The government doesn’t fully “get” MSPs and the role they play in securing small and medium defense contractors. The MSP Collective aims to change that.
Small and medium businesses working with the U.S. Department of Defense (DoD) and its contractors are required to earn a high-level cybersecurity certification to handle sensitive information. At least half of those SMBs depend on IT providers such as MSPs and MSSPs to manage and protect their IT environments, according to MSPs for the Protection of Critical Infrastructure (also known as MSP Collective, founded in 2023).
Despite their critical role in supporting those SMBs, the role of MSPs and MSSPs isn’t fully understood by the government. Standards, regulations and certification programs routinely fail to acknowledge the role of MSPs and MSSPs, usually conflating them with cloud providers, the MSP Collective contends. This creates potential vulnerabilities that attackers can exploit, and it needs to change, the collective says.
“When we began MSPs for the Protection of Critical Infrastructure, it was clear to me that we needed an organization focused on educating government and industry about the tremendous responsibility that MSPs and MSSPs have,” says MSP Collective Executive Director Scott Edwards, who is also CEO and president of Summit 7 Systems, an MSP specializing in DoD contractors.
“As a whole, MSPs and MSSPs are completely absent when it comes to federal regulation or visibility even though they literally hold the keys to the kingdoms for pretty much all of our critical infrastructure sectors,” Edwards says.
MSP Collective’s Mission to Inform and Educate
The collective’s mission is to inform and educate the government and critical infrastructure industries about the work of MSPs and MSSPs in “maintaining a secure, functioning, and resilient critical infrastructure.”
This includes making recommendations to Congress, local and federal governments, the DoD and the Cyber AB (the Cybersecurity Maturity Model Certification Accreditation Body) to help secure the Defense Industrial Base, support military personnel, and improve national security.
Cyber AB is a nonprofit entity that manages CMMC (Cybersecurity Maturity Model Certification). CMMC Level 2 certification is the certification the DoD is requiring for companies that handle sensitive data designated as Controlled Unclassified Information (CUI). CUI refers to information that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy, but is not classified.
The collective estimates those companies include some 60,000 SMBs, at least half of which work with MSPs and MSSPs. Part of the collective’s mission is to educate MSPs about CMMC and compliance with NIST 800-171, a framework with regulations on how to handle CUI.
No ‘Easy Button’ for MSPs and CMMC Compliance
The collective maintains a directory on its website of MSPs and MSSPs that already earned CMMC Level 2 certification so businesses know where to find qualified providers to work with them.
Joy Beland, vice president of ecosystem relations for the MSP Collective, and VP of cybersecurity compliance at Summit 7, says the group wants to dispel the notion of an “easy button” to achieve compliance. Providers need to understand that activities they perform involving CUI, such as deploying systems, adding software, and capturing and auditing security logs, must be done in compliance with the framework’s requirements.
“Not knowing those requirements can easily cause a failure in their customer’s compliance posture, so investing in the right policy and procedure implementation, training and tools to use, and skilled technicians is crucial in conducting regular MSP/MSSP daily activities,” she says.
Collective Members Hope to Shape Practical CMMC Policies
Providers interested in joining the collective can get information on its website. Four membership options are available. “The MSP Collective is growing quickly, as more MSPs see the value in the work we do and understand our mission,” Beland says.
Bobby Guerra, CEO of Axiom, an MSP serving government contractors, is a member. He joined so he could take part in the conversation with like-minded peers about critical issues such as achieving CMMC Level 2 certification.
“I believe the collective will eventually have a significant impact on legislative issues by bringing real-world insights from the front lines of implementing CMMC. The collective will provide a much-needed perspective and voice to help shape effective and practical policies throughout this evolving process,” he says.
For more on compliance, see Kaseya’s Multimillion-Dollar FedRAMP Commitment Aims To Position MSPs For Future Opportunities.
