Defining External Service Providers (ESPs)
ESPs are formally defined in the CMMC program under § 170.4 as third-party organizations providing information system services to an Organization Seeking Certification (OSC), which may process, store, or transmit FCI or CUI. This definition, detailed in the Federal Register's CMMC program documentation, includes entities like cloud service providers (CSPs), security service providers, and others impacting the confidentiality, integrity, or availability of DoD-controlled information.
Key requirements for ESPs include:
- If processing, storing, or transmitting CUI and classified as a CSP, they must meet FedRAMP Moderate baseline requirements, as per DFARS clause 252.204-7012.
- If not a CSP but handling CUI, they are considered an extension of the OSC's environment, within the scope of the OSC's CMMC assessment, and assessed against all applicable requirements.
- If not handling CUI, they do not require a separate CMMC assessment, but their services are included in the OSC's assessment scope.
- ESPs may voluntarily request assessment by a Certified Third-Party Assessment Organization (C3PAO) if advantageous, requiring a CAGE code and SPRS account for registration.
The DoD's CMMC FAQs further elaborate, noting in Q44 that ESPs can include internal corporate entities if at different organizational levels, such as a centralized Security Operations Center (SOC) not under the same CAGE code as the OSC, requiring a service description and customer responsibility matrix (CRM) for assessment.
Understanding Managed Service Providers (MSPs)
MSPs, while not explicitly defined in the official CMMC documentation, are commonly understood in the industry as companies managing IT infrastructure and end-user systems, offering services like network management, helpdesk support, and cybersecurity monitoring. The term "MSP" was removed from § 170.4 in the CMMC program, as noted in the Federal Register, indicating no official definition, but it is implied as a type of ESP (not a CSP) providing technical support services.
From the CMMC FAQs, MSPs are discussed in questions like Q33, Q34, Q35, Q36, and Q37, highlighting their role:
- Q33 states MSPs do not need their own CMMC assessment, but if storing or processing CUI, their systems are in scope for the OSC's assessment.
- Q34 clarifies that if an MSP or Managed Security Service Provider (MSSP) does not handle CUI, they are considered ESPs and assessed as Security Protection Asset Critical.
- Q35 notes that an MSP using cloud tools for service delivery is not considered a CSP.
- Q36 specifies no CMMC certification is needed if the MSP does not process, store, or transmit CUI.
- Q37 discusses scenarios where an MSP may be considered a CSP depending on contract terms with a CSP and service modifications.
Comparative Analysis: MSPs vs. ESPs, Including Cybersecurity Management
To systematically compare MSPs and ESPs, consider the following table based on the gathered information, with an additional column for the impact of managing cybersecurity:
From this, it is evident that MSPs are a subset of ESPs, and when managing cybersecurity, they are almost certainly classified as ESPs handling CUI, with heightened compliance requirements.
Impact of MSP Managing Cybersecurity of the OSC
When an MSP manages the cybersecurity of the OSC, it significantly alters its classification and compliance obligations. Managing cybersecurity typically involves handling security protection data, log data, configuration data, and potentially CUI, making the MSP an ESP under CMMC 2.0. This is because cybersecurity management often includes monitoring, threat detection, and incident response, all of which may involve accessing sensitive DoD information.
From the CMMC FAQs, Q34 specifically addresses MSPs or MSSPs, noting that if they handle CUI, they are assessed as part of the OSC's environment, requiring compliance with Level 2 controls if applicable. The article "CMMC Explained by the Experts: What is an External Service Provider?" reinforces this, stating that ESPs providing cybersecurity services must be included in the OSC's assessment scope, especially if handling CUI.
This change means:
- The MSP must be treated as an ESP, potentially requiring a separate CMMC Level 2 certification if it processes, stores, or transmits CUI.
- The OSC must include the MSP's services in its assessment, ensuring all security controls are met, as per Q33 and Q34 of the FAQs.
- Costs for compliance may increase, with estimates for small entities outsourcing to ESPs including planning, assessment, and reporting phases, with hourly rates around $260.28, totaling significant investments (e.g., $22,904 for self-assessment, $43,727 for certification, as inferred from partial data in the Federal Register).
Implications for Compliance
Understanding this relationship is vital for organizations seeking CMMC certification, especially when outsourcing cybersecurity to an MSP. If the MSP manages cybersecurity, it must be treated as an ESP, potentially requiring inclusion in the OSC's assessment scope or separate certification.
This shift underscores the importance of interpreting MSPs within the ESP framework for compliance planning, particularly when cybersecurity is involved, ensuring robust protection of DoD information.
In conclusion, MSPs are not the same as ESPs but are a type of ESP, focusing on IT management services within the broader category of external service providers. When an MSP manages the OSC's cybersecurity, it becomes an ESP handling CUI, requiring compliance with Level 2 controls and potentially certification. The evidence leans toward MSPs being a subset, with added scrutiny if managing cybersecurity due to sensitive data, ensuring robust cybersecurity for DoD contracts. Organizations must carefully assess their MSPs as ESPs to meet CMMC standards, leveraging resources like the CMMC FAQs and Federal Register for guidance.
We strongly suggest doing your own research. Here are the links: