Elevate

External Service Providers and CSPs in CMMC

External service providers and the cloud platforms that run alongside them are the single biggest source of confusion in a CMMC assessment, and for good reason. The rules changed. Under the earlier proposed rule, a managed service provider that touched a defense contractor’s environment generally had to hold its own CMMC certification. Under the final rule, that requirement is gone, replaced by a more nuanced set of tests that turn on what kind of data the provider handles. The result is a landscape where two contractors with nearly identical vendors can face very different obligations, and where a single wrong assumption about who is responsible for a control can stall an assessment. This guide explains the definitions that decide everything, what the final rule actually requires of each provider type, and how to keep a provider from becoming the reason your certification slips.

Why External Service Providers Are the Biggest CMMC Blocker

Almost every defense contractor relies on outside help for IT and security, from a local managed service provider to a hyperscale cloud platform. That reliance is sensible, but it introduces a question the contractor cannot answer alone: where does the contractor’s responsibility end and the provider’s begin. Most CMMC delays are not caused by a lack of concern for security. They come from boundary confusion, thin documentation, and unresolved shared-responsibility gaps with the very providers meant to make compliance easier.

The confusion is worse here than almost anywhere else in CMMC because the requirements shifted between the proposed and final rules, and a great deal of published guidance still reflects the older position. A contractor reading two-year-old advice may believe every vendor needs a certificate, budget for it, and lose months chasing something the final rule no longer requires. Getting the current rules right is not a technicality. It determines cost, timeline, and whether an assessment proceeds cleanly.

The Definitions That Decide Everything

In CMMC, the label attached to a provider is not marketing language. It is a regulatory classification that determines exactly what the provider and the contractor must do. Four definitions carry the weight, and each one is drawn from the CMMC Program Rule at 32 CFR Part 170.

External Service Provider

An external service provider is defined as external people, technology, or facilities that an organization uses to provide and manage IT or cybersecurity services on its behalf. The definition carries a critical qualifier: in the CMMC program, Controlled Unclassified Information or Security Protection Data must be processed, stored, or transmitted on the provider’s assets for that provider to count as an external service provider. A vendor that touches neither CUI nor Security Protection Data does not meet the definition and does not enter your assessment on this basis at all. This single test filters out a surprising number of vendors that contractors assume are in scope.

Cloud Service Provider

A cloud service provider is an external company that delivers cloud services in the sense defined by NIST, meaning on-demand network access to a shared pool of configurable computing resources. CSPs are a distinct category under the rule because a cloud offering that holds CUI triggers a specific federal requirement that other providers do not. The distinction between a general external service provider and a CSP is one of the most consequential in the entire framework, because it decides whether FedRAMP enters the picture.

Managed Service Provider

A managed service provider manages IT infrastructure without hosting its own cloud platform. Many contractors use one for day-to-day administration, monitoring, and support. The important nuance is conditional: if a managed service provider delivers a cloud offering that itself processes, stores, or transmits CUI or Security Protection Data, it is treated as a cloud service provider for that offering, and the CSP rules apply. A provider can therefore wear more than one hat, and the classification follows the service, not the company name.

Security Protection Data and Security Protection Assets

Security Protection Data is the hinge that the lighter treatment turns on. The rule defines it as data used to protect your assessed environment, including configuration data needed to operate a security tool, log files generated or ingested by that tool, vulnerability status data for in-scope assets, and passwords that grant access to the in-scope environment. The assets that provide those security functions, such as a SIEM, an endpoint detection tool, or a multifactor authentication service, are Security Protection Assets. A provider that handles only Security Protection Data, and never CUI itself, sits in a different and less demanding category than one that handles CUI, and recognizing that difference is often where the real savings live.

Does Your Provider Need Its Own CMMC Certification?

This is the question that stalls more programs than any other, and the answer changed with the final rule. In earlier versions of the proposed rule, external service providers, including managed service providers, were required to obtain their own CMMC certification. Under the final rule, that is no longer required. The shift meaningfully reduces cost and effort for contractors and their providers alike.

For an external service provider that is not a cloud service provider and that handles CUI or Security Protection Data, the services are assessed within your assessment scope rather than through a separate certification of the provider. The relationship, the provider, and the services it delivers must be documented in your System Security Plan, and the provider participates in your assessment for the objectives it touches. No independent certificate is required for the provider to support you.

There is an optional path that many capable providers choose. A provider may voluntarily pursue its own CMMC Level 2 certification covering just the services it offers, which spares it from being folded into every client’s assessment one at a time. This is not mandatory, but it is a genuine competitive differentiator, because a certified provider simplifies and shortens the assessment for every contractor it serves. The flip side is the practical consequence of skipping it: if a provider is not certified, its in-scope assets become part of your C3PAO assessment, which can add hurdles and extend your timeline. The requirement is gone, but the incentive to use a certified or assessment-ready provider is very much alive.

When FedRAMP Applies, and When It Does Not

FedRAMP is the second question providers raise, and it applies far more narrowly than most contractors assume. It is triggered by cloud handling of CUI, not by the mere presence of a provider. Walking the cases in order makes the rule clear.

A cloud service provider that processes, stores, or transmits CUI must meet the FedRAMP Moderate baseline, either by holding a FedRAMP Moderate authorization or by meeting the Department of War’s FedRAMP Moderate equivalency requirements, as required by DFARS 252.204-7012. The rule draws a helpful line on responsibility here. If you use a FedRAMP Authorized cloud service provider at the Moderate baseline or higher, you are not responsible for that provider’s compliance. If the provider does not hold a FedRAMP authorization, you become responsible for determining whether it meets FedRAMP Moderate equivalency, which means obtaining and reviewing a body of evidence assessed by a recognized third-party assessment organization. That is a meaningful burden, and it is a strong reason to prefer an authorized platform when CUI is involved.

Outside that specific case, FedRAMP recedes. A cloud service provider or external service provider that handles only Security Protection Data, and never CUI, is treated as a Security Protection Asset within your assessment scope and does not need FedRAMP authorization. A managed service provider that does not deliver a cloud offering does not need FedRAMP at all. The table below summarizes where each provider lands.

Provider and the data it handlesFedRAMP required?Own CMMC certification?How it is assessed
CSP that handles CUIYes, Moderate or equivalencyNoFedRAMP evidence, documented in your SSP
CSP or ESP handling only Security Protection DataNoNoAs a Security Protection Asset in your scope
Non-CSP ESP handling CUI or SPDNoNo, optionalWithin your assessment scope, documented in your SSP
MSP not delivering a cloud offeringNoNo, optionalWithin your assessment scope

The pattern the table reveals is that two questions drive every outcome: does the provider deliver a cloud offering, and does it handle CUI or only Security Protection Data. Answer those two, and the requirements fall into place. The most expensive mistakes come from collapsing the categories, assuming every cloud needs FedRAMP when only a CUI cloud does, or assuming every provider needs a certificate when the final rule removed that requirement. Classifying each provider correctly is the first and highest-leverage step in controlling both cost and scope.

What You Are Still Responsible For

The most dangerous assumption a contractor can make is that outsourcing a function outsources the compliance obligation. It does not. Using a FedRAMP-authorized cloud or a capable external service provider does not transfer responsibility for the controls to the provider. You still have to implement and maintain a large share of the 110 requirements yourself, and you remain accountable for CUI throughout its lifecycle even when someone else handles it day to day.

The instrument that prevents this from going wrong is the shared responsibility documentation, often delivered as a Customer Responsibility Matrix or Shared Responsibility Matrix. A complete matrix maps every one of the 320 assessment objectives to an owner, marking whether the objective is the provider’s responsibility, yours, or shared, and it must be reflected in your System Security Plan. Assessments fail when a contractor assumes the provider covers an objective that the matrix actually assigns to the contractor. The document is not paperwork for its own sake. It is the map that keeps a control from falling into the gap between two organizations. The mechanics of building this out, along with asset categorization, are covered in the guide to scoping your environment for CMMC, and the enclave-specific version in scoping your enclave.

How to Keep a Provider From Derailing Your Assessment

A disciplined approach to providers turns the biggest blocker into a solved problem. The sequence below reflects how the rule actually works, so each step narrows the requirements before cost enters the conversation.

Inventory Providers by the Data They Touch

Start by listing every provider and marking, for each, whether it handles CUI, only Security Protection Data, or neither. That single classification determines FedRAMP applicability, assessment treatment, and whether the provider is even an external service provider under the definition. It is the input to every downstream decision, and getting it wrong propagates through the entire program. This step also connects directly to defining your CUI boundary and the broader requirements of CMMC Level 2.

Get the Shared Responsibility Matrix and Verify It

Request the Customer Responsibility Matrix from each in-scope provider and confirm it is complete and accurate against the objectives the provider actually performs. Do not accept a generic template at face value. Walk it objective by objective, confirm your team can produce evidence for every item the matrix assigns to you, and integrate it into your System Security Plan. A matrix that is vague or unverified is a source of assessment findings, not protection from them.

Choose Providers That Simplify Rather Than Complicate

Given the rules, the strongest providers are those that either hold FedRAMP authorization for any cloud that touches CUI, carry their own CMMC Level 2 certification for the services they deliver, or are genuinely prepared to participate in your assessment with clean documentation. A provider that offers none of these can still be used, but it will bring its assets into your assessment and add work. Elevate Consult’s CMMC End-to-End Managed Services, delivered through a partnership with MNS, a managed services provider with more than 20 years supporting federal contractors, deploy enclaves on Microsoft GCC High and Google Workspace that your business owns rather than leases, and pair the technology with shared-responsibility mapping so the provider relationship strengthens your assessment instead of complicating it. To work through which providers in your environment are in scope and what each one requires, you can talk to an advisor.

Conclusion

External service providers stopped being a certification problem and became a classification problem. The final rule removed the blanket requirement that every provider hold its own CMMC certification and replaced it with a set of tests that depend on two things: whether the provider delivers a cloud offering, and whether it handles CUI or only Security Protection Data. Answer those, and the obligations for FedRAMP, certification, and assessment treatment become clear.

What did not change is where accountability lives. No provider, however capable or authorized, absorbs your responsibility for the controls or for CUI. The contractors who navigate this well classify every provider precisely, insist on an accurate shared responsibility matrix, and choose providers that shorten the assessment rather than lengthen it. To map the providers in your environment against the current rules, Elevate Consult’s CMMC readiness services can help you sort scope, documentation, and shared responsibility before an assessor does it for you. To pressure-test your provider landscape against the final rule, talk to an advisor.

Key Takeaways

  • Providers no longer need their own CMMC certification. The proposed rule required external service providers, including managed service providers, to be certified; the final rule removed that, so a non-CSP provider handling CUI or Security Protection Data is assessed within your scope and documented in your SSP.
  • The data type decides everything. A provider that handles CUI faces the strictest treatment, one that handles only Security Protection Data is treated as a Security Protection Asset in your scope, and one that touches neither is not an external service provider under the rule.
  • FedRAMP applies to CUI clouds, not to every provider. A cloud service provider handling CUI must meet FedRAMP Moderate authorization or equivalency, while a Security Protection Data provider or a non-cloud managed service provider does not need FedRAMP.
  • Authorization shifts responsibility. With a FedRAMP-authorized cloud you are not responsible for the provider’s compliance, but with a non-authorized cloud you must determine and document its FedRAMP Moderate equivalency yourself.
  • Optional certification still helps. A provider that voluntarily earns CMMC Level 2 for its services avoids being reassessed for every client and shortens your timeline, which is why certified providers are worth preferring even though certification is not required.
  • You keep the compliance obligation. No provider absorbs your responsibility, so an accurate Customer Responsibility Matrix mapped to all 320 objectives and reflected in your SSP is what keeps a control from falling into the gap between organizations.

Frequently Asked Questions

Does my MSP need to be CMMC certified?

No. Under the CMMC final rule, external service providers, including managed service providers, are not required to obtain their own certification. If the provider handles CUI or Security Protection Data and is not a cloud service provider, its services are assessed within your assessment scope and documented in your System Security Plan. The provider may choose to earn its own CMMC Level 2 certification to streamline assessments across its clients, but that is optional.

Does a cloud service provider need FedRAMP for CMMC?

Only when it handles CUI. A cloud service provider that processes, stores, or transmits CUI must meet the FedRAMP Moderate baseline through authorization or Department of War equivalency, as required by DFARS 252.204-7012. A cloud service provider that handles only Security Protection Data, such as logs or configuration data, is treated as a Security Protection Asset in your scope and does not need FedRAMP authorization.

What is the difference between an ESP and a CSP in CMMC?

An external service provider is the broad category for outside people, technology, or facilities that deliver IT or cybersecurity services and that handle your CUI or Security Protection Data. A cloud service provider is a specific type that delivers cloud computing services, and it is treated distinctly because a cloud offering holding CUI triggers the FedRAMP Moderate requirement. A managed service provider that delivers a cloud offering handling CUI or Security Protection Data is treated as a cloud service provider for that offering.

What is Security Protection Data in CMMC?

Security Protection Data is information used to protect your assessed environment rather than CUI itself. It includes configuration data needed to run a security tool, log files, vulnerability status data for in-scope assets, and passwords that grant access to the in-scope environment. The distinction matters because a provider that handles only Security Protection Data falls into a lighter category than one that handles CUI, with no FedRAMP requirement.

Does using a FedRAMP-authorized cloud make me CMMC compliant?

No. A FedRAMP-authorized cloud satisfies the cloud requirement for handling CUI, but it does not implement your controls or transfer your compliance obligation. You remain responsible for a large share of the 110 requirements and for CUI throughout its lifecycle. A Customer Responsibility Matrix mapped to the 320 assessment objectives and reflected in your System Security Plan is what clarifies which controls are yours and which the provider covers.