Many small to medium-sized businesses outsource their help desk and IT support for fiscal and operational reasons, but these services directly affect the compliance posture of the business. Not only do third-party IT support services affect compliance, a single cybersecurity incident at an MSP can jeopardize every business it serves. The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), is developing a guide to help MSPs limit these security and compliance risks. The authors, Karen Waltermire of NCCoE and Harry Perper of The MITRE Corporation, have released an initial draft for public review and feedback. The new guide focuses on three of the five Cybersecurity Framework Functions: Identify, Protect, and Detect.

Conceptually, the guide will cover many of the same practices found in NIST SP 800-171 and required by DFARS 252.204-7012 for aerospace and defense companies. However, it will also address the threat vectors unique to the shared-resource model of an MSP. The overarching theme is reminiscent of the age-old airline instruction: "put on your own oxygen mask before assisting others." If an MSP is not running proper auditing and logging on its own systems, then the customer systems it manages are exposed as well.

According to a recent study of the Defense Industrial Base (DIB) conducted by NDIA, more than 25 percent of industry professionals work for firms that have experienced a cyber attack. The attack surface of an MSP grows with every company and user it adds, and with it the damage an attacker can inflict and the amount of data that can be compromised through a single compromise of the MSP.

MSPs must treat each customer's data estate separately from an architectural standpoint, but some resources will be shared regardless. IT support processes must be streamlined to keep MSP offerings affordable, and standardization must be set to the most demanding customer requirement rather than the least. Managing a single support ticket, for instance, has several security and compliance implications: where ticket information is stored and on which servers, what remote-desktop or virtual-desktop software is used, how corrective actions are logged and what system changes are documented, what citizenship status MSP employees hold (relevant to export-controlled data), who responds to incidents and reports them as DFARS 252.204-7012 requires, and so on.

Components under consideration for all MSP scenarios, and the associated 'projects' to be implemented: