Vetting an MSP or ESP for CMMC: Questions to Ask Before You Sign

Most small defense contractors do not run their own IT. They lean on a managed service provider, and increasingly on an External Service Provider that touches CUI directly. That partner can make or break your CMMC outcome, because their security posture flows into your assessment. Choosing one on price or a vague claim of being "CMMC ready" is how contractors end up inheriting someone else's gaps. The right questions, asked before you sign, save you from that.

Why Your Provider Is Part of Your Scope

If a provider processes, stores, or transmits your CUI, or provides a security function to the environment that does, they are in your assessment scope. Their controls become controls you have to account for, and their failures become your findings. "CMMC ready" is not a certification, and a provider saying it does not transfer any assurance to you. What protects you is documented evidence of how they meet the controls that apply to them, and a contract that holds them to it.

Questions to Ask Before Signing

Put these to any MSP or ESP that will touch your CUI:

  • Will you provide a customer responsibility matrix showing exactly which controls you cover and which remain ours?
  • Where will our CUI be stored and processed, and is that environment appropriate for it?
  • Are your own personnel who access our data US persons where our CUI requires it?
  • Can you supply evidence, such as a current assessment or attestation, rather than just a claim?
  • How will you support us during an incident and the 72-hour reporting window?

Red Flags to Walk Away From

Some answers should end the conversation. A provider who cannot or will not produce a customer responsibility matrix is telling you they have not done the work. So is one who claims a single product or certification makes you compliant, who is vague about where your data physically lives, or who treats the contract terms around security and incident support as boilerplate they would rather not discuss. The right partner welcomes these questions because they have answers ready. The wrong one gets defensive, and that defensiveness is the most useful signal you will get before signing.

Whatever the provider tells you, get the responsibilities and the security commitments in writing. A verbal assurance is not evidence, and your assessor will want the documentation, not the sales pitch.

Provider Due Diligence Checklist

  • Obtain a customer responsibility matrix before signing, not after.
  • Confirm where your CUI is stored and that the environment fits the data type.
  • Verify US-person handling of your data where your CUI requires it.
  • Request documented evidence of their security posture, not just claims.
  • Put security responsibilities and incident support obligations in the contract.

CMMC Operator provides compliance readiness resources for informational and planning purposes only. This article is not legal advice, an assessment determination, or a substitute for a qualified C3PAO or GRC advisor. Validate provider responsibilities against your own scope, contracts, and the current CMMC guidance on external service providers.