Home Resources Vendor Oversight
Specialized Topics · 13-minute read · Third-party management

MSP, Vendor, and CSP Oversight

Most small DIB contractors rely on managed service providers for IT, cloud service providers for productivity tools, and a long tail of specialty vendors. CMMC requires that you understand which of these are in scope, what controls they're responsible for, and what evidence supports their compliance posture. This guide walks through the practical management of those relationships.

Why Vendor Oversight Matters

Most contractors have no internal IT department large enough to handle every aspect of compliance themselves. The MSP administers the network. A cloud provider hosts the email. A SaaS vendor handles the engineering CAD repository. A support contractor manages the ticketing system. Every one of those relationships extends your authorization boundary outward — and the controls those vendors implement (or fail to implement) become part of your compliance posture.

From an assessor's perspective, there is no distinction between "things you control directly" and "things your vendors control." If a vendor's failure causes your environment to be non-compliant, the finding lands on you. The vendor isn't certified — you are. The contract is between you and the government; the vendor is your problem.

Vendor oversight under CMMC is therefore not a procurement exercise. It is a security exercise: knowing which vendors handle in-scope assets, what their security posture is, what controls they're responsible for, and what evidence supports their compliance. The work happens before the assessment, not during.

Three Vendor Types

TypeDescriptionExampleCMMC posture
Managed Service Provider (MSP) Operates and administers your IT infrastructure on your behalf. Often has privileged access to in-scope systems. Outsourced IT firm administering your firewalls, servers, and endpoints Almost always in scope. May themselves require CMMC certification (under emerging "ESP" rules).
Cloud Service Provider (CSP) Operates a multi-tenant platform that hosts your data or runs your software. Customer configures usage; provider operates the platform. Microsoft 365 GCC High; AWS GovCloud; PreVeil; Kiteworks In scope when it stores/processes/transmits CUI. Must meet FedRAMP Moderate or equivalent.
Specialty vendor A vendor that provides a discrete service or tool to your organization. May or may not have system access. Background screening firm; payroll provider; office supplies vendor; outside counsel; software application vendor In scope only when the relationship involves CDI handling or in-scope system access. Many specialty vendors are out of scope.

The distinctions matter because the compliance obligations differ. An MSP with persistent privileged access to your in-scope environment is fundamentally different from a payroll vendor that processes employee names and hours. Treating them the same way over-invests in oversight of low-risk vendors and under-invests in high-risk ones.

When Vendors Are In Scope

A vendor relationship pulls into CMMC scope when any of the following is true:

  • The vendor stores, processes, or transmits CUI. A cloud-hosted CUI repository, a secure file-transfer service that handles CUI exchange, an encrypted communication platform that carries CUI — all in scope.
  • The vendor has access to systems that handle CUI. An MSP with administrative access to your CUI server is in scope, regardless of whether the MSP technicians ever read the actual CUI files. The access alone creates the scope.
  • The vendor's services are part of your CUI workflow. A CAD tool used to work with CUI drawings, a PLM system that manages CUI engineering data, an analytics tool that processes CUI as input — all in scope as part of the workflow that handles CUI.
  • The vendor is contractually a subcontractor handling CDI. See the DFARS flow-down guide; a sub handling CDI must comply with all 7012 obligations.

A vendor relationship is generally out of scope when the vendor:

  • Has no access to in-scope systems
  • Does not handle CUI
  • Provides a service that does not involve in-scope data flows (e.g., a public-facing marketing website hosted on commercial cloud, with no CUI in the workflow)

The boundary determination must be made vendor-by-vendor. A vendor inventory listing each vendor, the service provided, the in-scope/out-of-scope determination, and the rationale is a worthwhile artifact for the assessment.

External Service Providers (ESPs)

The CMMC Final Rule introduces the concept of an "External Service Provider" — an entity that provides specific services to the contractor that affect the contractor's ability to meet CMMC requirements. The rule places obligations on contractors with respect to their ESPs:

  • The contractor must identify ESPs in the SSP. The SSP must list ESPs whose services affect compliance, with the specific controls each ESP supports.
  • ESPs that handle CUI may themselves require CMMC certification. An MSP whose technicians have privileged access to a contractor's CUI environment is, under the rule, an ESP — and depending on how the rule is interpreted in practice, may need to be CMMC certified at the appropriate level. The interpretive guidance is still evolving; track the CMMC PMO's published clarifications.
  • The contractor remains responsible for the ESP's controls. Even where the ESP has its own certification, the contractor's SSP must document the relationship and the contractor must verify the ESP's compliance through evidence.

The practical implication: when you select MSPs and CSPs going forward, the question "is this vendor itself CMMC certified?" matters. An MSP that is CMMC Level 2 certified is operationally and contractually easier to work with than one that is not. The available pool of CMMC-certified MSPs is small but growing rapidly.

The ESP rules are an area of active interpretation. Cyber AB and the CMMC PMO have published guidance, but specific scenarios continue to surface novel questions. When in doubt about whether a particular vendor falls under ESP requirements, consult current PMO guidance and consider asking your C3PAO during the scoping discussion.

Contractual Requirements

Every in-scope vendor relationship needs contractual terms that bind the vendor to security obligations consistent with the contractor's CMMC posture. The specifics vary by vendor type, but the categories below should appear in some form:

For all in-scope vendors

  • An obligation to handle CUI consistently with NIST SP 800-171 Rev 2 requirements (or to inherit them via the contractor's SSP if the vendor is fully embedded)
  • Cyber incident notification: requirement to notify the contractor of any security incident affecting the contractor's data, with specific timelines
  • Access controls: vendor personnel access to in-scope systems must follow the contractor's access control policies (named users, MFA, periodic review)
  • Audit rights: the contractor's right to assess the vendor's relevant controls (or to receive third-party assessment evidence in lieu of direct audit)
  • Data return / destruction at end of relationship: how the vendor returns or destroys contractor data when the engagement ends
  • Sub-vendor / lower-tier provider requirements: rules around the vendor's own use of subcontractors who would gain access to contractor data
  • Insurance: appropriate cyber liability coverage given the data exposure

Additional for MSPs

  • US-person personnel requirement (especially if any ITAR-controlled CUI is in scope — see the ITAR/EAR guide)
  • Specific named technicians on the contractor's account, with notification of personnel changes
  • Background check requirements for technicians with privileged access
  • Privileged access controls: separate accounts for vendor admin work, MFA enforcement, session logging
  • Change management: vendor changes to in-scope systems must follow the contractor's change control process
  • Documentation of vendor activities: tickets, change records, audit logs of vendor access

Additional for CSPs handling CUI

  • FedRAMP Moderate authorization or demonstrable equivalence — confirmed through the FedRAMP Marketplace or the CSP's published equivalence evidence
  • Customer Responsibility Matrix (CRM) provided to the contractor
  • Annual SOC 2 Type II report or equivalent attestation
  • Data residency requirements: where data is stored, where it is processed, geographic and jurisdictional constraints
  • Incident notification timeline tied to the contractor's 72-hour DoD reporting obligation
  • For CUI handling: confirmation that no foreign-person administrative access exists (or that any such access is authorized under appropriate licenses for ITAR data)

The Customer Responsibility Matrix

For every CSP in your authorization boundary, the Customer Responsibility Matrix (CRM) is the document that defines who is responsible for which controls. The CRM is published by the CSP and varies by service. Microsoft publishes CRMs through the Service Trust Portal; AWS publishes them through Artifact; PreVeil and Kiteworks publish CRMs through their respective compliance documentation pages.

Each control in the CRM is categorized as:

  • Inherited (or "Provider-Provided"): The CSP fully implements the control; the customer relies on the CSP's implementation
  • Shared: Both the CSP and customer have responsibilities (the CSP provides the capability; the customer must configure it correctly)
  • Customer-Responsible: The CSP provides no implementation of this control; the customer must implement it independently

For CMMC purposes, you must document in your SSP which controls you inherit, which are shared, and which you implement directly. The shared controls are where most operational findings cluster, because they require the customer to actually configure the platform correctly — and the most common failure is leaving the platform at default settings.

Reading the CRM is not optional. A common assessor question is "show me your CRM for [CSP] — and show me how you've implemented the customer-responsible controls." Not having the CRM (or having it but not having internalized it) is a common finding.

Evidence to Collect

For each in-scope vendor, your evidence package should include:

  • Contract or master service agreement incorporating the security clauses described above
  • Customer Responsibility Matrix (for CSPs) — current version, with the customer-responsible controls mapped to your SSP
  • FedRAMP authorization confirmation (for CSPs handling CUI) — Marketplace listing screenshot or equivalent
  • SOC 2 Type II report or equivalent from the vendor (annual)
  • Vendor security questionnaire response documenting the vendor's relevant security posture
  • For MSPs: list of named technicians with US-person status (if relevant) and date of last background check
  • For MSPs: privileged access logs showing what vendor personnel accessed, when
  • Vendor incident notifications (any incidents reported by the vendor, the response taken, the lessons learned)
  • Records of vendor access reviews — periodic confirmation that the vendor's access is still appropriate and limited to the named personnel
  • Vendor offboarding records for any vendor relationships that have ended — confirmation that data was returned or destroyed and access was revoked

The vendor evidence is part of your overall evidence library. Treat it with the same freshness discipline — vendor questionnaires from three years ago are not useful; current ones are.

MSP Selection Questions

If you're selecting an MSP for the first time, or evaluating an existing MSP for CUI work, the questions below cover the relevant ground. Treat as an initial filter; expect detailed follow-up on the answers that matter most.

CMMC posture

  • Are you CMMC certified? At what level? When was the certification granted?
  • Do you meet the External Service Provider requirements as currently interpreted by the CMMC PMO?
  • Can you provide an SSP excerpt covering the controls you implement on our behalf?
  • What is your incident response procedure when a contractor's environment is affected?

Personnel

  • Are all personnel with access to our environment US persons under ITAR? Can you contractually commit to that?
  • What background checks are performed on personnel with privileged access?
  • Will we have specific named technicians assigned to our account, and will we be notified of changes?
  • What is your policy on offshore support, follow-the-sun support, or use of foreign subcontractors?

Operations

  • How do you log and audit your personnel's access to our systems? Will we have access to those logs?
  • How are change requests handled? Do they follow our change control process or yours?
  • What's your security incident notification timeline if your tools or staff are compromised?
  • How do you handle credential management for the privileged accounts you use to administer our environment?

Contracts and exit

  • What security clauses are in your standard MSA? Are you willing to negotiate additions for CUI handling?
  • What is your data return / destruction policy at end of engagement?
  • What insurance coverage applies to incidents affecting our data?
  • What is your liability cap for security incidents? Is it negotiable for CUI engagements?

Sample Vendor Contract Clause

Below is a plain-language sample clause for a CUI-handling vendor (MSP, software vendor with system access, etc.). Adapt for your specific situation; have legal counsel confirm before use.

Section [N]. Information Security and CMMC Compliance.

(a) NIST SP 800-171 implementation. Vendor shall implement and maintain controls satisfying NIST SP 800-171 Revision 2 to the extent applicable to its services for Customer, including all systems and personnel with access to Customer's Covered Defense Information ("CDI") or to Customer's information systems handling CDI.

(b) FedRAMP authorization (cloud services). Any cloud service or cloud-hosted infrastructure used to deliver services that handle CDI shall be authorized at the FedRAMP Moderate baseline or demonstrably equivalent under the December 21, 2023 DoD CIO memorandum on FedRAMP Moderate Equivalency, including assessment by a FedRAMP-recognized 3PAO against the full FedRAMP Moderate baseline with no open POA&Ms.

(c) US-person personnel. All personnel with access to Customer's CDI-handling systems shall be United States Persons as defined under 22 CFR 120.62. Vendor shall maintain a list of authorized personnel and notify Customer of any additions or removals within five business days.

(d) Cyber incident reporting. Vendor shall notify Customer of any security incident affecting Customer's data or systems within 24 hours of discovery, in writing, with available details. Vendor shall cooperate with Customer's required reporting under DFARS 252.204-7012.

(e) Privileged access controls. Vendor personnel accessing Customer's systems shall use named, multi-factor-authenticated accounts. Shared accounts and unmonitored access are prohibited. Vendor shall provide Customer with audit logs of vendor access on request.

(f) Data return and destruction. Upon termination of this Agreement, Vendor shall return all Customer data within 30 days and destroy any retained copies in accordance with NIST SP 800-88 sanitization standards. Vendor shall provide written certification of destruction.

(g) Sub-vendors. Vendor shall not permit any sub-vendor or lower-tier provider to access Customer CDI or CDI-handling systems without Customer's prior written approval. Approved sub-vendors are bound by these same obligations.

(h) Audit rights. Customer or its designated assessor (including any C3PAO conducting Customer's CMMC assessment) shall have reasonable access to Vendor's relevant policies, procedures, evidence, and personnel for the purpose of verifying compliance with this Section.

(i) Annual attestation. Vendor shall provide Customer annually with (i) a current SOC 2 Type II report or equivalent attestation, (ii) confirmation of any material changes to its security posture, and (iii) a current Customer Responsibility Matrix where applicable.

Authoritative References

DoD CIO CMMC Program Office
Authoritative source for ESP guidance and the rolling interpretive clarifications
FedRAMP Marketplace
Authoritative directory of FedRAMP-authorized cloud services — verify any CSP holding CUI
DoD CIO FedRAMP Equivalency Memo (Dec 21, 2023)
The standard for "FedRAMP Moderate equivalent" — assessment by FedRAMP-recognized 3PAO, 100% baseline coverage, zero findings, no open POA&Ms, full Body of Evidence; no self-attestation
Microsoft Service Trust Portal
Source for Microsoft's CRMs and FedRAMP package documentation
AWS Artifact
AWS's portal for security and compliance documentation including FedRAMP packages and customer responsibility documentation
The Cyber AB
Maintains the directory of CMMC-certified MSPs and CSPs as the program matures

Related resources: See the DFARS flow-down guide for subcontractor obligations that overlap with vendor management, the enclave architecture guide for cloud-side scoping, and the ITAR/EAR guide for export-control overlay on vendor selection.