Managed Service Provider
Also known as: MSP
A Managed Service Provider (MSP) is an outsourced IT services firm that operates portions of a contractor's information environment. Under CMMC, an MSP that handles FCI is treated as an External Service Provider and must meet the applicable safeguarding requirements for the in-scope environment it manages.
Related terms
- External Service Provider
An External Service Provider (ESP) is an external entity that provides information technology or cybersecurity services that handle the contractor's FCI or CUI, or that play a security-protection role for in-scope systems. Examples include managed service providers, cloud hosting providers, and managed security service providers; ESPs that handle CUI must themselves meet applicable CMMC requirements.
- Assessment Scope
The assessment scope (also called the boundary) is the set of assets — people, technology, facilities, external service providers — that process, store, or transmit FCI or CUI and therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.