The Defense Compliance Report — independent trade publication on CMMC 2.0 and DIB compliance
CMMC External Service Provider Assessment: How ESPs Are Scoped — and When They Need Their Own
Here is the short version, because you clicked for an answer, not a warm-up act. A CMMC external service provider assessment almost never means your MSP has to go get its own certification. Under the CMMC Program Rule at 32 CFR § 170.19, an External Service Provider (ESP) — external people, technology, or facilities you use to provide or manage IT or cybersecurity services, where your Controlled Unclassified Information (CUI) or Security Protection Data (SPD) lands on its systems — is assessed inside your CMMC assessment, not in a separate one of its own. The exception is a cloud service provider (CSP) that handles your CUI: that path triggers FedRAMP Moderate (or equivalency), not a separate CMMC assessment.
That’s the bottom line. Now here’s the part nobody selling you an assessment wants to say out loud, and it’s the reason most contractors get this expensive decision wrong: the deciding factor isn’t what your vendor calls itself. It’s what data lands on whose systems. Get that one variable right and the entire ESP question resolves. Get it wrong and you can pay a C3PAO to assess a relationship you never should have brought into scope — or fail because you left one out.
Which providers this applies to: MSPs, MSSPs, SOC/SIEM services, RMM and EDR platforms, GRC tools, backup and DR providers, cloud administrators, CUI enclave operators — any outside party that processes, stores, transmits, or protects your CUI or the data used to protect it.
Which it doesn’t: Vendors that never touch CUI or security data (a break/fix shop that never logs in, a payroll SaaS, an office-supply reseller). Under the rule, they don’t meet the CMMC ESP definition. Don’t over-scope them.
The 30-second scoping table
Use this to place any provider before you read further. Every outcome below is straight from 32 CFR § 170.19, Table 4.
| What the provider touches | If the provider is a CSP | If the provider is not a CSP | Your next move |
|---|---|---|---|
| CUI (with or without SPD) | Must meet FedRAMP Moderate or equivalent under DFARS 252.204-7012 | Its services are in your assessment scope and assessed as part of your assessment | Document it in your SSP + CRM; collect evidence |
| SPD only (logs, configs, alerts, admin credentials) | Assessed as a Security Protection Asset in your scope | Assessed as a Security Protection Asset in your scope | Document the relevant security capabilities |
| Neither CUI nor SPD | Not a CMMC ESP | Not a CMMC ESP | Keep proof there’s no CUI/SPD path |
| You’re not sure | Treat as unresolved scope risk | Treat as unresolved scope risk | Map it before you request quotes |
Do external service providers need their own CMMC assessment?
Usually, no. The DoD CIO’s CMMC FAQ (Section E, answer E-A3) states plainly that an MSP storing your CUI in a system it provides is not required to have its own CMMC assessment — though it may elect to self-assess or pursue certification to simplify your assessment. When a non-cloud ESP touches your CUI or SPD, its relevant services are assessed as part of your assessment against the applicable security requirements (32 CFR § 170.19).
This is the single most misreported fact in the CMMC ecosystem. Search the CMMC Program Rule for “MSP” and you won’t find the acronym once. The Department of Defense uses one umbrella term — External Service Provider — to cover managed service providers, managed security service providers, cloud administrators, and the tooling they run. What matters is not the label on the invoice. It’s the answer to three questions.
The three-question test: CUI, SPD, or CSP?
Before you can decide how a provider is handled, you answer these in order. This is the logic baked into Table 4 of the rule.
- Does the provider process, store, or transmit your CUI? CUI is information the government creates or possesses — or that a company creates or possesses for the government — that a law, regulation, or government-wide policy requires or permits an agency to protect with safeguarding or dissemination controls (32 CFR 2002.4). Common examples: export-controlled technical data, contract data, engineering drawings, and specifications related to defense work.
- Does it process, store, or transmit your SPD? Security Protection Data is the supporting data used to protect your environment — log files, configuration data, the vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment (32 CFR § 170.4).
- Is the provider actually a Cloud Service Provider? A CSP delivers cloud computing services under the NIST SP 800-145 definition. Reselling licenses or logging into your cloud does not automatically make a vendor a CSP — more on that below.
If the answer to both 1 and 2 is no, the provider does not meet the CMMC ESP definition and drops out of this entire framework. If yes to either, it’s an ESP, and the treatment depends on the CSP question.
The one variable that decides it: whose systems hold the CUI?
Here’s the distinction that resolves nearly every argument. The regulation and the DoD FAQ point the same direction:
- CUI stays on your systems; the MSP only administers them remotely. The MSP’s administrative access is in scope and assessed inside your assessment, but no CUI resides on the MSP’s own systems — so the MSP needs no separate certification.
- CUI actually resides on the MSP’s own systems. Now the MSP is a non-CSP ESP that processes, stores, or transmits your CUI. Per DoD CMMC FAQ E-A3 it still isn’t required to hold its own certification — but the ESP services used to meet your requirements are in your assessment scope and assessed as part of your assessment against all Level 2 requirements, which is a heavier lift for everyone involved.
Either way, the burden lands on you to document the relationship and prove the controls.
What a voluntary ESP certification can — and can’t — do
An ESP is allowed to voluntarily undergo a CMMC assessment. If it does, the assessment level and type must be at least equal to what your contract requires and must cover the assets in scope for your assessment (32 CFR § 170.19(c)(2)(ii); DoD CMMC FAQ E-A3). It can reduce friction: a certified ESP’s validated controls can be inherited through your CRM, so it doesn’t have to participate directly in your assessment for those objectives. It cannot certify you — that certification is yours to earn.
A certified MSP does not make you compliant, and it does not remove that MSP’s services from your assessment scope. You, the contractor, remain accountable for all 110 NIST SP 800-171 Revision 2 security requirements and all 320 assessment objectives in NIST SP 800-171A. We flag this because contractors routinely treat a vendor’s certificate as a finish line and discover, during a readiness review, that their own tenant configuration, user management, and customer-owned controls were never mapped.
The CMMC ESP Assessment Decision Matrix: which provider scenarios are in scope?
The safe way to answer ESP scope is by scenario, not by vendor label. What does the provider actually do, what data lands on its systems, is the service cloud-based, and which assessment type does your contract require? The matrix below is built from 32 CFR § 170.19, the DoD CIO CMMC FAQ Section E, and the DoD CIO technical ESP guidance. It is a scoping triage tool, not a compliance determination.
MSP, help desk, and IT administration
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| On-site IT contractor uses only your devices and accounts | Usually no | Maybe | No | People/process in your scope; verify no provider system stores CUI/SPD | No | Account list, access procedures, contract terms, SSP role description | Assuming “contractor” means out of scope |
| Remote help desk stores admin passwords in its own password manager | No | Yes | Usually no | ESP handling SPD; assessed as a Security Protection Asset | No | Password-vault boundary, CRM, access paths, SSP entry | Missing that admin passwords are SPD |
| MSP remotely administers your CUI environment; CUI never resides on MSP systems | No | Yes | No | Admin services assessed inside your assessment | No | Admin role list, CRM, remote-access diagram | Treating “no CUI on us” as “not in scope” |
| MSP hosts your CUI file share or RDS on its own (non-cloud) hardware | Yes | Maybe | Usually no | Non-CSP ESP with CUI; services assessed in your scope vs. all Level 2 requirements | No (voluntary) | Hosting boundary, physical/logical separation, CRM, evidence package | Buying hosting before deciding CSP vs. ESP |
| MSP ticketing system contains CUI (screenshots, drawings, excerpts) | Yes | Maybe | If SaaS, maybe | CUI path; non-CSP ESP in your scope, or CSP/FedRAMP if it’s cloud | Depends | Ticket-data policy, redaction rules, data-flow diagram, CRM | Letting CUI leak into tickets |
MSSP, SOC, SIEM, and security tooling
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| MSSP/SOC ingests logs from your CUI environment | No | Yes | Could be | ESP handling SPD; assessed as a Security Protection Asset | No | Log-flow diagram, SOC responsibilities, CRM, SSP | Forgetting logs and configs are SPD |
| SIEM hosted inside your tenant; MSSP views alerts | No provider storage if configured that way | Access to SPD | No/depends | SIEM is an SPA; MSSP access in scope | No | SIEM architecture, access roles, CRM | Assuming “hosted in our tenant” removes the ESP question |
| Provider-hosted SIEM stores your logs | Usually no | Yes | Often cloud | CSP/ESP handling SPD; assessed as an SPA | No | Data residency, CRM, access-control evidence | Confusing FedRAMP-for-CUI rules with SPD-only rules |
| RMM/EDR console stores endpoint telemetry and configuration | Usually no | Yes | Often SaaS | SPD path; relevant services assessed as SPAs | No | Tool architecture, privileged access, CRM | Missing the tool console’s scope |
| Vulnerability scanner stores scan results | No | Yes | Often SaaS | SPD/SPA path | No | Result storage, retention, CRM | Treating scan results as harmless |
Cloud, CSP, GovCloud, and CUI enclave
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| SaaS file-sharing or collaboration tool stores your CUI | Yes | Maybe | Usually yes | CSP handling CUI; FedRAMP Moderate or equivalent required | A CMMC cert alone is not enough | FedRAMP authorization or equivalency BoE, CRM | “It’s encrypted, so it’s fine” (it isn’t) |
| You own the GCC/GCC High tenant; MSP administers it | CUI in tenant, not on MSP assets | Often, yes | MSP is not the CSP (DoD FAQ E-A5) | MSP may still be an ESP for its admin/SPD access | No | Tenant ownership proof, admin role list, CRM, SSP | Calling the MSP the CSP because it resold licenses |
| MSP contracts with the CSP and modifies/subdivides the cloud service | Yes, if CUI stored there | Maybe | May be a CSP (DoD FAQ E-A5) | CSP/FedRAMP path if CUI is involved | CMMC is not a substitute for FedRAMP | CSP agreement chain, FedRAMP package, CRM | Missing the “MSP may be the CSP” branch |
| Backup/DR provider stores your CUI (even encrypted) | Yes | Maybe | Often cloud | CSP handling CUI; FedRAMP Moderate or equivalent | A CMMC cert alone is not enough | Backup architecture, encryption, FedRAMP evidence, CRM | Thinking encryption removes the FedRAMP requirement |
| CUI enclave provider stores and operates your CUI environment | Yes | Yes | CSP or ESP depending on model | FedRAMP/CSP path, or non-CSP ESP path; the CRM is central | No (unless voluntary) | CRM, SSP, FedRAMP evidence if cloud, service boundary | Assuming the enclave vendor makes you compliant |
GRC platforms, documentation, and edge cases
| Scenario | CUI on provider’s systems? | SPD on provider’s systems? | CSP? | How it’s treated | Own CMMC cert required? | Key evidence to collect | Common mistake |
|---|---|---|---|---|---|---|---|
| GRC tool stores only policies and control notes | Usually no | Maybe | Usually SaaS | If it stores SPD, SPA/ESP treatment; if neither, not an ESP | No | Data classification, upload policy, CRM | Casually uploading CUI evidence into it |
| GRC tool stores CUI screenshots as evidence | Yes | Maybe | Usually yes | CSP/CUI path; FedRAMP Moderate or equivalent if cloud | A CMMC cert alone is not enough | FedRAMP evidence, evidence-handling policy, CRM | Treating GRC as “just paperwork” |
| Incident response/forensics firm retains images and logs | Likely yes | Yes | Depends | In-scope provider relationship for the engagement | No | IR statement of work, data-handling terms, chain of custody | Waiting until an incident to approve CUI handling |
| Colocation facility hosts your owned hardware | Maybe, on your hardware | Maybe | Usually no | Facilities/physical scoping needed | No | Facility responsibility matrix, physical access controls, SSP | Treating colocation like an ordinary vendor |
| Parent-company or shared corporate SOC serves a subsidiary | No | Yes | Usually no | Shared service can operate like an ESP/SPA for the assessed scope | No | Shared-service agreement, SOC scope, responsibility matrix | Assuming “internal corporate” makes it invisible |
| Procurement-only reseller buys licenses, no system access | No | No | No | Does not meet the CMMC ESP definition | No | Contract showing no access, procurement-only role | Over-scoping every vendor you pay |
| Subcontractor receives your CUI to perform contract work | Yes | Maybe | No | Not just an ESP — a subcontractor flow-down analysis | Contract-dependent | Subcontract flow-down clause, required CMMC level, CUI data flow | Treating a true subcontractor as a mere service provider |
What is an External Service Provider under CMMC?
An ESP is external people, technology, or facilities you use to provide or manage IT or cybersecurity services — but under CMMC, the provider counts as an ESP only if your CUI or SPD is processed, stored, or transmitted on its assets (32 CFR § 170.4). The provider’s label matters less than what it actually does and where your data lands.
That definition does real work. It’s the reason a payroll SaaS or a break/fix technician who never logs into a CUI system isn’t an ESP, while a SOC that only ever sees your logs is one. Two clarifications save contractors the most grief.
ESP vs. a normal vendor
If a vendor never touches your CUI and never handles your security data, it isn’t a CMMC ESP. Office suppliers, generic marketing tools, and procurement-only resellers don’t get pulled into scope just because you pay them. The test is data flow, not a purchase order — resist the urge to over-scope every line item in your budget.
ESP vs. subcontractor
If another company receives your FCI or CUI to perform contract work, that’s a subcontractor flow-down question, not merely an ESP question. Under DFARS 252.204-7021 and the CMMC Program Rule, prime contractors must flow the appropriate CMMC level down to subcontractors that will process, store, or transmit FCI or CUI. A subcontractor implements and validates its own CMMC status; an ESP’s services are assessed inside yours. Confusing the two is a scoping and contracting error with real consequences.
ESP vs. CSP
Every CSP that touches your CUI or SPD is an ESP, but CSPs are the special case with their own rulebook (FedRAMP, covered below). The DoD CIO’s FAQ (E-A5) draws the line clearly: if the cloud tenant is subscribed or licensed to you, an MSP that merely administers it is not the CSP — even if the MSP resold you the licenses. If the MSP contracts with the CSP directly and modifies the base cloud service, then the MSP itself may be a CSP and must meet FedRAMP requirements.
ESP vs. an RPO/RP readiness consultant
A readiness advisor — a Registered Provider Organization (RPO) or Registered Practitioner (RP) helping you prepare — should not receive CUI through intake forms or casual uploads unless the engagement is explicitly scoped and built for it. Kept clean, an advisory relationship generally doesn’t make the consultant an ESP. Send them CUI through an unsecured portal, and you’ve created a scoping problem where none needed to exist.
Are MSPs and MSSPs assessed during a CMMC Level 2 assessment?
Yes — when their services process, store, transmit, or protect CUI or SPD in your assessed environment, even if you never send CUI to them. The DoD CIO CMMC FAQ (E-A4) gives the direct example: where an MSP handles IT support and an MSSP manages your security tools, both qualify as ESPs and are assessed as part of your assessment against the applicable requirements — and neither is required to hold its own CMMC certification.
CMMC Level 2 is built on the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, and assessed against the 320 objectives in NIST SP 800-171A (32 CFR § 170.14). When your MSP or MSSP is part of how those controls get met, the assessor will look at how their services contribute — and may interview their personnel directly.
MSP with admin credentials
The DoD CIO’s technical guidance treats offsite technicians or MSPs holding passwords to your equipment as handling SPD — those admin credentials are Security Protection Data. That alone can bring the provider into scope even when no CUI ever crosses to their systems. Document the access, define it in the CRM, and be ready to show it.
MSSP running a SOC or SIEM
Log monitoring, SIEM, and security operations commonly involve Security Protection Assets and SPD. Expect the assessor to want your asset inventory, SSP treatment, a network diagram, and evidence for the requirements relevant to what the SOC actually provides. Under the current rule, an MSSP handling only your SPD (not CUI) is assessed within your scope as a Security Protection Asset — it is not required to certify on its own, though many do to reduce the burden of joining each client’s assessment (DoD CMMC FAQ E-A4).
RMM, EDR, DLP, backup, ticketing, and remote access
The practical rule: any tool that stores logs, configurations, access paths, alerts, endpoint telemetry, admin credentials, scan results, or CUI-containing tickets needs a data-flow and responsibility analysis. Don’t scope by product category — scope by what data the tool holds and who can reach it.
What if your MSP refuses to provide evidence?
It happens, and it’s a planning problem, not an assessment-week surprise. Your options, roughly in order of preference:
- Get the provider evidence-ready — request a CRM or Shared Responsibility Matrix (SRM) and the artifacts for its responsibilities.
- Reduce CUI/SPD exposure — move CUI, tickets, logs, backups, and admin paths into controlled boundaries so less of the provider’s footprint is in scope.
- Change provider category — if the MSP can’t support evidence, a CMMC-focused MSP/MSSP, a CUI enclave, or a GRC platform may fit the gap better.
- Delay the formal assessment — if provider evidence doesn’t exist, a Level 2 C3PAO assessment is premature.
An MSP can be excellent at uptime and still be a poor CMMC fit if it can’t produce assessment evidence. That doesn’t mean you need the most expensive provider — it means you need one whose role, data boundary, CRM, and evidence package match your contract requirement. It helps to see how ESP scope actually moves CMMC readiness and assessment cost before you ask anyone for quotes.
When is an MSP a Cloud Service Provider instead of just an ESP?
It depends on the relationship among the CSP, the MSP, and you. Per the DoD CIO CMMC FAQ (E-A5): if the cloud tenant is subscribed or licensed to you — even if the MSP resells the service — the MSP is not the CSP. If the MSP contracts with the CSP and modifies the basic cloud service, then the MSP may be a CSP and must meet the applicable FedRAMP or equivalency requirements.
This distinction has real money attached, because the CSP path (FedRAMP) is a different and heavier obligation than the ESP path (assessed inside your assessment).
You own the tenant; the MSP administers it
Here the MSP typically isn’t the CSP. But it may still be an ESP because of its administrative access or the SPD it handles. Keep proof of tenant ownership in your evidence packet, list the admin roles, and define responsibilities in the CRM.
The MSP owns or modifies the cloud service
Now the MSP may become the CSP, and if CUI is processed, stored, or transmitted there, FedRAMP requirements apply. You cannot lean on “it’s managed by a CMMC-aware MSP” as a substitute for the platform’s authorization.
FedRAMP Moderate, FedRAMP equivalency, and encrypted CUI
The rule here is firm. Under DFARS 252.204-7012, if you use a CSP to store, process, or transmit CUI, you must require and ensure the CSP meets security requirements equivalent to the FedRAMP Moderate baseline. The Department’s December 2023 FedRAMP Moderate Equivalency memo sets a high bar: to be considered equivalent, a cloud offering must achieve 100 percent of the FedRAMP Moderate controls through an assessment by a FedRAMP-recognized Third Party Assessment Organization (3PAO), backed by a body of evidence including an SSP and a CRM (DoD CMMC FAQ E-A1).
And here’s the trap the DoD FAQ (E-A2) closes explicitly: encrypting CUI does not let you store it in a non-FedRAMP cloud. CUI stays controlled regardless of encryption state. A non-FedRAMP-authorized platform can’t hold your encrypted CUI and claim the encryption erased the authorization requirement. The fastest way to check a cloud vendor is to search the exact offering — not just the vendor name — on the FedRAMP Marketplace, then confirm your specific license is for that authorized offering, because standard commercial tiers usually aren’t. For Microsoft environments specifically, that typically means a U.S. Government cloud such as GCC High rather than commercial Microsoft 365; verify the exact service boundary against Microsoft’s own current documentation before you rely on it.
Before you sign a cloud, enclave, or managed-service contract, make sure the relationship model doesn’t create a FedRAMP or assessment gap you didn’t budget for. The wrong model can manufacture assessment work out of thin air.
What documents should you collect from an ESP before assessment?
At minimum: the ESP’s service description, a Customer Responsibility Matrix (CRM) or Shared Responsibility Matrix (SRM), SSP language, data-flow and asset boundaries, access paths, and the evidence package for the provider’s responsibilities. 32 CFR § 170.19(c)(2)(ii) requires the ESP’s use, relationship, and services to be documented in your SSP and described in the ESP’s service description and CRM.
The CRM is the linchpin. Assessors verify it, and they may interview your provider on the specific controls the CRM assigns to it — so vague, aspirational language won’t survive contact.
Customer Responsibility Matrix / Shared Responsibility Matrix
Structure it so every requirement has a named owner and a traceable artifact:
| Requirement / control | Your responsibility | ESP responsibility | Evidence owner | Artifact location | Notes |
|---|---|---|---|---|---|
| AC.L2-3.1.1 (access control) | Define access policy | Enforce in RMM | ESP | RMM config export | Inherited via CRM v1.2 |
SSP language for an ESP (fill-in template)
“The [OSA] uses [provider / category] to provide [service]. The provider [does / does not] process, store, or transmit CUI. The provider [does / does not] process, store, or transmit Security Protection Data. Responsibilities are documented in [CRM/SRM name, version, date]. Connecting infrastructure and access paths are shown in [network diagram name, version, date].”
Network diagram and asset inventory
Map, and label, the following: CUI assets, Security Protection Assets, provider-managed systems, remote admin paths, cloud tenant ownership, and every ticketing, logging, or evidence repository. An assessor who can trace CUI and SPD across your diagram is an assessor who moves quickly.
The evidence-request email to send your MSP or MSSP (copy/paste)
Subject: CMMC scoping — external service provider documentation request
We’re finalizing our CMMC assessment scope and need to document every external service provider that processes, stores, transmits, or protects our CUI or Security Protection Data. Please send: (1) your current service description; (2) your Customer Responsibility Matrix or Shared Responsibility Matrix; (3) a data-flow diagram for our environment; (4) the list of tools you use to administer or monitor our systems; (5) the evidence you can support for the applicable responsibilities; and (6) confirmation of whether any CUI or SPD is stored on your systems. Please do not include any CUI in your response.
How does ESP assessment change for Level 1, Level 2 (Self), Level 2 (C3PAO), and Level 3?
Your contract clause sets the required level and assessment type — and that, in turn, sets the minimum for your ESPs. Level 2 is assessed against NIST SP 800-171 Revision 2; Level 3 requires a Final Level 2 (C3PAO) status first and is assessed by DCMA DIBCAC. An ESP’s minimum assessment type follows your DoD contract requirement (32 CFR §§ 170.16–170.19). For a deeper split of the two Level 2 paths, see our guide on CMMC Level 2 self-assessment vs. C3PAO certification.
| Level / path | Data trigger | Assessment type | ESP implication | Common mistake |
|---|---|---|---|---|
| Level 1 | FCI only | Annual self-assessment (15 FAR 52.204-21 requirements) | Consider ESPs that process/store/transmit FCI | Ignoring FCI systems because there’s no CUI |
| Level 2 (Self) | CUI; contract allows self-assessment | Self-assessment every 3 years; score posted to SPRS | Non-CSP ESP with CUI/SPD is in your scope | Thinking “no C3PAO” means “no ESP evidence” |
| Level 2 (C3PAO) | CUI; contract requires third-party | Assessment by an authorized C3PAO; result in CMMC eMASS | ESP evidence can be examined in a formal assessment | Asking the C3PAO to fix your scoping too late |
| Level 3 | High-value/critical CUI | DCMA DIBCAC, after a Level 2 (C3PAO) | ESP scope must align to the Level 2/Level 3 boundary | Attempting Level 3 before Level 2 scope is clean |
DoD’s final-rule analysis estimated that most of the Defense Industrial Base — on the order of 63% — falls under Level 1 self-assessment, with roughly 35% needing Level 2 (C3PAO) certification and small shares for Level 2 self-assessment and Level 3. It’s a useful gut check on where most contractors, and their ESPs, will land.
Level 2 (Self) vs. Level 2 (C3PAO): where the evidence goes
Self-assessment scores are submitted to the Supplier Performance Risk System (SPRS). C3PAO results are uploaded into the CMMC instance of eMASS and flow to SPRS. The ESP evidence expectation is the same in spirit — a current CRM, documented services, and defensible controls — but a third-party assessment means an assessor may test those CRM inheritance claims directly.
Level 3 ESP scope
The Level 3 CMMC Assessment Scope must be equal to or a subset of your Level 2 scope, and any Level 2 POA&M items must be closed before the Level 3 certification assessment begins (32 CFR § 170.19(e)). Level 3 adds 24 enhanced requirements selected from NIST SP 800-172 on top of Level 2. If your ESP touches the Level 3 enclave, its services are assessed against the applicable Level 2 and Level 3 requirements.
Why the timing matters right now
The CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024. The DFARS acquisition rule that puts CMMC into contracts became effective November 10, 2025, kicking off a four-phase, three-year rollout under 32 CFR § 170.3(e).
- Phase 1 (November 10, 2025 – November 9, 2026): DoD includes Level 1 (Self) or Level 2 (Self) in applicable solicitations and contracts, and may at its discretion require a Level 2 (C3PAO).
- Phase 2 (begins November 10, 2026): DoD intends to include Level 2 (C3PAO) certification in applicable new solicitations as a condition of award, though it may delay to a contract option period.
- Phase 3 (November 10, 2027): Across-the-board “all applicable” Level 2 (C3PAO) requirement, plus Level 3 (DIBCAC).
- Phase 4 (November 10, 2028): Full implementation.
That timeline is not a marketing countdown — it’s a capacity problem. DoD estimated roughly 8,350 medium and large entities alone would need a Level 2 (C3PAO) assessment as a condition of award, part of a far larger pool of CUI-handling contractors. As of , the Cyber AB Marketplace listed 103 authorized C3PAOs to assess all of them. Assessment slots fill from the front of that line, and getting your ESP scope clean is what lets you get in it.
How should you scope tools like GRC, SIEM, EDR, RMM, and backup?
Follow the data, not the product name. If the tool stores your CUI, the CUI/CSP analysis applies. If it stores logs, configurations, admin credentials, vulnerabilities, or alerts for your CUI environment, it’s likely handling SPD and is treated as a Security Protection Asset. If it handles neither, it may not be a CMMC ESP at all (32 CFR § 170.19, Table 4).
- GRC platforms. Great for organizing evidence — but the moment CUI screenshots land in a non-authorized GRC cloud, you’ve created a CSP/CUI problem. Keep CUI out unless the platform is FedRAMP-appropriate.
- SIEM and SOC tooling. SPD by nature; expect Security Protection Asset treatment and evidence for the requirements the service actually supports.
- EDR / RMM / admin tooling. Map telemetry, privileged access, and configuration state. The console is in scope even when CUI never touches it.
- Backup and disaster recovery. Separate backup metadata from stored CUI. Cloud backup of encrypted CUI still triggers the CSP/FedRAMP analysis — encryption doesn’t exempt it.
- Vulnerability scanning and pen-test artifacts. Scan results and findings are security-sensitive and generally SPD. Store and share them accordingly.
A reminder worth its own line: software alone does not make you CMMC compliant. A GRC tool or an EDR agent is a supporting layer, not the whole program. The 110 requirements and 320 objectives are yours to meet and prove.
What should you ask a provider before you hire?
Ask category-specific questions about scope, evidence, and role separation — not a generic “are you CMMC compliant?” The right questions surface whether the provider’s work reduces or creates assessment risk.
For an RPO/RP readiness provider:
Will you define ESP/CSP/SPD scope before remediation? Will you help write the SSP and CRM language? Will you avoid receiving CUI unless the engagement is explicitly scoped for it? Will you coordinate with our MSP/MSSP and future C3PAO without creating a conflict of interest?
For an MSP/MSSP:
Which of your tools touch CUI or SPD? Do you provide a CRM/SRM? Do you store tickets, logs, admin credentials, screenshots, or backups? Have you supported Level 2 (Self) or Level 2 (C3PAO) clients? Are any subcontractors or downstream tools involved?
For a C3PAO:
How do you handle ESP evidence during an assessment? What do you expect in the CRM/SRM? How do you treat SPD-only providers? What provider evidence must exist before the assessment begins? One rule to plan around: a C3PAO cannot assess an organization it previously served as a CMMC consultant within the past three years (32 CFR § 170.8(b)(17)(ii)(G)). Keep readiness help and the formal assessment in separate hands from the start.
For a GRC, enclave, or software vendor:
Is the offering a cloud service? Does it store CUI, SPD, or both? Is there FedRAMP authorization or equivalency evidence if CUI is stored? Can it export evidence without exposing CUI?
What we actually verified
We built this page from primary and authoritative sources, and cross-checked the tricky parts against each other. Here’s exactly what we confirmed and when. (See our editorial standards and methodology for how we source and date every claim.)
| Verified item | Source | Last verified |
|---|---|---|
| ESP scoping outcomes for CUI / SPD / CSP (Table 4) | 32 CFR § 170.19(c)(2)(i) (eCFR, current as of 6/29/2026) | |
| ESP definition; SPD and SPA definitions | 32 CFR § 170.4 (eCFR) | |
| Non-CSP ESP with CUI assessed within your assessment | 32 CFR §§ 170.16(a)(3), 170.17(a)(6) | |
| MSP not required to have its own CMMC assessment | DoD CIO CMMC FAQ, E-A3 | |
| MSP + MSSP both ESPs, assessed in your scope, no separate cert required | DoD CIO CMMC FAQ, E-A4 | |
| MSP vs. CSP tenant/relationship test | DoD CIO CMMC FAQ, E-A5 | |
| Encrypted CUI still requires a FedRAMP-appropriate cloud | DoD CIO CMMC FAQ, E-A2 | |
| CSP handling CUI must meet FedRAMP Moderate (or equivalent) | DFARS 252.204-7012 (acquisition.gov, May 2024 clause) | |
| FedRAMP Moderate equivalency = 100% of controls via 3PAO + body of evidence | Department’s December 2023 FedRAMP equivalency memo; DoD CMMC FAQ E-A1 | |
| Level 2 = 110 requirements, NIST SP 800-171 Rev. 2, 14 families, 320 objectives | 32 CFR § 170.14; NIST SP 800-171A | |
| Four-phase rollout; Phase 1 Nov 10, 2025; Phase 2 Nov 10, 2026; Phase 3 Nov 10, 2027 | 32 CFR § 170.3(e); Federal Register (Sept 10, 2025) | |
| C3PAO three-year conflict-of-interest bar (consultant then assessor) | 32 CFR § 170.8(b)(17)(ii)(G) | |
| 103 authorized C3PAOs on the Cyber AB Marketplace | Cyber AB Marketplace snapshot, | |
Frequently asked questions about CMMC external service provider assessment
Does my MSP need its own CMMC certification?
Usually no. Per the DoD CIO CMMC FAQ (E-A3), an MSP storing your CUI is not required to have its own CMMC assessment; its services are assessed as part of your assessment. It may certify voluntarily to simplify things, but that’s a business choice, not a requirement.
Is my MSSP in scope if it only handles logs?
Yes. Logs and configuration data are Security Protection Data. An MSSP handling your SPD is an External Service Provider and is assessed as a Security Protection Asset within your assessment under 32 CFR 170.19.
Is Security Protection Data the same as CUI?
No. SPD is the data used to protect your environment — logs, configs, vulnerability status, and access credentials (32 CFR 170.4). CUI is the protected government information itself. They’re scoped differently: SPD-only providers are Security Protection Assets, while CUI-handling providers face the CUI or CSP path.
If no CUI leaves our tenant, is the MSP out of scope?
Not necessarily. If the MSP has administrative access to systems that process CUI, or handles your SPD, it’s an ESP and in scope — even when no CUI ever crosses to its systems (DoD CIO CMMC FAQ E-A4).
Can a SOC 2 report replace a CMMC assessment?
No. SOC 2 is a separate attestation. It may support your evidence, but it does not satisfy CMMC requirements or replace a Level 2 assessment against NIST SP 800-171 Revision 2.
What is a CRM or SRM for a CMMC ESP?
A Customer Responsibility Matrix (or Shared Responsibility Matrix) documents which party is responsible for each control and where the evidence lives. 32 CFR 170.19 requires ESP services to be described in a CRM and referenced in your SSP. See our CMMC control inheritance guide for CRM documentation patterns.
Does a GRC tool make the vendor an ESP?
Only if it stores your CUI or SPD. A GRC platform holding only policy documents may not be an ESP; one storing CUI evidence in the cloud is on the CSP/CUI path and needs FedRAMP-appropriate hosting.
Are MSP admin passwords Security Protection Data?
Yes. Passwords that grant access to your in-scope environment are SPD (32 CFR 170.4). An MSP holding those credentials is handling SPD, which brings it into scope.
Is a CSP treated the same as an ESP?
Every CSP touching your CUI or SPD is an ESP, but a CSP handling CUI has a distinct obligation: FedRAMP Moderate or equivalent under DFARS 252.204-7012, rather than being assessed inside your CMMC assessment.
Does encrypted CUI in a cloud service still require FedRAMP Moderate or equivalency?
Yes. The DoD CIO CMMC FAQ (E-A2) is explicit — encryption does not decontrol CUI or remove the platform authorization requirement. A non-FedRAMP-authorized cloud can’t store your encrypted CUI on the theory that encryption made it safe.
Do Level 2 (Self) and Level 2 (C3PAO) handle ESPs differently?
The scoping logic is identical; the rigor differs. In a self-assessment you document ESP services and post your score to SPRS. In a C3PAO assessment, an assessor may test your CRM inheritance claims and interview your provider directly.
Can a C3PAO fix my ESP gaps before assessment?
No — and it shouldn’t. A C3PAO cannot assess an organization it consulted for within the past three years (32 CFR 170.8(b)(17)(ii)(G)), so readiness/remediation and the formal assessment must stay in separate hands. Fix scoping and gaps first (often with an RPO/RP or MSP/MSSP), then bring in the C3PAO.
What should I do if my provider refuses to provide evidence?
Reduce your CUI/SPD exposure, require a CRM, consider a provider better suited to a compliance-driven environment, or delay a formal assessment until the evidence exists. Don’t hide the relationship or accept vague “CMMC-ready” language as proof.
Does CMMC use NIST SP 800-171 Rev. 3?
No. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 (32 CFR 170.14), even though NIST has separately published Revision 3. Unless DoD amends the rule, Rev. 2 is the controlling standard.
What’s the fastest way to reduce ESP scope?
Shrink the footprint that touches CUI. Consolidate CUI into a dedicated enclave, lock down endpoints (VDI configured so no CUI is processed locally can put those endpoints out of scope, per DoD CIO CMMC FAQ E-A6), and keep CUI out of tickets, logs, and general-purpose tools.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our corrections policy if you spot something that needs fixing.