CISA (the Cybersecurity and Infrastructure Security Agency) has released new guidance for government and private sector organizations on how to engage with managed security service providers (MSSPs) and managed service providers (MSPs) in a way that minimizes supply chain risk and improves their overall security.
The document, entitled Risk Considerations for Managed Service Provider Customers, serves as a guidebook for organizations that outsource IT security and other responsibilities to MSSPs and MSPs. It presents a checklist of IT management planning, best practices and tools, tailored for three audiences:
- Strategic decision-makers: Senior executives, boards of directors.
- Operational decision-makers: Procurement professionals.
- Tactical decision makers: Network administrators, systems administrators, front-line cybersecurity staff.
Best practices and considerations from the National Institute of Standards and Technology (NIST) and other authoritative sources are integrated into the document.
Why is this Document Important for MSSPs?
To be clear, although MSSPs are not named directly in the document, they are front and center on these issues. The CISA resource amounts to a list of action items for MSSPs: keep their own internal systems locked down, and understand what customers will ask of them before, during and after a contract.
“The bottom line is that outsourcing IT services provides both increased benefits and risk to an organization,” CISA said in a blog post. According to the report, key players within a customer’s organization should be able to answer the following questions prior to working with an MSSP or MSP:
- Who is responsible for security and operations when IT services are outsourced to an MSSP or MSP?
- What are the most critical assets that we must protect and how do we protect them?
- What should an MSSP or MSP provide to an organization in advance of a contract award to demonstrate security controls in place?
- What network and system access levels are appropriate for third-party service providers?
“It will require effort and time upfront for an organization to review their security practices and answer these types of questions,” CISA said. “But, in the long run, it will help them spot pockets of risk from third-party vendors and improve their overall security and resilience.”
Key Supply Chain Security Considerations
Here’s the Risk Considerations checklist, segmented by customer role:
Considerations for strategic decision makers:
- Establish a supply chain risk council that includes executives from across the organization and represents all relevant business units and organizational functions.
- Define roles and responsibilities in a vendor agreement using the Shared Responsibility Model to articulate the MSP’s responsibilities, the customer’s responsibilities, and any responsibilities shared by both parties.
- Develop and maintain an enterprise cybersecurity risk management plan that includes security, legal, and procurement priorities as well as an IT services supply chain risk assessment.
- Develop, maintain, and exercise incident response plans, including senior leadership playbooks.
- Hold regular cybersecurity threat briefings for C-suite executives and the board of directors.
- Provide cybersecurity incident reporting, including mitigation and lessons learned analysis, to C-suite executives and the board of directors.
Considerations for operators:
- Solicit a list of requirements from departments who will use the services being considered and maintain a requirements master list.
- Request the following from an MSSP or MSP before signing a contract:
- Specific performance-related service level agreements.
- Confirmation that the individual signing on behalf of the MSSP or MSP is responsible for the security of the product or service, and a requirement to notify the customer of any change in the MSSP's or MSP's ownership or leadership.
- Detailed guidelines for incident management.
- Remediation acceptance criteria that define the steps the MSSP or MSP will take to mitigate known risks.
- A statement from the vendor on how data from different clients will be segmented or separated on the vendor's networks.
- Detailed guidelines for log and records maintenance.
- Documentation of vetting of employees to minimize risks of intellectual property theft, manipulations, or operational disruptions.
- Transition plan to support a smooth integration of the MSSP's or MSP’s services.
- Notification of any sub-contracts that would potentially expose the organization’s data to another external party.
- Protocol for planned network outages or other maintenance activities that could interrupt business operations.
- Documentation of the MSSP's or MSP’s financial health, performance record for other clients, and disclosure of any previous legal issues.
Considerations for tacticians:
- Define the MSSP's or MSP’s expected privilege and access levels prior to contract award.
- Apply a Zero Trust security model, including the Principle of Least Privilege, to any MSSP or MSP or affiliated sub-contractor and assign only the minimum necessary rights for the shortest necessary duration.
- Review and verify connections between MSSP or MSP and internal systems.
- Restrict Virtual Private Network traffic to and from an MSSP or MSP to a dedicated VPN connection.
- Implement strong operational controls and manage authentication, authorization, and accounting procedures. Ensure that managed service providers' accounts are not assigned to administrator groups, and restrict those accounts to only the systems they manage.
- Maintain offsite backups of essential records and network activity logs.
- Validate logs of MSSP or MSP activity on the network and across the IT enterprise.
- Include key suppliers in organizations’ incident response, business continuity, and other contingency planning.
- Establish clear protocols for vulnerability disclosure, incident notification, and communication with any external stakeholders during an incident.
- Include the MSSP or MSP in after-action reviews and lessons-learned analysis.
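Several of the tactician items above (least privilege for provider accounts, a dedicated VPN for provider traffic, no provider accounts in administrator groups, and validation of provider activity logs) can be checked against the customer's own logs. The script below is an added example and is not from the CISA document or any vendor; the account names, host names, the 10.250.0.0/24 VPN pool, and the log format are assumptions constructed for illustration. It reads authentication and group-change events and flags any provider login that arrives from outside the dedicated VPN subnet, reaches a host outside the provider's managed scope, or adds a provider account to an administrator group.

```python
import ipaddress
import re

# Policy for this example. These names and addresses are assumptions made up
# for illustration, not values from the CISA document. In practice they come
# from the access levels the customer defined before contract award.
MSP_ACCOUNTS = {"svc-msp-monitor", "msp-ops1"}
MSP_MANAGED_HOSTS = {"fw-edge-01", "backup-02"}
MSP_VPN_SUBNET = ipaddress.ip_network("10.250.0.0/24")  # dedicated MSP VPN pool
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Two constructed event formats: remote logins and group membership changes.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)
GROUP_RE = re.compile(
    r'^(?P<ts>\S+) group-add user=(?P<user>\S+) group="(?P<group>[^"]+)"$'
)

# Constructed sample log: one clean login, one login from the public internet,
# one login to an out-of-scope host, one admin-group grant, one non-MSP user,
# and one failed login that is within policy.
SAMPLE_LOG = """\
2024-03-01T02:10:11Z login user=svc-msp-monitor src=10.250.0.17 host=fw-edge-01 result=success
2024-03-01T02:12:40Z login user=msp-ops1 src=203.0.113.45 host=backup-02 result=success
2024-03-01T02:15:03Z login user=msp-ops1 src=10.250.0.22 host=hr-db-01 result=success
2024-03-01T02:16:55Z group-add user=svc-msp-monitor group="Domain Admins"
2024-03-01T02:18:10Z login user=alice src=192.168.4.9 host=hr-db-01 result=success
2024-03-01T02:20:00Z login user=msp-ops1 src=10.250.0.22 host=backup-02 result=failure
"""


def audit_line(line):
    """Return a list of (timestamp, user, reason) findings for one log line.

    Only provider accounts are in scope; other users and lines in an
    unrecognised format produce no findings.
    """
    findings = []
    m = LOGIN_RE.match(line)
    if m:
        user = m["user"]
        if user not in MSP_ACCOUNTS:
            return findings
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            # A source that does not parse is itself worth a look.
            findings.append((m["ts"], user, f"unparseable source {m['src']!r}"))
            return findings
        if src not in MSP_VPN_SUBNET:
            findings.append((m["ts"], user,
                             f"login from {src} outside dedicated MSP VPN"))
        if m["host"] not in MSP_MANAGED_HOSTS:
            findings.append((m["ts"], user,
                             f"login to {m['host']} outside managed scope"))
        return findings
    m = GROUP_RE.match(line)
    if m and m["user"] in MSP_ACCOUNTS and m["group"] in ADMIN_GROUPS:
        findings.append((m["ts"], m["user"],
                         f"added to administrator group {m['group']!r}"))
    return findings


def audit_log(text):
    """Audit every non-empty line of a log and return all findings in order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(audit_line(line))
    return findings


if __name__ == "__main__":
    for ts, user, reason in audit_log(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

Run against the constructed sample, the script reports three findings: the login from 203.0.113.45 (not via the dedicated VPN), the login to hr-db-01 (outside the managed scope), and the addition of svc-msp-monitor to Domain Admins. The failed login and the non-provider user produce nothing. The same three checks map directly onto the contract terms a customer should have agreed in advance: the VPN subnet, the list of managed systems, and the prohibition on administrator-group membership.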
“It’s no longer enough for organizations to focus on securing their own data and information systems,” CISA said. “They must also encourage enhanced cybersecurity practices of their managed service providers.”