CISA Threat Advisory: Protecting Against Cyber Threats to Managed Service Providers and Their Customers
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), with contributions from industry members of the Joint Cyber Defense Collaborative (JCDC), has issued a Joint Cybersecurity Advisory (CSA) tailored for both Managed Service Providers (MSPs) and their customers to reduce their risk of falling victim to cyber intrusion.
The issuing bodies of this advisory expect malicious actors to increase their targeting of MSPs to exploit provider-customer network trust relationships. Because of the privileged access MSPs have to their customers, a successful attack has the potential to produce cascading effects on MSPs and their customer base.
This CSA (AA22-131A) is designed to provide best practices for information and communications technology (ICT) services and functions in order to create blueprints for transparent and informed discussions between MSPs and their customers surrounding how to further secure their sensitive data. These discussions should ignite the evaluation of security processes and contractual commitments between the parties to further align them with the organization's risk tolerance level.
You can view the full Joint Cybersecurity Advisory here: Protecting Against Cyber Threats to Managed Service Providers and their Customers
Many of the mitigation actions recommended by this CSA map directly to NIST 800-171 and CMMC security controls. Further, many mitigation actions can be implemented through a single platform and/or solution (e.g., External Service Provider (ESP)). Microsoft’s 365 GCC High Platform is an ESP widely utilized by the Defense Industrial Base (DIB) due to the volume of shared responsibilities that can bring their systems up to the NIST 800-171 and CMMC standards.
Below you will find the mitigation actions included in this advisory, their applicable NIST 800-171 and CMMC security controls, and solution recommendations based on Summit 7’s experience with Microsoft’s 365 GCC High Platform and other complementary technologies.
It is important to note that installing the recommended technologies listed does not, on its own, fully mitigate the risks they are intended to address. An organization must have compliance processes in place that effectively leverage the technologies that mitigate the risks associated with these recommendations. Further, a successful cyber security program will leverage technologies and platforms that provide shared responsibilities between the organization and the solution. This way, IT teams can focus on the security of the infrastructure and be better equipped to quickly respond to incidents and remediate issues. After all, the CSA's intent is to identify the most urgent threats, thereby empowering organizations to respond effectively.
To satisfy the requirements of NIST 800-171 Control 3.14.1 (Identify, report, and correct system flaws in a timely manner), organizations must identify flaws and vulnerabilities from multiple sources such as threat intelligence reports and analysis, risk assessments, and vulnerability scanning. Once identified, the organization must correct the flaws in a timely manner.
For more information about NIST 800-171 or CMMC Compliance contact Summit 7 here.