The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

The Defense Compliance Report — independent trade publication on CMMC 2.0 and DIB compliance

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified:

CMMC External Service Provider Assessment: How ESPs Are Scoped — and When They Need Their Own

Here is the short version, because you clicked for an answer, not a warm-up act. A CMMC external service provider assessment almost never means your MSP has to go get its own certification. Under the CMMC Program Rule at 32 CFR § 170.19, an External Service Provider (ESP) — external people, technology, or facilities you use to provide or manage IT or cybersecurity services, where your Controlled Unclassified Information (CUI) or Security Protection Data (SPD) lands on its systems — is assessed inside your CMMC assessment, not in a separate one of its own. The exception is a cloud service provider (CSP) that handles your CUI: that path triggers FedRAMP Moderate (or equivalency), not a separate CMMC assessment.

That’s the bottom line. Now here’s the part nobody selling you an assessment wants to say out loud, and it’s the reason most contractors get this expensive decision wrong: the deciding factor isn’t what your vendor calls itself. It’s what data lands on whose systems. Get that one variable right and the entire ESP question resolves. Get it wrong and you can pay a C3PAO to assess a relationship you never should have brought into scope — or fail because you left one out.

Which providers this applies to: MSPs, MSSPs, SOC/SIEM services, RMM and EDR platforms, GRC tools, backup and DR providers, cloud administrators, CUI enclave operators — any outside party that processes, stores, transmits, or protects your CUI or the data used to protect it.

Which it doesn’t: Vendors that never touch CUI or security data (a break/fix shop that never logs in, a payroll SaaS, an office-supply reseller). Under the rule, they don’t meet the CMMC ESP definition. Don’t over-scope them.

The 30-second scoping table

Use this to place any provider before you read further. Every outcome below is straight from 32 CFR § 170.19, Table 4.

ESP scope outcomes by data type — source: 32 CFR § 170.19 Table 4
| What the provider touches | If the provider is a CSP | If the provider is not a CSP | Your next move |
|---|---|---|---|
| CUI (with or without SPD) | Must meet FedRAMP Moderate or equivalent under DFARS 252.204-7012 | Its services are in your assessment scope and assessed as part of your assessment | Document it in your SSP and CRM; collect evidence |
| SPD only (logs, configs, alerts, admin credentials) | Assessed as a Security Protection Asset in your scope | Assessed as a Security Protection Asset in your scope | Document the relevant security capabilities |
| Neither CUI nor SPD | Not a CMMC ESP | Not a CMMC ESP | Keep proof there is no CUI/SPD path |
| You’re not sure | Treat as unresolved scope risk | Treat as unresolved scope risk | Map it before you request quotes |

Source: 32 CFR § 170.19, Table 4 (eCFR, current as of ).

Not sure which row your provider falls in? That’s the whole point of mapping before you buy. Answer a few scoping questions and we’ll point you to the provider category you likely need. Do not submit CUI, drawings, or contract-sensitive details.

Find My CMMC Path →

Disclosure: provider matching may generate referral, sponsorship, or partner compensation when disclosed. It never controls our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Do external service providers need their own CMMC assessment?

Usually, no. The DoD CIO’s CMMC FAQ (Section E, answer E-A3) states plainly that an MSP storing your CUI in a system it provides is not required to have its own CMMC assessment — though it may elect to self-assess or pursue certification to simplify your assessment. When a non-cloud ESP touches your CUI or SPD, its relevant services are assessed as part of your assessment against the applicable security requirements (32 CFR § 170.19).

This is the single most misreported fact in the CMMC ecosystem. Search the CMMC Program Rule for “MSP” and you won’t find the acronym once. The Department of Defense uses one umbrella term — External Service Provider — to cover managed service providers, managed security service providers, cloud administrators, and the tooling they run. What matters is not the label on the invoice. It’s the answer to three questions.

The three-question test: CUI, SPD, or CSP?

Before you can decide how a provider is handled, you answer these in order. This is the logic baked into Table 4 of the rule.

  1. Does the provider process, store, or transmit your CUI? CUI is information the government creates or possesses — or that a company creates or possesses for the government — that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls (32 CFR 2002.4). Common examples: export-controlled technical data, contract data, engineering drawings, and specifications related to defense work.
  2. Does it process, store, or transmit your SPD? Security Protection Data is the supporting data used to protect your environment — log files, configuration data, the vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment (32 CFR § 170.4).
  3. Is the provider actually a Cloud Service Provider? A CSP delivers cloud computing services under the NIST SP 800-145 definition. Reselling licenses or logging into your cloud does not automatically make a vendor a CSP — more on that below.

If the answer to both 1 and 2 is no, the provider does not meet the CMMC ESP definition and drops out of this entire framework. If yes to either, it’s an ESP, and the treatment depends on the CSP question.
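To make the ordering concrete, here is an added example (illustrative code written for this article, not DoD, Cyber AB, or any C3PAO’s tooling) that runs the three questions over a constructed provider inventory and returns the Table 4 treatment plus the evidence to collect. It also folds in the DoD FAQ E-A5 rule on when an administering MSP is or is not the CSP, and the E-A2 point that encrypting CUI does not change the CUI path. The Provider fields, the fictional vendor descriptions, and the evidence strings are this example’s own assumptions; the outcomes are the ones in 32 CFR § 170.19, Table 4.

```python
# Added example for this article (not DoD, Cyber AB, or C3PAO tooling): a scoping
# pass over a provider inventory using the three-question test. Field names, the
# Provider records, and the evidence strings are this example's own constructions.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Provider:
    name: str
    handles_cui: Optional[bool]           # CUI on the provider's own assets? None = unknown
    handles_spd: Optional[bool]           # SPD (logs, configs, creds) on its assets? None = unknown
    delivers_cloud_service: bool = False  # provider itself operates a NIST SP 800-145 cloud offering
    tenant_owner: str = "n/a"             # "osa" (you hold the subscription), "provider", or "n/a"
    modifies_cloud_service: bool = False  # MSP contracts with the CSP and alters the base service
    cui_encrypted: bool = False           # tracked only to show it does not change the outcome


@dataclass
class ScopeDecision:
    name: str
    is_esp: bool
    is_csp: bool
    treatment: str
    own_cmmc_cert_required: bool = False  # never True here: ESP certification is voluntary
    evidence: list[str] = field(default_factory=list)
    unresolved: bool = False


def is_csp(p: Provider) -> bool:
    """DoD CMMC FAQ E-A5 logic: a cloud operator is a CSP; an MSP administering a tenant
    licensed to you is not the CSP even if it resold the licenses; an MSP that contracts
    with the CSP and modifies the base service may itself be a CSP."""
    if p.delivers_cloud_service:
        return True
    if p.tenant_owner == "osa":
        return False
    return p.modifies_cloud_service


def scope_provider(p: Provider) -> ScopeDecision:
    """Apply 32 CFR 170.19 Table 4: ask CUI? then SPD? then CSP?, in that order."""
    if p.handles_cui is None or p.handles_spd is None:
        return ScopeDecision(p.name, is_esp=False, is_csp=False, unresolved=True,
                             treatment="Unresolved scope risk: map the data flow before requesting quotes",
                             evidence=["Data-flow diagram", "Written answer on CUI/SPD storage"])
    csp = is_csp(p)
    if not p.handles_cui and not p.handles_spd:
        return ScopeDecision(p.name, is_esp=False, is_csp=csp,
                             treatment="Not a CMMC ESP (no CUI or SPD on its assets)",
                             evidence=["Contract and access review showing no CUI or SPD path"])
    if p.handles_cui:
        if csp:
            ev = ["FedRAMP Moderate authorization or DoD equivalency body of evidence", "CRM", "SSP entry"]
            if p.cui_encrypted:
                ev.append("Note: encryption does not remove the FedRAMP requirement (DoD FAQ E-A2)")
            return ScopeDecision(p.name, True, True,
                                 "CSP handling CUI: FedRAMP Moderate or equivalent required (DFARS 252.204-7012)",
                                 evidence=ev)
        return ScopeDecision(p.name, True, False,
                             "Non-CSP ESP with CUI: services in your scope, assessed against all Level 2 requirements",
                             evidence=["Service description", "CRM", "SSP entry", "Provider evidence package"])
    # SPD only: the same outcome whether or not the provider is a CSP.
    return ScopeDecision(p.name, True, csp,
                         "SPD only: assessed as a Security Protection Asset in your scope",
                         evidence=["SSP entry", "CRM", "Asset inventory (SPA)", "Access-path diagram"])


def scope_inventory(providers: list[Provider]) -> list[ScopeDecision]:
    return [scope_provider(p) for p in providers]


# Constructed sample inventory (fictional descriptions, not real vendors).
SAMPLE_INVENTORY = [
    Provider("Remote MSP holding admin passwords", handles_cui=False, handles_spd=True, tenant_owner="osa"),
    Provider("MSP hosting CUI file share on its own hardware", handles_cui=True, handles_spd=True),
    Provider("SaaS collaboration tool storing CUI", handles_cui=True, handles_spd=False,
             delivers_cloud_service=True),
    Provider("Cloud backup of encrypted CUI", handles_cui=True, handles_spd=False,
             delivers_cloud_service=True, cui_encrypted=True),
    Provider("MSP that modifies a cloud service it contracts for", handles_cui=True, handles_spd=True,
             tenant_owner="provider", modifies_cloud_service=True),
    Provider("Payroll SaaS", handles_cui=False, handles_spd=False, delivers_cloud_service=True),
    Provider("Ticketing SaaS, CUI exposure unknown", handles_cui=None, handles_spd=True,
             delivers_cloud_service=True),
]

if __name__ == "__main__":
    for d in scope_inventory(SAMPLE_INVENTORY):
        flag = "ESP" if d.is_esp else ("??" if d.unresolved else "not ESP")
        print(f"[{flag:7}] {d.name}\n    {d.treatment}\n    evidence: {'; '.join(d.evidence)}")
```

Note that the payroll SaaS comes out as a CSP that is not an ESP, and the unknown ticketing vendor is never guessed at: an unresolved answer to question 1 or 2 blocks the rest of the test, which is the behaviour you want before anyone quotes you for an assessment.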

The one variable that decides it: whose systems hold the CUI?

Here’s the distinction that resolves nearly every argument. The regulation and the DoD FAQ point the same direction:

  • CUI stays on your systems; the MSP only administers them remotely. The MSP’s administrative access is in scope and assessed inside your assessment, but no CUI resides on the MSP’s own systems — so the MSP needs no separate certification.
  • CUI actually resides on the MSP’s own systems. Now the MSP is a non-CSP ESP that processes, stores, or transmits your CUI. Per DoD CMMC FAQ E-A3 it still isn’t required to hold its own certification — but the ESP services used to meet your requirements are in your assessment scope and assessed as part of your assessment against all Level 2 requirements, which is a heavier lift for everyone involved.

Either way, the burden lands on you to document the relationship and prove the controls.

What a voluntary ESP certification can — and can’t — do

An ESP is allowed to voluntarily undergo a CMMC assessment. If it does, the assessment level and type must be at least equal to what your contract requires and must cover the assets in scope for your assessment (32 CFR § 170.19(c)(2)(ii); DoD CMMC FAQ E-A3). It can reduce friction: a certified ESP’s validated controls can be inherited through your CRM, so it doesn’t have to participate directly in your assessment for those objectives. It cannot certify you — that certification is yours to earn.

A certified MSP does not make you compliant, and it does not remove that MSP’s services from your assessment scope. You, the contractor, remain accountable for all 110 NIST SP 800-171 Revision 2 security requirements and all 320 assessment objectives in NIST SP 800-171A. We flag this because contractors routinely treat a vendor’s certificate as a finish line and discover, during a readiness review, that their own tenant configuration, user management, and customer-owned controls were never mapped.

Realized your provider relationships need to be documented and defensible? That’s readiness work, and it’s dramatically cheaper before an assessor is on the clock. Compare provider categories and see whether your next step is readiness help, managed security, a CUI enclave, or a GRC platform.

Compare provider categories →

The CMMC ESP Assessment Decision Matrix: which provider scenarios are in scope?

The safe way to answer ESP scope is by scenario, not by vendor label. What does the provider actually do, what data lands on its systems, is the service cloud-based, and which assessment type does your contract require? The matrix below is built from 32 CFR § 170.19, the DoD CIO CMMC FAQ Section E, and the DoD CIO technical ESP guidance. It is a scoping triage tool, not a compliance determination.

MSP, help desk, and IT administration

MSP / help desk / IT administration scenarios
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| On-site IT contractor uses only your devices and accounts | Usually no | Maybe | No | People/process in your scope; verify no provider system stores CUI/SPD | No | Account list, access procedures, contract terms, SSP role description | Assuming “contractor” means out of scope |
| Remote help desk stores admin passwords in its own password manager | No | Yes | Usually no | ESP handling SPD; assessed as a Security Protection Asset | No | Password-vault boundary, CRM, access paths, SSP entry | Missing that admin passwords are SPD |
| MSP remotely administers your CUI environment; CUI never resides on MSP systems | No | Yes | No | Admin services assessed inside your assessment | No | Admin role list, CRM, remote-access diagram | Treating “no CUI on us” as “not in scope” |
| MSP hosts your CUI file share or RDS on its own (non-cloud) hardware | Yes | Maybe | Usually no | Non-CSP ESP with CUI; services assessed in your scope against all Level 2 requirements | No (voluntary) | Hosting boundary, physical/logical separation, CRM, evidence package | Buying hosting before deciding CSP vs. ESP |
| MSP ticketing system contains CUI (screenshots, drawings, excerpts) | Yes | Maybe | If SaaS, maybe | CUI path; non-CSP ESP in your scope, or CSP/FedRAMP if it’s cloud | Depends | Ticket-data policy, redaction rules, data-flow diagram, CRM | Letting CUI leak into tickets |

Source: 32 CFR § 170.19 (eCFR); DoD CIO CMMC FAQ E-A3, E-A4.

MSSP, SOC, SIEM, and security tooling

MSSP / SOC / SIEM / security tooling scenarios
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| MSSP/SOC ingests logs from your CUI environment | No | Yes | Could be | ESP handling SPD; assessed as a Security Protection Asset | No | Log-flow diagram, SOC responsibilities, CRM, SSP | Forgetting logs and configs are SPD |
| SIEM hosted inside your tenant; MSSP views alerts | No provider storage if configured that way | Access to SPD | No/depends | SIEM is an SPA; MSSP access in scope | No | SIEM architecture, access roles, CRM | Assuming “hosted in our tenant” removes the ESP question |
| Provider-hosted SIEM stores your logs | Usually no | Yes | Often cloud | CSP/ESP handling SPD; assessed as an SPA | No | Data residency, CRM, access-control evidence | Confusing FedRAMP-for-CUI rules with SPD-only rules |
| RMM/EDR console stores endpoint telemetry and configuration | Usually no | Yes | Often SaaS | SPD path; relevant services assessed as SPAs | No | Tool architecture, privileged access, CRM | Missing the tool console’s scope |
| Vulnerability scanner stores scan results | No | Yes | Often SaaS | SPD/SPA path | No | Result storage, retention, CRM | Treating scan results as harmless |

Source: 32 CFR §§ 170.4, 170.19; DoD CIO CMMC FAQ E-A4.

Cloud, CSP, GovCloud, and CUI enclave

Cloud / CSP / GovCloud / CUI enclave scenarios
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| SaaS file-sharing or collaboration tool stores your CUI | Yes | Maybe | Usually yes | CSP handling CUI; FedRAMP Moderate or equivalent required | A CMMC cert alone is not enough | FedRAMP authorization or equivalency BoE, CRM | “It’s encrypted, so it’s fine” (it isn’t) |
| You own the GCC/GCC High tenant; MSP administers it | CUI in tenant, not on MSP assets | Often, yes | MSP is not the CSP (DoD FAQ E-A5) | MSP may still be an ESP for its admin/SPD access | No | Tenant ownership proof, admin role list, CRM, SSP | Calling the MSP the CSP because it resold licenses |
| MSP contracts with the CSP and modifies/subdivides the cloud service | Yes, if CUI stored there | Maybe | May be a CSP (DoD FAQ E-A5) | CSP/FedRAMP path if CUI is involved | CMMC is not a substitute for FedRAMP | CSP agreement chain, FedRAMP package, CRM | Missing the “MSP may be the CSP” branch |
| Backup/DR provider stores your CUI (even encrypted) | Yes | Maybe | Often cloud | CSP handling CUI; FedRAMP Moderate or equivalent | A CMMC cert alone is not enough | Backup architecture, encryption, FedRAMP evidence, CRM | Thinking encryption removes the FedRAMP requirement |
| CUI enclave provider stores and operates your CUI environment | Yes | Yes | CSP or ESP depending on model | FedRAMP/CSP path, or non-CSP ESP path; the CRM is central | No (unless voluntary) | CRM, SSP, FedRAMP evidence if cloud, service boundary | Assuming the enclave vendor makes you compliant |

Source: 32 CFR § 170.19 Table 4; DFARS 252.204-7012; DoD CIO CMMC FAQ E-A2, E-A5.

GRC platforms, documentation, and edge cases

GRC / documentation / edge-case scenarios
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| GRC tool stores only policies and control notes | Usually no | Maybe | Usually SaaS | If it stores SPD, SPA/ESP treatment; if neither, not an ESP | No | Data classification, upload policy, CRM | Casually uploading CUI evidence into it |
| GRC tool stores CUI screenshots as evidence | Yes | Maybe | Usually yes | CSP/CUI path; FedRAMP Moderate or equivalent if cloud | A CMMC cert alone is not enough | FedRAMP evidence, evidence-handling policy, CRM | Treating GRC as “just paperwork” |
| Incident response/forensics firm retains images and logs | Likely yes | Yes | Depends | In-scope provider relationship for the engagement | No | IR statement of work, data-handling terms, chain of custody | Waiting until an incident to approve CUI handling |
| Colocation facility hosts your owned hardware | Maybe, on your hardware | Maybe | Usually no | Facilities/physical scoping needed | No | Facility responsibility matrix, physical access controls, SSP | Treating colocation like an ordinary vendor |
| Parent-company or shared corporate SOC serves a subsidiary | No | Yes | Usually no | Shared service can operate like an ESP/SPA for the assessed scope | No | Shared-service agreement, SOC scope, responsibility matrix | Assuming “internal corporate” makes it invisible |
| Procurement-only reseller buys licenses, no system access | No | No | No | Does not meet the CMMC ESP definition | No | Contract showing no access, procurement-only role | Over-scoping every vendor you pay |
| Subcontractor receives your CUI to perform contract work | Yes | Maybe | No | Not just an ESP — a subcontractor flow-down analysis | Contract-dependent | Subcontract flow-down clause, required CMMC level, CUI data flow | Treating a true subcontractor as a mere service provider |

Source: 32 CFR §§ 170.4, 170.19 (eCFR); DFARS 252.204-7021; DoD CIO CMMC FAQ Section E.

Turn your provider stack into an evidence list before an assessor asks for it.When you want your specific stack mapped to the category and evidence you’ll need, map it with Find My CMMC Path. No CUI required.

Map your provider stack →

What is an External Service Provider under CMMC?

An ESP is external people, technology, or facilities you use to provide or manage IT or cybersecurity services — but under CMMC, the provider counts as an ESP only if your CUI or SPD is processed, stored, or transmitted on its assets (32 CFR § 170.4). The provider’s label matters less than what it actually does and where your data lands.

That definition does real work. It’s the reason a payroll SaaS or a break/fix technician who never logs into a CUI system isn’t an ESP, while a SOC that only ever sees your logs is one. Two clarifications save contractors the most grief.

ESP vs. a normal vendor

If a vendor never touches your CUI and never handles your security data, it isn’t a CMMC ESP. Office suppliers, generic marketing tools, and procurement-only resellers don’t get pulled into scope just because you pay them. The test is data flow, not a purchase order — resist the urge to over-scope every line item in your budget.

ESP vs. subcontractor

If another company receives your FCI or CUI to perform contract work, that’s a subcontractor flow-down question, not merely an ESP question. Under DFARS 252.204-7021 and the CMMC Program Rule, prime contractors must flow the appropriate CMMC level down to subcontractors that will process, store, or transmit FCI or CUI. A subcontractor implements and validates its own CMMC status; an ESP’s services are assessed inside yours. Confusing the two is a scoping and contracting error with real consequences.

ESP vs. CSP

Every CSP that touches your CUI or SPD is an ESP, but CSPs are the special case with their own rulebook (FedRAMP, covered below). The DoD CIO’s FAQ (E-A5) draws the line clearly: if the cloud tenant is subscribed or licensed to you, an MSP that merely administers it is not the CSP — even if the MSP resold you the licenses. If the MSP contracts with the CSP directly and modifies the base cloud service, then the MSP itself may be a CSP and must meet FedRAMP requirements.

ESP vs. an RPO/RP readiness consultant

A readiness advisor — a Registered Provider Organization (RPO) or Registered Practitioner (RP) helping you prepare — should not receive CUI through intake forms or casual uploads unless the engagement is explicitly scoped and built for it. Kept clean, an advisory relationship generally doesn’t make the consultant an ESP. Send them CUI through an unsecured portal, and you’ve created a scoping problem where none needed to exist.

Are MSPs and MSSPs assessed during a CMMC Level 2 assessment?

Yes — when their services process, store, transmit, or protect CUI or SPD in your assessed environment, even if you never send CUI to them. The DoD CIO CMMC FAQ (E-A4) gives the direct example: where an MSP handles IT support and an MSSP manages your security tools, both qualify as ESPs and are assessed as part of your assessment against the applicable requirements — and neither is required to hold its own CMMC certification.

CMMC Level 2 is built on the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, and assessed against the 320 objectives in NIST SP 800-171A (32 CFR § 170.14). When your MSP or MSSP is part of how those controls get met, the assessor will look at how their services contribute — and may interview their personnel directly.

MSP with admin credentials

The DoD CIO’s technical guidance treats offsite technicians or MSPs holding passwords to your equipment as handling SPD — those admin credentials are Security Protection Data. That alone can bring the provider into scope even when no CUI ever crosses to their systems. Document the access, define it in the CRM, and be ready to show it.

MSSP running a SOC or SIEM

Log monitoring, SIEM, and security operations commonly involve Security Protection Assets and SPD. Expect the assessor to want your asset inventory, SSP treatment, a network diagram, and evidence for the requirements relevant to what the SOC actually provides. Under the current rule, an MSSP handling only your SPD (not CUI) is assessed within your scope as a Security Protection Asset — it is not required to certify on its own, though many do to reduce the burden of joining each client’s assessment (DoD CMMC FAQ E-A4).

RMM, EDR, DLP, backup, ticketing, and remote access

The practical rule: any tool that stores logs, configurations, access paths, alerts, endpoint telemetry, admin credentials, scan results, or CUI-containing tickets needs a data-flow and responsibility analysis. Don’t scope by product category — scope by what data the tool holds and who can reach it.

What if your MSP refuses to provide evidence?

It happens, and it’s a planning problem, not an assessment-week surprise. Your options, roughly in order of preference:

  • Get the provider evidence-ready — request a CRM or Shared Responsibility Matrix (SRM) and the artifacts for its responsibilities.
  • Reduce CUI/SPD exposure — move CUI, tickets, logs, backups, and admin paths into controlled boundaries so less of the provider’s footprint is in scope.
  • Change provider category — if the MSP can’t support evidence, a CMMC-focused MSP/MSSP, a CUI enclave, or a GRC platform may fit the gap better.
  • Delay the formal assessment — if provider evidence doesn’t exist, a Level 2 C3PAO assessment is premature.

An MSP can be excellent at uptime and still be a poor CMMC fit if it can’t produce assessment evidence. That doesn’t mean you need the most expensive provider — it means you need one whose role, data boundary, CRM, and evidence package match your contract requirement. It helps to see how ESP scope actually moves CMMC readiness and assessment cost before you ask anyone for quotes.

If your MSP is part of the assessment story, decide whether the next step is readiness help, managed security, a CUI enclave, or a C3PAO — before you request quotes.

Compare provider categories →

When is an MSP a Cloud Service Provider instead of just an ESP?

It depends on the relationship among the CSP, the MSP, and you. Per the DoD CIO CMMC FAQ (E-A5): if the cloud tenant is subscribed or licensed to you — even if the MSP resells the service — the MSP is not the CSP. If the MSP contracts with the CSP and modifies the basic cloud service, then the MSP may be a CSP and must meet the applicable FedRAMP or equivalency requirements.

This distinction has real money attached, because the CSP path (FedRAMP) is a different and heavier obligation than the ESP path (assessed inside your assessment).

You own the tenant; the MSP administers it

Here the MSP typically isn’t the CSP. But it may still be an ESP because of its administrative access or the SPD it handles. Keep proof of tenant ownership in your evidence packet, list the admin roles, and define responsibilities in the CRM.

The MSP owns or modifies the cloud service

Now the MSP may become the CSP, and if CUI is processed, stored, or transmitted there, FedRAMP requirements apply. You cannot lean on “it’s managed by a CMMC-aware MSP” as a substitute for the platform’s authorization.

FedRAMP Moderate, FedRAMP equivalency, and encrypted CUI

The rule here is firm. Under DFARS 252.204-7012, if you use a CSP to store, process, or transmit CUI, you must require and ensure the CSP meets security requirements equivalent to the FedRAMP Moderate baseline. The Department’s December 2023 FedRAMP Moderate Equivalency memo sets a high bar: to be considered equivalent, a cloud offering must achieve 100 percent of the FedRAMP Moderate controls through an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO), backed by a body of evidence including an SSP and a CRM (DoD CMMC FAQ E-A1).

And here’s the trap the DoD FAQ (E-A2) closes explicitly: encrypting CUI does not let you store it in a non-FedRAMP cloud. CUI stays controlled regardless of encryption state. A non-FedRAMP-authorized platform can’t hold your encrypted CUI and claim the encryption erased the authorization requirement. The fastest way to check a cloud vendor is to search the exact offering — not just the vendor name — on the FedRAMP Marketplace, then confirm your specific license is for that authorized offering, because standard commercial tiers usually aren’t. For Microsoft environments specifically, that typically means a U.S. Government cloud such as GCC High rather than commercial Microsoft 365; verify the exact service boundary against Microsoft’s own current documentation before you rely on it.

Before you sign a cloud, enclave, or managed-service contract, make sure the relationship model doesn’t create a FedRAMP or assessment gap you didn’t budget for. The wrong model can manufacture assessment work out of thin air.

Check the CSP-vs-ESP path →

What documents should you collect from an ESP before assessment?

At minimum: the ESP’s service description, a Customer Responsibility Matrix (CRM) or Shared Responsibility Matrix (SRM), SSP language, data-flow and asset boundaries, access paths, and the evidence package for the provider’s responsibilities. 32 CFR § 170.19(c)(2)(ii) requires the ESP’s use, relationship, and services to be documented in your SSP and described in the ESP’s service description and CRM.

The CRM is the linchpin. Assessors verify it, and they may interview your provider on the specific controls the CRM assigns to it — so vague, aspirational language won’t survive contact.

Customer Responsibility Matrix / Shared Responsibility Matrix

Structure it so every requirement has a named owner and a traceable artifact:

CRM row template — one row per NIST requirement
| Requirement / control | Your responsibility | ESP responsibility | Evidence owner | Artifact location | Notes |
|---|---|---|---|---|---|
| AC.L2-3.1.1 (access control) | Define access policy | Enforce in RMM | ESP | RMM config export | Inherited via CRM v1.2 |

SSP language for an ESP (fill-in template)

“The [OSA] uses [provider / category] to provide [service]. The provider [does / does not] process, store, or transmit CUI. The provider [does / does not] process, store, or transmit Security Protection Data. Responsibilities are documented in [CRM/SRM name, version, date]. Connecting infrastructure and access paths are shown in [network diagram name, version, date].”

Network diagram and asset inventory

Map, and label, the following: CUI assets, Security Protection Assets, provider-managed systems, remote admin paths, cloud tenant ownership, and every ticketing, logging, or evidence repository. An assessor who can trace CUI and SPD across your diagram is an assessor who moves quickly.

The evidence-request email to send your MSP or MSSP (copy/paste)

Subject: CMMC scoping — external service provider documentation request

We’re finalizing our CMMC assessment scope and need to document every external service provider that processes, stores, transmits, or protects our CUI or Security Protection Data. Please send: (1) your current service description; (2) your Customer Responsibility Matrix or Shared Responsibility Matrix; (3) a data-flow diagram for our environment; (4) the list of tools you use to administer or monitor our systems; (5) the evidence you can support for the applicable responsibilities; and (6) confirmation of whether any CUI or SPD is stored on your systems. Please do not include any CUI in your response.

The email plus the CRM and SSP templates above are the free head start.When you’d rather have your specific stack mapped to the provider category and evidence you’ll need, use Find My CMMC Path to build your ESP evidence list.

Build your ESP evidence list →

How does ESP assessment change for Level 1, Level 2 (Self), Level 2 (C3PAO), and Level 3?

Your contract clause sets the required level and assessment type — and that, in turn, sets the minimum for your ESPs. Level 2 is assessed against NIST SP 800-171 Revision 2; Level 3 requires a Final Level 2 (C3PAO) status first and is assessed by DCMA DIBCAC. An ESP’s minimum assessment type follows your DoD contract requirement (32 CFR §§ 170.16–170.19). For a deeper split of the two Level 2 paths, see our guide on CMMC Level 2 self-assessment vs. C3PAO certification.

ESP assessment implications by CMMC level and path
| Level / path | Data trigger | Assessment type | ESP implication | Common mistake |
|---|---|---|---|---|
| Level 1 | FCI only | Annual self-assessment (15 FAR 52.204-21 requirements) | Consider ESPs that process/store/transmit FCI | Ignoring FCI systems because there’s no CUI |
| Level 2 (Self) | CUI; contract allows self-assessment | Self-assessment every 3 years; score posted to SPRS | Non-CSP ESP with CUI/SPD is in your scope | Thinking “no C3PAO” means “no ESP evidence” |
| Level 2 (C3PAO) | CUI; contract requires third-party | Assessment by an authorized C3PAO; result in CMMC eMASS | ESP evidence can be examined in a formal assessment | Asking the C3PAO to fix your scoping too late |
| Level 3 | High-value/critical CUI | DCMA DIBCAC, after a Level 2 (C3PAO) | ESP scope must align to the Level 2/Level 3 boundary | Attempting Level 3 before Level 2 scope is clean |

Source: 32 CFR §§ 170.3(e), 170.14, 170.16–170.19; DoD final-rule analysis.

DoD’s final-rule analysis estimated that most of the Defense Industrial Base — on the order of 63% — falls under Level 1 self-assessment, with roughly 35% needing Level 2 (C3PAO) certification and small shares for Level 2 self-assessment and Level 3. It’s a useful gut check on where most contractors, and their ESPs, will land.

Level 2 (Self) vs. Level 2 (C3PAO): where the evidence goes

Self-assessment scores are submitted to the Supplier Performance Risk System (SPRS). C3PAO results are uploaded into the CMMC instance of eMASS and flow to SPRS. The ESP evidence expectation is the same in spirit — a current CRM, documented services, and defensible controls — but a third-party assessment means an assessor may test those CRM inheritance claims directly.

Level 3 ESP scope

The Level 3 CMMC Assessment Scope must be equal to or a subset of your Level 2 scope, and any Level 2 POA&M items must be closed before the Level 3 certification assessment begins (32 CFR § 170.19(e)). Level 3 adds 24 enhanced requirements selected from NIST SP 800-172 on top of Level 2. If your ESP touches the Level 3 enclave, its services are assessed against the applicable Level 2 and Level 3 requirements.

Why the timing matters right now

The CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024. The DFARS acquisition rule that puts CMMC into contracts became effective November 10, 2025, kicking off a four-phase, three-year rollout under 32 CFR § 170.3(e).

  • Phase 1 (November 10, 2025 – November 9, 2026): DoD includes Level 1 (Self) or Level 2 (Self) in applicable solicitations and contracts, and may at its discretion require a Level 2 (C3PAO).
  • Phase 2 (begins November 10, 2026): DoD intends to include Level 2 (C3PAO) certification in applicable new solicitations as a condition of award, though it may delay to a contract option period.
  • Phase 3 (November 10, 2027): Across-the-board “all applicable” Level 2 (C3PAO) requirement, plus Level 3 (DIBCAC).
  • Phase 4 (November 10, 2028): Full implementation.

That timeline is not a marketing countdown — it’s a capacity problem. DoD estimated roughly 8,350 medium and large entities alone would need a Level 2 (C3PAO) assessment as a condition of award, part of a far larger pool of CUI-handling contractors. As of , the Cyber AB Marketplace listed 103 authorized C3PAOs to assess all of them. Assessment slots fill from the front of that line, and getting your ESP scope clean is what lets you get in it.

How should you scope tools like GRC, SIEM, EDR, RMM, and backup?

Follow the data, not the product name. If the tool stores your CUI, the CUI/CSP analysis applies. If it stores logs, configurations, admin credentials, vulnerabilities, or alerts for your CUI environment, it’s likely handling SPD and is treated as a Security Protection Asset. If it handles neither, it may not be a CMMC ESP at all (32 CFR § 170.19, Table 4).

  • GRC platforms. Great for organizing evidence — but the moment CUI screenshots land in a non-authorized GRC cloud, you’ve created a CSP/CUI problem. Keep CUI out unless the platform is FedRAMP-appropriate.
  • SIEM and SOC tooling. SPD by nature; expect Security Protection Asset treatment and evidence for the requirements the service actually supports.
  • EDR / RMM / admin tooling. Map telemetry, privileged access, and configuration state. The console is in scope even when CUI never touches it.
  • Backup and disaster recovery. Separate backup metadata from stored CUI. Cloud backup of encrypted CUI still triggers the CSP/FedRAMP analysis — encryption doesn’t exempt it.
  • Vulnerability scanning and pen-test artifacts. Scan results and findings are security-sensitive and generally SPD. Store and share them accordingly.

A reminder worth its own line: software alone does not make you CMMC compliant. A GRC tool or an EDR agent is a supporting layer, not the whole program. The 110 requirements and 320 objectives are yours to meet and prove.

What should you ask a provider before you hire?

Ask category-specific questions about scope, evidence, and role separation — not a generic “are you CMMC compliant?” The right questions surface whether the provider’s work reduces or creates assessment risk.

For an RPO/RP readiness provider:

  • Will you define ESP/CSP/SPD scope before remediation?
  • Will you help write the SSP and CRM language?
  • Will you avoid receiving CUI unless the engagement is explicitly scoped for it?
  • Will you coordinate with our MSP/MSSP and future C3PAO without creating a conflict of interest?

For an MSP/MSSP:

  • Which of your tools touch CUI or SPD?
  • Do you provide a CRM/SRM?
  • Do you store tickets, logs, admin credentials, screenshots, or backups?
  • Have you supported Level 2 (Self) or Level 2 (C3PAO) clients?
  • Are any subcontractors or downstream tools involved?

For a C3PAO:

  • How do you handle ESP evidence during an assessment?
  • What do you expect in the CRM/SRM?
  • How do you treat SPD-only providers?
  • What provider evidence must exist before the assessment begins?

One rule to plan around: a C3PAO cannot assess an organization it previously served as a CMMC consultant within the past three years (32 CFR § 170.8(b)(17)(ii)(G)). Keep readiness help and the formal assessment in separate hands from the start.

For a GRC, enclave, or software vendor:

  • Is the offering a cloud service?
  • Does it store CUI, SPD, or both?
  • Is there FedRAMP authorization or equivalency evidence if CUI is stored?
  • Can it export evidence without exposing CUI?

What we actually verified

We built this page from primary and authoritative sources, and cross-checked the tricky parts against each other. Here’s exactly what we confirmed and when. (See our editorial standards and methodology for how we source and date every claim.)

Verification record (verified item, followed by its source):

  • ESP scoping outcomes for CUI / SPD / CSP (Table 4). Source: 32 CFR § 170.19(c)(2)(i) (eCFR, current as of 6/29/2026).
  • ESP definition; SPD and SPA definitions. Source: 32 CFR § 170.4 (eCFR).
  • Non-CSP ESP with CUI assessed within your assessment. Source: 32 CFR §§ 170.16(a)(3), 170.17(a)(6).
  • MSP not required to have its own CMMC assessment. Source: DoD CIO CMMC FAQ, E-A3.
  • MSP + MSSP both ESPs, assessed in your scope, no separate cert required. Source: DoD CIO CMMC FAQ, E-A4.
  • MSP vs. CSP tenant/relationship test. Source: DoD CIO CMMC FAQ, E-A5.
  • Encrypted CUI still requires a FedRAMP-appropriate cloud. Source: DoD CIO CMMC FAQ, E-A2.
  • CSP handling CUI must meet FedRAMP Moderate (or equivalent). Source: DFARS 252.204-7012 (acquisition.gov, May 2024 clause).
  • FedRAMP Moderate equivalency = 100% of controls via 3PAO + body of evidence. Source: Department’s December 2023 FedRAMP equivalency memo; DoD CMMC FAQ E-A1.
  • Level 2 = 110 requirements, NIST SP 800-171 Rev. 2, 14 families, 320 objectives. Source: 32 CFR § 170.14; NIST SP 800-171A.
  • Four-phase rollout; Phase 1 Nov 10, 2025; Phase 2 Nov 10, 2026; Phase 3 Nov 10, 2027. Source: 32 CFR § 170.3(e); Federal Register (Sept 10, 2025).
  • C3PAO three-year conflict-of-interest bar (consultant then assessor). Source: 32 CFR § 170.8(b)(17)(ii)(G).
  • 103 authorized C3PAOs on the Cyber AB Marketplace. Source: Cyber AB Marketplace snapshot.

What we did not verify for this page: the current Cyber AB Marketplace status, service scope, or any compensation relationship for any named provider. For that reason, this page routes to provider categories, not named vendors. When you’re ready to compare specific providers, verify each one’s status live on the Cyber AB Marketplace.

Frequently asked questions about CMMC external service provider assessment

Does my MSP need its own CMMC certification?

Usually no. Per the DoD CIO CMMC FAQ (E-A3), an MSP storing your CUI is not required to have its own CMMC assessment; its services are assessed as part of your assessment. It may certify voluntarily to simplify things, but that’s a business choice, not a requirement.

Is my MSSP in scope if it only handles logs?

Yes. Logs and configuration data are Security Protection Data. An MSSP handling your SPD is an External Service Provider and is assessed as a Security Protection Asset within your assessment under 32 CFR 170.19.

Is Security Protection Data the same as CUI?

No. SPD is the data used to protect your environment — logs, configs, vulnerability status, and access credentials (32 CFR 170.4). CUI is the protected government information itself. They’re scoped differently: SPD-only providers are Security Protection Assets, while CUI-handling providers face the CUI or CSP path.

If no CUI leaves our tenant, is the MSP out of scope?

Not necessarily. If the MSP has administrative access to systems that process CUI, or handles your SPD, it’s an ESP and in scope — even when no CUI ever crosses to its systems (DoD CIO CMMC FAQ E-A4).

Can a SOC 2 report replace a CMMC assessment?

No. SOC 2 is a separate attestation. It may support your evidence, but it does not satisfy CMMC requirements or replace a Level 2 assessment against NIST SP 800-171 Revision 2.

What is a CRM or SRM for a CMMC ESP?

A Customer Responsibility Matrix (or Shared Responsibility Matrix) documents which party is responsible for each control and where the evidence lives. 32 CFR 170.19 requires ESP services to be described in a CRM and referenced in your SSP. See our CMMC control inheritance guide for CRM documentation patterns.

Does a GRC tool make the vendor an ESP?

Only if it stores your CUI or SPD. A GRC platform holding only policy documents may not be an ESP; one storing CUI evidence in the cloud is on the CSP/CUI path and needs FedRAMP-appropriate hosting.

Are MSP admin passwords Security Protection Data?

Yes. Passwords that grant access to your in-scope environment are SPD (32 CFR 170.4). An MSP holding those credentials is handling SPD, which brings it into scope.

Is a CSP treated the same as an ESP?

Every CSP touching your CUI or SPD is an ESP, but a CSP handling CUI has a distinct obligation: FedRAMP Moderate or equivalent under DFARS 252.204-7012, rather than being assessed inside your CMMC assessment.

Does encrypted CUI in a cloud service still require FedRAMP Moderate or equivalency?

Yes. The DoD CIO CMMC FAQ (E-A2) is explicit — encryption does not decontrol CUI or remove the platform authorization requirement. A non-FedRAMP-authorized cloud can’t store your encrypted CUI on the theory that encryption made it safe.

Do Level 2 (Self) and Level 2 (C3PAO) handle ESPs differently?

The scoping logic is identical; the rigor differs. In a self-assessment you document ESP services and post your score to SPRS. In a C3PAO assessment, an assessor may test your CRM inheritance claims and interview your provider directly.

Can a C3PAO fix my ESP gaps before assessment?

No — and it shouldn’t. A C3PAO cannot assess an organization it consulted for within the past three years (32 CFR 170.8(b)(17)(ii)(G)), so readiness/remediation and the formal assessment must stay in separate hands. Fix scoping and gaps first (often with an RPO/RP or MSP/MSSP), then bring in the C3PAO.

What should I do if my provider refuses to provide evidence?

Reduce your CUI/SPD exposure, require a CRM, consider a provider better suited to a compliance-driven environment, or delay a formal assessment until the evidence exists. Don’t hide the relationship or accept vague “CMMC-ready” language as proof.

Does CMMC use NIST SP 800-171 Rev. 3?

No. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 (32 CFR 170.14), even though NIST has separately published Revision 3. Unless DoD amends the rule, Rev. 2 is the controlling standard.

What’s the fastest way to reduce ESP scope?

Shrink the footprint that touches CUI. Consolidate CUI into a dedicated enclave, lock down endpoints (VDI configured so no CUI is processed locally can put those endpoints out of scope, per DoD CIO CMMC FAQ E-A6), and keep CUI out of tickets, logs, and general-purpose tools.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our corrections policy if you spot something that needs fixing.
