Quarter 2/3, 2024

MSPCyberX Files

Latest News from the Corners

Issue #2

MSPCyberX Incorporates as a Non-Profit

News from Town Square

Ellicott City, MD - MSPCyberX was founded to serve the MSP community through cybersecurity education and community involvement.  MSPCyberX is about bringing MSPs together with cybersecurity professionals and other MSPs working toward cybersecurity compliance.  In April 2024, the leadership of MSPCyberX fully embraced this charitable mission by incorporating as the MSP Cybersecurity Exchange Corp, a Maryland nonprofit corporation, and began operating under the governing IRS 501(c)(3) rules and regulations.

Establishing MSPCyberX as a nonprofit provides the organization even more opportunities to bring exciting programs to MSPs.  Because the MSP industry is critical to the security of most small businesses, it is beginning to come under more and more regulatory scrutiny.  As such, the U.S. Government is beginning to recognize that MSPs need to be supported.  As a nonprofit, we will be able to pursue grants from Government agencies to provide education and support to the MSP Industry.

To explore membership options, visit MSPCyberX's website (MSPCyberX.com).

MSPCyberX is building a network of MSPs and Cybersecurity professionals focused on the success of the MSP Industry

Membership Soars Over White House Goals

National News

In December 2023, the National Cyber Director, Harry Coker, Jr., announced MSPCyberX as an important initiative that supports the National Cyber Workforce and Education Strategy (NCWES).  At the time of the announcement, the founders of the MSP Cybersecurity Exchange at Evolved Cyber, LLC. committed to the White House that MSPCyberX would launch in February of 2024 and reach 100 members by the end of 2024.

MSPCyberX was launched on February 14, 2024, as a special project under the management of Evolved Cyber.  In April 2024, MSP Cybersecurity Corp was formed as a standalone Maryland Non-profit Corporation.  In June, we formed our Board of Directors. 

By the end of the 2nd quarter of 2024, we had reached a total membership of over 150, far exceeding our commitment to the White House.  We aren’t satisfied and are now targeting 200 members by the end of 2024.

To this end, Active Members can get an incentive discount for any referrals they make.  For every new Active Member they refer, they will receive a credit worth 1-month of the new active member’s dues.  So, with 12 referrals of new members at your current Active member level, you can get your entire year’s membership dues paid for.

The more members we have in the community, the more great programs we can offer the membership. 

CMMC Proposed Rule Speeding Along

Spotlight

The CMMC Program rule is in the final stretch of being released as a final rule.

On December 23rd, 2023, the Government published a proposed rule that details the Cybersecurity Maturity Model Certification (CMMC) program.  The rule was subject to a 60-day comment period.  The Department of Defense CMMC Program Management Office then had to adjudicate the public comments and send a final rule to the Office of Information and Regulatory Affairs (OIRA) for review.  Once this review is completed, the rule will be published in the Federal Register and CMMC certification assessments can begin.  (By the way, this is a very, very abridged summary of the process; there are a lot of steps that the rule goes through before being published.)

The rule is expected to be published as soon as November of this year. The rule will become part of the Code of Federal Regulations (CFR) under Title 32, Part 170 (shorthand is 32 CFR 170).

So, what does this mean for the MSP community?

Under the CMMC program, Defense Industrial Base (DIB) contractors will be required to conform to the requirements of NIST Special Publication 800-171.  Their conformance will be verified either through a self-affirmation, or through a formal certification assessment, depending on the requirements of a particular contract.

For the contractor to be certified, any External Service Provider (ESP) that performs work for them will have to be certified at or above the level of the contractor.  An ESP is defined in the rule as follows: 

“External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of comprehensive IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”

In other words, an MSP or MSSP is an ESP. 

To support the DIB, an MSP will be required at a minimum to conform to CMMC Level 1.  If the DIB contractor is themselves required to or plans to achieve Level 2, an MSP supporting them will have to be certified at CMMC Level 2 themselves.

This is a very heavy lift for MSPs.  Many of our members are in the process of preparing to be certified once the rule is final, and they will attest to that fact. 

What is the payoff?

The DIB consists of over 200,000 companies.  The vast majority (well over 140,000) are small businesses.  Each of these companies will have to conform to CMMC at some level to continue doing business with the DoD.  It is estimated that over 80% of the DIB companies use an ESP in some capacity.

If your MSP is certified against CMMC Level 2, you will be in a position for exponential growth. 

Further, this is just the beginning.  The rest of the Federal Government is expected to follow suit within the next 2-3 years, increasing the number of impacted contractor companies to over 1 million.

Obviously, CMMC will be a major focus within MSPCyberX for some time.  We will continue to track and keep our members informed on developments in the program and continue to coach members on their compliance journeys.

Corner Focus

Slack Environment Facelift

Slack uses a flat list of channels as its normal navigation method.  This makes it difficult to organize information into the appropriate section of our MSPCyberX community.  We wanted a concept that made it easy for members to find out for example about all the projects going on in the Workshop, or what the latest discussions are on CMMC Corner or in the Diner. 

We have adopted a tool known as Canvas in Slack to visually pull all that information into one place.  Using canvases, we alert members to new activity and provide additional detail.

CMMC Corner

Weekly CMMC Office Hours

Brian Hubbard, a Certified CMMC Assessor and Instructor, holds weekly office hours to address and discuss your questions and concerns.  Sessions are now every Wednesday (except the 3rd Wednesday, when we hold the MSPCyberX Townhall). 

To date, sessions have been lively with good dialog and sharing of experiences among the members, in addition to Brian sharing what he knows about CMMC. Other CMMC experts and cybersecurity professionals have been joining as well to share their experiences and knowledge.

Members view this as an hour of free consulting.  This form of consulting normally would cost a company between $350 and $500 an hour. 

Sessions are open to all Active members.  Come join in on these sessions and bring your questions.  Even if you can’t attend, there is a Slack channel to post questions to be addressed at office hours.  All sessions are recorded and available to all Active members.

MSPCyberX Board of Directors Elected

MSPCyberX Governance Corner

As a nonprofit entity, MSPCyberX requires a solid Board of Directors, dedicated to the success of our core mission.  In composing our inaugural Board of Directors, we sought out individuals who are dedicated to the success of the MSP community and have a solid foundation in cybersecurity.  We believe that we have found this in our officers and board members: Brian Hubbard, President; Toby Musser, Secretary; Shel Philips, Treasurer; Matt Lee; Curt Dukes; and Max Pruger.

The Board's first act was to enact a set of bylaws that govern the behavior of MSPCyberX and ensure it stays focused on its primary mission.

Read a bit more about our board members.

Brian Hubbard, President, is a cybersecurity veteran with 40+ years of experience in the field. As the President of Evolved Cyber, LLC, he is dedicated to developing cost-effective cybersecurity programs for small to medium-sized businesses. He is a Certified CMMC Assessor (CCA) and Instructor for the Cybersecurity Maturity Model Certification (CMMC) program. Brian has worked on some of the toughest cybersecurity challenges in the nation and is a strategic business leader with extensive experience in architecting, designing, and developing solutions to address these challenges. He is a trusted advisor for organizations looking to improve their cybersecurity posture.

Tobias Musser, Treasurer, is the CEO of MNS Group, which specializes in Security and Compliance services and IT implementation for government contractors based in Harford County, Maryland. MNS Group is a CMMC Registered Provider Organization (RPO) and Authorized C3PAO that provides assessments, readiness, and preparation practices. A cybersecurity evangelist, he has served as a beta tester and consultant to various security and compliance software developers. He is a founding member of the Baltimore Cyber Range Consortium, the first company in the United States to provide cybersecurity range training specifically for workforce development. He is a member of the Harford Community College Cybersecurity Curriculum Advisory Committee. Toby has worked in Workgroups under the Secretary of the State of Maryland, as a board member in the University of Maryland Medical Systems and the Board of Technology Subcommittee for Aberdeen Proving Ground Federal Credit Union.

 Shel Philips, Secretary, is a PMP and CCP working in the CMMC trenches to raise the level of security for the Defense Industrial Base and the MSPs providing support. As a 45+ year veteran in the technical project management business, he has added subject matter expertise in cybersecurity and specifically CMMC to the mix to attack the challenges we face. Shel trains other MSPs in cybersecurity policy development through one of the major software license vendors and works to help the industry reach critical mass for secure IT support.

Matt Lee has dedicated the last 13 years to raising the cybersecurity tide in the SMB and MSP markets. He has served in every capacity in a growing MSP that grew to support 20,000 endpoints. His leadership around technology direction and security/compliance protected and elevated over 17,000 people in small to midsize businesses in five states. He has since taken on a deep role as a force multiplier as the Security and Compliance Senior Director at Pax8. He is driving external thought leadership to empower MSPs to continue to grow in their security knowledge, operability, and capabilities. He is a known speaker and subject-matter-focused contributor to Zero Trust, Framework Centric Security Program approaches, and one of the chief editors on a new project classifying ISV, SaaS, and Service Providers along the CIS Framework taxonomy.  He lives to ensure his children maintain the same quality of life we do around technology, which is imperiled daily by threat actors.

Curtis (Curt) Dukes is the Executive Vice President for Security Best Practices at the Center for Internet Security (CIS). CIS is headquartered in Albany, NY, with a satellite office in Washington, DC. Curt leads development of security best practices for protecting information technology systems. CIS’ two primary products, security benchmarks and the critical security controls, are global industry best practices endorsed by leading IT security vendors and governing bodies. In his prior role, Curt led the Information Assurance mission at the National Security Agency. He was charged with the security of National Security Systems, which include systems that handle classified information or are otherwise critical to military and intelligence activities.  Curt is an avid speaker at both national and international cybersecurity events and serves on a number of advisory boards.

 Max Pruger has been a pioneer in the managed services industry since the late 1990s. He currently serves as General Manager Audit & Compliance at Kaseya. Max’s first stint with Kaseya spanned nearly a decade, before he left to become the Chief Revenue Officer of CloudJumper (acquired by NetApp).  Max began his MSP career at USWeb as a founding member of that company’s managed service division. He has also held the position of Senior Architect at IBM. Max holds a BS in Computer Science from American University and an MBA from the University of Maryland - Robert H. Smith School of Business.

Ready to join us?

See what membership makes sense for your business