December 19, 2024 | 4 min read | Redspin Blog

The Cybersecurity Maturity Model Certification (CMMC) rule is finalized and takes effect on December 16, 2024.

One of the most significant updates? 

External Service Providers (ESPs), like Managed Service Providers (MSPs) and Cloud Service Providers (CSPs), can now be included in their client’s certification assessment (the client being the DoD contractor, or Organization Seeking Certification (OSC)) rather than needing their own standalone certification.

This shift underscores the critical role ESPs play in maintaining compliance and security across the DoD supply chain, and the need for them to meet the same standards so they do not become the weak link in their client’s assessment.

What ESPs Need to Know 

As an ESP, your services can make or break your client’s CMMC assessment. Here’s what you need to prioritize: 

Understand the Scope

  • Align your security practices with NIST SP 800-171r2 and DFARS 7012 requirements applicable to you. 
  • Determine whether your services touch Security Protection Data (SPD), Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).  

Prepare for Assessment Inclusion 

  • Your client’s CMMC Level 2 certification means you need to meet the same security standards if your services involve CUI or SPD.  
  • Be ready to provide evidence of compliance for all applicable areas of NIST 800-171r2, such as a System Security Plan (SSP), vulnerability scan results, and evidence of security control implementation.

Be Transparent

  • Establish a Customer Responsibility Matrix (CRM) by clearly defining roles and responsibilities. Share relevant security documentation and updates with your clients, and be prepared to provide evidence to assessors as needed.
  • Make it easy for OSCs to access compliance evidence when they need it.

Go Beyond Minimum Requirements

  • Even if CMMC certification isn’t mandatory for you, obtaining one voluntarily can boost your credibility and attract more clients. 

For DoD Contractors: Ensuring ESP Compliance  

DoD contractors are already grappling with challenges in implementing adequate security controls. A report by the Office of the Inspector General highlighted significant deficiencies among contractors in areas such as:

  • Access controls
  • Incident response
  • Configuration management
  • Risk management

These challenges are compounded when contractors rely on ESPs that have little CMMC experience or that lack robust security practices themselves.

Since an ESP’s compliance falls under the OSC’s CMMC assessment, even a single security gap within an ESP could jeopardize an OSC’s certification and its ability to accept awarded contracts. 

This isn’t just a compliance risk; it’s a business risk, with potential loss of revenue and reduced scalability. Managing ESP compliance is no longer a matter of operational convenience but of operational necessity for the organization.

As an OSC, your ESPs are integral to your CMMC certification. Here’s how to set them up for success and safeguard your compliance: 

  1. Vet Your ESPs Thoroughly
    • Choose an ESP with proven compliance and CMMC expertise, especially those familiar with NIST SP 800-171r2 controls. 
    • Evaluate their ability to detect threats, investigate alerts, and distinguish real threats from false positives while considering your unique business context. 
    • Ask them for their Customer Responsibility Matrix (CRM) as it pertains to NIST 800-171r2.
    • For more tips, check out 5 Time Saving Tips for Evaluating a Managed Security Provider.  

  2. Establish Clear Expectations  
    • Define CMMC requirements explicitly in contracts, SLAs, and onboarding processes. 
    • Specify what evidence and timelines ESPs must follow to demonstrate compliance. 

  3. Monitor and Verify Compliance  
    • Conduct vendor risk assessments regularly, reviewing each ESP’s security policies, incident response plans, and certifications.
    • Request documentation such as SSPs, Security Assessment Reports (SARs), vulnerability assessments, Incident Response Plans (IRPs), and mitigation plans to address identified gaps. 
    • Use a secure, centralized platform to track compliance artifacts and monitor ESP performance.

  4. Recognize the Risks of Non-Compliance
    • If an ESP fails to meet security standards, your certification and your ability to secure DoD contracts could be in jeopardy.
    • Educate your team on how critical vendor management is to your overall compliance strategy. 

CMMC and ESPs, Breaking It Down 

If you’re an ESP that stores, processes or transmits SPD, CUI or FCI, you must align with your client’s required CMMC compliance level. 

For example: 

  • If your OSC must achieve CMMC Level 2 compliance and you handle CUI, you must also implement all 110 NIST SP 800-171r2 controls at that level. 
  • If you only handle Security Protection Data (SPD), such as network diagrams or access control lists, and not CUI, your requirements may differ. SPD protects the confidentiality, integrity, and availability of CUI but is not considered CUI itself; even so, you remain accountable for every area of NIST 800-171r2 that applies to how that protection is implemented.

Regardless of whether you handle CUI or SPD, your System Security Plan (SSP) may include other CMMC-relevant requirements. 

Even though ESPs are not required to undergo their own certification assessments, voluntarily seeking certification can offer a competitive edge. Demonstrating proactive compliance can build stronger relationships with OSCs and set you apart from competitors. 


How Redspin Can Help 

As the first C3PAO, Redspin brings unmatched expertise in navigating CMMC. Whether you’re an OSC managing ESPs or an ESP supporting OSCs, Redspin can help you succeed. 

For OSCs:

We can be your MSP or CSP 

  • Our Managed Security Services provide continuous monitoring, threat detection, and incident response to secure your systems, protect CUI/FCI, and meet controls validated by the CMMC program.  
  • As a Managed Cloud Services provider, we offer CMMC-ready solutions for storing, processing, and transmitting CUI and FCI, plus ongoing compliance maintenance beyond certification, all aligned with compliance requirements through our Redspin Ready Program.

For ESPs: 

As a C3PAO, we can help you get certified 

  • We can conduct readiness reviews to identify gaps in your compliance and develop clear remediation plans. 
  • We can be your C3PAO and guide you through the assessment.
  • We can provide training and additional support.

CMMC compliance is a team effort. Redspin’s expertise can help you build a secure, compliant ecosystem that protects sensitive data and ensures success in the DoD supply chain.

No matter where you are on your CMMC journey, we are here to help. To begin your path to CMMC compliance, contact our team or email info@redspin.com.
