Are you in the Defense Industrial Base? Do you use an External Service Provider (ESP) (a.k.a. MSP, MSSP, local IT company, et al) to help your business run? Did you know under 32 CFR Part 170, CMMC Program, DoD just dropped a big, stinky, and explosive turd ball in your lap?
DoD listened to everyone’s complaining about the aforementioned ESPs having to get certified by an Authorized CMMC 3rd Party Assessment Organization (C3PAO) like Peak InfoSec. In short, you got what your wanted BUT you won’t like it…
Well, in the rule they don’t have to be certified, “however, services they provide are in the OSA’s assessment scope.” Those are DoD’s words BTW.
Those ESPs, deemed in scope, “shall be assessed as part of the OSA’s assessment” if the ESP handles CUI or “shall be assessed as Security Protection Assets” if they are involved in protecting CUI.
So, if your ESP ####s up, you ####ed up too, to include not being eligible for a CMMC Level 2 Certification.
Starting to panic yet? Just remember, your ESP will expect you to pay for their staff’s time and effort to demonstrate they are complaint, to include providing you evidence to support your CMMC Level 2 Certification.
So, DoD foisted the business risk and cost of your ESP back on you, the Organization Seeking Certification (OSC), in order to demonstrate your conformity to NIST SP 800-171 in accordance with 32 CFR Part 170 directions.
Just Great.
Social Contact