The Defense Compliance Report | CMMC 2.0 & the Defense Industrial Base

CMMC External Service Provider Requirements: What MSPs, MSSPs, and CSPs Actually Have to Do

The Defense Compliance Report Editorial Team, independent CMMC and DIB compliance research
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

Independent trade publication on CMMC 2.0 and DIB compliance. Not affiliated with the Department of Defense, the Cyber AB, DCMA DIBCAC, or NIST. This is informational reporting, not legal, contractual, or compliance advice. Editorial & Advertising Policy.

If someone has told you your MSP, cloud provider, or security operations team could make or break your audit, here’s the short version of CMMC external service provider requirements: an outside provider only becomes a CMMC External Service Provider (ESP) when your Controlled Unclassified Information (CUI) — or your Security Protection Data (SPD), meaning logs, configurations, and admin passwords — lives on that provider’s systems. And here’s the part most pages still get wrong: under the CMMC Final Rule (effective December 16, 2024), your provider almost certainly does not need its own CMMC certification. The proposed rule said it did. The final rule removed that requirement before it was published.

We built this guide by reading the rule text itself, the Defense Department’s own technical guidance, and the current DoD CMMC FAQ — and we’ll show you exactly what we verified and when, lower down. This is the question contractors and IT providers get stuck on more than almost any other, and a lot of what’s ranking for it is out of date. Last verified: June 2, 2026.

The 30-second answer

Bottom line: For Level 2 and Level 3, a vendor enters your CMMC scope when your CUI or Security Protection Data is processed, stored, or transmitted on the vendor’s own assets. Match your situation to the row, then read the section that fits.

Your provider situation | What CMMC requires
--- | ---
A cloud service stores, processes, or transmits your CUI | The cloud must be FedRAMP Moderate authorized or FedRAMP Moderate equivalent (DFARS 252.204-7012).
A non-cloud MSP stores or handles your CUI on its own systems | Those services are inside your CMMC assessment scope — but the MSP’s own certification is not automatically required.
An MSSP or SOC handles your logs, alerts, configs, or admin credentials but no CUI | Usually treated as a Security Protection Asset — assessed against the relevant controls, with no separate certification and no FedRAMP.
A provider’s assets touch neither CUI nor SPD | Not an ESP for CMMC purposes. Document why, and move on.
A subcontractor receives FCI or CUI to perform the actual contract work | This is a flow-down question, not just an ESP question (DFARS 252.204-7021). See the flow-down section below.


Does your MSP or external provider need its own CMMC certification?

No — not automatically. Under the CMMC Final Rule, an External Service Provider is not required to hold its own CMMC certification. The requirement that scared the entire managed-services market — the one in the December 2023 proposed rule that said your provider had to be certified at your level or higher — was removed before the rule was finalized. Your provider’s relevant services can instead be assessed as part of your assessment. (The exception is a cloud provider that stores, processes, or transmits CUI, which must meet the FedRAMP Moderate standard under DFARS 252.204-7012 — but that’s a specific cloud requirement, not a universal ESP certification mandate.)

This is the single biggest change between the proposed and final rules

The December 2023 proposed rule stated plainly that “if an OSA utilizes an ESP, other than a Cloud Service Provider (CSP), the ESP must have a CMMC certification level equal to or greater than the certification level the OSA is seeking.” That would have forced essentially every IT and security provider in the defense supply chain to get certified. The final rule removed it entirely. If you land on an article telling you your MSP “must be CMMC certified to keep you compliant,” check the date — many pages published this line in 2025 and beyond without correcting it.

Here’s what the final rule actually says happens instead. Your ESP has two paths:

Path 1 — Get assessed as part of your assessment

Whatever the provider does that touches your CUI or SPD gets reviewed when your assessor reviews you. You document the relationship; the provider supports the evidence.

Path 2 — Voluntarily get its own CMMC assessment

The rule explicitly lets an ESP undergo its own CMMC Level 2 assessment — scoped to the services it provides to clients — “to reduce the ESP’s effort required during the OSA’s assessment.” It’s optional. But a provider that does it makes your audit smoother, which is why many serious defense-focused MSPs and MSSPs pursue it.

One important nuance: the minimum assessment type for the ESP is dictated by your contract. If your contract requires a third-party Level 2 assessment, that’s the bar the relevant ESP services are held to within your assessment.

The takeaway is calmer than the headlines: your provider almost certainly doesn’t need its own certificate. But “doesn’t need a certificate” is not the same as “doesn’t matter.” We’ll get to why in a moment — because that gap is where real assessments stall.

What makes a vendor an “External Service Provider” under CMMC?

An ESP is external people, technology, or facilities you use to provide or manage IT or cybersecurity services — but it only meets CMMC’s definition of an ESP if your CUI or Security Protection Data is processed, stored, or transmitted on the provider’s assets. If a provider touches neither, it is not an ESP for CMMC purposes, no matter how critical it is to your business. The label — MSP, MSSP, consultant, SaaS tool — matters far less than what the provider actually does with your data.

The CMMC glossary (32 CFR 170.4) defines an ESP as “external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization,” then adds the test that does all the work: CUI or Security Protection Data must be processed, stored, or transmitted on the ESP assets to be considered an ESP. The Defense Department’s own technical guidance puts it more bluntly: “What you call them isn’t important — it’s what they do and provide that matters.”

Providers that often are ESPs once you trace the data: managed service providers (MSPs), managed security service providers (MSSPs), security operations centers (SOCs), SIEM and log-management platforms, remote monitoring and management (RMM) tools, managed EDR/MDR, cloud backup, CUI enclaves, incident response and forensics firms, and virtual desktop (VDI) hosts.

Providers that usually are not ESPs: a software or license reseller with no access to your data, a procurement-only vendor, a consultant who only advises and never touches systems holding your CUI or SPD, and a hardware supplier that never receives FCI or CUI. A subcontractor that performs contract work with your CUI is a different animal entirely — that’s a flow-down obligation, covered below.

The DCR ESP Requirement Matrix: what each provider type actually has to do

The fastest way to classify any external provider is to answer four questions: Does it touch CUI? Does it touch Security Protection Data? Is it acting as a cloud service provider? Or is it really a subcontractor receiving FCI or CUI to do the work? Those four answers determine the CMMC treatment, the evidence you owe, and your next move. The matrix below combines the scoping table in 32 CFR 170.19, the Defense Department’s February 2025 technical guidance, and the DoD CMMC FAQ (Revision 2.3, May 2026).

How to read it: Start with the actual data flow, not the provider’s title. Identify what runs on the provider’s assets. Then find your row.

Provider situation | ESP? | Acting as a CSP? | CMMC treatment | What you must collect | Primary-source basis
--- | --- | --- | --- | --- | ---
Cloud/SaaS/IaaS stores, processes, or transmits CUI | Yes | Yes | Use a FedRAMP Moderate authorized or equivalent offering | FedRAMP Marketplace listing or equivalency body of evidence (BOE); CRM; SSP entry; service description | DFARS 252.204-7012; 32 CFR 170.19(c)(2)(i)
Non-cloud MSP stores/handles your CUI on its own systems | Yes | No | Services are in your assessment scope and assessed with you; no separate certification required | SSP entry, service description, CRM, data-flow and asset diagrams, provider interview support | 32 CFR 170.19(c)(2)(i); DoD CMMC FAQ
MSP administers a cloud tenant licensed to you | Depends on data touched | Usually not a CSP just for administering | The cloud still needs proper treatment; the MSP is scoped by whether it handles your CUI or SPD | Tenant licensing proof, admin-access model, CRM | DoD CIO Technical Application of CMMC Requirements (Feb 2025)
MSP contracts with a CSP and modifies the cloud service it resells | Yes | May be a CSP | May have to meet FedRAMP/equivalency for that offering | Contract chain, service architecture, BOE, CRM | DoD CIO Technical Application (Feb 2025)
MSSP/SOC/SIEM handles logs, alerts, configs, or admin credentials — but no CUI | Yes | Usually no | Assessed as a Security Protection Asset against relevant controls; no separate cert, no FedRAMP | CRM, service description, log/alert flow, access method, evidence access | 32 CFR 170.19(c)(1); DoD CIO Technical Application
RMM / help desk / ticketing tool that can reach endpoints, transfer files, or capture screenshots/logs | Depends on data flow | Depends on delivery | Classify by what lands on provider assets: CUI → CUI treatment; SPD only → SPA; neither → not an ESP | Ticket/screenshot/file-transfer controls, credential storage, RMM architecture, CRM | 32 CFR 170.4
GRC / compliance-automation SaaS storing your SSP, POA&M, evidence, or scan data | Depends on content | Delivery model decides it | CUI in the platform → CSP/FedRAMP path; security data only → SPA; sanitized tracking only → may be outside ESP scope | Evidence data classification, FedRAMP status if CUI, export/access controls, CRM | 32 CFR 170.4; 170.19
Staff augmentation using your devices/accounts, with no provider-owned system holding CUI/SPD | Usually no (based on people) | No | Treated like your own staff — but if a provider-owned system stores your credentials, logs, or other SPD, classify those services as an ESP / SPA | Access model, device ownership, credential handling, remote-access logs | DoD CIO Technical Application (Feb 2025)
License reseller / procurement-only vendor with no data access | Usually no | No | Not an ESP | Contract role, no-access attestation, data-flow confirmation | 32 CFR 170.4
VDI endpoint passing only keyboard/video/mouse (copy/paste, file transfer, local save, print, screenshot blocked) | Endpoint may be out of scope; hosted environment stays in scope | Depends on hosting | The endpoint can be treated as Out-of-Scope only if configured to prevent any CUI beyond keyboard/video/mouse | VDI configuration, blocked-channel evidence, data-flow diagram | 32 CFR 170.19; DoD CMMC FAQ; DoD CIO Technical Application
Subcontractor receiving FCI or CUI to perform the contract | Not just an ESP question | Depends on services | Flow-down applies at the appropriate level | Subcontract flow-down language, subcontractor CMMC status in SPRS | DFARS 252.204-7021; 32 CFR 170.23
Provider’s assets touch neither CUI nor SPD | No | No | Don’t include it just because it’s a vendor | No-access / no-data-flow documentation | 32 CFR 170.19(c)(2)(i)

DCR ESP Requirement Matrix v1.0 (last verified June 2, 2026). Sources: 32 CFR 170.4, 170.19, and 170.23; DFARS 252.204-7012 and 252.204-7021; DoD CMMC FAQ (Revision 2.3, May 2026); DoD CIO Technical Application of CMMC Requirements (February 2025); DoD FedRAMP Moderate equivalency memo (December 2023). Editorial decision tool, not a legal conclusion. The contract, your assessor, your scope, and the specific facts can shift any answer.


ESP vs. CSP: when does the cloud question change everything?

A CSP (Cloud Service Provider) is a cloud company; an ESP is the broader CMMC category for any external IT or security provider whose assets handle your CUI or Security Protection Data. The distinction matters because of one fork in the road: when a cloud service stores, processes, or transmits CUI, it must meet the FedRAMP Moderate authorized or equivalent standard required by DFARS 252.204-7012 — a separate, harder bar than the rest of the ESP rules. When a cloud service touches no CUI, that bar disappears.

The rule’s scoping table (32 CFR 170.19(c)(2)(i)) lays the whole thing out in four cells. If the provider handles CUI and it’s a CSP, it meets FedRAMP. If it handles CUI and it’s not a CSP, its services get assessed inside your assessment. If it handles SPD only, it’s a Security Protection Asset either way — never FedRAMP. And if it handles neither, it isn’t an ESP at all.

“Is my MSP a CSP?” — the Defense Department’s own test

This is where contractors get tangled. The DoD CIO’s February 2025 technical guidance answers it directly:

1. If the cloud tenant is licensed or subscribed to you, even if your MSP resells it to you, the MSP is not a CSP. It is configuring and maintaining a service you own.

2. If the MSP contracts with the cloud provider and then modifies the basic cloud service beyond configuring and maintaining it, the MSP may be considered a CSP and has to meet FedRAMP or equivalency for that offering. Modification beyond configuration crosses the line.

3. If the MSP owns the cloud tenant and sub-divides it for its customers, it has probably crossed the line into being a CSP. It can instead choose to treat the service as storing CUI on its own systems, in which case CMMC assessment requirements apply.

There’s a real gray zone here, and the government acknowledges it. The way you resolve it is by documenting the relationships among the cloud provider, the MSP, and you — in your System Security Plan and Customer Responsibility Matrix.

FedRAMP “authorized” is not the same as FedRAMP “equivalent”

FedRAMP authorization means the cloud offering went through the FedRAMP process and appears on the FedRAMP Marketplace. FedRAMP Moderate equivalency is a separate path the Defense Department defined in a December 2023 policy memo: the cloud offering must be assessed by a FedRAMP-recognized third-party assessor (3PAO) against 100% of the FedRAMP Moderate controls, with the findings from that assessment remediated and closed, and documented in a body of evidence the cloud provider hands to you. Continuing operational POA&Ms (open items that don’t come from the 3PAO assessment) are allowed; the assessment itself has to come back clean.

There is no registry of “equivalent” offerings. If a cloud service claims equivalency but isn’t FedRAMP authorized, you are responsible for evaluating its body of evidence — and your assessor (a C3PAO, or DIBCAC at Level 3) will review that evidence as part of your assessment. A vendor saying “we’re FedRAMP equivalent” in a sales deck is not evidence. The BOE is.

If you use a genuinely FedRAMP-authorized cloud (Moderate or higher), you are not responsible for the cloud provider’s underlying compliance. That’s a meaningful reason to prefer authorized offerings where you can.

Encryption alone doesn’t make the problem disappear

A common hope: “we encrypt the CUI, so the cloud is out of scope.” The DoD CMMC FAQ (Revision 2.3, May 2026) explicitly shuts this down: CUI remains controlled until it is formally decontrolled, and encrypting it does not convert it into non-CUI or let you treat the ciphertext as out of scope. A non-FedRAMP-Moderate cloud can’t quietly hold your encrypted CUI on the theory that the encryption solves it. The cloud still has to meet the equivalent security requirement.

One more myth to retire: “We use GCC High” or “We’re on AWS GovCloud” isn’t automatically the end of the analysis. Microsoft 365 GCC High holds a FedRAMP High authorization, which clears the FedRAMP Moderate bar — but your CMMC outcome still turns on the specific services in scope, how they’re configured, what controls you inherit, who has admin access, and what the CRM says. The environment can be right and your scoping and evidence still wrong. Standard commercial productivity clouds generally are not FedRAMP Moderate for CUI, even from the same vendor.


What if your provider only touches security data (SPD), not CUI?

A provider can be in your scope even if it never sees a single CUI file. If it handles Security Protection Data — logs, alerts, configurations, vulnerability data, or admin credentials that protect your assessed environment — the relevant services are assessed as Security Protection Assets (SPAs). The reassuring part: an SPD-only provider needs no separate CMMC certification and no FedRAMP authorization. It’s assessed against only the controls relevant to what it does, as part of your assessment.

The Defense Department’s guidance is explicit: “ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do NOT require a separate CMMC assessment, nor do they require FedRAMP authorization or equivalency.”

Security Protection Data includes more than most people expect: configuration data, log files generated or ingested by your security tools, vulnerability and status data about your in-scope assets, and passwords that grant access to your in-scope environment. This is why “we don’t touch CUI, so we’re irrelevant” is the wrong answer from an MSSP. A SOC watching your firewall logs and EDR alerts may never see CUI — but it’s holding SPD, which makes those services a Security Protection Asset in your scope. Not ignored. Just assessed against the controls relevant to the capability, with the relationship documented in your SSP and CRM.

The better question to ask any security vendor is not “Do you handle CUI?” It’s “Do you handle CUI or Security Protection Data?”

DCR SPD Triage Table: is this data Security Protection Data?

Data artifact a provider holds | Likely classification | Why it matters | What to collect
--- | --- | --- | ---
Admin / privileged passwords to your in-scope systems | SPD | Grants access to your in-scope environment | Where credentials are stored, access controls, CRM
SIEM or security log files (generated or ingested) | SPD | Used to detect threats to in-scope assets | Log-flow diagram, retention, access method
EDR / antivirus alerts and telemetry | SPD | A security function for in-scope assets | Tool ownership, data location, CRM
Vulnerability scan results / asset status data | SPD | Reveals the security posture of in-scope assets | Scan-data handling, who can view it, CRM
Firewall and security configuration data | SPD | Required to operate a Security Protection Asset | Config storage, change control
Help-desk tickets or screenshots showing system state | SPD (or CUI if they contain CUI) | Can carry security-relevant or controlled data | Ticket-content controls, redaction, CRM
RMM remote-session data and stored credentials | SPD | Endpoint access plus credentials | RMM architecture, credential vaulting
Actual CUI files (drawings, specs, controlled technical data) | CUI (not just SPD) | Triggers full CUI treatment — and FedRAMP if it’s in the cloud | Data-flow map, FedRAMP status if cloud, CRM

If a provider’s systems hold anything in the top rows, those services are in your scope as a Security Protection Asset — even with zero CUI involved.

What you must document about an ESP before assessment

You need enough documentation to show what the provider does, which of your assets are involved, which CMMC requirements the provider performs, and the evidence that proves it. The rule names the core artifacts directly: the relationship must be captured in your System Security Plan (SSP) and described in the provider’s service description and Customer Responsibility Matrix (CRM) — the document that splits which security requirements belong to you, the provider, or both.

That’s 32 CFR 170.19(c)(2)(ii), nearly verbatim. In practice, an assessment-ready ESP file has six parts.

Artifact | What it captures | Where an assessor uses it
--- | --- | ---
SSP section for the service | Provider, services, data touched, asset boundary, inherited requirements, evidence location | Validating scope and starting the examine/interview/test process
Service description | Tools used, where data is stored, who has admin access, whether support staff can see CUI, how tickets/screenshots/files are handled | Understanding what the service actually does
Customer Responsibility Matrix (CRM/SRM) | Each relevant requirement mapped to you, the provider, or shared | Confirming who owns and evidences each inherited or shared control
Data-flow diagram | CUI, SPD, admin, ticketing, logging, backup, remote-access, and cloud-tenant boundaries | Verifying scope and where data really moves
Evidence package | Policies, configurations, logs, procedures; plus the FedRAMP listing or equivalency BOE if cloud CUI is involved | The objective evidence behind each control
Participation commitment | Written confirmation the provider will support evidence requests and interviews | Making sure the provider’s people show up during the assessment

The honest part: “doesn’t need a certificate” is not “doesn’t matter”

Even though your MSP usually doesn’t need its own certificate, the moment it touches your CUI or SPD it becomes part of your assessment — and a provider that can’t produce a CRM, can’t tell you where your CUI actually lives, or won’t sit for an assessor interview becomes your problem, on your timeline, at your cost. That is precisely where a lot of comfortable, long-standing “we’re totally fine” MSP relationships fall apart under a real assessment.

But here’s the part that should lower your blood pressure: this is fixable, and you almost always find out with enough runway to fix it. The contractors who get burned are the ones who assumed their provider was out of scope and never checked. Map your data flows now, document the relationships properly, and pressure-test whether your provider can actually support the evidence.


How a C3PAO assesses your ESP during a Level 2 assessment

A C3PAO — a CMMC Third-Party Assessment Organization, the only kind of organization authorized to perform Level 2 certification assessments — does not ignore your provider just because it sits outside your company. If the provider’s services are in scope, the assessment team confirms the relationship is documented, reviews your CRM, and examines, interviews, and tests against the relevant requirements. Provider claims have to be backed by evidence, the same as your own.

The assessment methodology is built on NIST SP 800-171A: assessors examine documentation, interview the people who run the controls, and test that the controls actually work. For inherited or shared controls — the ones your CRM says the provider handles — they’ll want to see what’s inherited, from whom, under which service, and with what evidence. The CRM is the bridge. Without it, “we inherit that control” is just an assertion.

Things that will reliably stall or stop an assessment:

For context on how the assessment itself works and when you need one, see CMMC Level 2 self-assessment vs. C3PAO. For a current list of authorized assessors, see the C3PAO directory. Note: the C3PAO that assesses you cannot be the same organization that consulted you on CMMC readiness — that’s a conflict of interest under 32 CFR 170.9 and the Cyber AB Code of Professional Conduct.

Hard-copy CUI edge case

“We only have hard-copy CUI. Are we even in this?” Per the DoD CMMC FAQ (Revision 2.3, May 2026), organizations that only handle hard-copy CUI aren’t required to undergo a CMMC assessment of an information system, because assessments address CUI that’s processed, stored, or transmitted on systems. The catch: the moment that CUI lands on a system — scanned, typed, photographed, emailed, uploaded, or printed from one — that system is expected to meet the applicable CMMC requirements, and you still have to safeguard hard-copy CUI under your contract. Paper-only is a narrow lane, and most organizations don’t truly stay in it.

What we actually verified for this page

As of June 2, 2026.

Frequently asked questions: CMMC external service provider requirements

What is an External Service Provider in CMMC?

An External Service Provider is an outside party providing IT or cybersecurity services where your CUI or Security Protection Data is processed, stored, or transmitted on that provider’s assets. If neither CUI nor SPD touches the provider’s assets, it is not considered an ESP for CMMC assessment purposes (32 CFR 170.4).

Does my MSP need its own CMMC certification?

Usually not. Under the CMMC Final Rule, an External Service Provider is not required to obtain its own CMMC certification — the requirement in the December 2023 proposed rule was removed. Its in-scope services are instead assessed as part of your assessment, though the provider may voluntarily pursue its own Level 2 assessment to streamline yours (32 CFR 170.19).

Does my MSSP need CMMC certification?

Not automatically. If an MSSP handles Security Protection Data — logs, alerts, configurations, admin credentials — but no CUI, its services are assessed as a Security Protection Asset within your assessment rather than requiring the MSSP to hold its own certificate.

Does a cloud service provider need FedRAMP for CMMC?

Only if the cloud service stores, processes, or transmits CUI. Then it must be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency under DFARS 252.204-7012. A cloud service that handles only Security Protection Data, or no CUI, does not need FedRAMP.

Can encrypted CUI be stored in a non-FedRAMP cloud?

No. The DoD CMMC FAQ (Revision 2.3, May 2026) states that encrypting CUI does not decontrol it, so a non-FedRAMP-Moderate cloud cannot hold encrypted CUI unless it meets the equivalent security requirement.

What is Security Protection Data in CMMC?

Security Protection Data is security-relevant information used to protect the assessed environment — such as log files, configuration data, vulnerability status data, and passwords that grant access to in-scope assets. SPD can bring a provider into CMMC scope even when the provider never handles CUI (32 CFR 170.4).

Is a GRC platform an ESP?

It depends on what you store in it. If it holds CUI, cloud/CSP treatment can apply; if it holds security evidence or vulnerability data, SPD treatment may apply; if it holds only sanitized tracking, your scope may be narrower.

Does an ESP’s own certification make my company compliant?

No. A provider’s certificate can reduce assessment friction, but you still have to document scope, inherited and shared responsibilities, and how the provider’s services support your assessed environment.

Does CMMC flow down to subcontractors?

Yes. When a subcontractor or supplier will process, store, or transmit FCI or CUI under the subcontract, DFARS 252.204-7021 requires appropriate flow-down and CMMC status checks — a separate obligation from ESP scoping.

Can the same company be my CMMC consultant and my C3PAO assessor?

No. Under the CMMC rule, C3PAOs must follow the Accreditation Body’s Conflict of Interest and Code of Professional Conduct policies and meet ISO/IEC 17020 independence requirements, which means a C3PAO cannot assess an organization it provided consulting, advisory, implementation, or remediation services to. Use different parties for readiness and certification, and confirm any prior relationship is conflict-cleared.

What should I do if I’m not sure whether a provider is in scope?

Map whether the provider’s assets touch CUI, FCI, Security Protection Data, or cloud services handling CUI. Then classify it with the DCR ESP Requirement Matrix above and assemble the SSP, CRM, service description, and evidence package the assessment will require.


Sources
