What does it mean to be an MSP supporting the Defense Industrial Base (DIB)? (Part 1) 


Brian Hubbard | January 08, 2024 11:19 AM 

What does it mean to be an MSP supporting the Defense Industrial Base (DIB)? 

What it doesn’t mean is purely selling more product and service to increase MRR.

If you are an MSP supporting the DIB … BUCKLE UP!  Be ready to invest time and energy!

Even though it is still only a proposed rule, the DoD's draft of 32 CFR Part 170 makes it clear that MSPs supporting the Defense Industrial Base (DIB) will need to comply fully with NIST 800-171 and be assessed by an independent third party (a CMMC Third Party Assessment Organization, or C3PAO).

If you are storing, processing, or transmitting CUI for your customers, then you are most definitely in scope, and will be required to be CMMC Level 2 certified. 

If you are providing more typical services like configuration management, security operations center (SOC) services, access management, change management, systems maintenance, etc., you will be in scope of your customer's assessment as a Security Protection Asset (SPA), and you will need to be CMMC Level 2 certified.

It means being truly vested in supporting your DIB customers in their cybersecurity compliance journey. 

It is time – maybe past time – to get started!  How do you start?  How do you best support your customers' efforts now?  What will your customers need from you?  What do you need to do to survive?  How can you turn this into an opportunity to substantially grow?

The vast majority of DIB companies are small to medium-sized businesses. They either outsource all of their IT needs or some key portions of them, or, as they start on their CMMC journey, they will need to buy services from an MSP or MSSP.

Now is the time to explore your direction, set your strategy and move out on implementation. 

What are some strategy questions you need to ask yourself?  Here are a few:

1. What services do I expect to provide my DIB customers? (Help desk, system administration, SOC/SIEM, vulnerability management, etc.)

2. How will I provide those services? (e.g., my own staff, sell-through services, staff augmentation)

3. What do I need to do to be able to provide those services?

The 3rd question is a meaty one.  The question also goes hand-in-hand with the questions:

How do I help my customer comply with CMMC and other regulatory requirements?

What do I have to do internally to ensure I don’t adversely impact my customers' compliance?

How do I differentiate myself in this marketplace?

The 3rd question will lead most MSPs to a lot of introspection about their ability to stay in the game. 

Here are a few recommendations to consider:

a) Start with an assessment of how well you stack up against the CMMC requirements internally.

b) Inventory the tools and providers you use to provide your services.

c) Assess those tools and providers against the requirements.

d) Adjust. (e.g., if the providers and products you use are not going to help the customer comply, throw them out)

This is a hard journey to take alone, which is why the MSP Cybersecurity Exchange has formed: a community focused on learning how to best support the DIB, developing strategies, and driving the market.  Keep participating in the community.
