The new rule addresses the use of External Service Providers (ESPs) with several key updates and clarifications:
1. Reduced Assessment Requirements: ESPs that are not Cloud Service Providers (CSPs) and do not process, store, or transmit Controlled Unclassified Information (CUI) do not require a CMMC assessment or certification. Services provided by such ESPs are included in the Organization Seeking Assessment’s (OSA) assessment scope.
2. Narrowed Definition of CSP: The definition of CSP has been narrowed and is now based on NIST SP 800-145 (September 2011), providing clearer guidelines on what constitutes a CSP and the associated requirements.
3. FedRAMP Equivalency: References to FedRAMP equivalency have been tied to DoD policy. CSPs that process, store, or transmit CUI must meet FedRAMP Moderate Baseline standards or equivalent requirements as defined in DoD policy.
4. Clarified Requirements for CSPs at Level 3: CSPs must meet the FedRAMP Moderate Baseline or equivalent requirements if they process, store, or transmit CUI for an OSA seeking a CMMC Status of Level 3 (DIBCAC).
5. Documentation in System Security Plan (SSP): The use of an ESP, its relationship to the OSA, and the services provided must be documented in the OSA’s SSP, with those services also described in the ESP’s service description and Customer Responsibility Matrix (CRM).
6. Assessment Scope: When ESPs that are not CSPs process, store, or transmit CUI, a CMMC assessment is required to verify compliance with requirements for safeguarding CUI. Any ESP services used to meet OSA requirements are within the scope of the OSA’s CMMC assessment.
7. Voluntary Assessments for ESPs: ESPs that are not CSPs may voluntarily request a C3PAO assessment to demonstrate their compliance independently.
8. Internal ESPs: An ESP that provides staff augmentation, where the OSA provides all processes, technology, and facilities, does not need a CMMC assessment. Alternatively, an ESP can be part of the same organizational structure but still be external to the OSA, such as a centralized Security Operations Center (SOC) or Network Operations Center (NOC) that supports multiple business units.
9. VDI Clients: The rule clarifies the requirements around the use of Virtual Desktop Infrastructure (VDI) clients, ensuring their use aligns with CMMC requirements.
10. Conflict of Interest: The rule expands the cooling-off period for the CMMC Accreditation Body to one year and bounds the timeframe between consulting and assessing for the CMMC Ecosystem to three years, addressing potential conflicts of interest when using ESPs for consulting and assessment services.
These updates aim to streamline the use of ESPs, ensure that ESPs meet the necessary cybersecurity standards, and reduce the burden on companies seeking CMMC certification.