Improving Cybersecurity of Managed Service Providers

Current Status

We have released a draft project description, Improving Cybersecurity of Managed Service Providers. The public comment period closed on November 8, 2019, and the comments received are now being reviewed.

For questions or to join the Community of Interest, please email



Many small and medium-sized businesses use managed service providers (MSPs) to remotely manage their organization’s IT infrastructure, cybersecurity, and related business operations. As a result, MSPs have become an attractive target for cyber criminals. When an MSP is vulnerable to a cyber attack, the small and medium-sized businesses it supports become more vulnerable as well. This project will provide guidance to MSPs on how to improve cybersecurity by implementing a secure IT architecture that reduces vulnerabilities to attacks such as ransomware.

This project will also provide MSPs with informed guidance that will enable them to adopt cybersecurity technologies and techniques that result in better security for themselves and their small and medium-sized business (SMB) customers. The goal of this project is to provide a cybersecurity reference model that MSPs can customize to fit their cybersecurity program needs. In the laboratory, the NCCoE will build one or more standards-based, modular, end-to-end example solutions that will address a set of cybersecurity challenges aligned to the NIST Cybersecurity Framework v1.1. The approach may include architectural model definition, logical design, build development, test and evaluation, and security control mapping.

This project will result in a publicly available NIST Cybersecurity Practice Guide, a detailed implementation guide of the practical steps needed to implement a cybersecurity reference architecture model that addresses the challenge.