Where We Stand

Click each header to expand/collapse more information.


Why We Exist

Managed Service Providers (MSP) and Managed Security Service Providers (MSSP), commonly referred to as External Service Providers (ESP), are key players in facilitating IT, cybersecurity, and supply chain risk management across critical infrastructure sectors, the federal contracting base, and especially in the Defense Industrial Base (DIB).
Small and medium-sized businesses (SMBs) comprise over 75% of the Defense Industrial Base. The Department of Defense (DoD) estimates that at least 80,000 companies will be required to achieve CMMC Level 2 certification. Therefore, CMMC Level 2 certification for 60,000 SMBs is a conservative estimate.

Most SMBs leverage ESPs because it simply makes good business sense. SMBs typically have neither in-house IT and security expertise, nor the time, budget, and resources required to recruit, develop, and sustain such a team. If 50% - 70% of SMBs requiring CMMC Level 2 certification leverage ESPs, then upwards of 30,000 – 40,000 DoD suppliers and their Controlled Unclassified Information depend entirely on the quality of the external IT and security service providers.
It is common for an ESP supporting the DIB to be directly responsible for 40% - 70% of the IT and cybersecurity requirements that must be implemented and maintained to achieve CMMC Level 2 certification.

In addition, ESPs are key threat vectors for malicious actors to scale cybercrime, ransomware, and state-sponsored cyber espionage. ESPs are essential, but they are also a potential weak point in the protection of the DIB due to the consolidated privileged access that they may have, which may extend to multiple DIB members. While it is possible to limit and compartmentalize privileged access across numerous customers, it is not uncommon for an ESP to support 100s of companies with their consolidated infrastructure. Because of the enormous potential attack surface ESPs create, a worst-case scenario could see an ESP capable of compromising 100s of DIB members and their CUI data with a single attack.

Unfortunately, even though ESPs are essential in support of critical infrastructure, standards, regulations, and certification programs have routinely failed to acknowledge, account for, or control their systemic importance.

Sector Coordinating Agencies (e.g., DoD, DHS), Sector Coordinating Councils (e.g., DIB-SCC), organizations such as National Defense Information Sharing and Analysis Center (ND-ISAC), and even elements of the government such as NIST and the Office of the National Cyber Director (ONCD) have failed to take the initiative and use ESPs as cybersecurity leverage points to advance the security of critical infrastructure sectors and their data flows.

Sadly, previous efforts to normalize a regulatory understanding of ESPs and standardize basic security best practices for ESP use cases were abandoned in 2019. Since then, regulators have drifted toward conflating cloud service providers (CSPs) and managed IT and security service providers – typically only because cloud-focused cybersecurity standards such a FedRAMP exist while ESP-focused security standards do not.

Meanwhile, existing definitions of covered systems and organizations need to account for the unique nature of managed services. As a result, regulatory efforts such as CMMC are often hamstrung by inadequate source materials and authoritative references.  

Worst of all, myopic supply chain cybersecurity strategies based on the idea of government-provided cloud enclaves are gaining support even though such solutions need to correctly address the ESP service model and adequately control the unique nature of ESP interfaces woven throughout the supply chain.

As a result of these issues, we desire to collaborate with Congress, DoD, the Cyber AB, state legislatures, and the broader critical infrastructure ecosystem to provide insight into the importance of external service providers in securing critical infrastructure, the federal contracting base, and especially the Defense Industrial Base. 

Our recommendations for the CyberAB, the DoD, and Congress are all borne from a desire to help secure the Defense Industrial Base, support the warfighter, and improve national security. Our companies stand ready to support and will continue to work with government, industry, and academia to put appropriate technology, processes, and capabilities in place to ensure that we stay a step ahead of the aggressors. Protection of our national intellectual property is paramount to ensuring we can continue to thrive as a nation.



ESP Standards

Congressional Appropriations

RPO Certification

Our members all engage with the CyberAB and the developing ecosystem created by the CMMC program. Through our experience in this ecosystem, we have identified several issues that must be addressed to improve the DIB and the CyberAB ecosystem.  


One of the areas needing improvement within the CyberAB's ecosystem is the Registered Provider Organization (RPO) program. The requirements to become an RPO are low and are limited to paying a fee to the CyberAB in exchange for status and badge. 


Very little due diligence is done to establish the competency and skills these organizations possess. It is common to see RPOs distributing inaccurate and potentially harmful information to OSCs through their marketing materials and consulting practices. Additionally, the consequences of receiving improper guidance could include additional costs, lost opportunity, and an extended timeline to achieve compliance. These bad practices undermine trust in the RPO program and OSC's progress toward compliance and ultimately sidetrack the overarching mission of the CyberAB to secure the DIB.  

We suggest significant changes to the RPO program to increase trust  within the ecosystem. This mission can be accomplished by modifying the RPO program to enhance the requirements to become a credentialed RPO. Doing this will raise professionalism and consulting amongst RPOs, ensuring that OSCs receive accurate and constructive information and guidance when engaging with an RPO.


First, each candidate RPO should demonstrate their ability to establish a security baseline equivalent to the levels at which they would provide consultation services. This could be done by requiring an RPO to achieve CMMC L2 by validating an approved CMMC 3rd Party Assessor Organization (C3PAO). 


  • This will prove to the CyberAB that the RPO has the necessary process and technology knowledge to appropriately implement an environment suitable for handling CUI. This knowledge should be required before they can consult with OSCs on their security program.  


  • Second, each RPO should be required to maintain a minimum of 1 Certified CMMC Assessor (CCA)  and 1 Registered Practitioner Advanced (RPA) on full-time W2 staff. This will ensure that the consulting provided by the RPO is accurate and vetted across multiple levels of CMMC credentialed expertise within the candidate RPO. These types of minimum certification requirements for organizations are very common among partner programs within the industry.

 ESP Scoping

MSPs and MSSPs that support clients in the Defense Industrial Base should prove their ability to provide adequate protection of their client environment and support CMMC capabilities in their delivery of services. As such, the MSP or MSSP should be required to undergo their own CMMC L2 assessment, validated by an authorized C3PAO, and they should be listed in the Cyber AB marketplace as a vetted ESP.


Determining the scope of the assessment for an MSP or MSSP is essential, as the CMMC L2 certification would carry with it the intention of inheritance for a standardized Shared Responsibility Matrix (SRM) applicable to their client environments. Any deviation from the certified SRM with the OSC would need to be called out on a NIST 800-171A Practice and Assessment Objective basis in the OSC SSP.


MSPs and MSSPs likely will not be directly processing, storing, or transmitting CUI for their DIB clients. According to the SR, the scope of their CMMC L2 certification should encompass the people, processes, and technology leveraged in delivering services to the OSC. CMMC L2 Scoping categorization of assets would be referenced to determine applicable controls for users, applications, systems, or devices leveraged to provide security functions to an OSC whose systems or users process, store, or transmit CUI.  


Accordingly, the MSPs or MSSPs who leverage Non US Persons for services that are delivered to OSCs who have ITAR, EAR or NOFORN data need to prove they have removed physical and logical access to those OSC environments and provide for an alternate means of US-person based service delivery for those capabilities as if they are a CUI asset.

For further guidance on program and scoping recommendations supporting the validation of a Service Provider's qualifications, refer to this MSP Collective Paper:
External Service Provider Scoping and CMMC L2 Assessment Program Recommendations