Managing External Service Providers for CMMC Compliance
Your CMMC scope doesn't end at your firewall. Every cloud provider, MSP, and third-party service that touches CUI is part of your compliance story.
What Is an ESP in CMMC?
An External Service Provider (ESP) is any third-party organization that stores, processes, or transmits CUI on your behalf. If CUI flows through it, that provider is part of your CMMC assessment scope — and their compliance directly affects yours.
Common ESP types include:
Cloud Providers
AWS, Azure, GCP, Microsoft 365 — any cloud infrastructure or SaaS platform where CUI is stored or processed. FedRAMP authorizations are granted per cloud service offering, so confirm that the specific offering and region you actually use (commercial vs. government cloud, for example) is the one that holds the authorization.
Managed Service Providers
MSPs and MSSPs that manage your IT infrastructure, security monitoring, or network operations where CUI is in scope.
SaaS Applications
Any software-as-a-service tool that processes CUI — project management, file sharing, communication platforms.
Communication Services
Email providers, VPN services, and any communication tool that transmits CUI between systems or users.
CUI Handling and ESP Classification
Every ESP must be classified by how it handles CUI. There are three handling types, and an ESP can perform one, two, or all three:
Stores
ESP holds CUI at rest — cloud storage, email archives, backup systems, databases.
Processes
ESP actively works with CUI — SaaS applications, analytics platforms, data processing services.
Transmits
ESP moves CUI between systems — email services, VPN providers, file transfer services.
How Bedrock CMMC Tracks ESPs
Bedrock CMMC tracks CUI handling flags (stores/processes/transmits) for each ESP, along with compliance certifications, contract details, and requirement flow-down mapping — all in a single provider profile. When an ESP's certification expires or a contract is approaching renewal, you'll know.
Compliance Requirements for ESPs
ESPs that handle CUI must meet specific compliance standards. The requirements depend on the type of service:
- Cloud services — must hold a FedRAMP Moderate authorization (or higher) or meet FedRAMP Moderate equivalency if they store, process, or transmit CUI. This is the baseline DFARS 252.204-7012 sets for cloud services used with covered defense information.
- Supply chain partners — need their own CMMC certification at the level your contract flows down to them if they receive CUI as part of the work you subcontract.
- Managed service providers — the services they provide that touch CUI are assessed as part of your assessment, so they must be able to show, through an SRM/CRM and supporting evidence, that the controls they operate for you meet your CMMC level. An MSP's own CMMC certification is optional, but it simplifies that evidence.
For each ESP, you should collect and maintain these key documents:
Shared Responsibility Matrix (SRM)
Defines which security controls are the ESP's responsibility vs. yours. The foundation of your inheritance documentation.
Customer Responsibility Matrix (CRM)
Details the specific actions you must take to maintain security within the ESP's platform — configurations, settings, policies.
Provider SSP (or relevant excerpts)
The ESP's System Security Plan or relevant sections showing how they implement controls on your behalf.
Authorization Letter
FedRAMP authorization letter, CMMC certificate, or other compliance attestation with dates and scope.
Bedrock CMMC stores SRM, CRM, and Provider SSP documents per ESP, so your assessor can see the complete picture of each provider relationship in one place.
Control Inheritance and Flow-Down
Control inheritance is when an ESP implements a security control on your behalf. Understanding inheritance is critical because it determines which of the 110 NIST SP 800-171 security requirements (the CMMC Level 2 set) you need to implement yourself vs. what your ESPs cover.
Fully Inherited
ESP handles the control entirely. Example: Physical Protection (PE) controls for a FedRAMP-authorized data center. Note the scope: you inherit physical protection only for the ESP's facilities; your own offices where CUI is handled remain your responsibility.
Partially Inherited
Shared responsibility. Example: the ESP provides encryption at rest, but you must configure and manage the keys.
Customer Responsibility
You implement the control entirely, even within the ESP's platform. Example: access control policies and user management.
In Bedrock CMMC, each control has an ESP inheritance field. When you mark a control as inherited from an ESP, it maps directly to that provider's profile and flows into your SSP automatically.
Flow-down requirements are contractual clauses that require your ESPs and subcontractors to meet specific security standards. If your DoD contract requires CMMC Level 2 and you subcontract work that involves CUI, your subcontractor must also meet CMMC Level 2; the same applies to DFARS 252.204-7012 safeguarding and incident-reporting obligations, which flow down with the CUI. This is documented in your contracts and tracked as part of your ESP profile.
Managing ESP Risk
ESP compliance isn't a one-time verification. Providers' compliance status can change, contracts expire, and services evolve. Ongoing ESP risk management includes:
- Contract tracking — monitor expiration dates and renewal terms to ensure compliance clauses remain in effect
- Compliance status monitoring — track FedRAMP authorization status, CMMC certification status, and any changes to your ESP's security posture
- Incident notification — ensure contracts require ESPs to notify you of security incidents that could affect your CUI
An ESP losing its FedRAMP authorization can immediately affect your CMMC posture. Controls you inherited from that provider are no longer demonstrably covered, creating gaps you must close yourself or by moving the CUI to an authorized service. Monitor your providers' compliance status as part of your continuous monitoring program.
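The inheritance statuses above (fully inherited, partially inherited, customer responsibility) and the risk events in this section (an expired authorization, a lapsed contract, a provider with no SRM/CRM on file) can be evaluated mechanically against an ESP inventory. The following Python is an added example, not Bedrock CMMC code or any official CMMC tooling: the ESP names, dates, and control-to-ESP mapping are constructed sample data, and the status labels ("inherited", "shared", "customer", "gap", "undocumented") are this example's own vocabulary. The control IDs are real NIST SP 800-171 Rev 2 requirement numbers.

```python
"""Evaluate CMMC control inheritance against an ESP inventory.

Added example (not Bedrock CMMC code). Control IDs follow NIST SP 800-171 Rev 2
numbering; ESP names, dates and the inheritance mapping are constructed sample
data, not a real inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Inheritance(Enum):
    FULL = "full"          # ESP implements the control entirely
    PARTIAL = "partial"    # shared responsibility: ESP plus customer actions
    CUSTOMER = "customer"  # you implement it entirely, even on the ESP's platform


@dataclass
class ESP:
    name: str
    stores: bool
    processes: bool
    transmits: bool
    authorization: str              # e.g. "FedRAMP Moderate", "CMMC Level 2", "none"
    auth_expires: Optional[date]    # None = no dated authorization on file
    contract_ends: date
    has_srm: bool = False           # Shared Responsibility Matrix on file
    has_crm: bool = False           # Customer Responsibility Matrix on file

    def handles_cui(self) -> bool:
        return self.stores or self.processes or self.transmits


@dataclass
class ControlMapping:
    control_id: str                 # e.g. "3.10.1" (PE family, physical access)
    inheritance: Inheritance
    esp: Optional[str] = None       # None for customer-only controls
    customer_actions: Tuple[str, ...] = ()  # what the CRM says you must still do


def esp_is_current(esp: ESP, as_of: date) -> bool:
    """Inherited controls count only while the authorization and contract are in force."""
    if esp.auth_expires is not None and esp.auth_expires < as_of:
        return False
    return esp.contract_ends >= as_of


def coverage(mappings: List[ControlMapping], esps: List[ESP], as_of: date) -> Dict[str, str]:
    """Map each control to 'inherited', 'shared', 'customer', 'gap' (the ESP no longer
    covers it as of `as_of`) or 'undocumented' (no SRM/CRM to prove the inheritance)."""
    by_name = {e.name: e for e in esps}
    result: Dict[str, str] = {}
    for m in mappings:
        if m.inheritance is Inheritance.CUSTOMER or m.esp is None:
            result[m.control_id] = "customer"
            continue
        esp = by_name.get(m.esp)
        if esp is None or not esp_is_current(esp, as_of):
            result[m.control_id] = "gap"
        elif not (esp.has_srm and esp.has_crm):
            result[m.control_id] = "undocumented"
        elif m.inheritance is Inheritance.FULL:
            result[m.control_id] = "inherited"
        else:
            result[m.control_id] = "shared"
    return result


def gaps(mappings: List[ControlMapping], esps: List[ESP], as_of: date) -> List[str]:
    """Controls an assessor would not accept as covered on `as_of`."""
    return sorted(c for c, s in coverage(mappings, esps, as_of).items()
                  if s in ("gap", "undocumented"))


def upcoming_expirations(esps: List[ESP], as_of: date, within_days: int = 90):
    """Authorization or contract dates falling in the next `within_days`.
    Dates already in the past are excluded; those already surface as gaps."""
    horizon = as_of + timedelta(days=within_days)
    due = []
    for e in esps:
        for kind, d in (("authorization", e.auth_expires), ("contract", e.contract_ends)):
            if d is not None and as_of <= d <= horizon:
                due.append((e.name, kind, d))
    return sorted(due, key=lambda t: t[2])


# Constructed sample inventory (hypothetical providers and dates).
SAMPLE_ESPS = [
    ESP("cloud-iaas", True, True, True, "FedRAMP Moderate", date(2026, 3, 31),
        date(2026, 12, 31), has_srm=True, has_crm=True),
    ESP("file-share-saas", True, False, True, "FedRAMP Moderate", date(2025, 6, 30),
        date(2026, 1, 31), has_srm=True, has_crm=True),   # authorization lapsed
    ESP("mssp", False, True, False, "none", None,
        date(2026, 9, 30), has_srm=False, has_crm=False), # no SRM/CRM collected yet
]

SAMPLE_MAPPINGS = [
    ControlMapping("3.10.1", Inheritance.FULL, "cloud-iaas"),      # limit physical access
    ControlMapping("3.13.16", Inheritance.PARTIAL, "cloud-iaas",
                   ("enable encryption at rest", "own and rotate the keys")),  # CUI at rest
    ControlMapping("3.8.9", Inheritance.FULL, "file-share-saas"),  # protect backup CUI
    ControlMapping("3.3.5", Inheritance.PARTIAL, "mssp"),          # correlate audit review
    ControlMapping("3.1.1", Inheritance.CUSTOMER),                 # limit system access
]

if __name__ == "__main__":
    today = date(2025, 10, 1)  # constructed "as of" date for the sample
    for cid, status in coverage(SAMPLE_MAPPINGS, SAMPLE_ESPS, today).items():
        print(f"{cid:8} {status}")
    print("gaps:", gaps(SAMPLE_MAPPINGS, SAMPLE_ESPS, today))
    print("due within 90 days of 2026-01-15:",
          upcoming_expirations(SAMPLE_ESPS, date(2026, 1, 15)))
```

Run as of 2025-10-01, the sample reports 3.8.9 as a gap because the file-sharing provider's authorization lapsed in June, and 3.3.5 as undocumented because the MSSP has no SRM/CRM on file, even though its contract is still in force; the two cloud-IaaS controls remain inherited and shared respectively. The same `coverage()` call run on an earlier date shows 3.8.9 as inherited, which is exactly the "compliant at assessment time, not 18 months later" problem described below.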
Common ESP Management Mistakes
Shadow IT is real. Teams adopt SaaS tools without IT awareness. If CUI touches an untracked service, it's a scope gap your assessor will find.
FedRAMP authorization covers the ESP's responsibilities, not yours. You still need to implement customer-side controls and document the shared responsibility boundary.
Without an SRM and CRM, assessors can't verify that inherited controls are properly covered. 'Our cloud provider handles that' isn't sufficient documentation.
If your subcontractors handle CUI, they need equivalent security requirements. Without contractual flow-down, you're responsible for gaps in their controls.
An ESP that was compliant at assessment time may not be compliant 18 months later. Service changes, personnel turnover, or authorization revocations can all affect your posture.
Frequently Asked Questions
What is an External Service Provider in CMMC?
An External Service Provider (ESP) is any third-party organization that stores, processes, or transmits Controlled Unclassified Information (CUI) on your behalf. This includes cloud providers (AWS, Azure, Microsoft 365), managed service providers (MSPs/MSSPs), SaaS applications, email services, and any other vendor that handles CUI as part of your operations.
Do my cloud providers need to be FedRAMP authorized for CMMC?
If a cloud provider stores, processes, or transmits CUI, it must be FedRAMP Moderate authorized (or higher) or meet FedRAMP Moderate equivalency, which DoD's December 2023 equivalency memo defines as meeting the full Moderate baseline with a Third Party Assessment Organization (3PAO) assessment and body of evidence rather than a self-attestation. This doesn't mean every cloud service you use needs FedRAMP, only those in your CUI scope. Services that never touch CUI are outside the boundary. FedRAMP Moderate is the baseline DFARS 252.204-7012 requires for cloud services handling covered defense information.
What is control inheritance in CMMC?
Control inheritance is when an ESP implements a security control on your behalf. For example, if you use a FedRAMP-authorized cloud provider, their physical security controls (PE family) are inherited — you don't need to implement them yourself. Inheritance can be full (ESP handles entirely), partial (shared responsibility), or none (customer responsibility). This must be documented in your SSP.
How do I track ESP compliance for CMMC?
Maintain an ESP inventory that documents each provider's CUI handling type (stores/processes/transmits), compliance certifications (FedRAMP, CMMC), contract details, and the shared responsibility boundary. Review ESP compliance status as part of your continuous monitoring program. Bedrock CMMC tracks all of this per ESP with contract expiration alerts and requirement flow-down mapping.
Continue Learning
Continuous Monitoring Guide
How to maintain compliance after certification — including ESP compliance monitoring.
The Assessment Process
How CMMC assessments work — self-assessment, evidence collection, and SPRS scoring.
Manage Your Supply Chain Compliance
Bedrock CMMC tracks every ESP's CUI handling, compliance certifications, contracts, and requirement flow-down — so your supply chain is always documented and assessment-ready.