The federal government is handing MSPs big opportunities to make money with regulated clients. A new HIPAA law rewards healthcare providers, and the business associates they work with, if they implement the National Institute of Standards and Technology’s (NIST), Cybersecurity Framework (CSF). A new Department of Defense (DoD) rule requires defense contractors to re-evaluate their cybersecurity if they want new defense contracts or renewals of existing contracts.
Helping healthcare organizations reduce millions of dollars of risk and defense contractors earn millions of dollars in new business is an easy way for MSPs to get past price objections and resistance to cybersecurity.
HIPAA Safe Harbor Law
In January 2021, the HIPAA Safe Harbor law was enacted, providing “safe harbor” for healthcare providers and business associates if they have implemented a government-recognized cybersecurity framework for the previous 12 months. NIST was specifically mentioned. “Safe harbor” means that if the organization can provide evidence of its implementation, it will be rewarded by reduced HIPAA fines and corrective actions if it has a breach or compliance violation. If an organization is selected for a random HIPAA audit, the audit will be immediately terminated once the evidence of NIST CSF implementation for 12 months is validated. This can save a HIPAA-covered entity or business associate millions of dollars.
The HIPAA Safe Harbor law must go through a rulemaking process that may take up to a year before it is fully in effect, but because it looks back 12 months, MSPs have immediate opportunities to help clients now. If MSPs begin implementing the NIST CSF at healthcare providers and business associates, they will be ready to take advantage of the law’s benefits as soon as it takes effect.
CMMC, NIST 800-171, and the DFARS Interim Rule
The Cybersecurity Maturity Model Certification (CMMC) is a hot topic because it requires independent assessments of over 300,000 defense contractors to validate their cybersecurity implementation. Entire businesses will be at risk if they don’t implement one of the five CMMC levels, based on the requirements in their contracts. The CMMC requirements come from NIST’s Special Publication 800-171 and some levels include additional requirements.
CMMC is rolling out over five years because it necessitates the build-out of a completely new assessment program. It will take time to build out the CMMC Accreditation Body (CMMC-AB), create training materials, train independent assessors, and conduct over 300,000 assessments. A small pilot program is testing the process, but CMMC will not be required in all defense contracts until 2025.
In the meantime, the Defense Federal Acquisition Regulation Supplement (DFARS) purchasing requirements were updated with an interim rule that went into effect at the end of November 2020.
Most defense contracts have included a DFARS requirement for cybersecurity that required contractors to implement the 110 cybersecurity controls in NIST SP 800-171 by the end of 2017. This requirement was largely ignored by many contractors.
The interim rule now requires contractors to upload a self-assessment score into a DoD database to qualify for new defense contracts and renewals of existing contracts. Contractors are subject to audit by the DoD and must be ready with specific documentation and evidence of their compliance.
The interim rule is a huge opportunity for MSPs. If defense contractors fail to comply, they will not qualify for new contracts or contract renewals. If they post a false score, and fail a DoD audit, their defense contracts—in many cases their main source of income—can be cancelled. They can also be banned from future contracts and sued by the government under the federal False Claims Act for three times what they have been paid by the DoD. False attestations can also be prosecuted criminally.
Start with NIST
MSPs need to prepare before jumping on these opportunities:
- Build a good foundation of services to help businesses implement either the NIST CSF’s 98 cybersecurity controls or NIST 800-171’s 110 controls for defense contractors. Many of the requirements in the NIST frameworks are similar, so it’s not difficult to develop managed services and compliance services that align with both.
- Take time to really understand the healthcare and defense requirements. You don’t need to become an expert, which could take years, but you should be able to speak knowledgeably with prospects and clients. When I started in compliance, I had to blaze a new trail by learning everything and then figuring out what I needed to do as an MSP to help clients. To help you accelerate your success, I developed Semel Systems’ NIST CSF System, HIPAA for Profit, and CMMC Compliance for Profit.
- Reduce your risks and your liability by protecting your MSP business and your investment. Check out my article “MSP Sued! Are You Ready?”
Don’t miss these huge opportunities to differentiate your company, help your clients, and make lots of money.
MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.
