Does My MSP Need to Be CMMC Certified? What the Final Rule Actually Says
“Our MSP says they're CMMC certified, so we're covered.” It's one of the most common — and most dangerous — assumptions in the defense supply chain, and it's wrong on both halves. Your MSP usually doesn't need its own certification, and even a great MSP can't make you compliant. Here's what the CMMC final rule actually says about managed and external service providers, and how to set the relationship up correctly.
The Test: Does the Provider Touch CUI?
The rule doesn't care what your provider calls itself — MSP, MSSP, IT shop. It asks one core question: does the provider store, process, or transmit your CUI (or your Security Protection Data)? The answer determines everything.
- The MSP does NOT hold CUI (CUI stays in your systems; they just manage tools) → the MSP generally does not need its own CMMC certification.
- The MSP DOES store/process/transmit CUI → that handling is squarely in scope and must meet the requirements.
What About the MSP Running Your Security?
Many providers don't hold your CUI but do run security-relevant services — your SIEM, endpoint protection, identity provider, patching. Under CMMC these are Security Protection Assets, and the services they provide are assessed within your CMMC assessment scope rather than requiring the MSP to hold a separate certificate. They're in the picture — just as part of your assessment, documented in your SSP, not as an independent cert.
Cloud Providers Are a Separate Path
If your provider is a cloud service provider that stores or processes CUI, it follows the DFARS 252.204-7012 path: meet the FedRAMP Moderate baseline (or equivalent) and the clause's incident-reporting requirements. That's why the platform you choose matters so much — see GCC High vs Commercial.
The Responsibility Never Leaves You
Here's the half nobody likes: even a fully “CMMC-ready” MSP cannot transfer your obligation. The contractor seeking certification is responsible for meeting the requirements — full stop. An MSP can implement and operate controls on your behalf, but if something is missing, it's your assessment that fails and your contract at risk.
Setting the Relationship Up Right
- Map the data. Confirm in writing whether your MSP ever holds CUI or Security Protection Data.
- Get the CRM. Know which of the 110 requirements they cover and which are yours.
- Document them in your SSP. Their security services belong in your System Security Plan.
- Verify the cloud path. If a provider holds CUI in the cloud, confirm FedRAMP status — don't assume it.
Know Exactly Where Your MSP Fits
The cleanest way to settle the MSP question is to scope your environment and assess against all 110 requirements — mapping which controls your provider covers and which are yours. The Dragonfli Group CMMC Accelerator does exactly that, producing a draft SSP and gap plan reviewed by a CMMC Registered Practitioner, so the line between you and your MSP is documented, not assumed.
DON'T ASSUME — VERIFY
Is your MSP actually covering what you think?
The free Pulse Check takes about 15 minutes and shows where you stand on your highest-risk CMMC requirements — no credit card, no sales call.