
Avoid Assessment Surprises: The Critical Role of ESPs and SPDs in CMMC Compliance

MNS Group, Jun 3, 2025 10:18:40 PM, 2 min read

At recent CyberAB Town Halls, CEO Matthew Travis clarified critical points about External Service Providers (ESPs) and their impact on your organization's Cybersecurity Maturity Model Certification (CMMC) assessment. This clarification is essential for Organizations Seeking Assessment (OSAs) who utilize outsourced services.

What are ESPs and SPDs?

External Service Providers (ESPs) are third-party entities contracted to manage, consult, process, store, or transmit your organization's information. They may be called by a variety of names with broad or narrowly defined responsibilities: Managed Services Providers (MSPs), Managed Security Services Providers (MSSPs), Infrastructure-as-a-Service, Help Desk, Solutions Architects, and more. The services they provide are what matters to you as an OSA.

ESPs may provide the following services:

Staff augmentation (traditional IT)

  • IT help desk (remote), onsite technicians, fractional CIO/CISO
  • Policies and procedures

Procurement services

  • Buy and install workstations, servers, and networks
  • Buy and install software

Infrastructure as a Service (IaaS)

  • Provide a portion of a cloud infrastructure that the ESP manages
  • Provide infrastructure on ESP-owned hardware (private datacenter)

IT security services (MSSP)

  • Security Operations Center (SOC)
  • Incident response and forensics

Security Protection Data (SPD) refers specifically to data stored or processed by Security Protection Assets that are used to protect an OSA's environment. In the CMMC Level 2 Scoping Guide, SPDs are defined as “security-relevant information which, if disclosed, could aid an attacker in the compromise of the system. It includes, but is not limited to:

  • configuration data required to operate a security protection asset,
  • log files generated by or ingested by a security protection asset,
  • data related to the configuration or vulnerability status of in-scope assets, and
  • passwords that grant access to the in-scope environment.”


ESP Assessment Requirements: A Closer Look

Matthew Travis explained, referencing 32 CFR Table 4 §170.19(c)(2)(i):

  • ESPs handling CUI must be fully assessed against all 110 requirements of NIST SP 800-171r2, effectively integrating their security practices directly into your organization's scope of assessment.
  • ESPs managing only SPD (no direct CUI) are assessed as Security Protection Assets (SPAs). These assessments are narrower, scoped specifically to the requirements directly related to the security services provided.

Why Does This Matter?

The implications are significant:

  • If your ESPs handle CUI and have not already independently undergone a voluntary CMMC assessment, they must be assessed as part of your assessment.
  • This effectively doubles the assessment scope, and therefore the cost and complexity, for your organization, potentially requiring you to finance a separate comprehensive CMMC assessment for each ESP involved.
  • Scheduling your assessment may be impacted: if your ESPs are not prepared, you will not be able to achieve CMMC Level 2 status with all objectives “Met” until they have completed their part.

Ultimately, this could impact your business’s ability to win contracts.

Strategic Considerations for Defense Contractors

For OSAs, this reality underscores the importance of clearly understanding your ESP's role and scope of service. Many businesses lack clear visibility into exactly what their managed services or security services provider handles on their behalf. Remember that CMMC Level 2 assessments inspect 340 objectives: find out what portion of those objectives are shared between you and your ESP, which are wholly owned by the ESP, and which you are entirely responsible for.

Once you understand what your ESP is responsible for, encourage or require those ESPs handling CUI to proactively pursue independent CMMC certification. This will assist you in the timing and scheduling of your business’s assessment.

For ESPs handling SPD, make sure to coordinate with them for their availability during your assessment time period.

Taking these steps can mitigate your overall assessment cost and complexity significantly.

MNS Group’s Proactive Approach

MNS Group recognized this critical compliance issue early and proactively pursued CMMC Level 2 certification. As one of the first MSPs to achieve this certification, MNS Group ensures significant cost savings and peace of mind for OSAs during the certification process.

Final Thoughts

As the CyberAB continues to clarify these rules, it's crucial to stay ahead of changes. Engage your ESPs now to understand their current certification status and compliance readiness.

What's your take? Should ESPs proactively certify to alleviate this burden, or should OSAs bear this responsibility?

Stay informed and proactive in navigating CMMC compliance effectively.
