The final version of the US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) program rule was published on October 15, 2024. The 470-page document includes important changes and clarifications to the CMMC proposed rule of December 26, 2023, reflecting hundreds of public comment submissions.
Among the most welcome of these changes for defense industrial base (DIB) suppliers is a reduced assessment burden for External Service Providers (ESPs), a category that can include managed service providers (MSPs), managed security service providers (MSSPs), and cloud service providers (CSPs). An organization seeking certification (OSC) can now include an ESP's services in its own system security plan (SSP) and have them assessed within the OSC's CMMC assessment, rather than the ESP needing an independent CMMC certification.
This article examines these final rule changes and their implications for DIB companies seeking CMMC certification.
How does CMMC define an ESP?
The definition of an ESP remains unchanged in the CMMC final rule. ESPs are “external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization.”
Any third-party vendor that delivers a service impacting the confidentiality, integrity, and/or availability of controlled unclassified information (CUI) shared with an OSC in fulfillment of a DoD contract probably qualifies as an ESP. This can include a wide range of service providers that may participate in an OSC’s cybersecurity program, such as:
- MSPs or MSSPs
- CSPs, including SaaS providers
- IT management or IT support consultants
- Cybersecurity monitoring or incident response specialists
ESPs often play a key part in helping OSCs keep sensitive data and IT services secure. These critical services commonly include data storage, data backup/recovery, firewall management, endpoint security, security information and event management (SIEM), intrusion detection, patch management, and compliance management.
However, not all third-party vendors are defined as ESPs. Importantly:
- Service providers that require only temporary access to an OSC's CMMC environment, such as for network vulnerability assessment, penetration testing, or incident response/forensics engagements, are not considered ESPs and are not deemed to handle CUI for CMMC scoping purposes. The distinguishing factor is the absence of an ongoing service relationship with standing access to the environment.
- Agencies that provide staff augmentation in scenarios where the OSC provides the equipment, facilities, etc. are not considered ESPs and do not require assessment against CMMC requirements.
CMMC's goal is to ensure that ESPs safeguard CUI and security protection data (SPD), such as logs and similar artifacts, from cyber threats in compliance with CMMC requirements alongside their DIB clients, while giving defense suppliers confidence that their outsourced services and the associated data are secure. ESPs can demonstrate compliance either by attaining CMMC Level 2 certification themselves, or by participating in each client OSC's CMMC Level 2 assessment in relation to their role as defined in the OSC's SSP and supporting documentation.
How does CMMC define a CSP?
Per the CMMC final rule, a CSP is defined as an external entity that provides cloud-based computing services to OSCs. These services can include hosted cloud infrastructure (IaaS), platform-as-a-service (PaaS) tools for software development and deployment, browser-based application access (SaaS), and/or cloud storage.
In short, a CSP for CMMC purposes is any third party that provides computing services on a cloud-based platform that stores, processes, and/or transmits CUI or SPD. As noted below, organizations that fit the CMMC definition of a CSP and handle CUI need a FedRAMP Moderate authorization (Authority to Operate, or ATO) or must demonstrate a FedRAMP Moderate equivalent cybersecurity posture per the DoD CIO's equivalency memo of December 21, 2023.
What are the CMMC final rule requirements for ESPs?
The CMMC final rule clarifies the circumstances under which an ESP needs to independently meet DoD requirements, and when its services can be assessed as part of the OSC’s assessment scope. These are the key points to know:
- CSPs are a special case among ESPs. Consistent with the existing DFARS clause at 48 CFR 252.204-7012, a CSP that processes, stores, or transmits CUI must meet FedRAMP Moderate (or equivalent) requirements. However, if a CSP handles only SPD and no CUI, its services can be assessed within the OSC's assessment scope.
- For an ESP that is not a CSP, its services can be assessed within the OSC's assessment scope whether it handles CUI, SPD, or both.
The CMMC final rule contains the following chart (Table 4, 32 CFR §170.19(c)(2)(i)) to help you determine the requirements that pertain to your ESPs:
| When the ESP processes, stores, or transmits: | When utilizing an ESP that is a CSP: | When utilizing an ESP that is not a CSP: |
|---|---|---|
| CUI (with or without SPD) | The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012. | The services provided by the ESP are in the contractor's assessment scope and shall be assessed as part of the contractor's assessment. |
| SPD (without CUI) | The services provided by the CSP are in the contractor's assessment scope and shall be assessed as Security Protection Assets. | The services provided by the ESP are in the contractor's assessment scope and shall be assessed as Security Protection Assets. |
| Neither CUI nor SPD | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP. | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP. |
In many cases, these changes will significantly reduce the cost and effort for an OSC and its ESPs to demonstrate CMMC compliance and achieve certification. As a first step in establishing compliance with CMMC controls, OSCs should systematically inventory every vendor that might handle CUI or SPD and document what data flows to each, in which direction, and by what means. That data-flow record determines which row and column of the table above applies to each provider.
Do in-scope ESPs need to achieve CMMC Level 2 certification?
To help lower costs and enable more vendors to serve OSCs, the CMMC final rule does not require ESPs that handle CUI to attain their own CMMC Level 2 certification. But if CUI flows from the OSC to the ESP, the ESP's services are in scope for the OSC's CMMC Level 2 assessment. This places responsibility for the ESP's CMMC compliance squarely on the OSC.
Likewise, if an ESP handles only SPD and/or delivers services (including cloud services) that qualify as Security Protection Assets (SPAs), such as multifactor authentication, SIEM, or antivirus/anti-malware, those services are in scope for the OSC's CMMC assessment.
What does it mean for an ESP to be part of an OSC's CMMC assessment? In short, the ESP and OSC must collectively demonstrate to the assessors that the NIST SP 800-171 controls applicable to the services involved are implemented and operating. In practice this means the OSC's SSP must spell out which controls the ESP is responsible for, and the ESP must be able to produce evidence for those controls during the OSC's assessment.
For ESPs with only one or a few DIB clients, participating in each client’s CMMC assessment might not be overly burdensome. But ESPs with many defense clients are probably better served by achieving their own CMMC Level 2 certification—especially since it is a competitive differentiator by virtue of simplifying compliance for all involved.
What is the takeaway on this topic for OSCs? Sanjeev Verma, Chairman and co-founder at PreVeil, states: “Careful design of your CMMC program to minimize the exposure from ESPs and minimize the access they have is the prudent thing to do.”
What about VDI services?
A related area the CMMC final rule also clarifies is scoping for virtual desktop infrastructure (VDI). An endpoint that hosts a VDI client configured so that nothing beyond keyboard, video, and mouse traffic is exchanged with the VDI, with no CUI processed, stored, or transmitted locally, can be treated as out of scope for CMMC assessment.
However, the VDI infrastructure itself, which is often cloud-based, is in scope and must fully comply with CMMC, including the endpoint controls that apply to the virtual desktops.
This rationalization simplifies CMMC compliance by taking properly configured host computers/endpoints that access VDI out of scope. But the VDI service and the associated OSC infrastructure remain in scope.
Take the case where an ESP uses an OSC's VDI environment to access CUI and/or SPD. The computer the ESP uses to reach the VDI is out of scope for CMMC, provided it is locked down to KVM-only access as described above. But the ESP itself is still part of the assessment. Likewise, if CUI or SPD is taken out of the VDI and processed on another workstation, that endpoint is in scope for CMMC.
What’s next?
For more guidance on this topic, listen to Episode 145 of The Virtual CISO Podcast with guest Sanjeev Verma, Chairman and co-founder at PreVeil.