Governance, Risk and Compliance, MSP, Content, Vertical markets

Kaseya Enhances Compliance Manager for Federal Government MSPs


Kaseya is rolling out enhancements to its Compliance Manager for CMMC compliance process automation platform that will help SMBs and MSPs that work with the Department of Defense (DoD) remain in compliance with new federal cybersecurity requirements, the IT management and MSP software company says.

A new federal mandate, announced November 30, 2020, states that non-federal organizations that comprise the Defense Industrial Base will be required to obtain the new Cybersecurity Maturity Model Certification (CMMC) at one of five levels dependent on their specific contract by October 31, 2025.

In the interim, all defense contractors, including many MSPs and SMBs, must perform self-assessments on the 110 security controls of NIST SP 800-171 and then upload those results to the DoD to remain in compliance, Kaseya asserts.

NIST 800-171 refers to National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations.

Kaseya Enhances Compliance Manager for CMMC: Bridging the Gap

To bridge the gap until CMMC is completely rolled out over the next five years, the Department of Defense (DOD) released an interim rule that went into effect November 30 designed to improve the reporting and compliance requirements of the current DoD cybersecurity standard in place by leveraging NIST (SP) 800-171.

Kaseya’s enhancements to its Compliance Manager for CMMC compliance process automation platform will help MSP and SMB defense contractors and subcontractors through the now mandatory NIST (SP) 800-171 Self-Assessment, which covers 110 security controls. The software then automatically scores the assessment using the DoD’s proprietary scoring rubric and generates the required System Security Plan (SSP), which must be uploaded to the federal government’s SPRS system, according to Kaseya.

Kaseya Compliance Manager guides MSPs and SMBs through the same vetting process performed during the third-party assessment. As the requirements of each CMMC level build on those of the previous level, Compliance Manager for CMMC allows MSPs and SMBs to perform each individual assessment in sequential order to identify and remediate issues before the actual certification audit.

Kaseya Compliance Manager is updated continuously to keep pace with the ongoing roll-out of the various CMMC developments, according to Kaseya. Currently, Compliance Manager supports the NIST (SP) 800-171 self-assessment and CMMC Level 1 and Level 2 assessments with CMMC Level 3 assessment to be available in Q1 2021. CMMC for 800-171 assessments, including the automatic scoring engine, automated SSP documentation and the required Plan of Action and Milestones (POAM), all will be available in December 2020, Kaseya said.

Kaseya Compliance Manager for CMMC: Federal Requirements' Sweeping Consequences

Max Pruger, general manager compliance, Kaseya
Max Pruger, general manager compliance, Kaseya

“The impact of the DOD’s new interim ruling has sweeping consequences. Every contractor and subcontractor who does business with the DoD must perform the NIST (SP) 800-171 compliance assessment using the DoD’s scoring methodology if they want to continue doing work with 7019/7020 clauses,” said Max Pruger, general manager compliance practice at Kaseya. “Performing and documenting the required self-assessment is a tremendous undertaking that most SMBs are not equipped to do on their own. As such, MSPs have a unique opportunity to help these businesses perform their interim assessments, and prepare for their CMMC third-party audit at the same time. With Kaseya Compliance Manager for CMMC, MSPs can collaborate with their clients to manage the compliance process, offer remediation services for vulnerabilities found during the self-assessment, and provide evidence of compliance for the third-party auditor."

“The DOD plans to release more Requests for Information and Requests for Proposals with CMMC requirements each year, starting with fifteen in 2021 to, eventually, all of them by 2025,” added Pruger. “As a result, those contractors and subcontractors who achieve CMMC certification earlier have the best chance to win more contracts. In some cases, the MSPs themselves may also be required to obtain CMMC certification if they service clients with Controlled Unclassified Information (CUI). Kaseya Compliance Manager for CMMC is purpose-built to automate the rigorous cybersecurity assessment and documentation process outlined by the DoD so that SMBs and MSPs can proactively ready themselves to bid for these highly competitive contracts.”