Section E: External Service Providers
As a trusted Registered Provider Organization (RPO) for CMMC 2.0, Echelon is committed to simplifying compliance and protecting your DoD contracts. With the CMMC requirements now rolling out in phases from 2025 through 2028, defense contractors need clear, authoritative answers to remain eligible for future opportunities. To support your journey from readiness to certification, we have structured the official guidance from the DoD CIO's CMMC Frequently Asked Questions into this essential five-part series. We will break down the most critical rules, timelines, and requirements across the following sections: About CMMC, The CMMC Model, Assessments, Implementation, and External Service Providers (ESPs), helping you align with NIST 800-171 and achieve a smooth certification with our C3PAO partners.
E-Q1. Must my cloud service provider (CSP) meet Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline requirements if it processes, stores, or transmits CUI?
E-A1. Yes. Per DFARS 252.204-7012, if the contractor intends to use a CSP to store, process, or transmit CUI in the performance of a contract, the contractor shall require and ensure that the CSP meets security requirements equivalent to those established by the Government for the FedRAMP Moderate baseline.
This can be met by using a FedRAMP Moderate authorized service provider, or a provider that meets the requirements for equivalency as specified in the Department’s December 2023 memo, “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings.”
E-Q2. Can a non-FedRAMP Moderate cloud service offering store encrypted CUI data?
E-A2. No. If a contractor intends to use an external CSP in the performance of a DoD contract to store encrypted CUI data, the contractor shall require and ensure that the CSP meets security requirements equivalent to those established for the FedRAMP Moderate baseline.
E-Q3. An Organization Seeking Assessment (OSA) stores CUI in a system provided by a Managed Service Provider (MSP) that is not a cloud offering. Does the MSP require its own CMMC assessment?
E-A3. No. The MSP is not required to have its own CMMC assessment but may elect to perform its own self-assessment or undergo a certification assessment. If the MSP chooses to attain a CMMC certification to simplify the OSA’s assessment, the assessment level and type need to be the same as, or above, the level and type specified in the OSA’s contract with the Department, and the assessment must cover those assets that are in scope for the OSA’s assessment.
E-Q4. We separately outsource our IT support to an External Service Provider (ESP) (that is an MSP), and our security tools are managed by a different ESP (that is a Managed Security Service Provider). No CUI is sent to either vendor. Are they required to be assessed?
E-A4. Yes. In a scenario where IT support is handled by an MSP and where security protection data is handled by an MSSP, both the MSP and the MSSP qualify as ESPs and will be assessed as part of the OSA’s assessment against applicable security requirements. The ESPs do not require their own CMMC certification.
E-Q5. We store CUI in the cloud and our MSP administers the environment. Is the MSP a CSP?
E-A5. It depends on the relationships between the CSP, the MSP, and the OSA. If the cloud tenant is subscribed/licensed to the OSA (even if the MSP resells the service), then the MSP is not a CSP. If the MSP contracts with the CSP and modifies the basic cloud service, then the MSP may be a CSP and must meet applicable FedRAMP or equivalency requirements.
E-Q6. CUI is processed, stored, and transmitted in a Virtual Desktop Infrastructure (VDI). Are the endpoints used to access the VDI in scope as CUI assets?
E-A6. An endpoint hosting a VDI client is considered an Out-of-Scope Asset if it is configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client. Proper configuration of the VDI client must be verified. If the configuration allows the endpoint to process, store, or transmit CUI, the endpoint will be considered a CUI Asset and is in scope of the assessment.
E-Q7. Is the endpoint used to access a VDI required to be "in scope" for NIST SP 800-171 when implementing its controls to protect CUI, or can the endpoint be considered "out of scope" if CUI remains entirely within the VDI instance?
E-A7. Yes, the endpoint could be considered "out of scope," but this depends on how the VDI and VDI server are implemented. Some VDI systems include features that cache data on the client device or allow the virtual desktop to connect to the local machine’s file system, printers, or other resources for user convenience.
For NIST SP 800-171 compliance, these features must be disabled on the server side to ensure that unmanaged endpoints cannot mount drives, print files, or perform other actions that invoke system protocols (e.g., file handling, print spooling) beyond the basic VDI protocol (e.g., transmitting only video, keyboard, and mouse data).
If the VDI is properly configured to prevent copying (including screenshots), saving, or printing CUI on the endpoint (except within a NIST SP 800-171-compliant system), and multifactor authentication is implemented for access to the VDI server, the endpoint would not be considered "in scope."
To achieve this:
- The virtual desktop server must be configured to block copy-paste, file transfers, or any other data exchange across the session.
- The VDI should only transmit video, keyboard, and mouse data.
- Users must log into the virtual desktop and handle CUI entirely within the session.
- Multifactor authentication to the VDI server must be separate from the unmanaged client, such as using a hardware-based one-time password token or Public Key Infrastructure token with a password/PIN.
- Only authorized users should be allowed to access the virtual desktop environment, and access should be restricted to allowable locations.
By ensuring these configurations, the endpoint used to access the VDI can remain "out of scope" for NIST SP 800-171 and CMMC compliance.
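As an added example (not part of the DoD FAQ or of Echelon's guidance), the following PowerShell audit checks a session host for the server-side redirection lockdowns E-A7 lists. It assumes the VDI is Windows Remote Desktop Services (RDP-based), where these Group Policy settings are stored under the Terminal Services policy registry key; other VDI products expose the same controls under different names.

```powershell
# Added example, not from the DoD FAQ or Echelon. Assumes a Windows RDS/RDP session host;
# the values below are the Group Policy "Device and Resource Redirection" settings as
# written to the registry. Run on the session host with administrative rights.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> the E-A7 data-exchange channel it blocks when set to 1.
$RequiredLockdowns = [ordered]@{
    fDisableClip     = 'Clipboard redirection (copy-paste across the session)'
    fDisableCdm      = 'Client drive mapping (file transfer to/from the endpoint)'
    fDisableCpm      = 'Client printer redirection (printing CUI on the endpoint)'
    fDisableLPT      = 'LPT port redirection'
    fDisableCcm      = 'COM port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection (e.g. USB storage)'
}

function Test-VdiSessionLockdown {
    foreach ($name in $RequiredLockdowns.Keys) {
        # An absent value means the default applies, and the default ALLOWS redirection,
        # so "not set" is a finding, not a pass.
        $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting    = $name
            Controls   = $RequiredLockdowns[$name]
            Configured = if ($null -eq $value) { 'not set (default: allowed)' } else { $value }
            Compliant  = ($value -eq 1)
        }
    }
}

$results = Test-VdiSessionLockdown
$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'Endpoint cannot be treated as Out-of-Scope: a data exchange channel is still open on the host.'
} else {
    Write-Host 'All audited redirection channels are blocked on the host; session carries video, keyboard and mouse only.'
}

# Not auditable from the host registry: MFA with a hardware OTP or PKI token held separately
# from the unmanaged client, restriction of access to allowable locations, and screenshot
# capture on the endpoint itself. Those remain evidence items documented for the assessor.
```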
Ready for the Next Phase of CMMC? This concludes our essential five-part series on the official DoD CIO guidance. You now have the knowledge to navigate the 4-phase rollout and secure your external service providers. Now, it’s time to execute. Echelon provides the technical expertise and RPO guidance to ensure you hit every milestone with confidence and clarity.
Prepare for Your CMMC Assessment Today.
Ensure your organization stays ahead of the curve and eligible for future DoD opportunities.
This information is sourced from the official Cybersecurity Maturity Model Certification Program Frequently Asked Questions, Revision 2.2, January 2026, published by the Department of War (DoW) CIO.