What’s New — ESP / MSP / MSSP Guidance:
ESP / MSP / MSSP Guidance (CMMC 2.0 / Final Rule Update)
- The DoD now formally defines External Service Providers (ESPs), a category that includes MSPs, MSSPs and CSPs, as any third party that provides IT or cybersecurity services on behalf of a contractor.
- Importantly, not every ESP is required to hold its own CMMC certification. Whether an ESP must be certified depends on whether it processes, stores or transmits CUI (or handles other sensitive data) on behalf of the contractor.
- If the ESP only provides supporting security functions (e.g., monitoring, patch management, SIEM, logging) and does not itself host or process CUI, the contractor may include those services in its own assessment; no separate certification is needed.
- MSPs/MSSPs that do host, process or transmit CUI (or whose services are integral to CUI handling) must be included in the contractor's assessment scope and assessed to the appropriate level (typically Level 2).
- Cloud-based service providers (CSPs) that host CUI must meet the FedRAMP Moderate (or equivalent) baseline; CSPs that provide only security services for environments hosting CUI may be scoped under the contractor's assessment.
- For contractors using Virtual Desktop Infrastructure (VDI) architectures, a remote endpoint that only connects to a secure enclave, and does not itself process, store or transmit CUI, may now be considered out of scope.
What this means for subcontractors and suppliers: Contractors must determine and document whether each third-party provider they use (ESP, MSP, MSSP, CSP) touches CUI or provides security protection assets for CUI-related systems. That determination drives whether the provider must be assessed separately or simply included in the contractor's environment scope.
Why This Matters (And Why You Should Act Now)
- Many small and mid-sized DIB contractors rely on third-party MSPs or MSSPs for IT operations. The clarified ESP definitions and scope rules give them flexibility: compliance does not necessarily require certifying every MSP separately, which reduces cost and overhead.
- At the same time, if your MSP/MSSP or CSP handles CUI or hosts sensitive systems, you must ensure that it meets the required CMMC level and that its systems are included in your compliance scope. Otherwise, you risk non-compliance at contract award or audit.
- As a consultant / MSSP / RPO (like you are with AG Grace), this creates an opportunity: you can help clients map their third-party relationships, determine scope, document responsibilities (Customer Responsibility Matrices / SSPs / Shared-Responsibility Matrices), and ensure compliance, without forcing all MSPs to certify.
- It also means that many MSPs may voluntarily seek certification, or at least build compliant service offerings, making them more attractive to DoD contractors.
The new rule addresses the use of External Service Providers (ESPs) with several key updates and clarifications:
1. Reduced Assessment Requirements: ESPs that are not Cloud Service Providers (CSPs) and do not process, store, or transmit Controlled Unclassified Information (CUI) do not require a CMMC assessment or certification.
Services provided by such ESPs are included in the Organization Seeking Assessment’s (OSA) assessment scope.
2. Narrowed Definition of CSP: The definition of CSP has been narrowed and is now based on NIST SP 800-145 (September 2011), providing clearer guidelines on what constitutes a CSP and the associated requirements.
3. FedRAMP Equivalency: References to FedRAMP equivalency have been tied to DoD policy.
CSPs that process, store, or transmit CUI must meet FedRAMP Moderate Baseline standards or equivalent requirements as defined in DoD policy.
4. Clarified Requirements for CSPs at Level 3: CSPs must meet the FedRAMP Moderate Baseline or equivalent requirements if they process, store, or transmit CUI for an OSA seeking a CMMC Status of Level 3 (DIBCAC).
5. Documentation in System Security Plan (SSP): The use of an ESP, its relationship to the OSA, and the services provided must be documented in the OSA's SSP, including the ESP's service description and Customer Responsibility Matrix (CRM).
6. Assessment Scope: When ESPs that are not CSPs process, store, or transmit CUI, a CMMC assessment is required to verify compliance with requirements for safeguarding CUI.
Any ESP services used to meet OSA requirements are within the scope of the OSA’s CMMC assessment.
7. Voluntary Assessments for ESPs: ESPs that are not CSPs may voluntarily request a C3PAO assessment to demonstrate their compliance independently.
8. Internal ESPs: An ESP that provides staff augmentation, where the OSA provides all processes, technology, and facilities, does not need a CMMC assessment.
Alternatively, an ESP can be part of the same organizational structure but still be external to the OSA, such as a centralized Security Operations Center (SOC) or Network Operations Center (NOC) that supports multiple business units.
9. VDI Clients: The rule clarifies how Virtual Desktop Infrastructure (VDI) clients are treated, so that their use aligns with CMMC requirements.
10. Conflict of Interest: The rule expands the cooling-off period for the CMMC Accreditation Body to one year and bounds the timeframe between consulting and assessing for the CMMC Ecosystem to three years, addressing potential conflicts of interest when using ESPs for consulting and assessment services.
These updates aim to streamline the use of ESPs, ensure that ESPs meet the necessary cybersecurity standards, and reduce the burden on companies seeking CMMC certification.