Do Cybersecurity Firms Need Security?

Unless you have been marooned on an island or are just coming out of a coma, you are probably aware that supply chain cyber-attacks are becoming more pervasive. So much so that the insurance industry now questions applicants directly about this threat. Furthermore, the U.S. Government has become increasingly aware of these threats, resulting in a barrage of Presidential Executive Orders and requirements for formal certification by third parties.

What is interesting about this scenario is that the cybersecurity consultants and companies you hire to meet these goals and objectives have a high likelihood of needing to demonstrate the same to you. Some examples include the use of a Managed Security Services Provider (MSSP), outsourcing of cybersecurity functions (think vCISO), or even the use of traditional cybersecurity firms (vulnerability assessments, pentesting, etc.).

Here are a few of the responses I received over the past month when I asked companies and clients “What is your company’s pathway for CMMC?” or “Do you have a Report of Compliance by a Third Party you can share?” (No these are not made up!)

  • I am waiting for my clients to require this of me.
  • We are a cyber firm; we are already good.
  • My solution is hosted in a FedRAMP enclave, so it’s good.

Let’s take a moment to examine each of these responses.

When Hubris Runs Amok

To start with, the fact that a company sells cybersecurity services and solutions does not automatically mean the company itself is secure. While one would think that would be the case, the quality of each firm varies about as much as the quality controls applied to a new Mercedes compared to those applied to a 1976 Ford Pinto.

New and upcoming supply chain risk management obligations are expected to increase the outsourcing of mission-critical tasks. Having said that, if you use an MSSP, how do you prevent harm that originates with them?

  • To the first response: “I am waiting for my clients to require this of me”.

It is important to recognize and acknowledge that the clients you are supporting rarely know what to ask, let alone understand that they don’t know what they don’t know. This leads me to conclude that MSSPs and other cybersecurity service providers will not update or improve their Terms and Conditions or Service Level Agreements until their clients demand it and the providers fear losing them.

  • To the second response: “We are a cyber firm, we are already good.”

Wonderful news. Based on what criteria? Other than a wild boast, how would you prove it? Do you have a third-party Independent Verification and Validation (IV&V) report? Case in point: I have worked for firms that marketed themselves as cybersecurity firms, but that themselves had extremely poor technical and operational security controls in place and even poorer investment strategies for improving their cyber posture.

  • To the third response: “My solution is hosted in a FedRAMP enclave, so it’s good.”

One could actually argue the merits of this statement, but context is critical. Yes, the enclave you are in may be FedRAMP-authorized, but is your “solution”? FedRAMP authorization covers the cloud service offering, not the application you deploy on top of it. One of our first clients had been awarded a USAF SBIR and was hosted in AWS GovCloud at Impact Level 2 (IL2). It was a software solution that had never undergone an independent security assessment, because the Government’s acquisition workforce had a categorical misunderstanding of what would be required to support the SBIR, let alone how to fund these enhanced cyber risk mitigation activities. Ultimately, the client ran into a glass ceiling until the Government completed such an IV&V.

Access to Sensitive Data vs. Administrative Access

Under the current CMMC model and approach, when a third party provides a security protection asset and/or monitors or manages one, that third party falls within the assessment scope of a Government Contractor (GovCon) seeking CMMC Level 2 certification. This is not necessarily tied to whether the information they can access is Controlled Unclassified Information (CUI); the question is whether the third party has privileged access. This applies not only to MSSPs but to any third party providing services where the goal and objective of a security control is shared between the GovCon and the service provider.

How to Mitigate Exposure

The first step in solving any problem is acknowledging that the problem exists. I believe this article demonstrates that to be true. So, now the big question is: where can GovCons and other enterprises start to limit these exposures? While it does not cover every scenario, the National Institute of Standards and Technology has published a “how to” document that walks step by step through what you should think about, and even provides sample language that can be included in contracts.


To learn more about how SoundWay can help you mitigate these exposures with third-party security firms, contact us for a free consultation. Simply email or call (571) 210-0624.