Vendor Requirements for CMMC Compliance

CMMC Vendor Requirements

Every vendor, supplier, subcontractor, and service provider you use to support your DoD contract or secure your IT environment must be qualified, and it’s your responsibility to ensure this.

What are the CMMC Requirements Vendors and Suppliers need to be Compliant with?

Subcontractor Flow-down:

Subcontractors or vendors you use to help you fulfill the product or service requirements in your contract must also be CMMC certified if CUI will be passed to the subcontractor/vendor.

External Service Providers (ESP) Requirements:

Vendors of products or services you use to secure your environment to meet NIST 800-171 controls. These could include a managed service provider (MSP), or a cloud service provider (CSP). Together, these service providers are referred to as external services providers (ESPs).

How Does Vendor Compliance Impact Your Company’s CMMC Certification?

The obligation falls on you to verify that these third parties comply with CMMC standards, ensuring that they contribute to your organization’s overall compliance efforts.

By making sure your suppliers and subcontractors are qualified, certified, and compliant, you uphold the integrity and standards of your business, safeguarding its certification status and contributing to a secure, reliable operational environment.

Where are the Subcontractor Flow-Down Requirements Found?

According to DFARS 252.204-7012:

m)  Subcontracts.

• • “The Contractor shall—Include this clause, including this paragraph (m), in subcontracts, …for which subcontract performance will involve covered defense information (aka “CUI”)….”
  • “The Contractor shall determine if the information required for subcontractor performance retains its identity as covered defense information (i.e. CUI) and will require protection under this clause….”
  • This clause must be included in subcontracts if the performance involves covered defense information (CUI).
  • If you’re sending CUI to a vendor for a product or service, you must include the entire DFARS 252.204-7012 clause in your contract with that vendor.

For instance, if you’re buying parts or outsourcing assembly/testing and need to share CUI like drawings or specs, this clause must be included. This ensures your vendor meets the same security requirements as you.

What do Vendors Need to do based on the Flow-Down when it comes to DFARS 7012?

What DFARS 7012 Requires:

• • Secure CUI with adequate protections, including NIST SP 800-171 controls.
  • Use FedRAMP, Moderate cloud providers.
  • Investigate and report cyber incidents within 72 hours.
  • Preserve system images and relevant data for 90 days.
  • Flow down the clause to their subcontractors and notify the prime contractor of any issues with NIST SP 800-171 compliance or cyber incidents. **

How do the Subcontractor Flow-Down Requirements Apply to a Company’s Purchasing Process and Vendors?

These requirements apply to you as well since DFARS 7012 is in your contract. Flow-down must continue through the supply chain as long as CUI is involved. However, if you extract specific requirements from the CUI into your own specs and they are no longer CUI, the flow-down isn’t necessary.

Do CMMC Requirements Flow-Down to Vendors in the Supply Chain?

Yes. But in this case, it is the certification requirement that is being passed along.

– CMMC 2.0

o § 170.23 Application to subcontractors.
o “CMMC Level requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit FCI or CUI on contractor information systems in the performance of the contract or subcontract. Prime contractors shall comply and shall require subcontractor compliance throughout the supply chain at all tiers with the applicable CMMC level for each subcontract.”

Who do these CMMC Requirements Apply to and Why?

All subcontractors handling FCI and/or CUI must be certified to the same level as the prime contractor, depending on the documentation involved.

The logistics of this roll-out will become clearer when CMMC goes live after the first of the year.

Currently, it’s important to ensure your vendors involved in defense contracts are working toward certification.

How can a Company Confirm Vendor Implementation of the CMMC Requirements?

There are several ways to confirm implementation:

• • Send a questionnaire to check their status.
  • Request their SPRS score (self-assessment of NIST SP 800-171 compliance), which ranges from 110 to -203.
  • Regularly request updated SPRS scores as part of your supplier management process.
  • Review the vendor’s SSP, POAM, audit reports, and incident response plans.
  • Get a letter of commitment from the vendor or their C3PAO showing their certification timeline.
  • Review results from cybersecurity audits and 3rd-party assessments.
  • Include vendors in your company’s risk assessments (NIST 800-171 3.11.1).
  • Confirm your vendors’ CMMC certification when available.

Your company is responsible for ensuring vendor compliance with DFARS, NIST, and CMMC. Regular follow-ups are crucial to confirm compliance and certification.

When it comes to CMMC, and DFARS Compliance, who are External Providers?

External providers are those vendors we depend on to secure FCI or CUI. This includes cloud systems, software providers, IT services, and similar vendors.

The requirements for these are outlined in the CMMC 2.0 regulations:

External Service Provider (ESP)

• “External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization.”

Examples:

• Managed Service Provider (MSP) – outsourced IT
• Managed Security Service Provider (MSSP) – outsourced cyber security
• Cloud Service Provider (CSP)

• • “Cloud Service Provider (CSP) means an external company that provides a platform, infrastructure, applications, and/or storage services for its clients.”

• Examples:

  • MS 365
  • AWS GovCloud
  • Google Cloud
  • SIEM (Security Information and Event Management) tools
  • SOC (Security Operations Center)
  • RMM (Remote Monitoring and Management) tools
  • Antivirus/EDR (Endpoint Detection and Response)

Put simply, any 3rd-party provider of services or cloud systems used to operate, secure, or maintain your protected IT system, must meet specific requirements found in CMMC 2.0.

A lot of small businesses rely on External Service Providers (or ESPs) such as MSPs and MSSPs because they don’t have their own internal IT staff.

What are the CMMC Requirements for using External Service Providers (ESPs)?

Managed Service Provider (MSP):

• • • Third-party companies providing a range of IT services such as network monitoring, data backup, cloud services, and general IT support.
    • For CMMC, MSPs may also maintain cybersecurity, implementing and managing security controls.
    • If you outsource IT, you’re using an MSP.

Managed Security Service Provider (MSSP):

• • • Focuses on security-related services like monitoring security systems, incident response, vulnerability assessments, and compliance management.
    • MSSPs specialize solely in security services.

Both MSPs and MSSPs are essential for CMMC compliance. They ensure your IT systems are secure and meet technical requirements, but they also need protection as they can be targets for cyberattacks. Think of them as the “back door.”

Specific CMMC requirements pertain to using MSPs and MSSPs, and you are responsible for ensuring they comply. As ESPs, they help you meet DFARS and CMMC requirements.

What are the Requirements that ESPs Need to Meet and How do we Implement them?

The ESP requirements are simple to understand, but not so simple to implement.

CMMC 2.0

“If an OSC (Organization Seeking Certification) utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSC is seeking. For example, if an OSC is seeking a CMMC Level 2 Certification Assessment the ESP must have either a CMMC Level 2 Certification Assessment or a CMMC Level 3 Certification Assessment.”

• • If you’re using an MSP or MSSP, they need to be fully CMMC certified at the time of your certification.
  • This creates a timing dilemma since the DoD has not yet clarified when ESPs can pursue certification. Currently, under the DIBCAC NIST SP 800-171 assessment program, companies must hold a defense contract to participate, which most MSPs and MSSPs do not.
  • Hopefully, the final rule for CMMC 2.0, expected later this year, will clarify this dependency. We’ll have to wait and see.

For now, it’s critical to ensure that any MSP you’re working with is actively working toward their certification.

Do we Expect all MSPs to get CMMC Certified?

This could be a major issue. With around 40,000 MSPs in the US, many of which are small businesses, it’s unrealistic to expect all to get CMMC certified, especially if they have few defense clients. Many MSPs may leave their defense clients if certification is required.

Challenges for MSPs include:

• • Properly segregating systems and controlling access.
  • Meeting the 110 NIST requirements.
  • Integrating these controls into client systems.
  • Having a strong incident response plan.
  • Getting CMMC certified.

It’s hard to predict how many MSPs will seek certification. If your company uses an MSP or MSSP, discuss their certification plans now.

If they don’t get certified, you may need to find another MSP or rethink how to keep CUI off your network and devices.

It is common for companies to use cloud services as part of their “IT stack.”

What are the CMMC and DFARS requirements for Cloud Service Providers (CSPs)?

This situation differs from ESPs. CSPs can host your data (like MS 365 or AWS) or monitor your IT system (like SIEM, SOC, or RMM tools). To use these services for protecting CUI, you need to meet two key requirements:

FedRAMP Standards:

The CSP must meet FedRAMP standards. FedRAMP (Federal Risk and Authorization Management Program) is a security requirement for cloud services used by the Federal Government. CSPs must receive an “ATO” (Authority to Operate) designation to be considered “FedRAMP Authorized” and listed on the FedRAMP Marketplace.

Go here to find out more: https://marketplace.fedramp.gov/products

If not selling directly to the Federal Government, CSPs must meet requirements equivalent to FedRAMP Moderate baseline. If using a non-FedRAMP Marketplace CSP, request a “Body of Evidence” showing they meet FedRAMP equivalency.

This includes:

• • System Security Plan (SSP) meeting NIST SP 800-53 requirements.
  • No open POAM items.
  • Shared Responsibility Matrix.
  • Incident Response Plan compliance with DFARS 7012.

The critical issue is proving your CSPs meet FedRAMP compliance requirements. If not, it will impact your ability to become CMMC certified.
With an MSP, you have to make sure they are CMMC certified and with a CSP you have to make sure they are FedRAMP qualified.

What happens if your MSP is managing your CSPs, so you’re using both?

Then you must be sure they all meet CMMC and FedRAMP requirements. You are accountable for confirming and monitoring those qualifications.

Using 3rd parties and outsourced systems can certainly be helpful to get CMMC certified, but you have to be careful.

Many small companies don’t have IT staff or even the expertise for all of this. It seems the more we learn about CMMC, the more intimidating it seems.

What is the Easiest Path for a Small Business to get CMMC Certified?

For many small businesses, the simplest path is to use a cloud enclave to host and manage their CUI. This way, you have a single vendor to manage.

The enclave provider ensures that all IT systems and CSPs used for the enclave are properly qualified and managed.

This “one-stop-shop” approach simplifies the process of achieving CMMC certification.

Who Can Use a Cloud-Enclave and What Do You Need to Look for When Shopping for One?

Here are three approaches to securing CUI:

1. Securing your entire network.
2. Creating an internal enclave.
3. Utilizing a cloud-based enclave.

Entire Network Strategy:

Requires meeting 110 NIST controls, ensuring FedRAMP compliance for cloud providers, and CMMC certification for your MSP.

Internal Enclave:

Same vendor compliance requirements apply, including FedRAMP compliance and CMMC certification for any ESP tools or MSPs managing the environment.

Cloud-Based Enclave:

Outsources both the system and vendor compliance responsibilities. For example, our CORE Vault provides a secure cloud enclave that meets NIST and CMMC requirements, acting as both a CSP and an MSP.

What is a Cloud Service Provider?

“Cloud Service Provider (CSP) means an external company that provides a platform, infrastructure, applications, and/or storage services for its clients.”

What is an External Service Provider?

“External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization.”

CORE Vault is a CSP (Cloud Service Provider):

We offer platform, infrastructure, applications, and storage services.

And also an ESP (External Service Provider):

We provide IT and cybersecurity services.

As the CSP, we ensure FedRAMP authorization for all tools and systems. As the MSP for CORE Vault, we handle the necessary people, technology, and facilities, ensuring compliance with NIST SP 800-171 and future CMMC 2.0 certification.

A cloud enclave like CORE Vault simplifies vendor compliance and CMMC certification, with only one External Service Provider to manage.

When it comes to Vendor Compliance, what will a C3PAO look for when they conduct their assessment?

For MSPs and MSSPs, the assessor will verify they hold a valid CMMC 2.0 certification.

For CSPs, they’ll ensure they are listed on the FedRAMP Marketplace or have sufficient “Body of Evidence” for FedRAMP equivalency.

For subcontractors, they’ll check that you have properly flowed down the DFARS requirements into your contracts and that they meet the required CMMC certification level.

While a cloud enclave isn’t suitable for every company, it can help those with only a few defense contracts or limited CUI handlers to minimize the effort and expense of achieving CMMC certification.