A Guide to External Service Providers (ESP) and CMMC Certifications 

In the Defense Industrial Base (DIB), External Service Providers (ESPs) are becoming increasingly common. The term covers Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), and Cloud Service Providers (CSPs), and such providers are especially valuable to small and medium-sized businesses where hiring a full-time compliance employee may not be practical.

ESP services range from full system management and support to security services, network monitoring, cloud management, and many other options. They can relieve much of the manual effort required of DIB organizations to mature their environment, prepare for a C3PAO assessment, or maintain a compliant status once it has been achieved. However, ESPs working within the defense industry face a common question: do they also need a CMMC certification of their own?

The short answer is that an ESP should strongly consider it. The rule makes ESP certification voluntary, but engaging a CMMC-certified ESP gives Organizations Seeking Certification (OSCs) assurance when selecting a service provider. Exactly what is required of an ESP, however, depends entirely on the service agreement with each individual client. In this guide we break down the top four things External Service Providers need to consider when choosing to work with DIB organizations.

1. Customer Responsibility Matrix (CRM) and Shared Responsibility Matrix (SRM)

Between an organization and an ESP there needs to be an agreed-upon document that defines exactly what service is being provided. It should state who carries the burden of proof for each requirement during the certification process and for maintaining compliance afterwards. For instance, if a customer organization is pursuing certification and the ESP is providing network security services, the agreement between both parties must explicitly define which CMMC controls the ESP is responsible for implementing and maintaining on behalf of the customer.

This document can take many forms, but the most comprehensive version covers every NIST SP 800-171 requirement and assessment objective, marking each objective "Yes" or "No" for whether it is the ESP's responsibility (and, where an objective is shared, which part each party owns). The same roles and responsibilities must also be documented in the System Security Plan (SSP) so that the relationship between customer and service provider is memorialized in both places and the two documents agree.

2. Types of CMMC Certifications for ESPs

Depending on the direction and the services an ESP provides, there are two options:

  1. FedRAMP Authorization (for CSPs) – If a Cloud Service Provider (CSP) delivers services in which Controlled Unclassified Information (CUI) is processed, stored, or transmitted within the CSP's own systems, the CSP is subject to FedRAMP authorization at the appropriate baseline (Moderate or High) or must meet the DoD's FedRAMP Moderate equivalency requirements, rather than obtaining a CMMC certification of its own.
  2. Certification Covering a Limited Number of Controls – If an ESP only provides a specific service or function of limited scope to its clients, it may have only those services reviewed and certified under a CMMC assessment.

Both of these options will be covered further in the next section with their references and justifications.  

3. CMMC Certification References and Resources for ESPs

32 CFR Part 170 distinguishes two types of service providers: Cloud Service Providers (CSPs) and ESPs that are not CSPs. Understanding what each term means clarifies which requirements apply to an ESP. The following definitions are taken from 32 CFR Part 170:

“Cloud Service Provider (CSP) means an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition is based on the definition for cloud computing in NIST SP 800-145 Sept2011. (CMMC-custom term)”

“External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)”

ESPs seeking certification follow the same controls and practices as Organizations Seeking Assessment (OSAs). The only difference is that the controls considered "in scope" are those for which the ESP provides a service. Table 6 in 32 CFR § 170.19, referenced below, summarizes the scoping requirements for ESPs across each of the data-handling cases the rule distinguishes, both for ESPs that are CSPs and for those that are not.

Table 6 to § 170.19(d)(2)(i)—ESP Scoping Requirements

According to this table, if an ESP is not a Cloud Service Provider (CSP), its services are assessed as part of the OSA's assessment scope whenever the ESP handles CUI or Security Protection Data. To smooth this process for clients, the ESP may undergo a CMMC certification process that covers only the services it provides. This is expanded upon in § 170.19(d)(2)(ii):

“The use of an ESP, its relationship to the OSC, and the services provided need to be documented in the OSC’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSC and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment. The minimum assessment type for the ESP is dictated by the OSC’s DoD contract requirement.”

We focus on the sentence "Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSA's assessment." The rule does not spell out what "a CMMC certification assessment" means for an ESP: a full assessment, or something narrower? The DoD CIO Office's presentation "Topics For CIO Summit: External Service Providers (ESPs), Asset Categories, SPA/SPD, and VDI" clarifies the point, stating that the "Scope should cover services provided to clients." The services identified in the CRM or SRM are therefore what determine which services an ESP should have certified.

Slide 5 of the Topics For CIO Summit: External Service Providers (ESPs), Asset Categories, SPA/SPD, and VDI

4. Burden of Responsibility for ESPs and CMMC

An ESP that provides full-service support and holds administrative access to a client's network containing CUI may be taking on more responsibility than anticipated, since the burden of meeting the CMMC controls it administers falls on the ESP. This must be considered when drafting and agreeing on the CRM. If the ESP is not taking on that responsibility, the client must put measures in place to restrict and control the access and privilege levels the ESP holds on the client's network (for example, named rather than shared administrative accounts, privileges limited to the service being delivered, and logging of administrative sessions), and those measures are themselves in scope for the client's assessment.

Documentation is everything. This should be the catchphrase of CMMC. The relationship between the client (OSA) and the ESP needs to be defined and documented in the SSP, the ESP's Service Description, and the CRM/SRM, and the three must tell the same story. The ESP's achievement of certification does not remove the obligation to explain clearly how the ESP service meets each control and objective. Without alignment between these documents, the burden of responsibility cannot be defined, causing issues before, during, and after the certification process.
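The alignment check described in sections 1 and 4 can be automated once the CRM is kept in a structured form. The following is an added example (not code from the original article or from any CMMC tool): it reads a CRM export in which each NIST SP 800-171 requirement is marked "Yes" or "No" for ESP and OSA responsibility, compares it with the SSP's own statement of who implements each control and with the ESP's service description, and reports every control that is unowned, contradicted, undocumented, or tied to a service the ESP does not actually describe. The CRM rows, SSP entries, service list, and abbreviated control titles are constructed for illustration; a real CRM covers all 110 requirements and their assessment objectives.

```python
"""Cross-check a Customer Responsibility Matrix (CRM) against an SSP and an
ESP service description. Added example; all data below is constructed."""
import csv
import io

# Constructed CRM export: one row per NIST SP 800-171 requirement (titles
# abbreviated). esp_service names the ESP service that delivers the control
# whenever the ESP is responsible for it.
CRM_CSV = """control,title,esp_responsible,osa_responsible,esp_service
3.1.1,Limit system access to authorized users,Yes,Yes,Managed identity
3.1.2,Limit access to permitted transaction types,Yes,No,
3.3.1,Create and retain system audit logs,Yes,No,SIEM monitoring
3.5.3,Use multifactor authentication,No,Yes,
3.8.3,Sanitize media before disposal or reuse,No,No,
3.13.1,Monitor and control communications at boundaries,Yes,No,Managed firewall
3.14.6,Monitor systems to detect attacks,Yes,No,Managed EDR
"""

# Constructed SSP entries: (implementing party, implementation statement).
SSP = {
    "3.1.1": ("Shared", "ESP administers the directory; OSA approves access requests."),
    "3.1.2": ("ESP", "Inherited from the ESP per the CRM."),
    "3.3.1": ("ESP", "Inherited from the ESP's SIEM service per the CRM."),
    "3.5.3": ("OSA", "OSA enforces MFA on all privileged and network accounts."),
    "3.13.1": ("OSA", "OSA manages the perimeter firewall."),  # contradicts the CRM
    "3.14.6": ("ESP", "Inherited from the ESP per the CRM."),
    # 3.8.3 deliberately has no SSP entry
}

# Constructed list of services named in the ESP's service description.
ESP_SERVICES = {"Managed identity", "SIEM monitoring", "Managed firewall"}


def crm_owner(row):
    """Derive the responsible party from the Yes/No columns of one CRM row."""
    esp = row["esp_responsible"].strip().lower() == "yes"
    osa = row["osa_responsible"].strip().lower() == "yes"
    if esp and osa:
        return "Shared"
    if esp:
        return "ESP"
    if osa:
        return "OSA"
    return "Unassigned"


def check_alignment(crm_csv=CRM_CSV, ssp=SSP, esp_services=ESP_SERVICES):
    """Return sorted (control, finding) pairs for every inconsistency found."""
    findings = []
    crm_controls = set()
    for row in csv.DictReader(io.StringIO(crm_csv)):
        ctl = row["control"].strip()
        crm_controls.add(ctl)
        owner = crm_owner(row)
        if owner == "Unassigned":
            findings.append((ctl, "no responsible party in CRM"))
        if owner in ("ESP", "Shared"):
            # Every ESP-delivered control must map to a described service.
            svc = row["esp_service"].strip()
            if not svc:
                findings.append((ctl, "ESP responsible but no ESP service named"))
            elif svc not in esp_services:
                findings.append((ctl, f"service '{svc}' not in ESP service description"))
        if ctl not in ssp:
            findings.append((ctl, "no SSP implementation statement"))
        elif owner != "Unassigned" and ssp[ctl][0] != owner:
            findings.append((ctl, f"CRM says {owner}, SSP says {ssp[ctl][0]}"))
    # Controls the SSP attributes to someone but the CRM never mentions.
    for ctl in ssp:
        if ctl not in crm_controls:
            findings.append((ctl, "in SSP but absent from CRM"))
    return sorted(findings)


if __name__ == "__main__":
    for control, finding in check_alignment():
        print(f"{control}: {finding}")
```

Run against the constructed data, the check reports five findings: 3.1.2 has no service behind the ESP's responsibility, 3.13.1 is claimed by the ESP in the CRM but by the OSA in the SSP, 3.14.6 relies on a service the ESP's description never lists, and 3.8.3 is both unowned and missing from the SSP. Each of these is exactly the kind of gap an assessor will find when the CRM, SSP, and service description have drifted apart.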

Final Thoughts

With the assessment requirements and responsibilities clarified, we can conclude that an ESP seeking CMMC certification only needs to certify the services through which it processes, stores, or transmits CUI or Security Protection Data for its clients, or that protect the clients' CUI assets. When an ESP is assessed, ensure that all applicable controls, or as many as possible, are included in the scope, since every control the ESP can demonstrate reduces the compliance burden on the OSA.

Engaging an ESP does not transfer all compliance risks away from the OSA. Even if an ESP provides certified services, the OSA is still accountable for ensuring the relationship is properly documented in its System Security Plan (SSP) and that controls are enforced in practice. Certification for ESPs is a risk mitigation measure, not a risk elimination one.