Top 10 Questions to Properly Vet Your Next Managed Service Provider
1. Are they FedRAMP Moderate or Equivalent?
Any cloud service that stores, processes, or transmits Controlled Unclassified Information (CUI) on your behalf must be FedRAMP Moderate authorized or meet the equivalent security requirements (DFARS 252.204-7012). FedRAMP-Moderate cloud offerings are listed on the FedRAMP Marketplace; check the specific offering the provider will use, not just the vendor's name.
2. What is their experience implementing NIST SP 800-171 in other small businesses your size?
A provider should be able to supply references for implementing NIST SP 800-171 at businesses of similar size and type.
Why is this important? If you're a healthcare organization, you may want to seek out resources that understand the flow of patient information: who requires access to the actual medical records, and why.
The provider should be able to explain, without hesitation, what it takes to implement each of the 110 security requirements of NIST SP 800-171, which have been a contractual obligation for defense contractors (DFARS 252.204-7012) for five years.
3. What are their CMMC certifications?
A provider should hold recognized certifications, such as CISSP, CISA, or CEH, that show its staff are cybersecurity professionals. Be aware that some certifications are entry level, such as Security+, CSX, and MTA. These are industry certifications rather than CMMC credentials, so also confirm on the CMMC-AB Marketplace that the provider is listed there and that its staff have received the CMMC-AB training and credentials appropriate to their role.
4. What are their affiliations with cybersecurity vendors?
Ensure the provider is credible and possesses the breadth and depth of resources required to perform the work. For example, check whether they hold partnerships with industry leaders such as Microsoft, Amazon, or Google, and whether those partnerships cover the services they will deliver to you.
5. Does the provider ask questions to understand and respect your business model?
Respect is an essential component of a successful partnership. A lack of it will stifle teamwork and undermine performance.
Observe whether the provider creates a healthy environment in which stakeholders feel heard and engaged. The provider should be asking questions to identify your networks, where physical (paper) information is stored, relevant wireless access points, and the flow of all information through your systems.
6. What are they (and you) going to do if your company gets hacked?
Be clear on scope boundaries. You want established Service Level Agreements (SLAs) in place that define response times and protocols for when an incident occurs. A provider should have a documented incident response plan describing how they will respond on your systems, networks, and devices. You should also be able to request the logs that capture activity on endpoints, routers, applications, proxies, and Internet-of-Things (IoT) devices, since those logs are what an investigation will depend on.
7. What are they (and you) going to do when you get audited?
An ideal provider will either be present or available during an audit and will assist with documentation requests. Confirm whether remediation efforts are included in the initial cost or come at an additional fee.
8. How are they going to handle on-premises activities that need to be accomplished?
Be sure to clarify which services are on-site and which are off-site. Assessments can leverage virtual components, including screen sharing and video conferences. This should be clearly documented within the agreed-upon Statement of Work (SOW). If travel costs are involved, be sure they are consistent with government travel policies.
9. How will they test the cybersecurity they implement for your business?
Testing protocols (what will be tested, how, and what evidence will be delivered) should be clearly documented in the Statement of Work (SOW). These protocols should be discussed during the Intake and Planning process and approved by both the Organization Seeking Certification (OSC) and the provider.
10. What is their availability and proposed schedule to implement NIST SP 800-171 for your business?
Assuming a "go" decision is made, the provider's project lead and the OSC should jointly determine the scope, boundaries, staffing, dates, duration, scheduling dependencies, and pricing. All parties should agree on and sign the official Work Plan.