External Service Providers and CMMC: How MSPs, CSPs, and Cloud Vendors Affect Your Assessment in 2026
The single most expensive misunderstanding I see in CMMC engagements right now does not involve a NIST control. It involves a vendor. A defense contractor signs with a managed service provider that advertises itself as "CMMC compliant," assumes that wraps up the inheritance question, and then discovers — sometimes during the assessment itself — that the C3PAO does not share that interpretation.
The final CMMC rule (32 CFR Part 170, effective December 16, 2024) changed how External Service Providers are treated, and the change is more subtle than most contractors realize. The proposed rule required ESPs to obtain CMMC certification. The final rule does not. That sounds like a relaxation. It is anything but. What the final rule actually does is shift the risk back to you, the contractor, and force you to either carry your ESP through your own assessment scope or independently verify that they meet equivalent standards.
This article walks through exactly how ESPs are defined under the final rule, where MSPs, MSSPs, and CSPs fit in, what documentation your assessor will demand, and the practical steps to keep a vendor relationship from sinking your assessment.
The Definition That Drives Everything
Under 32 CFR 170.19 and the broader Subpart D, an External Service Provider is any external person, technology, or facility that an Organization Seeking Assessment (OSA) uses to provide or manage IT or cybersecurity services on its behalf. For the relationship to qualify as an ESP relationship in the CMMC sense, one of two conditions must be true:
- The ESP processes, stores, or transmits Controlled Unclassified Information (CUI) on its assets, or
- The ESP handles Security Protection Data — log data, configuration data, identity data, alerting telemetry, or anything else used to protect CUI.
That second prong catches many contractors off guard. A SOC-as-a-service provider that never touches a CUI document still receives your SIEM logs, your authentication events, and your endpoint telemetry. That makes them an ESP whether or not they ever see a single drawing.
If a vendor only handles non-CUI, non-protection data — say, a marketing automation platform with zero overlap with your CUI environment — they are not an ESP under CMMC. They are a third-party vendor with their own contractual obligations, and you treat them through your supply chain risk program rather than as part of your CMMC scope.
The Three Categories You Need to Distinguish
The final rule treats different kinds of external providers differently. Lumping them all together is one of the fastest paths to a confused assessment.
Managed Service Providers (MSPs) and MSSPs
MSPs and MSSPs are the most common ESP type. They typically administer your endpoints, your network, your identity stack, and often your security tooling. Because they hold privileged access into your CUI environment, they almost always handle Security Protection Data at minimum.
Under the final rule, MSPs are not required to obtain their own CMMC certification. They have two options:
- Voluntary CMMC certification at the level required by your contract. If your MSP holds a Level 2 certification, you can inherit their controls during your own assessment, and the C3PAO will not need to assess the MSP's assets directly.
- Inclusion in your assessment scope. If the MSP is not certified, their relevant assets become in-scope for your C3PAO. The assessor will walk into the MSP's controls just as if they were yours, and any deficiency lands on your assessment.
Both options are legitimate. Neither is free. The certified-MSP path costs more in monthly fees and limits your vendor choice. The uncertified, in-scope MSP path costs more in assessment time and creates real risk if the provider's controls do not hold up under scrutiny.
Cloud Service Providers (CSPs)
CSPs are a separate animal. If your CSP processes, stores, or transmits CUI — and the moment you put a CUI document in a SharePoint Online tenant or a virtual machine on AWS, your CSP is doing exactly that — the CSP must meet FedRAMP Moderate authorization or FedRAMP Moderate equivalency.
This is not a CMMC requirement that was invented in 2024. It comes from DFARS 252.204-7012, which has been included in contract clauses since 2017. What changed in 2024 is enforcement: the CMMC final rule, combined with DFARS 252.204-7021 (effective November 10, 2025), made it explicit that your C3PAO will evaluate cloud provider compliance during the Level 2 or Level 3 assessment.
The trap inside this requirement is the word "equivalency." The DoD's FedRAMP Equivalency Memo, issued in December 2023 and reaffirmed in 2024, is unambiguous: equivalency means 100 percent of the FedRAMP Moderate baseline implemented, with zero open POA&M items, validated by a 3PAO. A vendor saying it is "FedRAMP Moderate equivalent" with three or four open controls is not equivalent under the DoD's definition. The standard FedRAMP authorization process tolerates open POA&Ms during continuous monitoring. The equivalency path does not.
If your cloud provider cannot produce a 3PAO-attested Body of Evidence demonstrating 100 percent baseline implementation, you cannot legitimately host CUI there for DoD work. There is no middle ground.
Other ESPs: Backup, Email Security, EDR, Vulnerability Management
Beyond the headline categories, the long tail of ESPs gets contractors in trouble more often than the obvious ones. A few examples I see fail assessments:
- Backup providers that replicate CUI workloads into commercial regions, not GovCloud.
- Email security gateways that route mail through commercial scanning infrastructure before delivery.
- EDR and MDR platforms whose telemetry is processed in non-FedRAMP regions.
- Vulnerability scanning vendors whose findings include configuration data sufficient to compromise CUI systems.
- Identity providers whose authentication logs constitute Security Protection Data.
Each of these can be a legitimate ESP under CMMC. The question is never whether they qualify — the question is whether you have documented the relationship and either inherited their controls or assessed their assets within your own scope.
What Your Assessor Will Demand
A C3PAO walking into your assessment will ask three specific things about every ESP relationship. If you cannot produce these documents quickly and consistently, you have a finding regardless of how well the underlying controls are implemented.
1. System Security Plan (SSP) Documentation
Your SSP must describe each ESP, the services they provide, and the boundary between their responsibility and yours. The SSP should name the provider, identify the services in scope, list the controls inherited from the provider, and explicitly state where CUI flows through the provider's environment.
A common failure pattern: contractors write "MSP manages our endpoints" in a single sentence and consider the documentation complete. That is nowhere near enough. The SSP must be specific enough that an assessor can trace a control number from your scoping diagram into the provider's environment without ambiguity.
2. Customer Responsibility Matrix (CRM)
The CRM is a control-by-control assignment of who does what. For each applicable NIST 800-171 control (or NIST 800-172 control at Level 3), the matrix specifies whether the OSA, the ESP, or both share implementation responsibility. Where responsibility is shared, the CRM must describe the split with enough granularity that a reasonable assessor can verify each side independently.
If your MSP or CSP cannot produce a CRM on request, you do not have an ESP relationship — you have a vendor relationship with hope. Get the CRM in writing or replace the provider.
3. Service Description and Evidence Artifacts
Beyond the CRM, you need a service description that defines what the provider actually delivers, contractually. You also need ongoing evidence: the provider's certification letters, FedRAMP authorization or equivalency body of evidence, recent continuous monitoring reports, and any attestations they have produced for similar customers.
Where the provider is certified, ask for the C3PAO assessment report or at minimum the Final Findings Letter. Where the provider relies on FedRAMP equivalency, ask for the 3PAO attestation, the most recent monthly continuous monitoring executive summary, and the annual 3PAO validation. Without these, you are guessing — and assessors do not credit guesses.
The Inheritance Trap
The most expensive misunderstanding I mentioned at the start of this article almost always comes down to the same mechanic. A contractor sees that an MSP is "CMMC certified" and assumes every relevant control is inherited. That is not how inheritance works under the final rule.
Inheritance requires three things:
- The provider's certification must cover the services they actually provide you. A Level 2 certification for a single SOC service does not extend to endpoint management or vulnerability scanning.
- The provider's scope must encompass your assets. An MSP certified for its own internal CUI environment may not have your tenant within its assessment boundary.
- The CRM must reflect the inheritance. If the CRM is silent or ambiguous about a control, the assessor will not credit it as inherited regardless of what marketing materials say.
I have personally seen a contractor lose six months of assessment preparation because they assumed an MSP's Level 2 certification covered SIEM ingestion they had bolted on after the certification snapshot. The MSP was certified. The service in question was not in scope. The assessor caught it on the second day.
A Practical ESP Hygiene Checklist
To keep your ESP relationships from sinking your assessment, work through this list in the next 30 days. Most contractors take longer to get through it than they expect.
- Inventory every external provider that touches CUI, Security Protection Data, or your CMMC scope boundary. Include backup, identity, email security, endpoint, network, SIEM, vulnerability management, ticketing, and any niche tooling.
- For each provider, document the data type they handle (CUI, SPD, or neither), the services they deliver, and whether they qualify as an ESP under 32 CFR 170.19.
- For each ESP, obtain a current CRM, the relevant certification or FedRAMP attestation, and the contractual service description. File them where your assessment evidence lives.
- For each CSP, verify FedRAMP Moderate authorization or, if equivalency is claimed, the 3PAO body of evidence with zero open POA&Ms. Without this, treat the relationship as broken until it is fixed.
- Update your SSP and scoping diagram so every ESP is named, every data flow is shown, and every inherited control is annotated with its source.
- Review your DFARS 252.204-7012 flow-down clauses in each ESP contract. The flow-down obligations are still in force regardless of CMMC, and an assessor will check.
- Plan how you will produce monthly continuous monitoring evidence for any cloud provider relying on FedRAMP equivalency. The DoD memo requires ongoing validation, not a one-time snapshot, and the burden of producing that evidence ultimately lands on you.
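The rules above (the two-prong ESP test, the zero-POA&M equivalency standard, and the three conditions for inheritance) can be turned into a simple inventory check. The following is an added example, not a TalonPoint tool or anything from the rule text; the provider names, services, and NIST 800-171 control numbers in the sample records are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:
    """One external provider record; all sample values below are constructed."""
    name: str
    kind: str                                             # "msp", "csp" or "other"
    handles_cui: bool = False
    handles_spd: bool = False                             # Security Protection Data (logs, identity, telemetry)
    services: set = field(default_factory=set)            # services delivered to us
    certified_services: set = field(default_factory=set)  # services inside the provider's CMMC certification
    scope_covers_customer: bool = False                   # our tenant sits inside their assessed boundary
    crm: dict = field(default_factory=dict)               # CRM: control id -> service implementing it
    fedramp_authorized: bool = False
    equivalency_3pao_attested: bool = False
    open_poams: int = 0

def is_esp(p: Provider) -> bool:
    """32 CFR 170.19: an ESP handles CUI or Security Protection Data."""
    return p.handles_cui or p.handles_spd

def csp_may_host_cui(p: Provider) -> bool:
    """FedRAMP Moderate authorization, or equivalency: 3PAO-attested with zero open POA&Ms."""
    return p.fedramp_authorized or (p.equivalency_3pao_attested and p.open_poams == 0)

def inherited_controls(p: Provider) -> set:
    """Credit a control only if the cert covers the service, the provider's scope
    covers our assets, and the CRM assigns the control to that service."""
    if not p.scope_covers_customer:
        return set()
    return {c for c, svc in p.crm.items() if svc in p.services & p.certified_services}

def findings(p: Provider) -> list:
    """Gap list for one provider; an empty list means nothing blocks the assessment."""
    out = []
    if not is_esp(p):
        return out  # plain vendor: handled by the supply chain risk program, not CMMC scope
    if p.kind == "csp" and p.handles_cui and not csp_may_host_cui(p):
        out.append(f"{p.name}: cannot host CUI (no FedRAMP Moderate ATO or clean equivalency)")
    if not p.crm:
        out.append(f"{p.name}: no CRM; controls cannot be inherited or verified")
    for c in sorted(set(p.crm) - inherited_controls(p)):
        out.append(f"{p.name}: control {c} not inheritable; provider assets in scope for C3PAO")
    return out

# Constructed sample inventory mirroring the article's scenarios (SIEM bolted on after certification)
MSP = Provider("ExampleMSP", "msp", handles_spd=True, services={"soc", "siem"},
               certified_services={"soc"}, scope_covers_customer=True, crm={"3.6.1": "soc", "3.3.1": "siem"})
CLOUD = Provider("ExampleCloud", "csp", handles_cui=True, equivalency_3pao_attested=True, open_poams=3)
MARKETING = Provider("ExampleMarketing", "other")
```

Running `findings()` over each record flags the SIEM control the MSP's certification never covered and the cloud provider whose equivalency claim fails on open POA&Ms, while the marketing vendor produces no ESP findings at all.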
Where Policy and Documentation Help
ESP failures are almost always documentation failures. The controls are usually in place — or close enough to in place that the gap can be closed quickly. What sinks contractors is the inability to produce the SSP language, the CRM, the service description, and the evidence chain on demand.
The TalonPoint PolicyPack includes the supply chain risk management, third-party security, and cloud services policies that anchor an ESP program, along with the contractual flow-down language and CRM templates that make ESP documentation defensible. A polished policy stack does not replace the operational work, but it gives you the scaffolding to put that work into a form an assessor will accept. If your ESP documentation today is a few scattered notes and a vendor's marketing PDF, the gap is closeable in weeks rather than months — but only if you start with the right structure.
The Bottom Line
The final CMMC rule did not let your vendors off the hook. It let them choose between certification and being dragged into your assessment, and either way it placed the responsibility for that choice on you. The contractors who handle this well treat their ESP program as a first-class component of CMMC scope, not an afterthought to be sorted out the week before an assessment.
If you cannot today produce a complete ESP inventory, a CRM for each provider, and a clean line from each inherited control back to its source, your assessment risk is higher than your gap analysis suggests. Closing that gap is unglamorous work — vendor calls, contract reviews, documentation cleanup — and it is precisely the work that separates contractors who pass on the first attempt from contractors who do not.
Start the inventory this week. Everything else follows from there.
About the Author
The TalonPoint Security team brings 30 years of cybersecurity expertise with CISM and CISSP certifications. As a practicing Chief Information Officer, our founder implements the security policies and compliance frameworks we write about. TalonPoint Security was founded to make professional CMMC compliance accessible to small and medium-sized defense contractors.