Governance, Risk and Compliance, Government Regulations

N-able, Others Helping MSPs, MSSPs Comply with CMMC 2.0


N-able is the latest company looking to give MSPs the tools they need to comply with evolving cybersecurity frameworks, including the recently released Cybersecurity Maturity Model Certification (CMMC) 2.0 from the federal government.

The Burlington, Massachusetts, company is launching a number of compliance initiatives and resources aimed at ensuring that MSPs, MSSPs, and other service providers can fall in line not only with security frameworks in the United States but also those in other parts of the world.

CMMC 2.0 has been in the works for several years, with the final version being released earlier this month. It comes with a more streamlined tiering, with three levels rather than five, allows self-assessment to some extent at Levels 1 and 2, and aligns with NIST SP 800-171 for Levels 1 and 2 and NIST SP 800-172 for Level 3.

There are other changes from CMMC 1.0 in such areas as notification requirements and milestones.

For MSPs and MSSPs and their clients working with the U.S. Defense Department (DoD) and in the Defense Industrial Base (DIB), compliance is essential. According to Carter Schoenberg, VP and chief security officer of SoundWay Consulting, more than 75,000 government contractors need a CMMC certification and about 85% of them rely on MSSPs.

The CMMC program is used to ensure that sensitive and unclassified information that the DoD shares with contractors and subcontractors – which include MSPs and MSSPs – is protected by setting out cybersecurity requirements that need to be met.

Leading the Way to Compliance

That’s why initiatives like those introduced by N-able are crucial, according to Dave MacKinnon, the company’s CSO.

“MSPs and MSSPs need to understand their customer contracts and what security provisions are either there currently or pending as a result of CMMC,” MacKinnon told MSSP Alert. “MSPs have a Swiss army knife of tooling to support their customers, and they’ll need to understand what’s in scope for CMMC and the level they’re expected to obtain.”

Other companies that work with service providers are offering similar programs. ConnectWise in August rolled out its own plans for helping MSPs meet the CMMC 2.0 requirements, starting with reaching compliance by 2025. The work the Tampa, Florida, company does to achieve compliance will help it better guide its partners through the compliance process.

It also means that MSPs will have access to ConnectWise’s CMMC-compliant products through the company’s hosted solutions.

Navigating Difficult Waters

Lazarus Alliance, a cybersecurity services company, offers CMMC 2.0 compliance services.

“MSPs’ roles are full of challenges,” the Scottsdale, Arizona, company wrote last month. “They must navigate complex and evolving cybersecurity requirements while managing their operational risks. With CMMC 2.0, MSPs are tasked with securing their infrastructure and ensuring that their clients meet the stringent cybersecurity standards the DoD sets.”

Addressing Multiple Frameworks

N-able’s efforts address not only CMMC 2.0, but other cybersecurity frameworks, including the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Essentials for smaller businesses and local governments, the European Union’s NIS2 Directive, and Australia’s Essential Eight for both businesses and government.

“CMMC 2.0 is just one example of increasing focus on operating securely and being held accountable when it comes to building cyber resilience in organizations of all sizes,” MacKinnon said.

According to N-able, the set of initiatives builds on the company’s secure-by-design approach, which includes a NIST 800-171 attestation step to help MSPs meet requirements for managing controlled unclassified information. Other steps include a FIPS 140-3 expansion, building federally approved encryption libraries and algorithms into core products; audit logging, in keeping with N-able’s commitment to CISA’s Secure by Design Pledge – which the company signed in July – and separated host environments to comply with controls for CMMC 2.0 and similar regulations.

There also is product training, compliance training, and a Compliance Resource Center, which will include expert blogs, content, and resources like checklists that IT service providers can use.

“Having an understanding of the compliance requirements for the MSP, as well as their customers, will help [SMBs] to be successful in creating a secure ecosystem to support their customers,” MacKinnon said. “This isn’t about convincing anyone. It’s about continued education and enablement to and through the MSP to the organizations they serve and work to protect from cyberthreats and attacks.”
