External Service Provider
Also known as: ESP
An External Service Provider (ESP) is an external entity that provides information technology or cybersecurity services that handle the contractor's FCI or CUI, or that play a security-protection role for in-scope systems. Examples include managed service providers, cloud hosting providers, and managed security service providers; ESPs that handle CUI must themselves meet applicable CMMC requirements.
Related terms
- Assessment Scope
The assessment scope (also called the boundary) is the set of assets — people, technology, facilities, external service providers — that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
- FedRAMP
FedRAMP is the federal government program that standardizes the security assessment, authorization, and continuous monitoring of cloud service offerings used by federal agencies. Cloud services used by DoD contractors to process or store CUI must be FedRAMP Moderate Equivalent or higher under DFARS 252.204-7012(b)(2)(ii)(D).
- Managed Service Provider
A Managed Service Provider (MSP) is an outsourced IT services firm that operates portions of a contractor's information environment. Under CMMC, an MSP that handles FCI is treated as an External Service Provider and must meet the applicable safeguarding requirements for the in-scope environment it manages.