The Defense Compliance Report — CMMC 2.0 & the Defense Industrial Base

The Defense Compliance Report — independent trade publication on CMMC 2.0 and DIB compliance

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified:

CMMC Cloud Service Provider Requirements: CSP, ESP, and FedRAMP Rules, Explained

Bottom line up front

The CMMC cloud service provider requirements come down to one question — what does the provider actually touch? If a cloud service provider (CSP) stores, processes, or transmits Controlled Unclassified Information (CUI), the contractor must require and ensure that cloud meets security requirements equivalent to the FedRAMP Moderate baseline — either FedRAMP Authorized at Moderate or higher on the FedRAMP Marketplace (now called FedRAMP Certified — Class C under the June 25, 2026 Consolidated Rules for 2026), or an equivalent standard demonstrated by a complete Body of Evidence from a FedRAMP-recognized third-party assessor. If the cloud handles only Security Protection Data and not CUI, FedRAMP does not apply — but the cloud is in your CMMC assessment scope as a Security Protection Asset. If the provider handles neither, it generally isn’t a CMMC ESP.

That’s the whole rule in three sentences. Everything else on this page is about the traps hiding inside it — because the words “CMMC compliant cloud” that your vendor put in a sales deck are not the requirement, and mistaking one for the other is how contractors fail a scoping review or overspend on cloud they didn’t need.

The 2026 FedRAMP rename — why this matters now: On June 25, 2026, FedRAMP launched its Consolidated Rules for 2026 (CR26), which renamed the very label this rule depends on. The former “FedRAMP Moderate Authorized” is now expressed as “FedRAMP Certified — Class C.” The security bar for CUI did not change; the labels and the process did. A 2026 vendor claim can use new words for the same requirement — and a stale reader can misread it in both directions. This page uses both the legacy and current terminology so you recognize either.

This is for you if you’re a DIB prime, subcontractor, IT director, compliance lead, vCISO, FSO, or CEO of a small defense supplier trying to figure out whether your cloud, SaaS, MSP, MSSP, backup, email, or security tool will survive a CMMC Level 2 assessment — before you migrate, buy, or schedule anything.

This is not for you if you’re looking for a step-by-step SSP writing tutorial or a line-by-line NIST SP 800-171 control walkthrough. We link to those. This page does one job: it tells you which requirement attaches to which kind of provider, who has to prove it, and what to collect.

What we actually verified for this guide

We read the primary sources, not summaries of them, and dated each check:

This is educational research, not legal, contractual, or compliance advice. Last reviewed: .

CMMC cloud service provider requirements at a glance

The CMMC cloud service provider requirements depend on two facts: whether the provider is a CSP or a non-cloud ESP, and whether it handles CUI, Security Protection Data (SPD), both, or neither. A CSP that handles CUI must be FedRAMP Moderate authorized (Class C) or FedRAMP Moderate equivalent under DFARS 252.204-7012. A CSP or ESP that handles only SPD is assessed inside your CMMC scope as a Security Protection Asset. A provider that handles neither CUI nor SPD is generally not an ESP at all.

Here’s the four-line version. If you only read one thing, read this.

CMMC cloud provider requirement by situation — source: DFARS 252.204-7012; 32 CFR § 170.19

| Your situation | The requirement | Source |
|---|---|---|
| Cloud provider (CSP) stores/processes/transmits CUI | Must be FedRAMP Moderate Authorized (Class C) or FedRAMP Moderate equivalent | DFARS 252.204-7012; 32 CFR § 170.19 |
| Non-cloud ESP (e.g., an MSP) handles your CUI | Assessed as part of your CMMC assessment — the ESP does not need its own certification first | 32 CFR § 170.19; CMMC FAQ v5, E-Q3 |
| CSP or ESP handles Security Protection Data only (logs/config), no CUI | Assessed in your scope as a Security Protection Asset — CMMC requirements apply, not FedRAMP | 32 CFR § 170.19; CMMC L2 Scoping Guide |
| Provider touches neither CUI nor SPD and protects no CUI asset | Generally not an ESP under CMMC — but document why | 32 CFR § 170.19 |

Before you request a single quote, run each cloud, SaaS, or managed-service provider through the full matrix in the next section. It takes about two minutes per provider and tells you the exact requirement, who’s responsible, and what evidence to collect.


The full CMMC Cloud Provider Requirement Matrix

This is the classification most contractors are missing. Find the row that matches your provider. Each row tells you what standard applies, whether the provider needs its own certification, what evidence to collect, and the mistake we see most often. Built from 32 CFR § 170.19, DFARS 252.204-7012, CMMC FAQ v5, and the December 2023 equivalency memo.

CMMC cloud provider classification matrix — source: 32 CFR § 170.19; DFARS 252.204-7012; CMMC FAQ v5

| Provider scenario | What it touches | Provider type | Requirement triggered | Own CMMC cert? | Evidence to request | Most common mistake |
|---|---|---|---|---|---|---|
| SaaS, IaaS, PaaS, file-sharing, backup, email, or collaboration tool stores/processes/transmits CUI | CUI (± SPD) | CSP | FedRAMP Moderate Authorized (Class C) or equivalent (DFARS 7012) | Usually no — but CSP evidence must support your assessment | Marketplace listing or equivalency Body of Evidence; service boundary; CRM; SSP mapping; incident-reporting support | Chasing a “CMMC-compliant cloud” instead of FedRAMP Moderate/equivalency |
| A FedRAMP Moderate (or higher) Authorized cloud offering handles CUI | CUI | CSP | The existing authorization covers the CSP’s controls if the exact offering and boundary are covered | No separate CSP cert required | Marketplace package ID; authorization boundary; CRM; inherited-vs-customer controls | Assuming every product from that vendor is covered by one authorization |
| A cloud offering not on the Marketplace claims “FedRAMP equivalent” for CUI | CUI | CSP | Equivalency is allowed, but you must verify it — no public registry of “equivalent” clouds | Not automatic; the evidence burden is higher | Full Body of Evidence (SSP/SAP/SAR/POA&M, conmon summaries, pen test); 3PAO assessment; CRM | Accepting a sales claim, a SOC 2 report, or “we run on Azure” as proof of equivalency |
| Cloud tool handles only logs, EDR/SIEM telemetry, or configuration data — no CUI | SPD only | CSP or ESP | In your scope as a Security Protection Asset — CMMC requirements, not FedRAMP | No | Asset treatment; data-flow diagram; security-function description; relevant control evidence; CRM | Treating security tools as out of scope because they hold no CUI |
| MSP stores CUI in its own (non-cloud) system | CUI | ESP, not CSP | Services assessed as part of your assessment | No — the MSP may voluntarily get assessed to ease client audits | Service description; CRM; asset boundary; evidence for applicable controls | Believing every MSP must hold its own CMMC certificate |
| MSP administers your cloud tenant that you license/subscribe | CUI or SPD, by role | MSP/ESP — not the CSP | The MSP may be an ESP; the underlying cloud is the CSP | No automatic MSP cert; depends on CUI/SPD and access | Admin-access model; privileged-access process; access logs; CRM; data-flow evidence | Assuming the MSP becomes the CSP just because it resells or administers the tenant |
| MSP contracts with a CSP, modifies the service, owns/subdivides the tenant, and sells it on | CUI possible | MSP may become a CSP | If CUI is handled, FedRAMP Moderate/equivalency attaches to that offering | Not the key question — CSP + scope evidence is | Contract structure; service boundary; FedRAMP/equivalency evidence; CRM | Missing that the MSP crossed from “administrator” to “cloud service provider” |
| Vendor handles neither CUI nor SPD and protects no CUI asset | Neither | Not an ESP under CMMC | No ESP scoping treatment | No | Keep a data-flow rationale in case it’s challenged | Over-scoping every vendor and inflating assessment burden |
| GCC High, AWS GovCloud, Azure Government, or Google Assured Workloads handles CUI | CUI | CSP | FedRAMP Moderate is the stated baseline; these commonly carry FedRAMP High. Higher/government cloud may be required by contract, ITAR/export needs, or architecture | No automatic “CMMC certification” from the platform | Marketplace/boundary proof for the exact offering; configuration baseline; CRM; tenant controls | Believing a government cloud alone makes you CMMC compliant |
| CUI enclave or managed-compliance platform stores/processes CUI for you | CUI | CSP or ESP (by architecture) | Classify by the actual cloud model; FedRAMP/equivalency if it’s a CSP with CUI | Provider’s own status may help, but does not replace your scope, responsibilities, or evidence | Architecture diagram; data-flow map; CRM; FedRAMP/equivalency or ESP evidence; SSP integration | Buying an enclave without confirming the assessment boundary and responsibility split |

Source: 32 CFR § 170.19; DFARS 252.204-7012; CMMC FAQ v5 (E-Q3, E-Q4, E-Q5); December 2023 DoD CIO FedRAMP Equivalency memo. Last verified: .

A note that resolves half the confusion: administering a tenant is not the same as providing the cloud. If you own the subscription and a vendor merely manages it for you, that vendor is usually an ESP, not a CSP. If the vendor provides or modifies the cloud service itself, it can be a CSP — and the FedRAMP rule attaches. That distinction is defined at 32 CFR § 170.4 and confirmed in the CMMC FAQ (E-Q5). Our full ESP scoping guide covers every MSP/MSSP/SOC scenario in a separate decision matrix.

Is your provider a CSP, an ESP, or neither?

A Cloud Service Provider (CSP) offers on-demand cloud services — SaaS, IaaS, PaaS, hosted storage, cloud email, or cloud collaboration — as defined in 32 CFR § 170.4. An External Service Provider (ESP) is external people, technology, or facilities you use to run IT or cybersecurity services, where CUI or Security Protection Data actually resides on the provider’s assets. A vendor that neither handles that data nor protects a CUI asset generally falls outside the CMMC ESP definition. Get this classification right first, because it decides every downstream requirement.

The official definition is deliberately data-driven. Per the DoD CMMC Level 2 Scoping Guide, to be an ESP, “data (specifically CUI or Security Protection Data, e.g., log data, configuration data) must reside on the ESP assets.” No data on their assets, no ESP status. The DoD looks at what the provider touches, not what its marketing says.

Cloud Service Provider (CSP)

Think Microsoft 365, a hosted ERP, cloud file storage, cloud backup, a SaaS ticketing system, or an IaaS/PaaS platform you build on. If your CUI lives there, FedRAMP is in play.

External Service Provider (ESP)

Think MSP, MSSP, outsourced SOC, a hosted SIEM/MDR service, or a compliance-evidence platform that supports your environment and touches CUI or SPD. Some ESPs are also CSPs; the labels aren’t mutually exclusive.

Not an ESP for CMMC scoping

A vendor that handles no CUI, no SPD, and provides no security protection for a CUI asset. Keep a short written rationale anyway — assessors appreciate a clean scope story.

The gray area everyone gets stuck on — MSP, reseller, administrator, or cloud provider?

The CMMC FAQ (E-Q5) settles it: if the cloud tenant is subscribed or licensed to you (the Organization Seeking Assessment), even if the MSP resells the service, the MSP is not the CSP. But if the MSP contracts with the CSP directly and modifies or subdivides the base cloud service, the MSP may itself be a CSP — and then FedRAMP/equivalency applies to what it provides.

When does a cloud provider need FedRAMP Moderate (or equivalent)?

A cloud provider needs FedRAMP Moderate authorization or FedRAMP Moderate equivalency when it stores, processes, or transmits CUI for a covered DoD contract. This flows from DFARS 252.204-7012, which requires a contractor using an external cloud service for covered defense information to “require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline.” If CUI is not in the cloud, FedRAMP is not required solely for CMMC — though the service may still be in scope as a Security Protection Asset if it handles SPD.

The rule text is not ambiguous. The Federal Register CMMC Program Rule states plainly that defense contractors “must confirm that any Cloud Service Providers (CSPs) used by the contractor to handle CUI meet Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline or the equivalent requirements.” And the official CMMC FAQ (E-Q1) asks the question directly — must my CSP meet FedRAMP Moderate if it processes, stores, or transmits CUI? — and answers: Yes.

Two forks decide what happens next:

  • If the cloud is FedRAMP Moderate (or higher) Authorized on the FedRAMP Marketplace: you’re in the easier lane. The cloud’s controls are the cloud’s problem — but you still own provider selection, your configuration, your shared-responsibility documentation, your SSP and CRM evidence, and the DFARS 7012 incident-reporting obligations that ride alongside the clause.
  • If the cloud is not authorized: you own the burden. The Program Rule makes the contractor “responsible for determining if the CSP meets the requirements for FedRAMP Moderate equivalency.” That’s a heavier lift than most teams expect, and we break it down two sections from now.

The encrypted-CUI trap

Encrypting CUI does not exempt the cloud from the requirement. A common argument — “we encrypt everything before it hits the cloud, so FedRAMP shouldn’t apply” — is explicitly rejected by DoD. The CMMC FAQ states that under 32 CFR Part 2002, CUI “remains controlled until it is formally decontrolled,” and encrypted CUI “retains the control designation given to the plain text counterpart.” FAQ item E-Q2 asks whether a non-FedRAMP Moderate cloud can store encrypted CUI, and the answer is no.

The practical consequence: if any CUI, plaintext or ciphertext, lives in a cloud, that cloud needs FedRAMP Moderate authorization or equivalency. Full stop.

If your cloud handles only Security Protection Data

A cloud that handles only Security Protection Data — logs, configuration, security telemetry used to protect your environment — but does not process, store, or transmit CUI is treated as a Security Protection Asset and assessed against the relevant CMMC Level 2 requirements. It follows CMMC requirements, not FedRAMP. This is one of the most-missed distinctions in the whole program, and it cuts both ways: forcing a FedRAMP requirement onto an SPD-only cloud is over-scoping, and ignoring the SPD-only cloud entirely is under-scoping.

Per the CMMC Level 2 Scoping Guide, a Security Protection Asset — for example, a cloud SIEM that never touches CUI but contributes to meeting CMMC requirements — is in your assessment scope and assessed against the Level 2 requirements relevant to its function. You document it with a service description and a Customer Responsibility Matrix. You do not need a FedRAMP Body of Evidence for an SPD-only service.

If your commercial cloud or SaaS is holding CUI right now, that’s exactly the situation this rule was written for — and the fix (a scoped enclave, a compliant environment, or a documented migration) is a real decision with real cost, not a five-minute setting change. We’ll point you to the enclave, MSP/MSSP, or readiness category that fits your scope — before you overbuy.


What “FedRAMP Moderate equivalent” actually requires

Per the DoD CIO memo dated December 21, 2023, “FedRAMP Moderate equivalent” means the cloud offering achieves 100% of the FedRAMP Moderate baseline, assessed by a FedRAMP-recognized Third-Party Assessment Organization (3PAO), with no Plan of Action and Milestones (POA&M) items remaining from that assessment, documented in a complete Body of Evidence (BoE). Self-attestation does not count. The BoE is handed to your C3PAO or DIBCAC on demand during your assessment.

If you take one thing from this section, take the scale. The FedRAMP Moderate baseline is the full NIST SP 800-53 Rev. 5 Moderate control set — many times larger than the 110 requirements in NIST SP 800-171 Rev. 2 that you implement for CMMC Level 2. Equivalency asks a cloud to prove that bigger set, at 100%, with zero assessment findings. That’s why so few “equivalent” claims hold up.

What the December 21, 2023 memo actually demands:

FedRAMP Moderate equivalency requirements — source: DoD CIO memo, December 21, 2023

| Requirement | Detail |
|---|---|
| 100% of the baseline | Every control in the current FedRAMP Moderate baseline, fully implemented — not “mostly.” |
| 3PAO assessment | Validated by a FedRAMP-recognized third-party assessor. No self-attestation. |
| No assessment POA&Ms | The 3PAO assessment must show no open control-implementation gaps. (Routine operational POA&Ms for ongoing maintenance are permitted — but they cannot paper over a failed control.) |
| A Body of Evidence | System Security Plan, Security Assessment Plan, Security Assessment Report, POA&M, continuous-monitoring monthly summaries validated annually, and an annual penetration test. |
| Ongoing validation | Equivalency is not a one-time snapshot; the BoE is maintained and re-validated. |

One more nuance: “equivalency” is heavier than a standard FedRAMP authorization in one specific way. A full FedRAMP authorization has a government authorizing official who can accept some risk via POA&Ms. Equivalency has no such official — so DoD’s answer is that no implementation gaps are allowed. It is, in effect, the stricter of the two on that point.

FedRAMP “Authorized” vs “Equivalent” vs the 2026 “Certified Class C”

On June 25, 2026, FedRAMP launched its Consolidated Rules for 2026 (CR26), which replace the old impact-level names with Certification Classes and shift the label from “FedRAMP Authorized” to “FedRAMP Certified.” The former Moderate baseline — the one that satisfies the CMMC/DFARS cloud requirement for CUI — is now expressed as Class C. The security bar for CUI did not change; the labels and the process did.

Under CR26, Class C includes the current Moderate baseline and Class D includes the current High baseline. FedRAMP is explicit that a Certification Class describes the scope and assurance of the assessment — not a one-for-one stand-in for a system’s impact level — so match the offering to your actual CUI need and verify the exact Marketplace listing and boundary, not the label alone.

Dates a CMMC buyer should hold in mind, all from FedRAMP’s CR26 timeline:

  • — Consolidated Rules for 2026 launched.
  • — Marketplace listings open for the initial implementation stage.
  • — “FedRAMP Ready” goes Legacy; no new FedRAMP Ready submissions after this date.
  • — CR26 becomes mandatory for all stakeholders; current Rev5 certifications must adopt the new rules.
  • — FedRAMP stops accepting applications for new Rev5 certifications.

And one distinction worth locking in: FedRAMP Moderate “equivalency” is a DoD evidence path, not a FedRAMP designation. It is defined by DoD’s December 21, 2023 memo for CMMC/DFARS purposes — it is not a FedRAMP Marketplace authorization or certification, and it does not put a listing on the Marketplace. Equivalency remains a valid path for CUI, but you (or your assessor) must review the complete Body of Evidence to rely on it.

Here’s the translation table. Pin it to your vendor-evaluation checklist.

FedRAMP label translation table (legacy labels → CR26 labels) — source: FedRAMP Consolidated Rules for 2026 (June 25, 2026)

| Label a vendor shows you | What it means under CR26 | What it means for your CUI / CMMC | How to verify |
|---|---|---|---|
| FedRAMP Moderate Authorized | Expressed as FedRAMP Certified — Class C | Satisfies the DFARS 7012 cloud requirement for CUI (the CSP’s controls are covered) | FedRAMP Marketplace listing (exact offering + boundary, dated) |
| FedRAMP Moderate Equivalent | A DoD evidence path, not a FedRAMP designation | A valid CMMC/DFARS path only with a complete 3PAO Body of Evidence — but it is not a FedRAMP listing | Review the full 3PAO BoE yourself; don’t rely on the word “equivalent” |
| FedRAMP High Authorized | Expressed as FedRAMP Certified — Class D | Exceeds Moderate; acceptable for CUI (where GCC High, GovCloud, Azure Gov, Google Assured Workloads commonly sit) | FedRAMP Marketplace listing (exact offering, dated) |
| FedRAMP Ready | Going Legacy under CR26 | Not an authorization. Does not satisfy the CUI cloud requirement | Do not accept “Ready” as compliance |
| “FedRAMP compliant” / “government-grade” / “800-171 aligned” | Not a FedRAMP designation at all | Marketing language — meaningless unless backed by a Marketplace listing or a complete BoE | Ask for the listing or the BoE; if neither exists, it fails |

Does your cloud provider need its own CMMC certification?

Usually not — and this is the single most expensive myth in the market. A CSP that handles CUI must meet FedRAMP Moderate or equivalency; it does not “get CMMC certified.” A non-cloud ESP that handles CUI is assessed as part of your assessment — the CMMC Final Rule specifically removed the proposed-rule requirement that ESPs be certified before serving you. An ESP may still choose to get assessed to make client audits easier, but it is not required to.

The authority here is the rule itself. Under the CMMC Final Rule (32 CFR § 170.19), a non-cloud ESP’s CUI-handling services are assessed within the contractor’s scope, and the official CMMC FAQ (E-Q3) confirms the common case directly: a non-cloud MSP storing your CUI does not require its own CMMC assessment. This reversed the proposed rule, and it is a big reason a lot of 2023-era advice is now simply wrong.

So what does a CSP’s own certificate actually prove for you? Less than you’d hope. It does not prove your scope is right, your configuration is correct, your users are controlled, or your SSP, CRM, and evidence are in order. Those are yours. A contractor cannot fully outsource CMMC to a provider, and a provider cannot fulfill CMMC on the contractor’s behalf. It’s shared — and the parts that fail assessments are almost always the contractor’s parts.

One guardrail on independence. The organization that helps you get ready (an RPO or MSP doing remediation) and the C3PAO that assesses you must stay appropriately separate — the Cyber AB’s C3PAO authorization requirements include impartiality and conflict-of-interest controls. Keep readiness help and formal assessment in different lanes.

What about MSPs, MSSPs, SIEM/SOC, and helpdesk tools?

If an MSP or MSSP stores, processes, or transmits your CUI and is not a CSP, its in-scope systems are assessed inside your assessment boundary unless it holds its own CMMC certification. If it handles only Security Protection Data, it’s a Security Protection Asset in your scope, and it owes you a Customer Responsibility Matrix. A workstation that can process, store, or transmit CUI by connecting to a CUI cloud is in scope — with one carve-out for properly configured virtual desktops.

The CMMC FAQ (E-Q4) addresses the very common setup where your IT support is one ESP and your security tools are managed by a different MSSP: both are ESPs, and both are evaluated during your assessment. Per the Technical Application slides, when an MSP stores CUI on its own systems, how you draw the scoping boundary “depends on the degree of isolation between the OSA’s enclave and the rest of the MSP’s infrastructure.” Isolation is your friend; sprawl is your enemy.

The VDI carve-out worth knowing

A workstation that connects to a CUI cloud is normally in scope — but 32 CFR § 170.19 and the CMMC FAQ allow an endpoint hosting a virtual desktop (VDI) client to be treated as out of scope if it’s configured so that no CUI is processed, stored, or transmitted locally — only keyboard, video, and mouse pass to the client, with copy/paste, file transfer, printing, and screen capture blocked, verified server-side. Get the configuration wrong and the endpoint is back in scope.

  • SIEM, MDR, EDR, SOC. Usually ESPs handling SPD. That makes them in-scope Security Protection Assets — but it does not automatically trigger FedRAMP, because FedRAMP attaches to a CSP handling CUI, not to SPD.
  • Ticketing and helpdesk. Innocuous until someone pastes a drawing, a spec, a screenshot, or contract details into a ticket. The moment CUI lands there, that system is handling CUI. Treat ticketing as a CUI risk and configure/monitor accordingly.
  • Backups and email filtering. If CUI flows through them, they’re in scope like any other CUI-touching service. “In scope” follows the data, not the label.

What evidence should you request before trusting a provider with CUI?

Before you rely on any cloud provider for CUI, get evidence that proves the exact service, boundary, responsibility split, and assessment support — not a marketing claim. The essential artifacts are the FedRAMP authorization or equivalency Body of Evidence, the Customer Responsibility Matrix, a service description, SSP mapping, a data-flow diagram, and incident-reporting support language. If a provider can’t produce these, that’s your answer.

Here’s the exact ask-list. Send it to your provider and watch how they respond — the response is the signal.

Cloud-provider evidence checklist — request before assessment

| Evidence item | Ask the provider | Why it matters |
|---|---|---|
| FedRAMP Marketplace listing / package ID | “Which exact offering and boundary are authorized?” | Stops you from assuming every service from a vendor is covered by one authorization. |
| FedRAMP equivalency Body of Evidence | “Can our assessor review the full BoE under NDA?” | There is no public registry of “equivalent” clouds — the BoE is the proof. |
| Customer Responsibility Matrix (CRM) | “Which controls are inherited, shared, or ours to own?” | Your SSP has to show how your responsibilities are met, mapped to the 320 CMMC Level 2 assessment objectives, not just the 110 practices (NIST SP 800-171A). |
| Service description | “What exactly is the provider delivering?” | Required to document the ESP relationship and services in your SSP. |
| Data-flow diagram | “Where does CUI or SPD enter, persist, replicate, or leave?” | Classification depends on actual process/store/transmit paths — including backups and logs. |
| Incident-reporting support | “How do you support DFARS 7012 paragraphs (c)–(g)?” | The cloud clause includes cyber-incident-reporting, media-preservation, and forensic-access obligations. |
| Admin / support access model | “Can support staff reach CUI, keys, logs, tickets, or configuration?” | Support access can pull a provider into scope and change your evidence needs. |
| Subprocessor list | “Who else can access, store, process, or transmit our data?” | Hidden fourth parties become hidden scope problems. |
| Export-control / data-residency statement | “Can this environment support our contract’s data categories (e.g., ITAR)?” | Some requirements come from the contract and data category, not generic CMMC. |
| Assessor-access process | “What evidence can be shown to our C3PAO or DIBCAC?” | Evidence that can’t be shown may not be usable at assessment. |

Steal this: a cloud-provider evidence-request email

Copy, paste, fill in the brackets, and send it to any cloud, SaaS, or managed-service provider that touches your CUI. If they can answer all ten cleanly, you have a provider you can document. If they can’t, you have your answer early — which is exactly when you want it.

Subject: CMMC / DFARS 252.204-7012 evidence request — [your company]

Hi [name], we’re preparing for a CMMC Level 2 assessment and need to document your service in our System Security Plan. Please confirm the following for the specific offering we use:

  1. FedRAMP status of the exact service offering and its Marketplace package ID (or, if not on the Marketplace, whether a FedRAMP Moderate equivalency Body of Evidence is available for our assessor to review under NDA).
  2. The authorization/certification boundary — what’s covered and what isn’t.
  3. Your Customer Responsibility Matrix, mapped to NIST SP 800-171 Rev. 2 / the CMMC Level 2 assessment objectives.
  4. A service description we can reference in our SSP.
  5. Where our CUI or Security Protection Data is processed, stored, transmitted, and replicated (including backups and logs).
  6. How you support DFARS 252.204-7012 incident reporting and related obligations (paragraphs (c)–(g)).
  7. Your support/admin access model — who can reach CUI, keys, configuration, or tickets.
  8. A list of subprocessors or fourth parties that can access our data.
  9. Data residency / U.S.-person handling relevant to our contract’s data categories (e.g., ITAR).
  10. What evidence you can provide to our C3PAO or DIBCAC assessor, and in what format.

Please don’t include any CUI in your reply. Thank you — [you]

The honest part: a “CMMC compliant” claim is not enough

A vendor’s “CMMC ready,” “government cloud,” or “FedRAMP equivalent” claim may not answer the assessment question at all — and worse, even a fully FedRAMP-authorized cloud does not make you compliant. FedRAMP covers the cloud’s controls; the shared-responsibility model still leaves configuration, access control, multifactor authentication, and evidence to you.

32 CFR § 170.19 requires the ESP relationship, service description, and Customer Responsibility Matrix to be documented — so if a provider won’t supply the CRM or assessment-usable evidence, you may simply lack the documentation your assessment requires. Treat a vendor that won’t hand over a CRM or a Body of Evidence as disqualifying, not as a paperwork snag.


How C3PAO and DIBCAC assessors actually check your cloud

During a CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessment, the assessor checks each in-scope cloud against the FedRAMP Marketplace; if a cloud isn’t listed, they request its full Body of Evidence and verify completeness and 100% implementation. A cloud that inherits controls from its host platform without documenting them can fall short — and the failure lands on the contractor, not the vendor.

Rule vs. assessor reality — how the equivalency gap gets flagged

| What the rule says | What an assessor actually does |
|---|---|
| “The Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to the FedRAMP Moderate baseline.” (DFARS 7012) | Checks each in-scope cloud against the FedRAMP Marketplace; if it’s not listed, requests the full Body of Evidence and reviews it for completeness, currency, and 100% implementation. |
| Equivalency = 100% of the baseline, 3PAO-assessed, no assessment POA&Ms, with a BoE. (Dec 2023 memo) | Looks for gaps. A cloud that has most BoE elements but inherited some controls from its host without documenting them falls short of 100% — and can fail the contractor’s assessment. |
| The ESP relationship must be documented in the SSP with a CRM. (32 CFR § 170.19) | Reads your SSP; expects a service description and CRM that cleanly split responsibilities; treats a CUI-connected workstation as in scope unless it’s a properly configured VDI endpoint. |

A real example, not a hypothetical. Advisory firm Baker Tilly documented an engagement in which a contractor checked each in-scope CSP against the FedRAMP Marketplace and, for those not listed, requested the Body of Evidence per the DoD memo. One CSP had most BoE elements, but had inherited some FedRAMP requirements from Azure without documenting them, falling short of 100% compliance. Under the equivalency standard, that gap is enough to jeopardize the assessment.

The equivalency path has been walked successfully. Secure-collaboration provider PreVeil states it was the first cloud service provider to meet the DoD’s FedRAMP Moderate Equivalency requirement, after a DIBCAC team reviewed its 3PAO Body of Evidence. This is a company-stated example of what clearing the bar looks like, not an endorsement; verify any provider’s current status directly on the FedRAMP Marketplace and via a current Body of Evidence before you rely on it.

Which cloud environments meet the CMMC cloud requirement?

For CUI, the government cloud environments most defense contractors use commonly carry FedRAMP High or Moderate authorizations. The critical discipline: FedRAMP authorization attaches to a specific service offering and authorization boundary, not to a brand. Verify the exact offering, package, class, and boundary on the FedRAMP Marketplace; the product family name alone is not proof. A government cloud can carry a lot of the load, but it never makes you compliant on its own.

The snapshot below reflects our review of provider documentation and the FedRAMP Marketplace as of . Statuses change; confirm each before you rely on it.

Named cloud environment FedRAMP status snapshot — (verify current status on the FedRAMP Marketplace before relying on it)
Microsoft GCC High
  FedRAMP status (verify the exact offering): Commonly FedRAMP High
  What to confirm / what is not covered: Runs on Azure Government; U.S.-person-only access; common for export-controlled / ITAR CUI. Confirm the exact services in scope.

AWS GovCloud (US)
  FedRAMP status: Commonly FedRAMP High
  What to confirm: Isolated U.S. regions; broad CMMC/NIST SP 800-171 inheritance via the AWS customer package. Confirm which of the services you use are inside the boundary.

Azure Government
  FedRAMP status: Commonly FedRAMP High
  What to confirm: Physically separated from commercial Azure. Not every commercial service has a Government equivalent; confirm coverage.

Google Assured Workloads
  FedRAMP status: Commonly FedRAMP High
  What to confirm: Data-boundary controls; U.S.-only regions for in-scope CUI. Confirm the specific in-scope services.

Microsoft GCC (standard)
  FedRAMP status: Commonly FedRAMP Moderate
  What to confirm: Meets the Moderate bar for many CUI categories, but runs on shared commercial infrastructure and does not enforce U.S.-person-only access.

Standard Microsoft 365 Commercial
  FedRAMP status: Not FedRAMP Moderate/High for this use
  What to confirm: Not acceptable for CUI. Storing, processing, or transmitting CUI in a standard commercial plan under DFARS 7012 is non-compliant and disqualifying at assessment.

CUI enclave providers
  FedRAMP status: Varies (authorization or equivalency)
  What to confirm: Purpose-built to shrink scope; verify each provider's exact status, boundary, and Body of Evidence.

We do not rank or endorse providers — these are factual authorization examples, and status can change. The standard-M365 line is the one to internalize: before the December 2023 memo, some contractors argued standard M365 was “equivalent” on the strength of Microsoft’s general security posture; that argument is no longer defensible. Verify everything on the FedRAMP Marketplace before you rely on it.

If your CUI is scattered across email, files, endpoints, and a few SaaS tools, an enclave is often a cheaper path to compliance than dragging your whole environment up to the bar. Our CUI enclave guide goes deeper.

Does this change by CMMC level and assessment type?

The cloud-provider logic is consistent across Level 2 self-assessment and Level 2 C3PAO assessment — a CSP handling CUI needs FedRAMP Moderate or equivalency either way. What changes is scrutiny and evidence pressure. Level 2 maps to the 110 requirements of NIST SP 800-171 Rev. 2 and may be self-assessed or independently assessed by a C3PAO depending on your solicitation; Level 3 requires a prior Final Level 2 (C3PAO) for the same scope plus selected requirements from NIST SP 800-172, assessed by DIBCAC.

Cloud-provider impact by CMMC level and assessment path
Level 1 (FCI only)
  Cloud-provider impact: Focus is FCI systems and the 15 safeguards in FAR 52.204-21. FedRAMP Moderate is not triggered by CMMC unless other contract or data requirements apply.

Level 2 Self-Assessment
  Cloud-provider impact: CSP/ESP classification fully applies; your evidence must support the self-assessment and the SPRS affirmation.

Level 2 C3PAO
  Cloud-provider impact: Same facts, higher scrutiny. Expect assessor review of scope, SSP, CRM, and the CSP's Body of Evidence.

Level 3 (DIBCAC)
  Cloud-provider impact: The 110 NIST SP 800-171 Rev. 2 requirements plus 24 selected NIST SP 800-172 requirements, a 134-requirement model assessed by DIBCAC after a Level 2 C3PAO assessment. Cloud evidence must survive the toughest review.

Source: 32 CFR §§ 170.3(e), 170.14; DFARS 252.204-7012; DFARS 252.204-7021.

Two dates worth holding in mind: the DFARS acquisition rule took effect , opening Phase 1 (Level 1 and Level 2 self-assessments appearing in contracts), and Phase 2 begins , when applicable solicitations begin requiring Level 2 C3PAO certification (32 CFR § 170.3(e)). And if your contract already contains DFARS 252.204-7012, your NIST SP 800-171 obligation exists now— CMMC just verifies it.

How to document cloud providers in your scope and SSP

For CMMC Level 2, you must specify your assessment scope before the assessment, document every asset that processes, stores, or transmits CUI in your asset inventory, SSP, and network diagram, and document each ESP’s relationship and services in your SSP with a Customer Responsibility Matrix. The rule (32 CFR § 170.19(c)(2)(ii)) requires the ESP relationship to be “documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix.” No CRM, no clean assessment.

A simple, non-legal SSP pattern that assessors can follow:

“Provider X is used for [service]. The service [does / does not] process, store, or transmit CUI. The service [does / does not] process, store, or transmit Security Protection Data. Responsibilities are documented in [CRM name, version, date].”

Three habits that save assessments:

  • Label every asset. CSP, ESP, Security Protection Asset, Contractor Risk Managed Asset, or out-of-scope — and keep the rationale.
  • Draw real data-flow diagrams. Show where CUI and SPD enter, persist, replicate, and leave — not just boxes and arrows.
  • Version your CRM. Provider documents change; a dated, versioned CRM is what you’ll defend at assessment.
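The SSP sentence pattern and the "label every asset" habit above are mechanical enough to check before an assessor does. The following is an added example written for this page, not a tool from the publication, the Cyber AB, DoD, or any assessor: it applies the page's decision rule (cloud handling CUI needs FedRAMP Moderate, now CR26 Class C, or equivalency plus a CRM; SPD-only services are Security Protection Assets; neither means out of CSP/ESP scope) to a constructed inventory and renders the SSP statement for each provider. The asset names, statuses, and CRM identifiers are made up; a real run would take them from your asset inventory and the FedRAMP Marketplace.

```python
"""Added example: scope and evidence pre-check for cloud/ESP assets.
Illustrative code for this page, not an official tool. All inventory data is constructed."""
from __future__ import annotations

from dataclasses import dataclass

# "Moderate or higher" on the Marketplace, or an equivalency Body of Evidence.
ACCEPTABLE_FEDRAMP = {"authorized-moderate", "authorized-high", "equivalency-boe"}


@dataclass
class Asset:
    name: str
    is_cloud: bool             # True for a cloud service offering, False for a non-cloud ESP
    handles_cui: bool          # stores, processes, or transmits CUI
    handles_spd: bool          # stores, processes, or transmits Security Protection Data
    fedramp_status: str = ""   # one of ACCEPTABLE_FEDRAMP, or e.g. "ready", "commercial", ""
    crm: str = ""              # CRM name, version, date; "" if the vendor supplied none
    cui_encrypted: bool = False  # deliberately ignored: encrypted CUI is still CUI (CMMC FAQ E-Q2)


def classify(a: Asset) -> tuple[str, list[str]]:
    """Return (scope category, findings). A 'BLOCKER' finding means the asset,
    as documented, cannot support the assessment."""
    findings: list[str] = []
    if a.handles_cui:
        if a.is_cloud:
            category = "CSP handling CUI"
            if a.fedramp_status not in ACCEPTABLE_FEDRAMP:
                findings.append(
                    f"BLOCKER: {a.name} holds CUI without FedRAMP Moderate (CR26 Class C) "
                    f"authorization or an equivalency BoE (status={a.fedramp_status!r})")
        else:
            category = "Non-cloud ESP handling CUI (assessed inside your scope)"
    elif a.handles_spd:
        category = "Security Protection Asset (in scope; FedRAMP not triggered)"
    else:
        return "Out of scope (no CUI, no SPD)", findings
    # Every in-scope ESP relationship needs a CRM in the SSP (32 CFR 170.19).
    if not a.crm:
        findings.append(f"BLOCKER: {a.name} has no Customer Responsibility Matrix on file")
    return category, findings


def ssp_statement(a: Asset, service: str) -> str:
    """Render this page's SSP sentence pattern for one provider."""
    cui = "does" if a.handles_cui else "does not"
    spd = "does" if a.handles_spd else "does not"
    crm = a.crm or "[NO CRM ON FILE]"
    return (f"{a.name} is used for {service}. The service {cui} process, store, or transmit CUI. "
            f"The service {spd} process, store, or transmit Security Protection Data. "
            f"Responsibilities are documented in {crm}.")


def review(inventory: list[Asset]) -> tuple[dict[str, tuple[str, list[str]]], bool]:
    """Classify every asset; return per-asset results and whether no blocker remains."""
    results = {a.name: classify(a) for a in inventory}
    ok = not any(f.startswith("BLOCKER") for _, fs in results.values() for f in fs)
    return results, ok


# Constructed inventory: hypothetical vendors and statuses, not real Marketplace data.
INVENTORY = [
    Asset("Email/Files tenant", True, True, True, "authorized-high", "CRM-M365-v3 2026-01"),
    Asset("Design-review SaaS", True, True, False, "commercial", "", cui_encrypted=True),
    Asset("MDR/SIEM provider", True, False, True, "", "MDR-CRM-2.1 2025-11"),
    Asset("Local MSP helpdesk", False, True, False, "", "MSP-CRM-v1 2025-09"),
    Asset("Marketing CRM", True, False, False),
]

if __name__ == "__main__":
    results, ok = review(INVENTORY)
    for name, (category, findings) in results.items():
        print(f"{name}: {category}")
        for finding in findings:
            print("   ", finding)
    print("Evidence set free of blockers:", ok)
```

The design-review SaaS is the instructive row: it is "encrypted," which the check ignores on purpose, it is commercial rather than Moderate-authorized, and the vendor supplied no CRM, so it produces two blockers. The MDR provider handles only SPD and is classified as a Security Protection Asset without a FedRAMP finding, which is exactly the split the page's bottom line describes.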

Which provider category fits your situation?

The right provider category depends on your required level, CUI scope, cloud model, assessment type, current IT maturity, and contract timeline. The table below maps a situation to a provider category, not a named provider. It is not a score, a provider ranking, a legal opinion, or a compliance determination.

The CMMC Path Framework — situation to provider-category routing
If this is you: You do not know whether your cloud/SaaS/MSP is even in scope
  Category to evaluate first: RPO / RP or a CMMC scoping advisor
  Not the right first move: Getting a C3PAO quote before your scope is defined

If this is you: CUI is spread across email, files, endpoints, and SaaS
  Category to evaluate first: CUI enclave or managed-compliance environment
  Not the right first move: Buying random point tools

If this is you: An MSP manages your cloud and security stack
  Category to evaluate first: CMMC-focused MSP/MSSP or RPO-led readiness
  Not the right first move: Assuming the MSP's marketing claim is enough

If this is you: You have tools but no evidence workflow
  Category to evaluate first: GRC / evidence platform (as a supporting layer, not the whole solution)
  Not the right first move: Waiting until the assessor asks

If this is you: You are implemented and assessment-ready
  Category to evaluate first: C3PAO assessment path
  Not the right first move: A remediation vendor that creates a conflict or delay


Common CMMC cloud provider mistakes

Nearly every cloud mistake in CMMC comes from confusing labels with evidence. “FedRAMP,” “GovCloud,” “GCC High,” “CMMC ready,” “encrypted,” and “secure” mean nothing unless the exact service, boundary, data flow, CRM, and customer responsibilities match your CUI scope. The six below are the highest-risk mistakes because each one maps to a specific, source-backed scoping or evidence failure.

  1. Assuming one FedRAMP authorization covers a vendor’s whole catalog. Verify the exact offering and boundary on the Marketplace.
  2. Believing encryption exempts a cloud. It doesn’t — encrypted CUI is still CUI (CMMC FAQ E-Q2).
  3. Treating security logs as out of scope. SPD makes a service an in-scope Security Protection Asset.
  4. Thinking every MSP needs its own CMMC certificate. Non-cloud MSPs are assessed inside your scope; their own assessment is optional (CMMC FAQ E-Q3).
  5. Buying GCC High or GovCloud before scoping your CUI. Map the data first, then choose architecture — you may need far less than you think.
  6. Forgetting tickets, screenshots, support sessions, and backups. CUI leaks into all of them; include them in the data-flow review.

Frequently asked questions about CMMC cloud service provider requirements

Do all CMMC cloud service providers need FedRAMP?

No. FedRAMP Moderate or equivalency is triggered when a cloud service provider stores, processes, or transmits CUI for a covered DoD contract, per DFARS 252.204-7012. A cloud or ESP that handles only Security Protection Data is assessed in your CMMC scope as a Security Protection Asset instead of being required to hold FedRAMP authorization.

Does my cloud provider need to be CMMC certified?

Usually the key requirement is FedRAMP Moderate or equivalency for a CSP handling CUI, not the provider’s own CMMC certification. Non-cloud external service providers are assessed as part of your assessment under 32 CFR § 170.19, and may voluntarily obtain a CMMC assessment to ease client audits.

Can encrypted CUI be stored in a non-FedRAMP cloud?

No. The official CMMC FAQ states that CUI remains controlled until formally decontrolled, and encrypted CUI retains the control designation of its plaintext. A non-FedRAMP Moderate cloud offering cannot store encrypted CUI (FAQ item E-Q2); encryption is a required control, not an exemption.

Does FedRAMP Moderate equal CMMC Level 2?

No. FedRAMP Moderate can satisfy the cloud-provider baseline for a CSP handling CUI, but the contractor still owns its own CMMC Level 2 obligations under NIST SP 800-171 Rev. 2 — configuration, users, SSP, evidence, and assessment. They are different standards that meet at the cloud boundary.

Is FedRAMP High required for CMMC Level 2?

Not as the generic baseline. FedRAMP Moderate or equivalency is the recurring DFARS/CMMC cloud threshold for a CSP handling CUI. FedRAMP High or a government cloud may be driven by contract terms, data category, or ITAR/export-control needs — not by CMMC Level 2 alone.

Does my MSP need to be CMMC compliant?

It depends on what the MSP does and what data it touches. A non-cloud MSP storing CUI does not automatically need its own CMMC assessment, but its services are assessed as part of your scope. MSPs and MSSPs handling Security Protection Data can also qualify as in-scope external service providers (CMMC FAQ E-Q3 and E-Q4). For the full matrix, see our CMMC external service provider assessment guide.

Is an MSP a CSP if it resells Microsoft, AWS, or Google?

Not automatically. Per the CMMC FAQ (E-Q5), if the cloud tenant is subscribed or licensed to you, the MSP is not the CSP even if it resells the service. If the MSP contracts with the CSP and modifies or subdivides the base cloud service, it may become a CSP — and FedRAMP or equivalency then applies to what it provides.

Does a SIEM, MDR, EDR, or SOC provider count as an external service provider?

Often yes, if it handles Security Protection Data or provides security functions for your CMMC environment. That makes it an in-scope Security Protection Asset — but it does not automatically require FedRAMP, which attaches only to a cloud service provider handling CUI.

Does Microsoft GCC High or AWS GovCloud make us CMMC compliant?

No. A FedRAMP-authorized government cloud can satisfy the cloud-provider piece and let you inherit many controls, but you still own configuration, users, endpoints, policies, your SSP, evidence, incident processes, and assessment readiness. Verify current authorization for the exact offering on the FedRAMP Marketplace.

Did FedRAMP change its levels in 2026?

Yes. FedRAMP launched its Consolidated Rules for 2026 (CR26) on , replacing impact-level names with Certification Classes — the former Moderate baseline is now expressed as Class C — and shifting the label to “FedRAMP Certified.” The security bar for CUI is unchanged. FedRAMP Ready goes Legacy on , and CR26 becomes mandatory .

Do I upload cloud-provider evidence to SPRS?

No. The Supplier Performance Risk System (SPRS) is where your current self-assessment results and annual affirmations are recorded for applicable CMMC unique identifiers, as required under DFARS 252.204-7021. Your cloud-provider evidence — FedRAMP Marketplace proof or equivalency Body of Evidence, the CRM, service descriptions, asset inventory, and data-flow diagrams — lives in your SSP and assessment package, not in SPRS.

What should I ask a SaaS vendor before putting CUI in it?

Ask whether the exact offering is FedRAMP Moderate Authorized (FedRAMP Certified, Class C, under CR26) or equivalent, whether the authorization boundary covers your use case, whether they provide a Customer Responsibility Matrix, whether CUI appears in backups, logs, or support tickets, and whether assessor-usable evidence is available under NDA. The evidence-request email above covers all ten questions.

What if a vendor refuses to provide a CRM or Body of Evidence?

Treat it as disqualifying. Escalate for a restricted or NDA evidence package, exclude CUI from that tool, choose another service, or move that workflow into a CUI enclave. Assessors need that documentation; a vendor that won’t provide it can’t support your assessment.

Do subcontractors have the same cloud provider requirements?

Yes, when the subcontract requires them to process, store, or transmit FCI or CUI. CMMC requirements flow down at the applicable level and assessment type under 32 CFR § 170.23 and DFARS 252.204-7021. The CSP/FedRAMP logic matters when CUI is involved; FCI-only, Level 1 work follows the FAR 52.204-21 path unless another clause or data category adds a cloud requirement.

Does CMMC Level 2 use NIST SP 800-171 Revision 2 or Revision 3?

Current CMMC Level 2 requirements use NIST SP 800-171 Revision 2 — the 110 requirements across 14 control families — unless DoD amends the CMMC rule and its implementation documents. Do not assume Revision 3 applies to CMMC.

Your next step

You now have what most contractors are missing: a way to classify any cloud, SaaS, or managed-service provider, the exact evidence to demand, and the primary source behind every answer. The move that protects you is to do this before your assessment or your next migration. It is far cheaper than rushed rework, and it catches the cloud and ESP evidence gaps this page is built to expose.


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, or compliance advice. See our corrections policy if you spot something that needs fixing.
