CMMC 2026: The Critical Role of External Service Providers (ESP)
Whether you are using a managed service provider (MSP) for IT support or a specialized cloud tool for engineering, if they have access to your Controlled Unclassified Information (CUI), they are in scope. I’m seeing many contractors fail to document these relationships correctly in their System Security Plan (SSP).
The 2026 ESP Reality
In the current CMMC framework, you cannot "outsource" your responsibility. If an ESP provides security services or handles CUI on your behalf, they must meet the same security requirements as you.
3 Steps to Manage ESP Compliance
- Validate the FedRAMP Status: If you are using a Cloud Service Provider (CSP) to store CUI, they must be FedRAMP Moderate (or High) or meet the "FedRAMP Equivalency" requirements.
  CCP Tip: Don't just take their word for it. Download their latest Customer Responsibility Matrix (CRM) and attach it to your SSP as an artifact.
- The "Access" Litmus Test: Does your MSP have administrative access to your CUI environment? If yes, they are a Security Protection Asset (SPA).
  Tactical Action: Ensure your MSP staff has cleared background checks and that their access is logged and reviewed quarterly. This is a top-tier requirement for Level 2 certification.
- Formalize the Shared Responsibility: Your SSP must explicitly state where your security ends and the ESP's security begins.
  The CRM Approach: Use a table to map each of the 110 NIST 800-171 controls to either "Contractor," "Provider," or "Shared."
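The three steps above end with a responsibility table, and the most common defect in such a table is incompleteness: a control that nobody owns, or a "Provider" row with no statement of what the provider actually does. The script below is an added example, not code from the original post or from any CMMC tooling. It assumes the CRM is exported as CSV with the columns control, owner and description, builds the full set of 110 requirement IDs from the per-family counts in NIST SP 800-171 Rev. 2, and flags missing, unknown, duplicate or mis-owned rows. The rule that every "Provider" or "Shared" row must carry a description is an added check modelled on step 3, not a CMMC requirement by that name.

```python
"""Validate a Customer Responsibility Matrix (CRM) against the 110
NIST SP 800-171 Rev. 2 requirements before attaching it to an SSP.

Added example: not code from the original post. The family counts are the
Rev. 2 requirement counts; SAMPLE_CRM is constructed data with deliberate
errors (a duplicate row, an undocumented Provider row, a bogus control ID).
"""
import csv
import io
from collections import Counter

# Requirement counts per family in NIST SP 800-171 Rev. 2; they sum to 110.
FAMILY_COUNTS = {
    "3.1": 22, "3.2": 3, "3.3": 9, "3.4": 9, "3.5": 11, "3.6": 3, "3.7": 6,
    "3.8": 9, "3.9": 2, "3.10": 6, "3.11": 3, "3.12": 4, "3.13": 16, "3.14": 7,
}
VALID_OWNERS = {"Contractor", "Provider", "Shared"}

# Constructed sample CRM export (columns are an assumption of this example).
SAMPLE_CRM = """control,owner,description
3.1.1,Shared,MSP provisions directory accounts; contractor approves each request
3.1.2,Contractor,Contractor assigns role-based access inside the CUI enclave
3.13.11,Provider,
3.1.1,Contractor,Duplicate row that the validator should catch
3.99.1,Provider,Not a real requirement ID
"""


def _sort_key(control_id):
    """Sort '3.10.1' after '3.9.2' numerically rather than as text."""
    return tuple(int(part) for part in control_id.split("."))


def expected_controls():
    """All 110 requirement IDs, 3.1.1 through 3.14.7."""
    return {f"{family}.{n}" for family, count in FAMILY_COUNTS.items()
            for n in range(1, count + 1)}


def validate_crm(csv_text):
    """Return a report dict describing every gap found in the CRM text."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    seen = Counter(row["control"].strip() for row in rows)
    expected = expected_controls()

    report = {
        # Controls nobody has claimed: the SSP has no owner for them.
        "missing": sorted(expected - set(seen), key=_sort_key),
        # IDs that are not Rev. 2 requirements (typos or wrong revision).
        "unknown": sorted(set(seen) - expected, key=_sort_key),
        # The same control assigned more than once, possibly to two owners.
        "duplicate": sorted((c for c, n in seen.items() if n > 1), key=_sort_key),
        "invalid_owner": [],
        # Provider/Shared rows with no statement of who does what.
        "undocumented": [],
        "by_owner": Counter(),
    }

    for row in rows:
        control = row["control"].strip()
        owner = row["owner"].strip()
        description = (row.get("description") or "").strip()
        if owner not in VALID_OWNERS:
            report["invalid_owner"].append(control)
            continue
        report["by_owner"][owner] += 1
        if owner in ("Provider", "Shared") and not description:
            report["undocumented"].append(control)

    problem_keys = ("missing", "unknown", "duplicate", "invalid_owner", "undocumented")
    report["complete"] = not any(report[key] for key in problem_keys)
    return report


if __name__ == "__main__":
    result = validate_crm(SAMPLE_CRM)
    print("complete:", result["complete"])
    print("rows per owner:", dict(result["by_owner"]))
    for key in ("unknown", "duplicate", "undocumented"):
        print(f"{key}: {result[key]}")
    print(f"missing: {len(result['missing'])} controls, first few {result['missing'][:5]}")
```

Run it against a real CRM export and attach the report next to the CRM as an SSP artifact; an assessor can then see that the 110-row mapping was checked for completeness rather than assembled by hand.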
Summary for DOW Contractors
The Department of War (DOW) is looking for supply chain integrity. If your ESP is the "weak link," your certification is at risk. Treat your service providers as an extension of your own team. Document their access, verify their certifications, and never assume they are "covered" just because they are a large company.