How to Approach Third Party External Service Providers & FedRAMP Equivalency
Defining an External Service Provider
In pursuit of CMMC certification, External Service Providers (ESPs) are third parties whose services affect DoD-controlled information, whether that is the Confidentiality, Integrity, and/or Availability of the data itself or of any systems that protect the data. Managed Service Providers (MSPs) and Security Operations Centers (SOCs) are common examples of CMMC ESPs.
FedRAMP Equivalency
Under DFARS 252.204-7012, any external cloud service provider leveraged by a contractor seeking CMMC certification to store, process, or transmit defense information must meet security requirements equivalent to those of the FedRAMP Moderate Baseline.
Assessing FedRAMP Equivalency
To confirm and assess FedRAMP equivalency, contractors pursuing CMMC certification must obtain the following from every external cloud service they leverage that stores, processes, or transmits defense information:
- System Security Documentation
  - Typically provided in the form of a System Security Plan (SSP)
- Shared Responsibility Matrix
  - Typically provided in the form of a Control Implementation Summary (CIS)
- 3PAO Assessment Documentation
  - A Security Assessment Plan (SAP) and Security Assessment Report (SAR), at minimum, are required
- Plan of Action and Milestones (POA&M)
Not All ESPs Require FedRAMP Equivalency
Leveraging ESPs is vital to ensuring efficiency and reducing costs when pursuing CMMC certification. One key detail to note is that not all third-party services leveraged by contractors pursuing CMMC certification require FedRAMP equivalency. If an External Service Provider does not store, process, or transmit defense information, it is not in scope for FedRAMP equivalency, nor does it require its own CMMC certification. For example, a Managed Service Provider can access its customer's CMMC boundary through defined access control procedures without storing, processing, or transmitting defense information. In these cases, the boundary of the CMMC environment does not grow and the CMMC contractor still receives vital service support.
In the event that an ESP does store, process, or transmit defense information, FedRAMP equivalency is required of it. FedRAMP equivalency can be demonstrated by assessing the ESP and its services against the FedRAMP Moderate baseline as part of your own CMMC certification process. Alternatively, the ESP can provide evidence of its own CMMC certification and/or FedRAMP Moderate Authorization.
What CMMC Contractors Need to Do
Defining your boundary is key. Work with your external service providers as partners rather than obstacles. Ensure they are on board to provide audit support and to answer audit inquiries about how they support your systems and processes. If they store, process, or transmit your defense data, collaborate with them to gather the body of evidence needed to demonstrate FedRAMP equivalency, whether through your CMMC assessment or through their own. If they do not store, process, or transmit your defense data, work with them to support your assessment and ensure they function as partners, not as part of the boundary.