
What's the difference between a CSP and ESP? (And why does it matter?)

ESPs and CSPs both fall under CMMC scope — but the requirements for each are different. Here is what your organization needs to know before you start scoping your environment.

When beginning their CMMC journey, many Organizations Seeking Certification (OSCs) struggle to differentiate between External Service Providers (ESPs) and Cloud Service Providers (CSPs) and the different requirements of each. This article will identify the differences between ESPs and CSPs and drill down on the requirements each holds at different CMMC levels.

External Service Providers (ESPs) vs. Cloud Service Providers (CSPs)

ESPs and CSPs are relevant to the scope of CMMC at all three levels. In the same way that all squares are rectangles, but not all rectangles are squares, it’s important to remember that every CSP is an ESP, but not every ESP is a CSP. In 32 CFR 170.4(b), CMMC defines an ESP as follows:

“external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”

In less technical terms, people, technology, or facilities are only considered “external” for the purposes of CMMC if they are not using assets internal to the OSC to perform the work.

For example, if a company seeking CMMC Level 2 hired an external contractor to maintain the company’s systems using a company-provided laptop, then the contractor would NOT be considered an ESP for the purposes of CMMC. However, if the same company hired an external contractor to maintain the company’s systems using the contractor’s own personal laptop, then the contractor and their device would be considered an ESP.

CSPs are ESPs that provide cloud services for an OSC, hence “Cloud Service” Provider. According to 32 CFR 170.4(b), CSPs are defined as follows:

“an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

For an ESP to be classified as a CSP, they must host some form of cloud service the OSC takes advantage of. For example, if an organization seeking to obtain CMMC Level 2 has its servers hosted by a managed service provider in a shared datacenter, then the managed service provider would be classified as a CSP. However, if the organization seeking to obtain CMMC Level 2 is using a managed service provider that is not hosting anything themselves but simply using third-party tools, then the managed service provider is only an ESP.

Now that we have identified the differences between ESPs and CSPs, we can discuss the different requirements each has at the various levels of CMMC. Pertinent to this conversation, we will also cover Customer Responsibility Matrices (CRMs) and FedRAMP.

Requirements for CMMC Level 1

When implementing CMMC Level 1, the goal is the protection of FCI. The actual assets that are in scope are minimal. According to the CMMC Level 1 Scoping Guide, only assets that process, store, or transmit FCI are in-scope. However, this can include people, technology, facilities, and external service providers. Under CMMC Level 1, there is no documentation explicitly requiring a CRM or any FedRAMP status for ESPs. To complete the process of Level 1 self-assessment with an ESP in scope, it can be helpful to have a CRM to prove your implementation. However, this is not required.

Requirements for CMMC Level 2

The requirements for ESPs and CSPs at CMMC Level 2 are a bit more complex, as Level 2 introduces Security Protection Assets. According to 32 CFR 170.19(c)(2)(i) and 32 CFR 170.19(c)(2)(ii), there are several different requirements depending on how the CSP or ESP is functioning:

  • If it is purely an ESP (not a CSP) that processes, stores, or transmits CUI, then it is treated as a CUI asset and requires a CRM.
  • If it is purely an ESP (not a CSP) that processes, stores, or transmits Security Protection Data (SPD) but NOT CUI, then it is treated as a Security Protection Asset and requires a CRM.
  • If it is both an ESP and a CSP that processes, stores, or transmits CUI, then it is treated as a CUI asset and is required to be FedRAMP Authorized at FedRAMP Moderate or higher, OR to meet FedRAMP Moderate or higher equivalency. It is also required to have a CRM. (Based on 32 CFR 170.16(c)(2))
  • If it is both an ESP and a CSP that processes, stores, or transmits SPD but NOT CUI, then it is treated as a Security Protection Asset and it is required to have a CRM.

If an external source does anything other than work directly with CUI and/or SPD, then it is not considered an ESP by CMMC and is therefore irrelevant to the scoping of CMMC Level 2.

Requirements for CMMC Level 3

While CMMC Level 3 changes quite a lot when it comes to scoping and the types of assets allowed, the rules for ESPs and CSPs largely remain the same as they are at CMMC Level 2.

Overall, the concept of ESPs and CSPs is one that is highly debated in the CMMC community. If you are in a situation where you are unsure how to scope your environment, Stratus Services is here to help you with your CMMC needs!