CISA Reminds of Risks Connected to Managed Service Providers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidelines for government and private organizations to take into consideration when looking to outsource services to a Managed Service Provider (MSP).

Titled Risk Considerations for Managed Service Provider Customers, CISA’s new guidance is aimed at three decision-making groups: senior executives and boards of directors, procurement professionals, and network/system administrators and front-line cybersecurity staff.

The document includes best practices and considerations from various authoritative sources, such as the National Institute of Standards and Technology (NIST), for organizations to review their security practices and make sure they are prepared to prevent cyberattacks.

CISA explains that executives have their own risk management responsibilities and should maintain awareness of the systems and technologies in use within their organizations. They should also understand the risks associated with the loss of systems, data, productivity and customer confidence, as well as the costs associated with fines and other regulatory costs.

Executives, along with staff involved in procurement, should analyze the benefits of outsourcing against enterprise risks, and should make sure that both the customer and the vendor share responsibilities when it comes to faults or failures that may impact operations and affect customers.

“In order to minimize such disruptions when outsourcing IT services, organizations can define roles and responsibilities in a vendor agreement using the Shared Responsibility Model, which articulates the vendor’s responsibilities, the customer’s responsibilities, and any responsibilities shared by both parties,” the agency notes.

Organizations should develop an enterprise cybersecurity risk management plan that takes into account the potential risks associated with using IT services provided by an MSP. Small and medium-sized businesses (SMBs) that may not be able to implement such a plan should still catalog critical assets and assess the risks to those assets, to prioritize their inclusion in vendor agreements and develop contingency plans for incidents that affect them.

A requirements management process, CISA says, should coordinate across functional areas to ensure performance, reliability, and security. Individuals in procurement roles should create and maintain a list of requirements that should include “considerations for security, operational continuity, and other core business functions,” CISA notes. Organizations should vet potential MSPs based on these requirements.

The agency also recommends that organizations make specific demands of an MSP before signing an agreement, including, among others, confirmation that the individual signing for the MSP is responsible for the security of the service, details of incident management and remediation capabilities, and an explanation of how data from different customers is separated on the MSP's network.

Employees responsible for monitoring and managing an MSP's activity should set policies on the access level that any third-party vendor enjoys, and organizations are encouraged to continuously re-evaluate access requirements. When possible, privilege and access levels should be defined prior to signing a contract, to make sure the vendor can meet service requirements.

Furthermore, organizations are advised to maintain offsite backups of essential records and network logs, to help with recovery in the event of an incident at the MSP and to authenticate vendor activity. Per NIST’s recommendations, businesses should include vendors such as MSPs in their incident response plans and should regularly update those plans.

“NIST also recommends organizations and vendors establish clear protocols for vulnerability disclosure, incident notification, and communication with any external stakeholders during an incident. Organizations and vendors should also establish clear authorization protocols for threat hunting and incident response procedures on customer networks,” CISA notes.

SMBs that outsource IT services to an MSP, seeking increased efficiency and cost savings, should maintain full control of access to their systems, should be aware of vendor access, and should keep network logs, as well as offsite backups of all critical data, the agency says.

Written by Ionut Arghire, international correspondent for SecurityWeek.
