Cloud Service Providers & CMMC: Do they Mix?

October 7, 2021 Redspin, Inc.

In this third installment, we break down CSPs: what they are and how they can help achieve your organization's goals. In this edition, we cover cloud service provider (CSP) requirements with respect to CMMC.

Today, most companies are relying on some form of third-party assistance, whether from a cloud service provider or a managed service provider. Outsourcing IT or cybersecurity services to a third-party provider can provide quality services that the company cannot afford with an on-premise solution, and for less overall cost.

Recently we have been receiving questions about cloud service providers (CSPs) and managed service providers (MSPs) with respect to CMMC compliance. In this newsletter, we provide some basic answers to your CSP questions. Note that we cannot cover all aspects of CSP compliance in just one newsletter. Each organization is different and comes with its own nuances with respect to its third-party providers, so we highly recommend that you consult cybersecurity professionals as you continue preparing for a CMMC assessment.

Cloud Service Provider

Many DoD contractors rely on CSPs for various services, whether to store CUI or to provide secure collaboration or communication services, to name a couple. With respect to CMMC and federal requirements, Defense Federal Acquisition Regulation Supplement (DFARS) rule 252.204-7012 mandates that federal contractors must validate the security requirements for any CSP that processes, stores, or exchanges Controlled Unclassified Information (CUI).

FedRAMP Certified or Not?

For CMMC, the CSP must be a minimum of FedRAMP Moderate certified. In some cases, such as for meeting International Traffic in Arms Regulations (ITAR) requirements, the CSP must be FedRAMP High certified. “FedRAMP certified” means the CSP has had an independent assessment done by a certified assessment organization. With respect to DoD contractors (in CMMC vernacular, Organization Seeking Certification (OSC)) for CMMC requirements:

  • OSC can use the FedRAMP certification for a particular CSP as proof that the CSP is meeting certain CMMC requirements.
  • OSC is still responsible for ensuring the protection of the data (CUI) within the cloud.
  • OSC must also have a clear, shared responsibility matrix between the OSC and CSP.
  • OSC must demonstrate a clear understanding of the shared requirements.
  • OSC must have valid documentation from the CSP to answer assessor questions.

Note that there is no formal reciprocity agreement at this time, and as such the OSC is still responsible for showing due diligence. The DoD is working to publish reciprocity guidance later this year. Keep in mind that a FedRAMP-certified CSP does not meet all CMMC requirements; the upcoming DoD reciprocity policy will provide those details.

Q: What About Other Certifying Bodies?

A: While FedRAMP dominates the topic of CSP certification, there are other certification frameworks that may meet DoD reciprocity requirements. These are still to be determined.

Q: What Does the CSP Need to Provide?

A: The CSP will need to provide a copy of its certification, the shared responsibility matrix between the CSP and OSC, and the respective procedures. If the CSP's accreditation package is available, it is recommended to get a copy, which typically includes the System Security Plan (SSP), Plan of Action & Milestones (POA&M), policies, etc.

Q: Is the CSP in scope for the CMMC Assessment?

A: Yes, the CSP will be in scope if CUI is involved. However, the OSC's scoping (i.e., where CUI resides, locations of facilities with CUI, etc.) will dictate the level of CSP involvement.

Q: Will the CSP be Interviewed during the CMMC Assessment?

A: This depends on the scoping (as described above), the defined responsibilities between the two parties, and reciprocity requirements. Some CSPs may not be interviewed, while others may be an integral part of the CMMC assessment. As explained above, if the CSP has a valid certification, such as FedRAMP, then the CSP should not be a Subject Matter Expert (SME) as part of the CMMC assessment.

If the CSP is not certified (i.e., known as “equivalent”), then the CSP SMEs may be a part of the assessment, and thus interviewed.

Once again, we recommend contacting experts with respect to federal, DoD, and CMMC requirements to help you navigate your path to preparing for CMMC.

How Redspin can help >>

If you have questions on any related aspects of CMMC compliance or if you would like to have a more detailed conversation with a CMMC assessor on third-party providers, readiness, documentation, or training, click the button below to schedule a call.


Additional CMMC resources can be found on our website.

The Redspin Team

© Copyright 2021 Redspin - A Division of CynergisTek

About the Author

Redspin, Inc.

Redspin is a leading provider of risk assessments using various frameworks including NIST CSF, CMMC-AB, ISO 27001, PCI DSS, and healthcare cybersecurity consulting. We’ve helped many Fortune 500 and leading growth companies in highly regulated industries including government, financial, technology, and manufacturing improve their cyber readiness and resiliency through a strategic and proven approach to reduce cyber risks and safeguard sensitive information.
