GCC High Guide

Managed Services for Public Sector

Finally, let's keep you compliant and secure in your Microsoft 365 & Azure Government environment

When a government subcontractor is seeking a Managed Service Provider (MSP) for Microsoft 365 Government Community Cloud (GCC) High to ensure compliance with CMMC (Cybersecurity Maturity Model Certification), there are specific criteria and considerations to keep in mind. The GCC High environment is designed to meet the stringent compliance requirements of the U.S. Department of Defense (DoD) and other federal agencies, so it’s essential to choose an MSP that understands and can navigate this unique environment.

Here are some key considerations and criteria to look for in ANY MSP (and yes, Agile IT is aligned to these):

1. Compliance and Certifications:

CMMC: MSPs are not required to be directly certified in CMMC. However, if they provide services within the scope of a CMMC assessment, your MSP will need to be included in your audit, because the MSP’s environment, controls, and procedures must align with the CMMC level requirements you are targeting. Working with an MSP that is already CMMC certified provides several advantages, such as a streamlined compliance process, reduced risk, a faster path to certification, and true alignment with federal security standards.

NIST SP 800-171: MSPs must comply with the security requirements outlined in NIST Special Publication 800-171 R2, which provides guidelines on protecting CUI. Although NIST SP 800-171 R3 has been published, the R2 version is the one codified in the Final Rule of CFR Title 32: Cybersecurity Maturity Model Certification Program. This compliance is foundational for CMMC and is necessary to achieve CMMC Level 2 and beyond.

Federal Risk and Authorization Management Program (FedRAMP): For CMMC, MSPs must use FedRAMP-authorized or compliant cloud service providers to handle CUI, typically requiring FedRAMP Moderate or High authorization or equivalency.

2. Experience with GCC High:

  • The MSP should have a proven track record of deploying, managing, and supporting Microsoft 365 GCC High environments.

3. Security Expertise:

  • Given the sensitive nature of the data, the MSP should have a strong focus on security, including:

    • Regular security audits and assessments.
    • Proactive monitoring for threats and vulnerabilities.
    • Incident response capabilities.

4. Data Sovereignty:

  • Ensure the MSP understands the importance of data sovereignty and can guarantee that data remains within the U.S., as required by GCC High. This includes ensuring that all support is performed by United States citizens who are working within the United States.

5. Migration Expertise:

  • If you’re transitioning from another environment, the MSP should have experience in migrating data and applications to GCC High without data loss or downtime.

6. Training and Support:

  • The MSP should offer training for your staff on the GCC High environment and provide robust support, including a dedicated account manager or support team familiar with your setup.

7. Service Level Agreements (SLAs):

  • Ensure the MSP offers SLAs that match your organization’s needs, especially in terms of uptime, response times, and resolution times.

8. Customization and Integration:

  • The MSP should be capable of customizing the GCC High environment to suit your needs and integrate with other tools or systems you use.

9. Backup and Disaster Recovery:

  • Ensure the MSP offers robust backup and disaster recovery solutions, especially given the critical nature of government data.

10. Transparent Pricing:

  • The MSP should provide clear and transparent pricing, with no hidden fees. They should also be willing to discuss and negotiate terms that suit your organization’s budget and compliance goals.

11. Continuous Monitoring and Reporting:

  • The MSP should offer continuous monitoring of your environment and provide regular reports on performance, security, and compliance.

12. Innovation and Future-Proofing:

  • As technology and compliance requirements evolve, the MSP should demonstrate a commitment to staying updated and ensuring your environment remains compliant and efficient.

In conclusion, when selecting an MSP for Microsoft 365 GCC High, it’s imperative to prioritize compliance, security, and experience. Given the unique requirements of the GCC High environment, partnering with an MSP that understands and can navigate these complexities will be invaluable. Agile IT is here to help!

Read more about our MSP service, AgileDefend, here.