No business or organization wants to be the victim of a cybersecurity attack. Adversaries target organizations of all sizes and in every industry, so cyber security is not just a large business problem. They often try to breach an organization’s systems through weak spots or entry points outside the direct control of organizations, such as via third-party vendors. Therefore, it’s no longer enough for organizations to secure their data and information systems; they must also encourage enhanced cybersecurity practices of their managed service providers (MSPs).


To help mitigate these risks, the Cybersecurity and Infrastructure Security Agency (CISA) released a new CISA Insights titled, Risk Considerations for Managed Service Provider Customers. This resource provides a framework that government and private sector organizations (to include small and medium-sized businesses) outsourcing some level of IT support to MSPs can use to better mitigate against third-party risk. The framework includes best practices and considerations from the National Institute of Standards and Technology and other authoritative sources with guidance geared to the three main organizational levels that play a role in reducing overall risk:

  1. Senior executives and boards of directors
  2. Procurement professionals
  3. Network administrators, systems administrators, and front-line cybersecurity staff


The bottom line is that outsourcing IT services provides both increased benefits and risks to an organization. Key responsible individuals should take a step back to look at the security practices in place across their enterprise to answer:

  • Who is responsible for security and operations when outsourcing IT services to an MSP?
  • What are the most critical assets that we must protect, and how do we protect them?
  • What should an MSP provide to an organization in advance of a contract award to demonstrate security controls in place?
  • What network and system access levels are appropriate for third-party service providers?


It will require effort and time upfront for an organization to review its security practices and answer these types of questions. But, in the long run, it will help them spot pockets of risk from third-party vendors and improve their overall security and resilience.


To read/download this resource, visit: CISA.gov/publication/risk-considerations-msp-customers


For supply chain, risk management information and resources, visit: CISA.gov/ict-supply-chain-library