CMMC for External Service Providers – What the Final Rule means for you
The long-awaited Cybersecurity Maturity Model Certification (CMMC) program officially took effect in December 2024, and certification assessments were authorized to begin at the start of this year. With these milestones, the colossal task of moving hundreds of thousands of Defense Industrial Base (DIB) contractors and subcontractors into officially recognized compliance has begun.
Not every organization in the DIB ecosystem will be equipped to fully understand and meet CMMC requirements on its own. Efficiency and practicality are expected to push much of that work onto a relatively small number of External Service Providers (ESPs), which will take on responsibility for security requirements so that DIB members can focus on their core business functions and expertise.
Read on to learn what you as an ESP, be it Cloud Service Provider (CSP), Managed Service Provider (MSP), or Managed Security Service Provider (MSSP), need to know about supporting the DIB during this critical time.
The Final Rule – Roles and Requirements
The Final Rule, published in October 2024, provided some key details about ESPs.
ESPs storing CUI in Cloud Systems
ESPs are not required to achieve CMMC certification unless they are direct contract holders. Instead, if an ESP stores, processes, or transmits Controlled Unclassified Information (CUI) in a cloud system, the ESP is considered a Cloud Service Provider (CSP) and must be FedRAMP Moderate authorized or equivalent, as described in the DoD CIO's FedRAMP Moderate equivalency memo.
Once a CSP has demonstrated FedRAMP Moderate authorization, either through the FedRAMP Marketplace or by having its FedRAMP equivalency body of evidence reviewed and approved by the DIB member, the CSP's own controls are not assessed again. Note that the DIB member's implementation of the responsibilities the CSP leaves to the customer remains in scope of the DIB member's assessment.
ESPs storing CUI in Non-Cloud Systems
ESPs that store CUI in non-cloud systems, and ESPs that store security protection data (logs, vulnerability scan results, etc.) in either cloud or non-cloud systems, are both evaluated against the applicable NIST SP 800-171 security requirements. The DoD makes no further distinction between MSPs and MSSPs, except that an organization that does not process CUI or security protection data is not considered an ESP for the purposes of CMMC.
Other ESPs
Non-CSP ESPs will be expected to participate in the assessment of any DIB member that leverages their services, demonstrating to the assessor that the controls owned by the ESP are functioning properly and fulfilling the security requirements. For all ESPs, then, the Customer Responsibility Matrix (CRM) or Shared Responsibility Matrix (SRM) is an essential document: it determines which party is assessed for each objective of each control, and it should be the chief concern of any prospective DIB customer when selecting an ESP.
Lessening your Assessment Load
For non-CSP ESPs with multiple customers, participating in every customer's CMMC assessment threatens to be a considerable drain on resources. Although certification is not required for these organizations, achieving Level 2 certification may be worthwhile for the advantages it offers during customer assessments.
With the applicable controls already assessed and certified, the ESP's role in a customer assessment shifts from demonstrating the implementation of every control it owns to demonstrating that the system is still operating in its certified form and walking through the responsibilities it shares with the DIB customer.
Level 2 certification also provides market differentiation. It is a clear signal that the ESP will be a strong resource and partner in helping a DIB member meet its own certification requirements.
Still Have Questions?
If you have further questions, including how Tevora can help you prepare for or undergo a Level 2 certification assessment, please contact us at [email protected] and we will be happy to discuss further.
As an RPO, an A2LA-accredited assessor of NIST SP 800-171 controls, and a FedRAMP 3PAO, Tevora is your partner in achieving compliance ahead of your CMMC certification assessment. As a candidate C3PAO, Tevora will soon be qualified to deliver certification assessments for organizations that are further along in their security journeys, and reaching that milestone will keep you and your customers qualified for DoD contracts for years to come.