The External Service Provider (ESP) is delivering critical security functions (SIEM, log management, MDM) that are integral to the OSC's ability to meet CMMC practice requirements for protecting Controlled Unclassified Information (CUI). According to official CMMC scoping guidance, when an ESP provides security protection for CUI assets, the ESP's offering is considered in-scope for the OSC’s CMMC assessment. The Assessment Team is therefore required to assess the ESP's services against all applicable CMMC practices to verify their implementation and effectiveness. The OSC remains accountable for ensuring the ESP's services meet these CMMC requirements.

B. Assess them against CA.L2-3.12.4 - System Security Plan only.

This is incorrect because assessing only the documentation in the SSP is insufficient; the actual implementation and effectiveness of the security controls provided by the ESP must be validated.

C. Review the SSP per practice CA.L2-3.12.4 - System Security Plan.

This is incorrect as it implies only a documentation review. The assessment must go beyond the SSP to test and verify that the ESP's services effectively meet the required CMMC practices.

D. They are out of scope; there is no need to assess them against CMMC practices.

This is incorrect because the ESP provides security protection for CUI assets, which explicitly places their services within the CMMC assessment boundary according to official scoping guidance.

---

1. Department of Defense (DoD). (2021, December 3). CMMC Scoping Guide Level 2. Version 2.0.

Section 2.4, External Service Providers (ESPs), Page 7: "If an ESP is used to process, store, or transmit CUI, or provides security protection for CUI assets, the ESP offering is in-scope for the OSC’s CMMC assessment." The scenario describes the ESP providing security protection (SIEM, Intune), making it in-scope.

Section 2.4, Page 7: "If the ESP does not have a CMMC assessment or a FedRAMP authorization with a scope that is appropriate for the OSC’s assessment, the C3PAO will assess the ESP’s offering as part of the OSC’s assessment against the applicable CMMC practices." This directly supports assessing the ESP against the practices.

2. Department of Defense (DoD). (2023, July). CMMC Assessment Process (CAP) for CMMC Level 2. Version 2.0.

Section 3.3.3, Scoping, Page 14: "The Assessment Team Lead validates the OSC’s proposed CMMC Assessment Scope... The CMMC Assessment Scope must include all assets that process, store, or transmit CUI as well as assets that provide security protection for CUI assets." This reinforces that the ESP's security services are part of the scope to be assessed.