External Service Provider (ESP) Service Description
With Customer Responsibility Matrix
Effective date: May 13, 2026 · Custodia, LLC
This document describes the BidFedCMMC platform (the “Service”) as an External Service Provider (ESP) so that your C3PAO or DIBCAC assessor can place it in your CMMC assessment scope quickly and correctly. It is written to be dropped straight into your System Security Plan (SSP) as a reference for how the Service is categorized and where responsibility divides.
1. Service description
The BidFedCMMC platform is a multi-tenant Software-as-a-Service application built and operated by Custodia, LLC, a U.S. company, and hosted in the contiguous United States. It guides a defense contractor through a CMMC readiness and affirmation cycle and produces a print-ready SSP and a signed affirmation memo. Deployment is cloud-hosted SaaS accessed over the browser; there is no on-premises component.
The data classes the Service processes are:
- Compliance metadata: assessment answers, scores, plans, registers, and program records.
- Evidence of configuration: screenshots and exports that show settings, policies, rosters, and logs, that is, evidence about your systems.
- Drafted documents: policies, procedures, and SSP narratives generated from the facts you provide.
The Service explicitly does not process, store, or transmit Controlled Unclassified Information (CUI).
2. CMMC scoping determination
The BidFedCMMC platform processes, stores, and transmits no CUI. Depending on how you use it, you categorize it as an Out-of-Scope Asset or, where it holds security-relevant readiness data about your environment, a Security Protection Asset (SPA) assessed within your own CMMC assessment. In neither case is it a cloud service provider handling CUI, so it does not trigger the DFARS 252.204-7012 FedRAMP Moderate requirement.
The Out-of-Scope determination is the OSC's to make and justify, not an automatic exemption. As the OSC, you determine that the asset cannot process, store, or transmit CUI and does not provide security protections for CUI Assets, and you must be prepared to justify that determination. Where the platform holds security protection data about your environment, treat it as an SPA and assess it against the Level 2 security requirements relevant to the capability it provides, inside your own assessment, not as a separate certification.
Authorities: asset categories and the Security Protection Asset / Security Protection Data definitions at 32 CFR 170.4 and 170.19; the CMMC Assessment Scope, Level 2 (v2.13), which provides that SPAs are assessed within the OSC assessment and that Out-of-Scope Assets carry no documentation requirement; and DFARS 252.204-7012, whose FedRAMP Moderate trigger applies to a CSP that stores, processes, or transmits CUI, which the Service does not.
3. Suggested SSP asset-inventory line
Copy the following into your asset inventory or SSP, adjusting the category to match your own determination:
Asset: BidFedCMMC (Custodia, LLC) | Category: Security Protection Asset / Out-of-Scope | CUI: None processed, stored, or transmitted | FedRAMP: Not applicable, no CUI
4. Customer Responsibility Matrix
The Service provides tooling and evidence organization. You perform, decide, and attest. Nothing on the platform is ever marked met automatically.
| Area | BidFedCMMC provides | Customer owns |
|---|---|---|
| Evidence collection and organization | Guided capture, upload, AI review for sufficiency and CUI screening, per-control organization, and freshness tracking. | Gathering the actual settings and configurations, and accepting each artifact before it counts toward a control. |
| Policy and SSP drafting | AI-drafted policies, procedures, and SSP narratives from the facts you enter, plus print-ready SSP output. | Reviewing, editing, approving, and signing every document. The content is yours. |
| Access control to the workspace | Authentication and session management via Clerk, with MFA available on every tier, and role-based workspace roles. | Deciding who you invite, enforcing MFA on your users, and offboarding promptly. |
| Encryption of platform data | AES-256-GCM at rest under a per-tenant key wrapped by a platform key backed by AWS KMS; TLS 1.2+ in transit; crypto-shred on request. | Protecting the credentials and devices your users sign in from. |
| CUI handling | A no-CUI platform. Uploads carrying CUI or export-control markings are screened and blocked. The platform stores none. | Keeping all CUI in your own environment (enclave, GCC High, file server) and never uploading it to the Service. |
| Assessment scoping decision | This ESP description and the citations so your assessor can categorize the platform quickly. | Making and justifying the Out-of-Scope or SPA determination for your specific use, with your assessor and counsel. |
| SPRS / eMASS filing and affirmation | The data, artifacts, and walkthrough needed to prepare your submission. | Filing to SPRS or eMASS and making the annual affirmation as the responsible official. |
| Attestation that controls are met | Tooling that stages evidence and drafts for your review. Nothing is marked met automatically. | Attesting that each control is met. Attestation is a human act with no API. |
5. Data handling summary
- Residency: stored and processed in the contiguous United States; all sub-processors are U.S. entities.
- Encryption: AES-256-GCM at rest under a per-tenant key wrapped by a platform key backed by AWS KMS; TLS 1.2+ in transit.
- Isolation: tenant isolation is enforced at the data-access layer, and each organization carries its own encryption key.
- AI: a governed drafting and review feature that receives no CUI, does not train on your data, and never marks a control met. See the AI Fact Sheet.
- Crypto-shred: destroying your tenant key renders your records permanently unreadable, on request.
6. Related documents
This statement describes the platform's architecture and is not legal advice. Whether a specific artifact is CUI, and how your assessor treats any tool, is a determination for you, your counsel, and your assessor. Questions: security@bidfedcmmc.com.