control and let’s be honest no one in their right mind would do this daily or weekly if it was a manual process. Also, when things are busy this is the first task that would get postponed and therefore may be skipped and forgotten.

Why should I automate password rotation?

The numbers don’t lie. If you had to rotate all your privileged account passwords in Active Directory or Azure AD (Office 365) daily, weekly or monthly it would be cost prohibitive or worse would not get done leaving your MSP or enterprise exposed even if you use MFA.

Being able to automate these password rotations in a set it and forget it manner ensures it gets done without manual intervention for a substantial savings and protection your MSP or IT Department needs.