Why Your MSP Is in Scope

The majority of small and mid-sized defense contractors do not maintain a fully staffed internal IT department. They rely on Managed Service Providers to provision, manage, and secure their infrastructure. Under 32 CFR Part 170, these providers are classified as External Service Providers (ESPs), defined as "external people, technology, or facilities that an organization utilizes for the provision and management of IT and/or cybersecurity services on behalf of the organization."

A common misconception among both contractors and their service providers is that an MSP falls outside the CMMC assessment boundary if it does not directly handle CUI. This interpretation is incorrect. The mechanism that brings an MSP into scope is Security Protection Data (SPD). When an MSP deploys a Remote Monitoring and Management tool on a contractor's endpoints, that tool collects configuration data, system logs, patch status, and authentication credentials. None of this is CUI in the traditional sense. It is, however, SPD, and the presence of SPD on the MSP's infrastructure is what brings that provider into the CMMC assessment scope.

The DOD does not draw a distinction between a provider that touches CUI directly and a provider whose tools and infrastructure constitute the defensive perimeter around CUI. Both are in scope. The CMMC Level 2 Scoping Guide classifies ESP tools and services as Security Protection Assets that "provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI."

The practical result is that a contractor's CMMC certification depends, in part, on the compliance posture of every ESP whose tools or services interact with the contractor's assessment boundary. During a C3PAO assessment, the assessment team will examine ESP documentation, evaluate Customer Responsibility Matrices, and may extend the assessment to include a review of ESP-controlled assets. If the ESP cannot demonstrate conformance with the applicable NIST SP 800-171 requirements, the contractor's assessment outcome is directly affected.

The ESP and CSP Distinction

A critical regulatory distinction exists between an External Service Provider and a Cloud Service Provider, and this distinction carries different compliance obligations. Under DFARS 252.204-7012, any cloud service provider used to process, store, or transmit CUI must meet security requirements equivalent to the FedRAMP Moderate baseline. An ESP is a broader category that includes any external provider of IT or cybersecurity services. All CSPs are ESPs, but not all ESPs are CSPs.

Provider Type: Cloud Service Provider (CSP)
Definition: Provider of cloud computing services (SaaS, PaaS, IaaS) meeting the NIST SP 800-145 definition
Compliance Requirement: FedRAMP Moderate authorization or equivalency per DFARS 252.204-7012 and the December 2023 DOD memorandum

Provider Type: Non-CSP External Service Provider
Definition: Provider of on-premises or non-cloud IT/cybersecurity services whose assets process, store, or transmit CUI or SPD
Compliance Requirement: Within the contractor's CMMC assessment scope; assets are assessed as CUI Assets or Security Protection Assets during the C3PAO assessment

The regulatory consequence is that contractors must perform a classification analysis for each external provider. If the provider delivers cloud-based services meeting the NIST SP 800-145 definition, FedRAMP Moderate authorization or equivalency is required. If the provider delivers non-cloud services and its assets process, store, or transmit CUI or SPD, the provider falls within the CMMC assessment scope as an ESP.

FedRAMP Equivalency: A Higher Bar Than Most Providers Claim

The DOD FedRAMP Equivalency Memorandum, dated December 21, 2023, eliminated the ambiguity that previously allowed cloud providers to make unsubstantiated claims about their compliance posture. To be considered equivalent, a Cloud Service Offering must achieve 100 percent compliance with the current FedRAMP Moderate security control baseline through an assessment conducted by a FedRAMP-recognized Third Party Assessment Organization. The memorandum does not permit self-attestation, does not accept internal audits, and does not accept assessments performed by non-recognized organizations.

The memorandum requires that all POA&M items be fully closed before equivalency is recognized. Under standard FedRAMP authorization, an agency may grant an Authority to Operate even with open POA&M items. The DOD equivalency standard does not allow this flexibility. This is, in practical terms, a higher bar than standard FedRAMP authorization.

A vendor's claim that its platform is "built on AWS" or "hosted in Azure Government" does not satisfy this requirement. FedRAMP authorization is granted to a specific Cloud Service Offering, not to every application that runs on an authorized infrastructure. Application-level controls, access management, encryption implementation, audit logging, and incident response capabilities remain the responsibility of the application vendor.

The GRC Platform Trap

One category of cloud-based tools frequently overlooked in this analysis is the Governance, Risk, and Compliance platform. Contractors adopt cloud-hosted GRC tools to manage their CMMC compliance program, including their SSP, POA&M, evidence artifacts, and assessment documentation. These platforms are marketed as compliance enablement tools, and contractors understandably view them as part of the solution rather than part of the compliance problem.

That perception does not align with the regulatory framework. A GRC platform that processes, stores, or transmits Covered Defense Information is a Cloud Service Provider, and DFARS 252.204-7012 requires FedRAMP Moderate equivalency. The evidence artifacts that GRC platforms are designed to collect frequently include screenshots of CUI-handling systems, Active Directory exports showing CUI access, configuration exports from in-scope systems, vulnerability scan results, and audit log samples. Each of these either contains CUI directly or contains information that would enable an adversary to identify and exploit the contractor's CUI environment.

The SSP itself reinforces this conclusion. It is a detailed technical description of the contractor's security architecture, including network topology with IP addressing, asset inventories, data flow diagrams, and the specific implementation details for each of the 110 security requirements. Treating the SSP as something other than CDI requires ignoring the operational reality of what the document contains. As noted in the SPRS score accuracy analysis, data stored in a standard commercial platform is not protected by attorney-client privilege and is fully discoverable.

The Customer Responsibility Matrix

The CMMC program demands a more specific approach than the informal shared-responsibility models that have historically governed MSP relationships. A Customer Responsibility Matrix maps each of the 110 NIST SP 800-171 requirements to one of three designations: implemented by the ESP, implemented by the contractor, or shared with defined responsibilities for each party. The CRM is not optional. 32 CFR § 170.19(c)(2)(ii) requires that the use of an ESP, its relationship to the contractor, and the services provided be documented in the contractor's SSP and described in the ESP's CRM.

During a C3PAO assessment, the team will examine the CRM to determine whether each control has been assigned to a responsible party, whether the responsible party has actually implemented the control, and whether evidence supports the implementation claim. If the CRM assigns a control to the ESP and the ESP cannot produce evidence of implementation, the control is scored as not met in the contractor's assessment.
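One way to apply the CRM logic described above mechanically, as an added example (Python, written for this page and not taken from any ESP's or assessor's tooling); the control ids, row layout and sample rows are constructed for illustration:

```python
from dataclasses import dataclass

DESIGNATIONS = {"ESP", "Contractor", "Shared"}  # the three designations a CRM uses


@dataclass
class CrmRow:
    control: str                       # NIST SP 800-171 requirement id, e.g. "3.1.1"
    designation: str                   # "ESP", "Contractor" or "Shared"
    esp_evidence: bool = False         # ESP can produce implementation evidence
    contractor_evidence: bool = False  # contractor can produce implementation evidence
    shared_split: str = ""             # Shared rows: what each party is responsible for


def row_findings(row: CrmRow) -> list[str]:
    """Findings an assessor would raise for one CRM row (empty list means met)."""
    if row.designation not in DESIGNATIONS:
        return [f"{row.control}: unknown designation '{row.designation}'"]
    f = []
    if row.designation == "ESP" and not row.esp_evidence:
        f.append(f"{row.control}: assigned to ESP, no ESP evidence -> not met")
    if row.designation == "Contractor" and not row.contractor_evidence:
        f.append(f"{row.control}: assigned to contractor, no evidence -> not met")
    if row.designation == "Shared":
        if not row.shared_split.strip():
            f.append(f"{row.control}: shared but responsibilities not defined")
        if not (row.esp_evidence and row.contractor_evidence):
            f.append(f"{row.control}: shared, a party lacks evidence -> not met")
    return f


def assess_crm(rows: list[CrmRow], required: list[str]) -> dict[str, list[str]]:
    """Map each required control id to its findings; a control absent from the CRM is itself a finding."""
    by_id = {r.control: r for r in rows}
    return {cid: row_findings(by_id[cid]) if cid in by_id else [f"{cid}: not present in CRM"]
            for cid in required}


def not_met(report: dict[str, list[str]]) -> list[str]:
    """Control ids that would score as not met in the contractor's assessment."""
    return [cid for cid, findings in report.items() if findings]


# Constructed sample slice of a CRM (five of the 110 requirements), not any real ESP's matrix.
SAMPLE_REQUIRED = ["3.1.1", "3.3.1", "3.4.1", "3.6.2", "3.13.1"]
SAMPLE_ROWS = [
    CrmRow("3.1.1", "Shared", True, True, "ESP provisions accounts; contractor approves access"),
    CrmRow("3.3.1", "ESP", esp_evidence=False),  # logging claimed via RMM tool, no evidence produced
    CrmRow("3.4.1", "ESP", esp_evidence=True),
    CrmRow("3.6.2", "Shared", True, False, ""),  # split undefined, contractor evidence missing
]

if __name__ == "__main__":
    for cid, findings in assess_crm(SAMPLE_ROWS, SAMPLE_REQUIRED).items():
        print(cid, "met" if not findings else "; ".join(findings))
```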

The Certification Question

Under the final rule published in October 2024, ESPs are not required to obtain their own CMMC certification. This change was welcomed by many MSPs and their clients, but its practical implications are more nuanced than the headline suggests. The removal of mandatory ESP certification did not remove the ESP from the contractor's assessment scope. The final rule states that services provided by an ESP are within the contractor's assessment scope and shall be included in the contractor's assessment.

An ESP that has independently achieved CMMC Level 2 certification provides a significant advantage: the C3PAO assessment team can accept the existing certification rather than conducting a separate evaluation of ESP assets during the contractor's assessment. This reduces assessment duration, cost, and risk. If the ESP has not achieved certification, the contractor accepts the operational risk that any ESP deficiencies will become findings against the contractor.

False Claims Act Exposure Through ESP Deficiencies

When the Affirming Official signs the annual SPRS affirmation under 32 CFR § 170.22, that official is attesting to the compliance of the entire system boundary, including all in-scope ESP assets. If the contractor's SSP documents an ESP as providing specific security controls through the CRM, and the ESP has not actually implemented those controls, the contractor's SPRS score does not accurately reflect its compliance posture. The affirmation contains a misrepresentation.

The False Claims Act framework does not require intent to defraud. Relying on an ESP's assurance that it meets CMMC requirements, without independent verification, creates precisely the kind of exposure that the "should have known" standard is designed to capture. The qui tam provisions create additional risk, as internal IT staff, compliance officers, and security personnel at both the contractor and the ESP are well-positioned to identify gaps between stated affirmations and actual implementation.

Questions for Contractor Leadership

The following questions represent the information a C3PAO assessment team will seek and the areas where ESP deficiencies most commonly lead to assessment findings.

ESP Classification: Has each external provider been classified as a CSP, non-CSP ESP, or out of scope, with supporting documentation?

CRM Availability: Does the organization possess a current Customer Responsibility Matrix from each in-scope ESP that maps responsibilities at the individual control level?

FedRAMP Compliance: For each CSP hosting CUI, can the organization produce a current SSP, SAP, SAR from a FedRAMP-recognized 3PAO, and closed POA&M documentation?

ESP Certification: Has the ESP independently achieved CMMC certification, or will its assets be assessed during the contractor's assessment?

Evidence Availability: Can the ESP produce evidence of implementation for every control assigned to it in the CRM?

Contractual Protections: Do current agreements require the ESP to maintain CMMC-aligned practices, cooperate with assessments, and notify the contractor of material changes?

Incident Reporting: Is the ESP contractually obligated to notify the contractor of incidents in timeframes that support the 72-hour DOD reporting obligation?

Download the Full White Paper

Includes the complete regulatory analysis with 32 CFR Part 170 citations, the FedRAMP Equivalency Memorandum requirements, Security Protection Asset scoping logic, illustrative Customer Responsibility Matrix, and full reference list.
