External Service Provider Management
External Service Providers (ESPs) represent one of the most consistent CMMC assessment failure points for defense contractors. The problem is rarely intentional — most organizations simply haven't mapped every cloud service, SaaS subscription, and managed service relationship against the question: does this system touch CUI, or does it support a security function that protects CUI? If the answer to either is yes, that service is an ESP and must be inventoried, assessed, and governed.
The CMMC Final Rule (32 CFR Part 170) establishes specific requirements for ESPs before an organization can achieve certification. Cloud Service Providers handling CUI must meet FedRAMP Moderate or equivalent. Managed Service Providers with privileged access to the environment may require their own CMMC certification. Software accessed from within the CUI boundary must be assessed for CUI exposure. These are not optional controls — assessors will ask for an ESP inventory, contractual flow-downs, and documented posture for every material third-party service in the environment.
ESP Categories
The CMMC framework defines three categories of ESP that an Organization Seeking Certification (OSC) must account for:
| ESP Type | Definition | CMMC Requirement | Examples |
|---|---|---|---|
| Cloud Service Provider (CSP) | Hosts or processes CUI in a cloud environment | Must meet FedRAMP Moderate Authorized or equivalent | M365 GCC High, Azure Government, AWS GovCloud |
| Managed Service Provider (MSP) | Provides IT services within or connected to the OSC environment | If privileged access to CUI systems exists, MSP is in scope; may need own CMMC certification | IT support vendors, NOC/SOC providers, co-managed IT firms |
| SaaS / Software ESP | Software-as-a-service accessed from within the CUI environment | Must be assessed for CUI exposure and security posture | DocuSign, Salesforce, Deltek, GitHub |
The distinction between categories matters because the assessment obligations differ. A CSP requires FedRAMP verification. An MSP requires a contractual flow-down and access control review. A SaaS tool may require either, depending on whether CUI is stored or transmitted through it.
FedRAMP Moderate Equivalency
FedRAMP Moderate is based on the NIST SP 800-53 Moderate baseline — 325 security controls covering confidentiality, integrity, and availability requirements appropriate for systems handling sensitive federal data. CMMC Level 2 requires that any CSP handling CUI must meet FedRAMP Moderate Authorized status or demonstrate equivalency.
"Equivalency" is not self-declared. A CSP claiming equivalency must demonstrate documented controls mapped to the FedRAMP Moderate baseline, a third-party security assessment, and a continuous monitoring program. In practice, most CSPs used in DIB environments either hold FedRAMP authorization or do not — there is limited middle ground. If a CSP cannot point to a FedRAMP authorization package or a comparable third-party assessment, treat it as non-compliant for CUI handling.
How to verify FedRAMP status: The FedRAMP Marketplace at marketplace.fedramp.gov is the authoritative source. Filter by "Authorized" status. "In Process" does not satisfy the CMMC requirement.
Microsoft 365 GCC High is FedRAMP High Authorized — it exceeds the Moderate baseline requirement. Azure Government is also FedRAMP High authorized. Both are appropriate platforms for CUI handling under CMMC Level 2.
One important caveat: not all M365 services share the same authorization boundary. The core workloads (Exchange Online, SharePoint Online, Teams, OneDrive for Business) are covered under the M365 GCC High authorization. Some third-party add-ins, Power Platform connectors, and preview features may not be. Before enabling a new M365 service or connector in a GCC High tenant, verify it falls within the authorization boundary documented in the M365 GCC High FedRAMP System Security Plan.
The FedRAMP authorization for M365 GCC High and Azure Government can be viewed in the FedRAMP Marketplace under Microsoft as the CSP. Authorization packages are available to agencies and their contractors via FedRAMP's secure repository.
Commercial Microsoft 365 (non-GCC) is FedRAMP Moderate authorized for specific plans — primarily E3 and E5 — under a shared responsibility model. The authorization covers the platform infrastructure and core workloads, but the tenant configuration and data handling responsibilities fall on the customer.
For NIST SP 800-171 compliance using commercial M365, verify that your specific subscription plan is covered by the current FedRAMP authorization, that your tenant is configured to meet the relevant NIST 800-171 controls, and that you have reviewed the Microsoft Customer Responsibility Matrix for the applicable services. Commercial M365 does not provide the same boundary isolation as GCC High — data residency, personnel screening, and government-only logical separation are not guaranteed.
Building the ESP Inventory
An ESP inventory is not a one-time exercise. It must be maintained as a living document and referenced in the System Security Plan (SSP). Build the initial inventory using the following process:
- Start with the data flow diagram. Every external service that appears in the data flow (Chapter 1) is a candidate ESP. If CUI flows to it, through it, or it provides a service that protects CUI, add it to the inventory.
- Interview business units. Ask: what cloud tools do you use for work? What do you log into that isn't on the domain? What SaaS tools do you use for proposals, contracts, engineering, or project management? Business units routinely use tools that IT has never reviewed.
- Review network egress logs and DNS. Shadow IT is real in every organization. Review firewall egress logs and DNS query logs for destinations that are not part of the authorized cloud environment. Recurring SaaS hostnames (e.g., *.slack.com, *.notion.so, *.dropbox.com) indicate tools that must be assessed or blocked.
- Pull the Entra ID Enterprise Application list. Authorized OAuth applications registered in Entra ID represent SaaS tools that users have connected to their M365 identity. Review the full list for applications with access to mail, files, or calendar data — these have a CUI exposure path.
- Interview the IT team. Identify every SaaS subscription the organization pays for. Finance or procurement may have a more complete list than IT, particularly for department-level software purchases.
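The DNS review step above, as an added example that is not part of this chapter: a small Python triage of DNS query logs that discards destinations inside the authorized cloud environment, groups the recurring SaaS hostnames the chapter names into candidate ESP rows, and flags everything else as unknown external. The log format, the authorized-domain allow-list and the sample log lines are constructed assumptions; replace them with your resolver export and your own tenant's endpoints.

```python
# Added example: DNS query-log triage for shadow SaaS. The log format, the
# authorized-domain allow-list and the sample lines are constructed for
# illustration; swap in your resolver export and your tenant's endpoints.
import re
from fnmatch import fnmatch

# Constructed resolver log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2024-05-01T09:12:03Z 10.20.1.15 outlook.office365.us
2024-05-01T09:12:09Z 10.20.1.15 files.slack.com
2024-05-01T09:13:44Z 10.20.1.22 app.slack.com
2024-05-01T09:14:02Z 10.20.1.22 www.notion.so
2024-05-01T09:15:30Z 10.20.1.31 dl.dropbox.com
2024-05-01T09:16:11Z 10.20.1.31 api.dropbox.com
2024-05-01T09:17:45Z 10.20.1.40 contoso-gov.sharepoint.us
2024-05-01T09:18:02Z 10.20.1.40 updates.example-vendor.net
"""

AUTHORIZED = ["*.office365.us", "*.sharepoint.us", "*.microsoftonline.us"]  # assumed endpoints of the authorized CUI cloud
# Recurring SaaS hostname patterns from the chapter, mapped to an ESP name.
KNOWN_SAAS = {"*.slack.com": "Slack", "*.notion.so": "Notion", "*.dropbox.com": "Dropbox"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def classify(qname: str) -> tuple[str, str]:
    """Return (category, esp_name): authorized, known_saas, or unknown_external."""
    name = qname.lower().rstrip(".")  # normalise case and trailing root dot
    if any(fnmatch(name, pat) for pat in AUTHORIZED):
        return "authorized", ""
    for pat, esp in KNOWN_SAAS.items():
        if fnmatch(name, pat):
            return "known_saas", esp
    return "unknown_external", name

def triage(log_text: str) -> dict:
    """Group non-authorized queries into candidate ESP rows: category, query count, client IPs."""
    rows: dict = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than aborting the review
        _ts, client, qname = m.groups()
        category, esp = classify(qname)
        if category == "authorized":
            continue
        row = rows.setdefault(esp, {"category": category, "queries": 0, "clients": set()})
        row["queries"] += 1
        row["clients"].add(client)
    return rows
```

Each returned row (ESP name, category, query count, distinct clients) maps directly onto a candidate line in the inventory table, with the client list telling you which business units to interview.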
Once the initial list is compiled, document each ESP in a structured inventory table. The minimum columns are:
| ESP Name | Service Type | CUI Exposure | FedRAMP Status | Contractual CUI Handling | Risk Disposition |
|---|---|---|---|---|---|
| (provider name) | CSP / MSP / SaaS | Direct / Indirect / None | Authorized / In Process / None | Yes / No / Pending | Accept / Mitigate / Eliminate |
The "Risk Disposition" column drives action. ESPs with direct CUI exposure and no FedRAMP authorization must either be replaced with compliant alternatives or have CUI removed from the workflow before assessment.
Common ESP Scenarios
The following table covers ESP types that appear in most DIB environments, with assessment guidance for each:
| ESP | CUI Exposure Risk | Acceptable Posture | Notes |
|---|---|---|---|
| Microsoft 365 GCC High | Direct — primary CUI storage and communication | FedRAMP High Authorized | Primary CUI platform; verify specific service coverage |
| Azure Government | Infrastructure — session hosts, storage, VMs | FedRAMP High Authorized | Used for AVD session hosts and supplemental storage |
| Deltek Costpoint (cloud) | Indirect — contract financials and labor data | Verify FedRAMP or third-party equivalent | ERP systems often contain contract data with CUI elements; confirm authorization scope |
| DocuSign | Potential — contracts may carry CUI markings | FedRAMP Moderate Authorized (Government Cloud plan) | Limit use to non-CUI signature workflows or confirm Government Cloud plan is in use |
| Zoom | High if used for CUI discussions | Not authorized for CUI | See warning below |
| Slack | High if CUI is shared in channels | Not FedRAMP Moderate authorized for CUI | See warning below |
| GitHub (commercial) | High if source code is CUI or export-controlled | Use GitHub Enterprise GovCloud | Commercial GitHub does not meet FedRAMP Moderate; ITAR-controlled source code must not be stored there |
| Salesforce Government Cloud | Indirect — CRM with contract and customer data | FedRAMP Moderate Authorized (Government Cloud plan) | Verify the Government Cloud plan is in use, not commercial Salesforce |
Neither Zoom (standard or business plans) nor Slack (standard plans) is FedRAMP Moderate authorized for CUI handling. If personnel are using these tools to discuss, share, or review CUI — including contract deliverables, technical data, or export-controlled information — the organization has an active compliance gap.
The mitigation is straightforward: Microsoft Teams in the GCC High tenant is the authorized alternative for both voice/video conferencing and persistent messaging. Teams meets the FedRAMP High authorization boundary. Block Zoom and Slack at the network layer for devices within the CUI boundary, and enforce Teams as the only approved communication platform for CUI-related work.
MSP Assessment Requirements
Managed Service Providers with privileged access to your CUI environment represent a significant and often underestimated risk. Privileged access means administrative rights — specifically the ability to read, modify, or delete CUI-related configurations, data, or security controls. Examples include: Global Administrator or Security Administrator access to the M365 GCC High tenant, administrative access to Entra ID, and remote management access to CUI endpoints.
An MSP with this level of access is, for CMMC purposes, operating within the CUI boundary. Their personnel, processes, and tooling are in scope for assessment.
CMMC certification requirement for MSPs: Under the CMMC Final Rule, MSPs providing managed security services to an OSC may be required to hold their own CMMC Level 2 certification. This requirement is most clearly triggered when the MSP operates as a Managed Security Service Provider (MSSP) or performs security-relevant functions (monitoring, incident response, vulnerability management) on the OSC's behalf. Confirm the current requirement with your C3PAO during scoping — the boundary between "in scope" and "out of scope" for MSP certification has evolved through rulemaking.
Contractual flow-down requirements: DFARS 252.204-7012 (Safeguarding Covered Defense Information) must flow down to subcontractors and service providers that handle covered defense information. This includes MSPs. The flow-down must be contractual — verbal agreements are not sufficient. At minimum, the MSP contract must include:
- A definition of CUI and covered defense information as used in the engagement
- An obligation for the MSP to comply with DFARS 7012 requirements
- Incident notification obligations (72-hour reporting requirement to DoD)
- Rights for the OSC to audit the MSP's compliance posture
Practical minimum requirements for MSPs that do not yet hold CMMC certification:
- Written CUI handling procedures specific to the OSC engagement
- Documented access control policy covering the OSC environment (including MFA enforcement and privileged access management)
- Background screening policy for personnel with access to the CUI environment
- Incident notification SLA of 72 hours or less, consistent with DFARS 7012
- Annual review of access rights and security controls
Document all MSP relationships in the SSP, including the access scope, contractual protections in place, and the MSP's assessed compliance posture.
External Service Providers — Compliance Control Mapping
The following CMMC Level 2 practices apply directly to ESP management:
| CMMC Practice | Requirement | ESP Management Artifact |
|---|---|---|
| CA.L2-3.12.1 | Periodically assess the security controls in organizational systems to determine if the controls are effective | ESP assessments documented and dated; FedRAMP verification records retained |
| CA.L2-3.12.4 | Develop, document, and periodically update system security plans | ESP inventory included in the SSP; external systems section completed |
| SR.L2-3.17.1 | Establish and maintain a supply chain risk management plan | ESP risk assessment covering CUI exposure, FedRAMP status, and contractual controls |
| SR.L2-3.17.2 | Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and disposal of systems, system components, or system services | Contractual CUI handling clauses in all ESP agreements; DFARS 7012 flow-down verified |
Assessors reviewing these practices will expect to see: a current ESP inventory, evidence of FedRAMP verification (screenshots or URLs from marketplace.fedramp.gov), signed contracts with CUI flow-down language, and documented risk dispositions for all material ESPs.
For organizations using commercial M365 and pursuing NIST SP 800-171 Rev. 3 compliance, the relevant controls are:
| NIST 800-171 Rev. 3 Control | Requirement | ESP Management Artifact |
|---|---|---|
| 3.17.1 | Establish a supply chain risk management program | ESP inventory with risk assessment; documented decision rationale for each ESP |
| 3.17.2 | Assess the risks to organizational operations and assets from supply chain issues | Formal risk assessment for each ESP with CUI exposure; FedRAMP or equivalent verification |
| 3.12.4 | Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems | SSP external systems section documents all ESPs, access scope, and data flows |
In addition, the NIST SP 800-161 (Supply Chain Risk Management Practices) publication provides detailed implementation guidance for the 3.17.x controls and is referenced by NIST 800-171 assessors.