Trends in Tech: Why MSPs and MSSPs Should Be Separate Entities: An In-depth Analysis Based on NIST Guidelines

August 7, 2023

by Jason Caras, CEO

In the realm of IT, ensuring the security and integrity of systems is paramount. The National Institute of Standards and Technology (NIST), a beacon of standardization and guidance in the technology world, has given clear directives on best practices that lead to the most secure environments. One of its significant recommendations, which has reverberated across the IT industry, pertains to the separation of duties within an IT ecosystem.

According to NIST 800-171 and CMMC L2, there is a pointed requirement (AC.L2-3.1.4) to “Separate the duties of individuals to reduce the risk of malevolent activity without collusion.” This is particularly pertinent when dealing with roles like the system owner, system security officer, and system administrator.

The Fox Guarding the Hen House

Drawing from this directive, a critical insight emerges: Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) ought to be different entities altogether. Think of it this way: if the same organization that manages your everyday IT infrastructure also oversees its security, isn’t that akin to “the fox guarding the hen house”?

The Ideal Collaboration: Integrating MSP and MSSP

The true hallmark of a great MSP is its ability to serve as the single point of contact while also seamlessly integrating with an MSSP. This collaboration is built around well-structured internal processes that encompass ticket sharing, efficient escalation methodologies, and correlating root causes.

Such an integrated approach ensures clients experience the best of both worlds:

  • They have a dedicated team (the MSP) overseeing the regular IT infrastructure and operations.
  • At the same time, they benefit from a specialized entity (the MSSP) dedicated to ensuring the highest level of security, all while maintaining streamlined communication and processes.

This tight integration and collaboration mean that clients don’t have to sacrifice the convenience of having a single point of contact for the specialized benefits of both an MSP and an MSSP.

Implications of Merging MSP and MSSP Roles

Companies that combine MSP and MSSP roles under a single umbrella are inadvertently setting a potentially risky precedent. Here are some ramifications of such a merger:

  • False Security: Customers might believe they are acquiring a comprehensive solution that encompasses both management and security. However, in reality, they are investing in an organization that may lack the necessary detachment to scrutinize and challenge its own processes and systems critically.
  • Industry Cannibalization: When companies promote themselves as an MSP/MSSP combination, they aren’t just misleading clients; they’re eating into the very fabric of the industry. Profits diminish, and the essence of specialization that differentiates MSPs from MSSPs erodes, leading to potential service quality degradation.
  • Dilution of Expertise: Fusing MSP and MSSP roles may lead to a dilution of expertise. Separate entities ensure that each has a razor-sharp focus on its domain, whether it’s system management or security.

IT Authorities: Upholding the NIST Vision

At IT Authorities, we’ve always recognized the importance of clarity, specialization, and the separation of roles. We understand the delicate balance needed to manage IT infrastructures and the equally intricate nuances involved in securing them. Our commitment is to be transparent stewards of our clients’ trust, ensuring they are equipped with the best, most specialized services.

In conclusion, while the allure of a one-stop-shop solution might seem appealing, customers must be educated about the potential pitfalls. It’s essential to have separate guards and watchmen: one to ensure the operations run smoothly and another to ensure those operations are secure. Anything less compromises not just the customer but the entire industry’s future.




IT Authorities Professional Services customer projects include:

      • Network design, configuration, implementation and installation of new hardware and software.

      • Network architecture

      • System infrastructure

      • Network security and cyber security

      • Network refresh

      • On-site implementation and maintenance

      • Creating new environments to support hybrid, remote and in-person work spaces

      • Utilizing new hardware from Palo Alto and Cisco Meraki to support secure environments

      • Email migrations to O365

      • Cloud solutions migrating infrastructure and systems to Azure and AWS

      • Implementing Intune Best Practices

      • Implementing endpoint security for today’s mobile workforce

      • Defining and Implementing Intune solutions (Microsoft Endpoint Manager)

    To schedule an assessment of your network requirements, contact us.

    About Our Professional Services Team: Modernize your infrastructure for a more agile, reliable, and stress-free workplace.

    Since 2006, our technology service professionals have been simplifying IT with proven methodologies that reduce risk and delays. With our guidance, you’ll be able to choose the right technologies according to your organization’s budget and needs. Contact our team to start seeing tangible results that align with your business priorities.


    #ITAuthorities is a #WidePoint company.


    For a financial customer, IT Authorities and our partner, CyberSafe Solutions, deployed comprehensive managed services and implemented real-time continuous security monitoring services on a tight deadline
