What is an External Service Provider (ESP) According to CMMC and the DoD in the New CMMC Proposed Rule

A version of this article originally ran in the Deltek Project Nation Blog on June 24, 2024. 

An External Service Provider (ESP), as defined by the Cybersecurity Maturity Model Certification (CMMC) program and the Department of Defense (DoD) in the CMMC proposed rule issued on December 26, 2023, is a third-party entity that delivers a service affecting the confidentiality, integrity, or availability of DoD controlled unclassified information. Such services span a wide range, including cloud computing, IT management, security monitoring, and other external support functions that are integral to a company's cybersecurity posture. ESPs matter for CMMC compliance because of their potential impact on the overall security environment of a contractor's information system.

Under the proposed rule, organizations that use ESPs are required to ensure that these providers also adhere to CMMC requirements relevant to the level of information they handle. This includes ensuring that ESPs implement necessary security controls and procedures to protect DoD data. Moreover, businesses must thoroughly document the roles of ESPs in their cybersecurity strategy and undergo assessments to verify compliance. The increased scrutiny on ESPs highlights the interconnected nature of modern cybersecurity ecosystems and underscores the importance of comprehensive security measures that extend beyond internal practices to include external partners.


The New CMMC Proposed Rule and the Implication of ESP Certification

The new CMMC rule proposes that contractors must ensure their ESPs meet the same level of CMMC certification as required for their own organization. This means that contractors must carefully vet and monitor the security practices of any external service provider they work with to ensure compliance with CMMC requirements. Failure to do so could result in a breach of sensitive information, leading to potential data loss, financial penalties, and reputational damage. 

Furthermore, the inclusion of ESPs in CMMC compliance highlights the importance of a strong supply chain security posture. As contractors work with external service providers, they must ensure that these third-party entities also adhere to rigorous cybersecurity practices to prevent potential vulnerabilities or breaches from entering their system through the supply chain. This not only protects the contractor's information but also helps to secure sensitive government data that may be shared through these partnerships.

Despite these benefits, imposing a CMMC certification requirement on ESPs presents a significant challenge, because no current contract mechanism can enforce it on ESPs that hold no contracts with the U.S. Government. Robert Metzger (Law Firm of Rogers, Joseph, O'Donnell) articulates this issue, stating, "ESPs will not have legal privity with prime contractors or the U.S. government, and consequently cannot be compelled via contract to adhere to CMMC standards." Without a direct contractual obligation, ensuring that ESPs comply with CMMC standards relies heavily on the diligence and oversight of the contracting organizations, and on Defense Industrial Base (DIB) contractors themselves enforcing CMMC through client-stipulated terms inserted into vendor agreements, an approach that is unlikely to be effective.


Are MSPs and MSSPs considered ESPs?

Managed Service Providers (MSPs) and Managed Security Services Providers (MSSPs) often play a pivotal role as ESPs in helping contractors manage and secure their IT infrastructure. As ESPs, MSPs and MSSPs are responsible for providing essential services such as network management, data storage, cybersecurity monitoring, and incident response. To comply with the CMMC requirements, MSPs and MSSPs must implement robust security measures, including the adoption of advanced threat detection systems, regular security audits, and comprehensive incident response plans. These providers are also required to undergo the same level of CMMC certification as the contractors they support per the CMMC Proposed Rule. This proposed certification for ESPs would ensure that any sensitive data handled by MSPs and MSSPs is protected against potential threats and conforms to the stringent security standards set forth by the CMMC framework. By achieving CMMC certification, MSPs and MSSPs not only demonstrate their commitment to maintaining high cybersecurity standards but also provide contractors with greater confidence in the security of their outsourced services. 


The Challenge of Categorizing MSPs and MSSPs as External Service Providers for CMMC

Categorizing MSPs and MSSPs as External Service Providers under the CMMC framework presents certain challenges because of how they manage Controlled Unclassified Information (CUI). Unlike traditional service providers that store data directly on their own infrastructure, many modern MSPs and MSSPs manage and secure CUI that resides only in the client's government-approved cloud tenant (like Microsoft Azure or Amazon AWS Government Clouds) within a 100% digital enclave. This fundamental difference means that while MSPs and MSSPs oversee the integrity and security of the system, the actual storage and control of CUI may remain solely within the client's tenant, which only the client accesses.

Consequently, categorizing MSPs/MSSPs as ESPs may impose compliance requirements that do not align with the operational reality of the deployed environment. For instance, they might be expected to secure data they neither physically nor logically host. This misalignment can create gaps in compliance and security, because standards and protocols designed for direct data handlers may not be fully applicable or effective.

Furthermore, imposing full ESP compliance burdens on MSPs and MSSPs could result in unnecessary complexity and increased costs without corresponding security benefits. A tailored approach that recognizes the unique role of these providers within the CMMC ecosystem might lead to more effective and efficient compliance, ensuring robust protection of CUI while accommodating the operational distinctions of MSPs and MSSPs.


Why MSPs might still be considered ESPs with Client On-Premise or Hybrid Systems

Despite the challenges of categorizing MSPs and MSSPs as External Service Providers (ESPs) under the CMMC Proposed Rule, it is essential to recognize the scenarios where this categorization remains relevant. Specifically, when MSPs provide services for clients that maintain on-premise systems or adopt cloud/on-premise hybrid systems, the role of MSPs can extend beyond mere oversight. In these instances, MSPs often have direct access to CUI and, more crucially, may have access to International Traffic in Arms Regulations (ITAR) data, which demands stringent U.S. data sovereignty protection measures. This access involves not just managing and securing the data but also ensuring compliance with the regulatory standards that govern its handling and storage, regardless of its physical location. Thus, even in a hybrid environment, the responsibilities and risks of managing sensitive information require MSPs to adhere to ESP requirements so that security and compliance are comprehensive across all platforms.


ESPs that fall into the "Cloud Service Provider" category

In addition to meeting CMMC requirements, ESPs that operate as Cloud Service Providers (CSPs) must also follow the guidelines set forth in the DoD FedRAMP Equivalency Memo issued in December of 2023. This memo outlines the necessity for CSPs to achieve FedRAMP authorization or meet an equivalent level of certification for the NIST 800-53 security controls and processes as mandated by the DoD. FedRAMP (the Federal Risk and Authorization Management Program) aims to standardize security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. 

By adhering to the high standards imposed by the FedRAMP Equivalency Memo, CSPs ensure that their cloud environments are secure enough to handle sensitive government data and operations. Contractors must verify that their cloud service providers not only comply with the stringent FedRAMP guidelines but also integrate these requirements seamlessly with CMMC practices. This dual compliance framework ensures that both the cybersecurity landscape and data protection measures are holistically covered, reducing the risk of vulnerabilities and breaches. Consequently, the memo underscores the imperative for CSPs to maintain a robust security infrastructure that can protect against sophisticated threats and safeguard critical government information.


Why Cloud Service Providers Do Not Require CMMC Certification as ESPs

CSPs are not required to obtain a CMMC certification as ESPs under the CMMC framework because the FedRAMP authorization requirements already cover their security obligations. This FedRAMP requirement stems from the Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7012 and 252.239-7010. Specifically, DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," requires contractors to implement adequate security measures to protect covered defense information that is processed, stored, or transmitted in their cloud services. The DFARS 7012 requirement in turn invokes DFARS 252.239-7010, "Cloud Computing Services," which establishes comprehensive cybersecurity requirements for the acquisition of cloud services and ensures those services meet stringent information security standards. The alignment of these two DFARS clauses with the FedRAMP Equivalency Memo published in December 2023 underscores the DoD's commitment to rigorous cybersecurity protocols for safeguarding sensitive defense-related information, and further justifies accepting FedRAMP authorization in lieu of additional certifications such as CMMC for CSPs.

The primary rationale behind this distinction lies in the specialized security controls and continuous monitoring processes demanded by FedRAMP, which are tailored specifically for cloud environments. Given the sophisticated nature of cloud services, FedRAMP provides a more suitable and rigorous framework than CMMC for these providers. 

MSPs and MSSPs face a parallel situation, where their unique operational models and the specific nature of the services they provide necessitate a bespoke set of security standards. For CSPs, FedRAMP ensures that their infrastructure, policies, and procedures meet comprehensive federal security requirements, effectively mitigating risks associated with the storage and handling of classified government data. This alignment with FedRAMP not only simplifies the compliance process but also aligns CSP security measures more closely with the expectations and risks faced in cloud-based environments. Thus, while CMMC focuses broadly on cybersecurity practices, FedRAMP's cloud-specific guidelines provide the pertinent level of scrutiny and security assurance required for CSPs.


Third Party Independent Systems Integrators and ESP Classification under CMMC

Third-party independent systems integrators may not qualify as an ESP under the CMMC proposed rule as long as they adhere to specific conditions. Firstly, they must ensure that they do not store, process, or transmit CUI on their third-party systems. By refraining from handling CUI data independently, these integrators eliminate the need to meet the stringent requirements set for ESPs.

Secondly, if these integrators work solely within the end-client's systems, they remain outside the ESP classification. Operating within the client-controlled environment shifts the responsibility of maintaining CUI protections back to the client. It is thus imperative for the end client to verify that these integrators have proper system credentials and authorizations on the client's system. Additionally, the end client must ensure that these integrators receive appropriate CUI handling and security training through the client's Learning Management System (LMS).

This delineation of responsibilities ensures that third-party integrators can effectively assist with system integration tasks without undergoing the rigorous CMMC certification required for ESPs, provided they operate strictly under these guidelines. However, if the third-party integrator handles CUI on their own systems or outside the end-client's controlled environment, they must adhere to all requirements of an ESP and obtain proper certification accordingly.


Final Thoughts for the DIB Contractor – how to manage your ESPs?

The distinction of who is labeled an “External Service Provider (ESP)” under the CMMC proposed rule is a nuanced discussion that hinges on the handling and location of CUI. By ensuring that CUI is not stored, processed, or transmitted through their systems and by working exclusively within the client's controlled environment, most true service providers such as MSPs, MSSPs, or systems integrators can sidestep the rigorous requirements associated with ESP CMMC certification. This approach ensures that both the service providers and end clients maintain the highest levels of data security while optimizing operational efficiency. 

For the end-client DIB Contractor: Does your service provider constitute an External Service Provider as defined by CMMC? Maybe, maybe not. First, note where CUI is stored, processed, or transmitted. If the service provider neither accesses this data nor stores it on its own systems, it may not meet the CMMC definition of an External Service Provider.

Second, if they do access, store, process, or transmit CUI, a CMMC certification may still be too much to ask of the provider. Typically, what BDO will ask the service provider for is a Shared Responsibility Matrix (SRM), which some call a Client Responsibility Matrix (CRM), showing which controls are satisfied by the provider and how you, the Organization Seeking Certification (OSC), will inherit those controls to measure and maintain your overarching authorization boundary. By clearly delineating the responsibilities and requirements of third-party service providers in an SRM, the NIST 800-171 framework gives organizations a comprehensive roadmap for securing their information systems and maintaining compliance with government regulations alongside their service providers.

In closing, navigating the complexities of CMMC certification involves a thorough understanding of the roles and responsibilities of all parties involved. By accurately identifying whether a service provider qualifies as an External Service Provider (ESP) as defined by the CMMC Proposed Rule and leveraging tools such as an SRM, organizations can ensure a clear and effective division of compliance tasks against NIST SP 800-171 and CMMC. This approach not only aids in maintaining robust data security practices but also helps streamline operational efficiencies by allowing DIB contractors to achieve and sustain CMMC compliance while optimizing their partnerships with MSPs, MSSPs, Cloud Service Providers, and systems integrators.

How BDO Can Help

As a CMMC Registered Practitioner Organization (RPO), BDO has built an IT security compliance team with a deep bench of advanced degrees in Cybersecurity and Information Assurance and over 30 years of experience supporting information technology, information assurance, and cybersecurity programs. Contact us for guidance on navigating the complex process of CMMC compliance.