CMMC MSP Partner – Why Giga-Green
The National Defense Information Sharing and Analysis Center (ND-ISAC) is a partnership between the U.S. Department of Defense (DoD) and private sector organizations. Its primary purpose is to enhance the security and resilience of the nation’s defense infrastructure by facilitating the sharing of information related to cybersecurity threats and vulnerabilities.
ND-ISAC collects, analyzes, and disseminates threat intelligence to its members, which include defense contractors, government entities, and other stakeholders. The center helps organizations prepare for and respond to cyber threats, fosters collaboration, and promotes best practices in cybersecurity.
ND-ISAC publishes a document describing what to look for in a Managed Services Partner, which can be found here: NDISAC-SMB-WG-MSP-Shopping-Questionnaire-Rev-4.5.pdf
To instill confidence in our customers, we compiled their questions and our answers for your review! Need more detail? Reach out and we will discuss how we keep your environment and data safe!
ND-ISAC Questions for Managed Service Providers
1 – Are you familiar with NIST 800-171, DFARS 7012, and CMMC?
Giga-Green: Yes, very! We have been working with critical infrastructure and sensitive data since 2016! We’ve been diligently following CMMC even through its first revision and are excited about the final ruling!
Historically, we anticipated needing CMMC certification, but our model does not require us to be certified as an External Service Provider because we will never house your CUI data directly.
2 – To which security framework do you align?
Giga-Green: Most closely to NIST 800-53 and NIST 800-171.
3 – Do you have a Customer Responsibility Matrix (CRM)?
Giga-Green: We do! We have a standard CRM for most customer scenarios but build them custom to the customer's workloads/environment.
4 – Are all people working for your company U.S. Persons?
Giga-Green: Yes!
5 – If any of my data is stored on your information systems, where are those systems geolocated?
Giga-Green: We do not store any of your data within our systems outside of what is given to us to provide superb support.
6 – Where does my data exist in your environment?
Giga-Green: We do not store your data within our environment. You, the customer, own all software and infrastructure; we simply manage it for you.
7 – What is your data retention policy?
Giga-Green: Our internal data retention policy is 7 years.
8 – Is MFA enforced for administrator access? For Remote Access? For applications?
Giga-Green: Everywhere feasible.
9 – How does your team access my environment?
Giga-Green: We utilize Splashtop SOS with FIPS-mode enabled with only attended user access to non-server workloads.
10 – Do you outsource anything to subcontractors?
Giga-Green: Yes, some of our boots-on-the-ground employees are vetted and background-checked contractors, engaged to match customer needs.
11 – Do you have a Security Operation Center (SOC) or Security Information and Event Management (SIEM)?
Giga-Green: Yes, if necessary, we implement Azure Sentinel within a customer environment.
12 – What internal governing policies does the MSP have in place?
Giga-Green: We follow the NIST 800 series for guidance on internal policies and adhere to the CMMC Code of Conduct.
13 – What risk assessment are you performing on tools that you add to your environment that support my organization?
Giga-Green: Again, the customer owns the tools and the resulting risk assessments. Most of them are cloud tools where the risks are mitigated by the SaaS providers. We use Greenbone Security Manager as a vulnerability scanner for environments if necessary.
14 – How do you manage our passwords?
Giga-Green: We provision only the minimum number of admin accounts, each assigned to a named internal user. We insist the customer has at least one admin account of their own on all platforms/tools. Any other passwords are stored in a password vault and monitored for usage.
15 – Do you perform Incident Response support for our systems?
Giga-Green: Yes! This is part of our Managed Security Solutions that is paired with our Managed IT Solutions.
16 – What is your company’s (the MSP’s) Incident Response Plan?
Giga-Green: We follow internally, and practice for our customers, the NIST 800-61 Incident Handling guide.
17 – Can you expand on your hiring and termination practices?
Giga-Green: We only hire US citizens that successfully pass a background check.
18 – Can you tell me about your ideal client?
Giga-Green: We are looking for customers ranging from 25 to 75 (100) users. We have a specialty for remote and distributed workforces but also have vetted personnel in many cities across the US.
19 – Will you share your SSP with me?
Giga-Green: Yes, but our environment is not in scope of your assessment and largely mirrors the organization's SSP, as we administer it.
20 – Are you a reseller of services, or do you provide them directly?
Giga-Green: We are a software reseller and provide direct services to our customers for the products we resell.
21 – Do you carry cyber insurance?
Giga-Green: Of course!
22 – [If supplying hardware/network infrastructure] Is the product FIPS-Validated?
Giga-Green: The customer chooses equipment, but yes, we offer FIPS-Validated hardware options.
23 – Is the company familiar (and compliant) with FAR Rule Section 889, the National Defense Authorization Act for Fiscal Year 2020 (NDAA 2020) and the prohibited vendor list?
Giga-Green: We do not use any vendors known to be detrimental or found here: Federal Register :: Federal Acquisition Regulation: Prohibition on Contracting With Entities Using Certain Telecommunications and Video Surveillance Services or Equipment
24 – Has your company undergone any audits or assessments, and what was the result?
Giga-Green: We have not, but we are continuously evaluating ourselves and services against the frameworks named above.
25 – How long have you been in business?
Giga-Green: 2016
26 – Can you share references?
Giga-Green: Absolutely!
27 – Is the MSP's DUNS number (or UEI) on DnB or SAM.gov?
Giga-Green: No, we do not contract with the government directly but rather act as technical advocates for our DIB customers.
28 – Have you changed ownership or management in the last 12 months?
Giga-Green: Nope!