
The federal government is handing MSPs big opportunities to make money with regulated clients. A new HIPAA law rewards healthcare providers, and the business associates they work with, if they implement the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). A new Department of Defense (DoD) rule requires defense contractors to re-evaluate their cybersecurity if they want new defense contracts or renewals of existing contracts.
Helping healthcare organizations reduce millions of dollars of risk and defense contractors earn millions of dollars in new business is an easy way for MSPs to get past price objections and resistance to cybersecurity.
HIPAA Safe Harbor Law
In January 2021, the HIPAA Safe Harbor law was enacted, providing “safe harbor” for healthcare providers and business associates if they have implemented a government-recognized cybersecurity framework for the previous 12 months. NIST was specifically mentioned. “Safe harbor” means that if the organization can provide evidence of its implementation, it will be rewarded by reduced HIPAA fines and corrective actions if it has a breach or compliance violation. If an organization is selected for a random HIPAA audit, the audit will be immediately terminated once the evidence of NIST CSF implementation for 12 months is validated. This can save a HIPAA-covered entity or business associate millions of dollars.
The HIPAA Safe Harbor law must go through a rulemaking process that may take up to a year before it is fully in effect, but because it looks back 12 months, MSPs have immediate opportunities to help clients now. If MSPs begin implementing the NIST CSF at healthcare providers and business associates, they will be ready to take advantage of the law’s benefits as soon as it takes effect.
CMMC, NIST 800-171, and the DFARS Interim Rule
The Cybersecurity Maturity Model Certification (CMMC) is a hot topic because it requires independent assessments of over 300,000 defense contractors to validate their cybersecurity implementation. Entire businesses will be at risk if they don’t implement the CMMC level (one of five) that their contracts require. The CMMC requirements come from NIST Special Publication 800-171, and some levels add requirements beyond it.
CMMC is rolling out over five years because it necessitates the build-out of a completely new assessment program. It will take time to build out the CMMC Accreditation Body (CMMC-AB), create training materials, train independent assessors, and conduct over 300,000 assessments. A small pilot program is testing the process, but CMMC will not be required in all defense contracts until 2025.