Choosing an MSP is hard. Let us help make that choice easier.
What Makes Us Different?
We believe in honesty and transparency. The National Defense Information Sharing and Analysis Center offers a series of questions for Defense Industrial Base (DIB) contractors to ask potential MSPs, to get an idea of their maturity and how they'll handle your data. We're putting our answers to these questions out here publicly, not just for those in the Defense Industrial Base, but for everyone to see.
1 – Are you familiar with NIST 800-171, DFARS 7012, and CMMC?
We have been working with federally regulated verticals since our inception in 2015 - we're quite familiar with NIST 800-171, NIST 800-53, DFARS 7012, and CMMC. We're looking to get CMMC certified ourselves, and are willing to accept a DFARS 7012 flowdown from your contracts into our own.
2 – To which security framework do you align?
We align our systems to NIST 800-171, and our clients to NIST CSF, unless there are additional compliance requirements.
3 – Do you have a Customer Responsibility Matrix (CRM)?
We do! We build out a customized responsibility matrix for each client we onboard, as there are different requirements for different industries!
4 – Are all people working for your company U.S. Persons?
Yes! Due to our work in the compliance verticals, we only employ US Persons, and utilize third-party contractors who do the same.
5 – If any of my data is stored on your information systems, where are those systems geolocated?
While all of our information systems are located within the Continental United States, we do not store any of our clients' data in our systems.
6 – Where does my data exist in your environment?
Your data does not exist in our environment. All of your data is owned by you!
7 – What is your data retention policy?
We retain data for our clients who do not need to meet compliance standards for 5 years. For those that have federally regulated compliance requirements, we store data for 10 years.
8 – Is MFA enforced for administrator access? For Remote Access? For applications?
Multi-Factor Authentication through FIDO2 hardware tokens is utilized on all available systems, including when accessing our desktops and laptops. There are no exceptions to this.
9 – How does your team access my environment?
For our customers who are not federally regulated, we utilize Datto RMM. For clients in GCC environments, we require Intune Remote Access licensing, and for GCC High environments, we only provide remote access through secured bastion terminals into the client's secure enclave.
10 – Do you outsource anything to subcontractors?
Sometimes we do outsource project work to subcontractors, and when we do, they're vetted and background checked. Additionally, we ensure that third-party companies (for cabling, etc.) only hire US persons, and utilize equipment (security cameras, door lock systems, etc.) that is not on the US Government Ban List for our compliance customers.
11 – Do you have a Security Operation Center (SOC) or Security Information and Event Management (SIEM)?
Yes, if necessary, we implement Azure Sentinel within a customer environment, and we currently utilize a security operations center for all of our commercial clients.
12 – What internal governing policies does the MSP have in place?
We follow the NIST 800 series for guidance on internal policies and adhere to the CMMC Code of Conduct.
13 – What risk assessment are you performing on tools that you add to your environment that support my organization?
Again, the customer owns the tools and the resultant risk assessments. Most of them are cloud tools where the risks are mitigated by the SaaS providers. We use Greenbone Security Manager as a vulnerability scanner for environments if necessary.
14 – How do you manage our passwords?
We utilize password management systems (like Keeper, or Keepass) and will not store your passwords anywhere else. While we do utilize documentation systems like Hudu, Passportal or ITGlue, we do not store any client passwords in that system.
15 – Do you perform Incident Response support for our systems?
Yes, that is included with even our most basic Managed IT and Security Services plan.
16 – What is your company’s (the MSP’s) Incident Response Plan?
We follow internally, and practice for our customers, the NIST 800-61 Incident Handling guide.
17 – Can you expand on your hiring and termination practices?
We only hire US citizens that successfully pass a background check.
18 – Can you tell me about your ideal client?
We're currently looking for clients who are 15 to 100 employees in size, in one of the following verticals: Automotive Dealers, Manufacturing (including Defense Industrial Base Manufacturers), Financial Services, and Healthcare.
19 – Will you share your SSP with me?
Yes, once we sign a mutual non-disclosure agreement, we will share our SSP with you.
20 – Are you a reseller of services, or provide direct?
We are a software reseller and provide direct services to our customers for the products we resell.
21 – Do you carry cyber insurance?
Of course!
22 – [If supplying hardware/network infrastructure] Is the product FIPS-Validated?
We offer FIPS Validated hardware, however the final decision is ultimately that of our clients.
23 – Is your company familiar (and compliant) with FAR Rule Section 889, the National Defense Authorization Act for Fiscal Year 2020 (NDAA 2020) and the prohibited vendor list?
Yes, we are familiar. We also do not utilize, nor do our contractors utilize any vendors from the prohibited vendor list.
24 – Has your company undergone any audits or assessments, and what was the result?
We have not, but we are currently working to achieve CMMC Maturity Level 2.
25 – How long have you been in business?
We first opened in July of 2015!
26 – Can you share references?
Absolutely.
27 – Is the MSP's DUNS number (or UEI) on D&B or SAM.gov?
Yes, it is! You can find us on both Dun & Bradstreet as well as sam.gov! We will provide our D-U-N-S number as well as our SAM.gov UEID upon request.
28 – Have you changed ownership or management in the last 12 months?
No, we have been under the same ownership/management since our start in July of 2015!