As CMMC compliance packages flood the market, OSCs need to know the difference between ESPs and CSPs and how it impacts their compliance.
With CMMC's burgeoning relevance, many Managed Service Providers (MSPs) have started to put together "CMMC Ready" packages to ship off to Defense Industrial Base (DIB) members as quickly as possible. While this brings many more products and service options to the ecosystem, some packages could cause you to fail your CMMC assessment. The question is: how does an Organization Seeking Certification (OSC) researching a compliance partner figure out which are reliable and which could bring more headaches than solutions?
ESPs, CSPs, MSPs, and MSSPs
Providers of CMMC compliance-related services are typically split into two main classifications: External Service Providers (ESPs) and Cloud Service Providers (CSPs). The key distinction is that CSPs are providers responsible for cloud computing services, whereas ESPs may or may not provide them. (Read our in-depth article on FedRAMP and the CMMC requirements for more on this distinction.) For DIB companies trying to understand MSP offerings, the key question is therefore whether the MSP's package includes cloud services.
To further understand the difference, NIST has published multiple special publications that indicate whether a package is classified as a cloud computing service. These are detailed below.
NIST SP 800-145
In 2011, NIST released its official definition of cloud computing, which compiled five different essential characteristics into one single definition:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
NIST SP 800-145 defines these characteristics very broadly and explains how they should be used to determine whether an MSP or ESP is actually a CSP, even when that is not obvious in practice. Because CMMC requirements rely heavily on this definition, some MSP packages blur the lines if you rely only on the definition in NIST SP 800-145. To truly understand what NIST defines as a CSP, more analysis is required.
NIST SP 500-322
Following the release of NIST SP 800-145 in 2011, NIST conducted an evaluation of cloud computing services in 2018 based on the previous special publication, which was published as NIST SP 500-322. In section 3, NIST breaks down each essential characteristic and provides examples of how each can be implemented.
On-demand self-service
One of the more debated essential characteristics of a cloud computing service is “on-demand self-service.” Inside of NIST SP 500-322, NIST provides two baseline examples of how a CSP might deploy on-demand self-service:
Option A) Fully automated service provisioning (both the [consumer] interface and the internal cloud infrastructure).
Option B) The [consumer] uses an automated interface to request and track the service, but the provider may use manual labor to provision the service internally.
Without the context of NIST SP 500-322, an MSP might argue that because it must provide manual input to spin up a new tenant, it does not fall under the definition of a CSP. However, this clarification by NIST shows that an MSP may do some manual provisioning and still be classified as a CSP.
Broad network access
As with on-demand self-service, broad network access has two different options for how a cloud computing service might meet this definition.
Option A) Available over the Internet.
Option B) Available over a network that is available from all access points the [consumer] requires.
This one is less controversial because it is more cut-and-dried. If something is accessible over the internet, it is a cloud service. Option B refines this a bit: even if only specific devices selected by the consumer can access the service, if the service is accessed over the internet, it is still considered a cloud service.
Resource Pooling
Resource pooling is the most straightforward of these essential characteristics because it only has a single primary criterion.
Option A) Two or more [consumers] can share the cloud service resources using a multi-tenant model.
Simply put, if a provider uses some form of pooling that the consumer cannot differentiate, then it is a CSP, regardless of the Cloud Service Model it uses (expanded upon in NIST SP 500-322, section 4). One sticking point with this essential characteristic is that one may think it excludes private clouds; however, a "consumer" in NIST's definition can encompass different parts of a single business, down to the individual user level.
Rapid Elasticity
Elasticity is defined in NIST SP 800-145 as "[the ability] to scale … outward and inward to commensurate with demand." What differentiates this essential characteristic from typical IT functions is the term "rapid." NIST provides two options for defining rapid elasticity.
Option A) Resource allocation modification is automated and near-real-time.
Option B) Not fully automated, but fast enough to support the requirements of the [consumer].
Option B describes elasticity in a way that providers often would not think of as rapid elasticity. Even if the process is not automated, if it is fast enough to meet the consumer's requirements, it is considered rapid.
Measured Service
Measured service is fairly straightforward as well, focusing on the pricing model CSPs typically use. NIST describes measured service in a single option:
Option A) Cloud service characteristics are measured with enough detail to support the requirements of the [consumer].
Simply put, a CSP must be able to monitor, control, and report resource usage to the consumer for transparency and, potentially, billing.
Relevance to CMMC
With these essential characteristics better defined, we can now consider how each one applies to an OSC seeking CMMC compliance. The first, essential step in achieving both CMMC Level 1 and Level 2 compliance is defining an appropriate scope. To do that, the OSC needs to identify its ESPs and CSPs. MSPs can claim either status, but according to 32 CFR 170.19(c)(2)(i), it is the responsibility of the OSC itself to determine whether the program it is choosing to use is a CSP or just an ESP.
What is the easiest way for someone who doesn't want to go digging into the NIST documents to do this? Thankfully, NIST provides a checklist in NIST SP 500-322, section 6.1, that OSCs can easily walk through with each of their providers to determine whether they are truly ESPs or CSPs in disguise. With this checklist, an OSC can confirm with each provider that if all five essential characteristics are met in one way or another, the provider is in fact a CSP. Furthermore, if a provider is a CSP, it must have FedRAMP Moderate or higher to be used at CMMC Level 2, which brings many more requirements for the provider.
As the CMMC ecosystem continues to grow, it is becoming harder for OSCs to trust the information that providers have posted publicly. Like every other aspect of your cybersecurity approach, it is important to properly vet your CMMC compliance provider before entrusting them with your entire compliance program. Careful planning now can mean fewer hiccups down the road in meeting assessment objectives and ongoing maintenance.
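As an added illustration (not code from Stratus Services or NIST), here is the checklist idea above as a small Python scoping helper: it scores a provider's answers against each characteristic's Option A/B readings from NIST SP 500-322 section 3, returns the CSP/ESP determination with any unmet characteristics, and flags the FedRAMP Moderate requirement for a CSP used at Level 2. The question keys and the sample MSP answers are constructed.

```python
"""Scoping helper: classify a provider as CSP or ESP against the five NIST SP
800-145 essential characteristics, scored with the Option A/B readings from
NIST SP 500-322 section 3.  Added illustration, not Stratus Services or NIST
code; the questionnaire keys and sample answers are constructed."""
from dataclasses import dataclass, field

# Options NIST SP 500-322 gives per characteristic (paraphrased from the article);
# meeting any one option satisfies that characteristic.
CHARACTERISTICS = {
    "on_demand_self_service": {
        "A": "fully automated provisioning",
        "B": "automated request/tracking interface, manual internal provisioning"},
    "broad_network_access": {
        "A": "available over the Internet",
        "B": "available from every access point the consumer requires"},
    "resource_pooling": {
        "A": "two or more consumers share resources in a multi-tenant model"},
    "rapid_elasticity": {
        "A": "automated, near-real-time resource allocation changes",
        "B": "not automated, but fast enough for the consumer's requirements"},
    "measured_service": {
        "A": "usage measured in enough detail to support the consumer's needs"},
}

@dataclass
class Determination:
    classification: str                        # "CSP" or "ESP"
    unmet: list = field(default_factory=list)  # characteristics not met
    note: str = ""                             # follow-on requirement, if any

def classify_provider(answers: dict, cmmc_level: int) -> Determination:
    """answers maps a characteristic to the set of option letters the provider
    meets.  All five met -> CSP; otherwise ESP, with the gaps listed.  Per
    32 CFR 170.19(c)(2)(i) the OSC owns this determination; this only records it."""
    unmet = [name for name, options in CHARACTERISTICS.items()
             if not set(answers.get(name, ())) & set(options)]
    if unmet:
        return Determination("ESP", unmet)
    note = ("CSP used at CMMC Level 2 must hold FedRAMP Moderate or higher"
            if cmmc_level == 2 else "")
    return Determination("CSP", note=note)

# Constructed sample: an MSP that provisions tenants by hand behind a request
# portal, serves over the Internet, is multi-tenant, scales fast enough on
# request, and reports usage for billing.  All five met, so it is a CSP.
SAMPLE_MSP = {"on_demand_self_service": {"B"}, "broad_network_access": {"A"},
              "resource_pooling": {"A"}, "rapid_elasticity": {"B"},
              "measured_service": {"A"}}
```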
If you are still looking for help understanding your scope and getting your organization up to CMMC compliance, reach out to Stratus Services, and we can help you through each step of the process.