
Cloud Service Provider (CSP)

A Cloud Service Provider (CSP), as defined in the CMMC Final Rule (32 CFR Part 170.4), is a third-party entity that provides cloud services based on cloud computing.

What is a Cloud Service Provider (CSP)?

A Cloud Service Provider (CSP), as defined in the CMMC Final Rule (32 CFR Part 170.4), is a third-party entity that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.

A cloud service provider that processes Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or Security Protection Data (SPD) on behalf of an organization seeking a CMMC assessment must be considered in the CMMC scoping process and will be assessed against CMMC security requirements.

In the CMMC program, all cloud service providers are classified as external service providers (ESPs), but not all ESPs are cloud service providers. Major infrastructure providers like AWS, Microsoft Azure, and Google Cloud are common examples of CSPs, but the definition also includes all Software-as-a-Service (SaaS) companies that handle FCI, CUI, or SPD on behalf of an Organization Seeking Certification (OSC).