External Service Provider (ESP)

An External Service Provider (ESP) is a third-party entity that processes, stores, or transmits FCI, CUI, or SPD in its provision or management of IT and/or cybersecurity services to an organization seeking to undergo a CMMC assessment. 

What is an External Service Provider (ESP)?

Based on the definition in the CMMC Final Rule (32 CFR Part 170.4), an External Service Provider (ESP) is a third-party entity that processes, stores, or transmits Federal Contract Information (FCI), Controlled Unclassified Information (CUI), or Security Protection Data (SPD) in its provision or management of IT and/or cybersecurity services to an organization seeking to undergo a CMMC assessment. 

ESPs that meet this CMMC definition must be considered in the CMMC scoping process and will be assessed against CMMC security requirements.

ESPs can take many forms, including cloud service providers, software vendors, managed service providers (MSPs), managed security service providers (MSSPs), IT consultants, or other third parties that handle FCI, CUI, or SPD as part of their service delivery.