MSP Exec To Peers: ‘You Need To Know What Data To Protect Now And In The Future’
‘You have to understand controlled unclassified information so that you know if an entity is over-reaching you can avoid long, costly, unnecessary journeys in the Cybersecurity Maturity Model Certification ecosystem,’ says Overview Technology Solutions President and CTO Marc Menzies.
MSPs that deal with sensitive government data will sooner or later run into questions about how to handle controlled unclassified information under the Cybersecurity Maturity Model Certification and should plan on getting trained before running into security issues that could lead to business-threatening lawsuits.
That’s the word from Marc Menzies, president and CTO of Overview Technology Solutions, who told an audience of MSPs at this week’s XChange NexGen 2024 conference that they have not received enough information on controlled unclassified information, or CUI, which could lead to problems down the road when working with the government.
“My experience in the channel in the last few years is you guys have not been given the entire story on CMMC [Cybersecurity Maturity Model Certification],” Menzies said. “... You’ve been given information on sort of what CUI is. I don’t feel that I really even got it until I started doing quite a few deep dives.”
XChange NexGen is hosted by The Channel Company, parent company of CRN.
Overview Technology Solutions is a Holbrook, N.Y.-based cybersecurity-focused MSP which, in addition to having its own customer base, works with other MSPs to provide security services.
Having a good understanding of CUI is important for MSPs for several reasons, Menzies said.
“You need to know what data to protect now and in the future,” he said. “You have to understand CUI so that you know if an entity is over-reaching you can avoid long, costly, unnecessary journeys in the CMMC ecosystem. And you need to get started on the journey of being able to advocate for your clients and for yourselves by molding what the scoping of an assessment should be like so you’re not just listening to other people.”
Unlike classified information, which is never made available to civilians unless they are working in some official capacity, CUI is unclassified but nonetheless must be strictly protected, he said. CUI is limited primarily to data from the Department of Defense for now but will expand to other areas in the future depending on new rules from the National Archives and Records Administration (NARA), he said.
Menzies outlined three key things MSPs need to understand when it comes to CUI. The first is to understand what kinds of data need to be protected, as specified by NARA. Many of the categories relate to critical infrastructure like water, as well as to taxes, law enforcement and so on.
“There are a lot of things on here,” he said. “I can guarantee you, if you look through here you’re going to see stuff that a client of yours probably has. That doesn’t mean there’s any sort of law or anything that’s governing that right now, but we’re going to get there.”
The good news is that government agencies take time to specify things like CUI, Menzies said. But watching NARA will help show what is coming, he said.
“Although the government is always being criticized in some way, shape or form, a lot of times they get some things right or they guide us into the position where what they think is right is what actually happens. … All the things that NARA says is something that you have to do in the future, but for right now it’s just defense CUI as part of defense contracts.”
Remember that NARA has defined information that the government expects to give out to private citizens and that MSPs may need to protect, Menzies said.
“At some point, you should take note of that,” he said. “See what it is, see what your liability for disclosure is, and what actions you can take now to help your clients categorize their data. Watch for trends, watch reviews, watch people like me getting up and waving their hands.”
The second key to MSPs working with CUI is to understand what makes something CUI, Menzies said.
“[First] is that it was created by a contractor during the performance of a contract or in the performance of a contract that was received by the contractor from the government or a higher-tier contractor during the performance of a contract,” he said. “I’m sure you see a theme here. If it was not created during the performance of a contract, if it was not given under the terms of the contract, if it had nothing to do with the performance of the contract, it really can’t be considered CUI.”
Someone at a client may say that certain data is CUI and needs to be protected but can’t remember who said it, Menzies said. In such a case, an MSP may go on a long, expensive journey to treat it as CUI.
“When you receive CUI, sometimes it’s marked, sometimes it’s not,” he said. “It’s supposed to be, but sometimes it’s not marked. You can request certain information from those that gave it to you. One of the important things that you can ask for is called the SGC, which is the security classification guide, [which] basically says this element of this document or information you’re receiving is what makes it special. If you create information with that information in it, you have to protect it. If you don’t, you probably don’t unless we tell you.”
It is important to remember that the MSP is not responsible for marking something as CUI, Menzies said.
“The government is supposed to be marking it for us,” he said. “They’re supposed to be telling you what elements are CUI. You have to defend yourself because defensibility is probably the most important thing here. If unmarked, do not mark things as CUI unless explicitly instructed to do so. Even in that case, they should probably be doing it.”
Clients or prime contractors will often point fingers at MSPs if there is a CUI issue, Menzies said.
“If you do come to a decision about what CUI is based on limited available information, you have to be sure you can defend the assessment to the federal government,” he said. “If there are some sort of false claims act brought up against you, you have to be able to defend it. You have to defend it. You have to be able to have that documentation. You have to really understand what you’re doing. Otherwise, protect it regardless.”
The third key to MSPs working with CUI is to reduce the scope of CUI where possible, Menzies said.
“Reducing your footprint is important because if you get scope, that’s expensive for you, that’s expensive for your customer,” he said. “It requires time and materials. It requires subject matter experts, and you can be open to liability if you’re not doing what the customer thinks you’re doing. So if a customer gets a fine or loses a contract or has a false claim or doesn’t get a new contract or something, you will be held liable regardless of if it’s your fault or not, regardless of what your agreement says. You can still get sued for this, especially if a client goes under because they can’t get federal contracts.”
To reduce the risk of being scoped into an assessment, it is important to discuss things with clients, Menzies said.
“Understand what type of data they hold based on their vertical,” he said. “I have a client who makes communications cables that are used in submarines. They might have CUI for the Department of Defense. The client has a room that I’m not allowed in because of sensitive data. They might have CUI information. [And] reduce the data that you hold for a customer.”
Dustin Vaughn, CEO of Network Performance, an Albuquerque, N.M.-based MSP, told CRN he found Menzies’ presentation on CUI very important given that his company is now already talking with at least four clients who may have CUI.
“He actually defined quite a lot of good points in here as far as [what we would need to cover ourselves],” Vaughn said. “What I’m worried about is, honestly, what are we offering that we need to back out of to ensure that we’re not putting ourselves out there where we don’t need to be because we’re not fully compliant? Do we need to be 100 percent compliant in this, or do we back out some of our services and share some of that with other partners so that we don’t have to?”
Network Performance works with government and Defense Department clients, as well as heavy construction contractors that often work on infrastructure for those organizations as well as other state projects, Vaughn said.
“We’ve had a lot of questions from these guys lately about CUI, and I didn’t have answers,” he said. “So this kind of helps me get my process started.”