CyberQP

How CyberQP Helps Partners Align with the CMMC Framework

CyberQP is assisting IT teams and channel partners in navigating the updated October 15, 2024 final CMMC rule by clarifying that Cloud Service Providers acting as Security Protection Assets are not required to be FedRAMP authorized unless they handle Controlled Unclassified Information, thereby helping vendors understand when they fall within CMMC audit scope and how to achieve compliance without unnecessary burdens.

With the publication of the final CMMC rule on October 15th, 2024, the United States Department of Defense has made several key changes to their Cybersecurity Maturity Model Certification (CMMC) compliance framework, especially relating to Cloud Service Providers (CSPs) as Security Protection Assets (SPAs).

In order to address these last-minute changes, CyberQP’s information security and compliance team has reviewed the final rule and is working on strategies to help IT teams and channel partners follow best practices. This includes guidance on achieving the necessary capabilities for compliance.

When Does a Vendor Become Part of a CMMC Audit’s Scope?

Prior to the final rule’s publication, any Security Protection Asset would have been required to be FedRAMP authorized—including many third-party cybersecurity providers that MSPs and IT professionals rely on. However, concerns about eliminating modern security solutions and forcing contractors to use cost-restrictive legacy tools led the DoD to clarify that a Cloud Service Provider serving as an SPA would not have to be FedRAMP authorized.

Cybersecurity vendors that store, process, or transmit Controlled Unclassified Information (CUI) fall into the scope of a CMMC certification process and would be required to achieve FedRAMP Moderate compliance.

While proposed changes to the CMMC framework would have required Security Protection Assets (SPAs) to also align with the 110 CMMC requirements, the final CMMC rule does not require vendors to achieve FedRAMP Moderate status.

In the final requirements, cloud service providers (CSPs) that do not access or transmit CUI are considered out-of-scope for FedRAMP moderate requirements associated with achieving CMMC Level 2 (or higher) compliance.

According to the final rule, “the requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” The rule has been updated to change the definition and requirements of Security Protection Assets. The phrase “irrespective of whether or not these assets process, store, or transmit CUI” has been removed from the SPA description, and the CMMC assessment requirements now read, “Assess against CMMC security requirements that are relevant to the capabilities provided.”

“In order to clarify and address concerns about the perceived ‘expansion’ of requirements, the rule was revised to reflect that ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do not require CMMC assessment or certification.”

— 32 CFR Part 170, CMMC Rule

What Kind of Solutions Require FedRAMP Moderate Compliance?

  • Required (solutions that can remotely access or collect CUI – directly or through hosts):
    • Remote Monitoring and Management (RMM) tools with remote access to hosts with CUI
    • Endpoint Detection and Response (EDR) providers with remote access and file collection capabilities
    • Backup Services used to back up hosts and files containing CUI
  • Not Required (CSPs that are SPAs):
    • Privileged Access Management solutions without remote access to endpoints
    • SIEM providers that do not collect CUI in logs
    • Managed Detection and Response (MDR) providers without remote access or file collection

While the final rule contains some ambiguities by stating Security Protection Data should be treated as CUI, the CyberQP compliance team consulted a Certified Third Party Assessor Organization to confirm that CSPs as SPAs are exempt from FedRAMP authorizations if they do not access or handle CUI.

In short, during certification assessments, security providers themselves might not be evaluated if they do not store, process, or transmit CUI, but they will be in scope during assessments to evaluate the capabilities they provide to your IT team in securing digital environments and sensitive data.

How We Help MSPs Align with CMMC

CyberQP does not store, process, or transmit CUI data as part of our mission to offer security by design in our platform. However, we help partners proactively meet relevant CMMC requirements and can participate in assets where assessors will look at your Security Protection Assets and evaluate how they help you align with CMMC controls.

When CyberQP partners prepare to validate that they meet CMMC security controls, our Privileged Access Management platform can help align with requirements in the Access Control (AC), Identification and Authentication (IA), and Security Assessment (CA) categories. We help IT teams align with the Principle of Least Privilege for admin access with Just-in-Time (JIT) access and automated password management.

Here are some of the CMMC 2.0 Security Controls That CyberQP Supports:

  • Access Control (AC):
    • AC.L2-3.1.1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
    • AC.L2-3.1.2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
    • AC.L2-3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • Identification and Authentication (IA):
    • IA.L2-3.5.1: Identify information system users, processes acting on behalf of users, or devices.
    • IA.L2-3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
    • IA.L2-3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  • Security Assessment (CA):
    • CA.L2-3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

Defend Your Sensitive Data with Confidence

CyberQP offers proactive access control capabilities to your help desk and equips your technicians with the automations they need to streamline admin access management. We help organizations achieve zero standing privileges with Just-in-Time access, backed by Passwordless Technician Logins, and can help you prove you use robust privileged access management in your security program.

Ready to partner with a cybersecurity company that’s focused on your success? Speak with a product specialist today.