
External Service Providers

If you use external companies to provide services that touch CUI or contribute to your security posture, some of those external service providers (ESPs) fall within your assessment scope. Two questions decide it: Does CUI reside on (or pass through) the ESP's assets? And does the ESP provide security functions for your CUI environment? If either answer is yes, that ESP is in scope.

ESP Type | Handles CUI? | Requirement
Cloud Service Provider (CSP) | Yes | Must meet FedRAMP Moderate (or equivalent) per DFARS 252.204-7012
CSP | No, but provides security functions | No FedRAMP required, but its services are in your scope as Security Protection Assets (SPAs)
Non-CSP ESP (MSP, MSSP) | Yes | ESP services are in your scope and are assessed against the relevant requirements
Non-CSP ESP | No, but provides security functions | In scope as an SPA; assessed against the relevant requirements
Staff augmentation | N/A | No CMMC assessment of the provider needed; you supply all processes, technology, and facilities

Important Distinctions That Trip People Up


CSP vs. MSP. A CSP operates its own cloud computing platform (AWS, Azure, GCP, Microsoft 365). An MSP that deploys and manages your tools on someone else's cloud is NOT a CSP; the underlying cloud provider is the CSP. Your MSP managing your Azure tenant is an ESP and is assessed on the services it provides, but Azure itself is the CSP, and it is Azure that needs FedRAMP Moderate (or equivalent) if CUI resides there.

Not every vendor is an ESP. Your HR SaaS, your accounting software, your corporate CRM: if they don't handle CUI and don't contribute to your security posture, they're not ESPs. The test is whether CUI or Security Protection Data (SPD) resides on their systems, or whether they provide security functions for your CUI environment. A payroll provider that never sees CUI is not an ESP. Make that determination from your actual data flows, not the vendor's intended purpose: a ticketing or file-sharing tool that staff occasionally paste CUI into is handling CUI, whatever it was bought for.

The FedRAMP question. Only CSPs that process, store, or transmit CUI need FedRAMP Moderate (or equivalent). A CSP providing a security tool (like a cloud SIEM that ingests your logs but not CUI) needs to be in scope as an SPA but doesn't need FedRAMP, because it handles SPD, not CUI. Verify that claim against what the tool actually receives: logs, tickets, and alerts that carry file names, email subjects, or document excerpts can contain CUI, and if CUI reaches the tool, the CSP is handling CUI and the FedRAMP requirement applies.

For each ESP in your scope, be prepared to document and show the assessor:

  • The relationship and services described in your SSP: what the ESP does and what data it handles
  • The ESP's service description: what they provide and how
  • A Customer Responsibility Matrix (CRM): which security requirements are the ESP's responsibility and which are yours. This is critical. If the ESP is responsible for encrypting CUI at rest, that responsibility must be documented, agreed to in writing, and verifiable (for a CSP, typically through its FedRAMP authorization package and customer responsibility guidance; for an MSP, through the contract and evidence you can actually inspect). Every requirement should be assigned to a party, and anything marked "shared" still needs your half implemented and documented
  • Relevant agreements: SLAs, contracts, and MOUs that establish the ESP's obligations
  • Your on-premises connections: the infrastructure connecting you to the ESP (VPNs, firewalls, agents) and the accounts and access paths the ESP uses to reach your environment are also assessed