CISA Insights Report: Risk Considerations For MSP Customers

Summary

In September 2021, the National Risk Management Center (NRMC) at the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published a risk considerations report for Managed Service Providers (MSPs) and MSP customers.

MSPs offer customers technical services that can reduce costs and play a critical role supporting efficient IT operations for organizations of all sizes. Outsourcing IT services does not absolve an organization from risk management responsibilities. MSP efforts to assist customers may introduce unanticipated risks. MSP customers must weigh risks, proactively manage cybersecurity threats and collaborate with their MSPs to jointly reduce vulnerabilities.

SELECT HIGHLIGHTS

The CISA Insights Report published multiple recommendations for MSP customers, including:

  • MSP customers must balance cost effectiveness and efficiency with reliability and security when considering whether to outsource IT services.
  • MSP customers must understand the risks from potential loss of core organizational systems and services, loss of confidentiality, integrity and availability of data, loss of consumer and market confidence, loss of productivity due to operational disruption and other adverse financial impacts.
  • To minimize disruptions, an MSP customer should define technical roles and responsibilities within its MSP vendor agreement and apply the Shared Responsibility Model and the Principle of Least Privilege.
  • MSP customers should develop and maintain cybersecurity risk management plans that list critical organizational assets, prioritize the protection of these assets and define shared responsibilities, among other actions. CISA’s Cyber Essentials resources can help.
  • Coordinating procurement, operations, continuity and security requirements with MSPs helps MSP customers decrease supply chain risk and improve system performance.
  • MSP contracts should clearly articulate requirements and responsibilities, including detailed guidelines for incident management, common operational procedures and transition (onboarding) plans.
  • An MSP customer should identify specific personnel responsible for monitoring and managing the MSP’s day-to-day activities.

This one-page document is intended to generate awareness of the CISA Insights Report and should not be interpreted as a summary of the official government information presented therein.