Yes.

CMMC auditors will focus extra attention on your supply chain, and your IT/MSP provider will be the first one a good auditor asks about.

Make sure your organization passes both the FAR 52 & DFARS Clause on to them. Don’t try to read in partial compliance; you don’t have the authority per the DFARS clause.

External Service Providers (ESPs) are heavily cited as being in scope in the DRAFT 32 CFR Part 170 – Cybersecurity Maturity Model Certification (CMMC) Program rule.