What DoD Contractors Need to Know About the 32 CFR CMMC Rule and Its Effect on Vendors
Published: Aug 13, 2024
Last Updated: Jul 17, 2025
Looking back, 2024 was a big year for the Department of Defense (DoD), as they released both a memorandum titled Federal Risk and Authorization Management Program (FedRAMP) Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings, and the 32 CFR Part 170 - Cybersecurity Maturity Model Certification (CMMC) Rule.
Together, these publications provided significant clarifications for those in the Defense Industrial Base (DIB) that currently have a DFARS 252-204-7012 clause in their contracts with the DoD, or those that may have interest in doing business with the DoD in the future. But to understand the complete implications, each document must be broken down separately, and as leading providers of FedRAMP assessments and the first firm of our kind to become an authorized CMMC Certified Third Party Assessment Organization (C3PAO), we are well positioned to help do this.
In this blog post, we’ll describe the requirements of the relevant DFARS Clause 252.204-7012 and the expectations for DoD contractors laid out in the 32 CFR CMMC Rule. We’ll also detail how it all trickles down to their external service providers (ESPs), including Cloud Service Providers (CSPs) and Managed Service Providers (MSPs).
To learn more about the details within the FedRAMP memo regarding Moderate equivalency, check out our other blog, and then you’ll be better prepared to proceed forward with these evolving federal regulations and standards.
What is DFARS Clause 252.204-7012?
Created in 2013, the DFARS 252.204-7012 clause dictates cybersecurity requirements to ensure that contractors of the DoD are protecting Covered Defense Information (CDI)—more commonly referred to as Controlled Unclassified Information (CUI).
The requirements applicable to DoD contractors outlined per the clause include, but are not limited to, the following:
- Implement the 110 controls outlined in NIST SP 800-171: “Protecting CUI in Nonfederal Information Systems and Organizations.”
*Contractors must also comply with other DFARS 252.204-7012 requirements for protection against malicious software, media preservation and protection, access to the equipment necessary for forensic analysis, and cyber incident damage assessment.
- Perform a self-assessment of that implementation and enter their scores in the DoD’s Supplier Performance Risk System (SPRS) in accordance with DFARS clause 252.204-7019.
- Report cyber incidents that affect CUI or that impact the contractor’s capacity to perform requirements to the Department of Defense Cyber Crimes Center (DC3)—that may also mean:
- Sharing cyber incident data requested by DC3
- Retaining said data
- Complying with any subsequent investigations that may occur
It’s not just prime contractors that must comply with these requirements. The clause also contains language referring to what’s called “flowdown,” i.e., a mandate that contractors include the DFARS 252.204-7012 clause in all related subcontracts, so that a subcontractor that does not agree to comply shall not be in possession of CUI. This is how the protections above are assured throughout the supply chain.
Also embedded within that same clause are legal clarifications and obligations regarding where the CUI—within contractor systems or those of compliant subcontractors—may be stored, processed, or transmitted, as well as the possibility of a contractor employing the services of a CSP.
On the latter, the clause specifically says:
“If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.”
ESPs vs. MSPs vs. CSPs in the 32 CFR CMMC Rule
The DoD finalized the CMMC Rule in October 2024, which officially went into effect in December 2024 and contained additional context and expectations for DoD contractors.
Among the biggest and most important clarifications was the confirmation of the applicability of DFARS 252.204-7012 as well as the requirement for CSPs to comply with the FedRAMP Moderate equivalency standard.
Aside from that enormous development, the CMMC Rule also redefined CSPs to separate them from what the DoD is now calling External Service Providers (ESP)—a new distinction that will be important to any Organizations Seeking (CMMC) Certification in the future.
What is a CMMC External Service Provider (ESP)?
As defined by the CMMC Rule, an ESP is a third-party organization that provides services in support of a DIB member’s services or contract performance. More specifically, the CMMC Rule states:
“CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”
Given this definition, the type of services provided by an ESP can vary widely, but they are commonly responsible for handling specific tasks or functions such as active administration of incident response, managed IT services, and consultancy—all of which may not necessarily involve cloud technologies.
What is a CMMC Managed Service Provider (MSP) or Managed Security Service Provider (MSSP)?
An ESP need not be a cloud provider at all; it could instead be an MSP or MSSP, a specific type of ESP that offers cybersecurity services, such as monitoring and management of systems. While the specific type of service among MSPs/MSSPs could vary greatly, they are commonly responsible for:
- Monitoring of a boundary or enclave
- Management of system components
- Data and system access control
In simpler terms, an MSP or MSSP may perform the above (or other services) within an environment that is under the direct control of a DIB member or may have their own assets collecting and managing data on behalf of the DIB member in accordance with their agreement.
What is a CMMC Cloud Service Provider?
CSPs also fall under the CMMC ESP umbrella, although they are defined as providers offering cloud-based services such as Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). More specifically—according to NIST SP 800-145—a service must exhibit the following five essential characteristics to qualify as a cloud computing service:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
In simpler terms, a cloud service is commonly delivered over the internet, allowing users to access, store, and manage applications and compute resources without needing local infrastructure.
An Important Caveat About Determining the Category of Your Providers: As an assessment organization for both FedRAMP and CMMC, we frequently field questions from our customers about whether a given provider falls under these definitions. While the definitions are meant to help you discern that, it typically requires further discussion with a CMMC C3PAO and/or FedRAMP Third Party Assessment Organization (3PAO) to address the nuances that come with each type of service provider (and the possible overlaps between them).
Assessment Implications of the 32 CFR CMMC Rule
This new separation of external provider types matters because, depending on which type of provider you employ as an Organization Seeking Certification (OSC), your vendors will also need to meet certain compliance requirements. If they don’t, the outcome of your requisite CMMC assessment may be negatively affected.
Here are specific details on how those requirements shake out for OSCs and their (non-CSP) ESPs:
- If the OSC utilizes an ESP (non-CSP) for handling CUI that is outside the control of the OSC—e.g., an MSP/MSSP where their customer’s CUI is handled on the MSP/MSSP’s assets, infrastructure, or footprint (on premise or in a CSO) as part of their services—that ESP will be required to undergo their own CMMC Certification Assessment and pursue the relevant CMMC certification type for the processing, storage, or transmission of CUI at Level 2 or Level 3.
  - Their certification level will be determined by the sensitivity of the data they handle and/or the type of government contracts they support.
  - Alternatively, if that same ESP in this scenario is only handling their customer’s Security Protection Data (SPD) and not CUI, that ESP will be required to provide their customers with a Shared Responsibility Matrix (SRM) that describes the responsibilities of the OSC and ESP with respect to the services provided.
  - Note that while an ESP (non-CSP) only handling SPD can choose to pursue their own CMMC Certification, it is not required.
- If the OSC utilizes an ESP (non-CSP) for handling CUI or SPD and the OSC remains in control of the data—e.g., an MSP/MSSP where they have access to CUI or SPD on the OSC’s assets, infrastructure, or footprint (on premise or in a CSO) as part of their services—that ESP may effectively be an extension of the OSC’s personnel and could be required to participate during the assessment if the ESP has sole responsibility in meeting objectives on behalf of the OSC.
Note that if an MSP/MSSP provides a cloud service offering and is handling CUI or SPD as part of that offering, the MSP/MSSP would fall into the CSP category defined above, whose requirements are noted in the next section.
- If the ESP (non-CSP) is internal to the OSC (e.g., another business unit) but outside the OSC’s CMMC certification scope, the requirements outlined above remain the same.
- Organizations Seeking Assessment (OSA) that are self-assessing at Level 1 should also be prepared to identify potential ESPs and how their assets or personnel handle Federal Contract Information (FCI).
Here are the assessment implications for OSCs and their ESP (CSPs):
- If an OSC is attempting to obtain a CMMC Level 2 or Level 3 certification and intends to use an ESP’s Cloud Service Offering (CSO) for handling CUI, then the ESP’s CSO will be required to either:
- Hold a FedRAMP Authorization at the Moderate baseline (or higher); or
- Work with a FedRAMP 3PAO to perform a FedRAMP Moderate equivalency assessment and present the results to their OSC as evidence to ensure their CUI is stored, processed, or transmitted in accordance with the standard set forth in the CMMC Rule, which will be evaluated as part of the OSC’s CMMC certification assessment.
- If an OSC is attempting to obtain a CMMC Level 2 or Level 3 certification and intends to use an ESP’s Cloud Service Offering (CSO) for handling SPD, but not CUI, then the ESP will be required to provide their customers with a Customer Responsibility Matrix (CRM) that describes the responsibilities of the OSC and ESP with respect to the CSO services provided.
- If the ESP’s CSO is internal to the OSC (e.g., another business unit) but outside the OSC’s CMMC certification scope, the requirements outlined above remain the same.
- If an OSA is using an ESP’s CSO as part of their scope for a Level 2 Self-Assessment, the requirements outlined above remain the same.
Moving Forward with CMMC and the New FedRAMP Moderate Equivalency
Understanding the requirements and expectations outlined in DFARS 252.204-7012 and the new context within the CMMC Rule—not to mention the equally relevant FedRAMP Moderate Equivalency memorandum—is certainly no easy feat.
As DIB organizations navigate the applicability of these requirements, they should focus on the capabilities of their external services, how those services are delivered to the DIB, and whether those external services handle CUI or SPD. Those factors ultimately determine whether CMMC or FedRAMP applies to each ESP and which requirements it must meet ahead of, or during, your CMMC Certification Assessment.
Though this blog hopefully provides a helpful head start, we know you likely still have questions about these complexities, and as a leading FedRAMP 3PAO and CMMC C3PAO, our experience in this space could be of help. Contact our team today so that we can help you find the right assessment roadmap for your organization.
In the meantime, discover additional CMMC insights in these helpful resources:
About Tim Walsh
Tim Walsh is a Manager in Schellman's Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Prior to joining Schellman in 2019, Tim worked as a Systems Engineer for a Defense Contractor specializing in the design of physical security systems for Naval installations across the United States. Tim also led and supported various other projects, including software development of an inventory and logistics program used in support of Naval vessels as well as participating in Internal Research & Development (IRAD) of critical operations.