Does Your MSP Drag You Into FedRAMP? ESP vs CSP Scoping Under CMMC, Explained
The May 2026 Cyber AB Town Hall clarified when a managed service provider counts as a Cloud Service Provider - and when that triggers FedRAMP requirements for your CMMC assessment. Here's the decision logic and the questions to ask your MSP this week.
The Question That Sinks Assessments
You've scoped your environment, remediated your controls, and booked your C3PAO. Then, in the first hour of the assessment, the assessor asks: "Your MSP administers these systems — walk me through how they're scoped." And suddenly your assessment has a problem you didn't budget for.
External providers are the most misunderstood part of CMMC Level 2 scoping, and the stakes escalated in May 2026 when the Cyber AB's Town Hall made ESP-vs-CSP classification its headline topic, alongside updated DoD PMO FAQs. Get the classification wrong in one direction and you're paying for FedRAMP-grade services you don't need. Get it wrong in the other direction and your assessment stalls — or your certification rests on a scoping error that surfaces later, with your annual affirmation already signed.
Here is the decision logic, in plain language.
The Three Buckets: ESP, CSP, and Everything Else
Under the CMMC rule (32 CFR Part 170), an outside company touching your environment lands in one of three buckets:
1. External Service Provider (ESP), not a CSP. A provider that processes, stores, or transmits CUI — or provides security protection assets — using your systems or conventional hosting, without offering a cloud service. A typical MSP doing helpdesk, patching, and administration falls here. ESPs do not need their own CMMC certification, but their services are within the scope of your assessment: your C3PAO will examine what the ESP does, what access it holds, and how your controls cover it. You need the relationship documented — responsibilities matrix, access paths, and the ESP's role in your SSP.
2. Cloud Service Provider (CSP). If the provider's offering meets the definition of cloud computing in NIST SP 800-145 — on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service — it's a CSP. And if that CSP processes, stores, or transmits CUI, DFARS 252.204-7012 requires it to meet FedRAMP Moderate or equivalency. This is the bucket that surprises people: it's about what the service is, not what the vendor calls itself.
3. Out of scope. Providers that never touch CUI and provide no security protection assets — payroll SaaS, marketing tools — assuming genuine separation.
The trap is in the middle. Plenty of "MSPs" have quietly become cloud providers: they host your file shares in their multi-tenant data center, run your backup service on shared infrastructure, or resell a proprietary hosted VDI. If the offering walks like NIST 800-145 cloud and CUI flows through it, calling the vendor an MSP doesn't save you. Your C3PAO will apply the definition, not the marketing.
What Changed in May 2026
Two clarifications from the May 2026 Cyber AB Town Hall and the accompanying DoD PMO FAQ updates matter for planning:
First, the NIST SP 800-145 test is now the explicit standard for whether an ESP's offering counts as a cloud service. That gives you and your provider a concrete, five-characteristic checklist instead of a vibes-based argument during the assessment.
Second, FedRAMP Moderate Equivalency (FME) got more workable. C3PAOs may now rely on a CSP's FME assertion — the body of evidence produced by a 3PAO — without waiting for separate DIBCAC vetting of that CSP. If your stack includes a smaller CSP that has done equivalency work but isn't FedRAMP-authorized, this removes a bottleneck that was previously stalling assessments.
The same Town Hall cycle also sharpened the Cyber AB's public warnings about "CMMC-in-a-box" offerings — turnkey packages promising compliance by subscription. The warning exists because the scoping problem described in this post can't be outsourced: even a legitimately FedRAMP-authorized enclave doesn't cover the endpoints, people, and processes that connect to it. Anyone selling certification-by-purchase is selling you an assessment failure.
The Decision Tree
Work through each provider that touches your environment:
- Does the provider process, store, or transmit CUI — or provide security protection assets (SIEM, SOC, EDR management)? No → out of scope. Document the separation and move on.
- Is the service it provides a cloud offering under NIST SP 800-145? (Multi-tenant, self-service, elastic, metered — their infrastructure, not yours.) Yes → it's a CSP. If CUI flows through it, require FedRAMP Moderate authorization or a documented equivalency package. Get the FME body of evidence before your assessment, not during. No → it's an ESP.
- For ESPs: their people and tools are in your assessment scope. You need a shared responsibility matrix, documented access paths, and evidence that your controls (MFA, logging, access review) cover their administrative access.
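The decision tree above is easy to misapply when you have a dozen providers and each one needs the same three questions asked in the same order. The following is an added example, written for this post rather than taken from the Cyber AB, the DoD PMO, or PolicyCortex: it encodes the three buckets, the five-characteristic NIST SP 800-145 test, and the FedRAMP Moderate / FME branch as one function you can run over a provider inventory. The field names, bucket labels, and sample providers are my own constructs; the one place it goes beyond the post is that a hosted service showing some but not all five characteristics is flagged for discussion with the C3PAO rather than silently treated as an ESP.

```python
"""Added example: the ESP/CSP scoping decision tree as a checkable function.
Field names, bucket labels and sample providers are constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Bucket(Enum):
    OUT_OF_SCOPE = "out of scope"
    ESP = "ESP (in assessment scope, no own certification needed)"
    CSP = "CSP (NIST SP 800-145 cloud service)"


# The five essential characteristics of cloud computing in NIST SP 800-145.
NIST_800_145 = ("on_demand_self_service", "broad_network_access",
                "resource_pooling", "rapid_elasticity", "measured_service")


@dataclass
class Provider:
    name: str
    touches_cui: bool            # processes, stores, or transmits CUI
    provides_spa: bool           # security protection assets: SIEM, SOC, EDR management
    their_infrastructure: bool   # service runs on the provider's infrastructure, not yours
    characteristics: frozenset = frozenset()  # 800-145 characteristics actually observed
    fedramp_moderate_authorized: bool = False
    fme_body_of_evidence: bool = False  # FedRAMP Moderate equivalency evidence from a 3PAO


@dataclass
class Result:
    bucket: Bucket
    missing_characteristics: tuple
    actions: list = field(default_factory=list)
    blocking: bool = False  # a finding that stalls the assessment until resolved


def missing_cloud_characteristics(p: Provider) -> tuple:
    """Which of the five 800-145 characteristics the offering does not show."""
    return tuple(c for c in NIST_800_145 if c not in p.characteristics)


def is_cloud_service(p: Provider) -> bool:
    """The test the post describes: all five characteristics, on their infrastructure."""
    return p.their_infrastructure and not missing_cloud_characteristics(p)


def classify(p: Provider) -> Result:
    missing = missing_cloud_characteristics(p)
    # Step 1: no CUI and no security protection assets -> out of scope.
    if not p.touches_cui and not p.provides_spa:
        return Result(Bucket.OUT_OF_SCOPE, missing,
                      ["Document the separation from CUI and move on"])
    # Step 2: cloud offering under 800-145 -> CSP; CUI through it needs FedRAMP Moderate or FME.
    if is_cloud_service(p):
        r = Result(Bucket.CSP, missing)
        if not p.touches_cui:
            # Assumption: the post ties the FedRAMP requirement to CUI flow, so a cloud
            # security-protection provider with no CUI is documented in scope without it.
            r.actions.append("Document the CSP's security-protection role and access in the SSP")
        elif p.fedramp_moderate_authorized:
            r.actions.append("Record the FedRAMP Moderate authorization in the SSP")
        elif p.fme_body_of_evidence:
            r.actions.append("Obtain the FME body of evidence before the assessment, not during")
        else:
            r.blocking = True
            r.actions.append("CUI flows through a CSP with no FedRAMP Moderate authorization or "
                             "equivalency: pursue equivalency, re-architect CUI flows out of "
                             "their cloud, or change providers")
        return r
    # Step 3: everything else touching CUI or security protection assets is an ESP in scope.
    r = Result(Bucket.ESP, missing, [
        "Sign a shared responsibility matrix covering the 110 NIST SP 800-171 controls",
        "Document the ESP's access paths and role in the SSP",
        "Show MFA, logging and access review cover the ESP's administrative access",
    ])
    if p.their_infrastructure and len(missing) < len(NIST_800_145):
        # Assumption (mine, not the post's): a hosted service with some but not all five
        # characteristics is where marketing and definition diverge; flag it for the C3PAO.
        r.actions.append(f"Hosted on provider infrastructure with {len(missing)} of five "
                         "800-145 characteristics absent: confirm classification with the C3PAO")
    return r


def blocking_providers(providers) -> list:
    """Names of providers whose classification would stall the assessment."""
    return [p.name for p in providers if classify(p).blocking]


# Constructed sample inventory, not real vendors.
SAMPLE_PROVIDERS = [
    Provider("Helpdesk and patching MSP", True, True, their_infrastructure=False),
    Provider("MSP-hosted file share in multi-tenant data center", True, False,
             their_infrastructure=True, characteristics=frozenset(NIST_800_145)),
    Provider("Hosted backup on shared storage", True, False, their_infrastructure=True,
             characteristics=frozenset(NIST_800_145) - {"rapid_elasticity"}),
    Provider("Payroll SaaS", False, False, their_infrastructure=True,
             characteristics=frozenset(NIST_800_145)),
    Provider("Enclave vendor with 3PAO FME package", True, True, their_infrastructure=True,
             characteristics=frozenset(NIST_800_145), fme_body_of_evidence=True),
]

if __name__ == "__main__":
    for p in SAMPLE_PROVIDERS:
        r = classify(p)
        print(f"{p.name}: {r.bucket.value}" + (" [BLOCKING]" if r.blocking else ""))
        for a in r.actions:
            print("  -", a)
```

Run it as a script to print each provider's bucket and action list; the `blocking` flag is the item that belongs at the top of your CMMC timeline, since it is the one that takes months to resolve.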
Five Questions to Send Your MSP This Week
The difference between a smooth assessment and a stalled one is usually whether these answers exist in writing before the C3PAO asks:
- "Where exactly does our CUI live and travel in your services?" If any answer involves their hosted infrastructure, apply the 800-145 test to that service.
- "For any cloud service you provide us: are you FedRAMP Moderate authorized, or can you produce a FedRAMP Moderate equivalency body of evidence from a 3PAO?" A blank stare here, four months before Phase 2, is a vendor-risk signal in itself.
- "Will you sign a shared responsibility matrix mapping the 110 NIST 800-171 controls between us?" Serious DIB-focused providers have this on the shelf.
- "How is your administrative access to our environment authenticated, logged, and reviewed?" Their admin accounts are in your assessment scope.
- "Have you supported customers through C3PAO assessments before, and can you provide the artifacts an assessor will ask for?" Experience shows up as ready-made evidence; inexperience shows up as billable discovery during your assessment window.
If the answers reveal that your MSP's offering makes them an unauthorized CSP handling your CUI, you have three options: they pursue equivalency, you re-architect CUI flows out of their cloud, or you change providers. All three take months — which is why this exercise belongs at the start of your CMMC timeline, not the end. (Check what that does to your schedule with the deadline work-back calculator.)
Scoping Is a Data-Flow Problem — Treat It Like One
Every ESP/CSP misclassification traces back to the same root cause: the organization didn't actually know where CUI flowed. Scoping from an org chart or a vendor list produces the errors above; scoping from observed data flows doesn't.
This is where automation earns its keep. PolicyCortex maps your actual cloud environment — accounts, identities, data paths, third-party access — against all 110 CMMC Level 2 controls, so external-provider access shows up as observed fact rather than questionnaire answers. The 30-day CMMC pilot includes exactly this boundary-and-access mapping, and the output is an SSP where the ESP section is written from evidence.
Start with the free CMMC readiness assessment — it includes the external-provider questions most contractors miss — and read our C3PAO backlog analysis to see why a scoping surprise in Q4 2026 is a schedule-killer you can't recover from.
The assessor is going to apply the NIST 800-145 test to your providers either way. The only question is whether you applied it first.