CMMC Update by Glenda R. Snodgrass for The Net Effect

November 12, 2025

Security Protection Assets & External Service Providers

It's final! The CMMC clauses will start showing up in all new contracts now. Be on the lookout ...

Meanwhile, I find that Security Protection Assets (SPA) represent one of the most confusing concepts in CMMC scoping, based on recent conversations. So let's tackle SPAs and ESPs!

First, definitions from the CMMC Program Rule (32 CFR 170):

External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data ... must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)

Security Protection Assets (SPA) means assets providing security functions or capabilities for the OSA’s CMMC Assessment Scope. (CMMC-custom term)

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC's assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (CMMC-custom term)

So, to summarize:

  • an ESP provides IT and/or cyber security services and has CUI or SPD on its assets
  • SPA are assets (i.e., products, tools) that provide security functions or capabilities
  • SPD must be stored or processed by SPA to qualify as SPD

Now that we understand exactly what these things are, we need to tackle the three biggest questions I get on a regular basis:

Do Cloud SPA need to be FedRAMP Moderate or Equivalent?

No. Table 4 "ESP Scoping Requirements" in the final rule makes it very clear that only CUI in the cloud needs FedRAMP Moderate (or equivalent), not SPD.

Do SPA need to provide a Customer Responsibility Matrix (CRM) for our assessment?

It's easy to confuse SPA with the ESPs that manage them. If you purchase a security tool (like a firewall) from a security vendor but you install, configure and manage that tool yourself, you do not need a CRM from the vendor or manufacturer. If, however, you pay a third party (MSP or MSSP) to manage that tool for you, that third party is an ESP and must provide you with a CRM and must be a part of your assessment. This is spelled out in the CMMC Assessment Process (CAP) beginning at section 2.16. If you have not yet read the CAP, you should do so now! It's important to understand how the assessment will be managed. The CAP is the guide that C3PAOs must follow.

What exactly is "relevant"?

The CMMC L2 Scoping Guide tells us that SPA will be assessed against "Level 2 security requirements that are relevant to the capabilities provided." So who defines what is relevant?

I say that you do. For example, if you write in your System Security Plan (SSP) for a particular assessment objective (AO): "We do [this] using [SPA] [in this way]," you have determined that the AO is relevant to the security functions and capabilities of that SPA. The assessor will verify that the SPA is doing this as described.

Too many people confuse "applicable" with "needs to be assessed." Many controls are applicable to SPAs (separation of duties, principle of least privilege), but SPAs aren't assessed on those controls unless the SPA is actually enforcing them (Entra ID/AD, for example). The SPA should be assessed on the controls for which it is doing something to help meet the requirement.

NOTE: Not all CCAs agree with me on the "relevant" question, though many do. This should be a topic of conversation with potential C3PAOs prior to engagement for official assessment.

Clear as mud? Ask me for help!

A Lead CCA’s Breakdown of How to Prepare for a Level 2 Assessment

Join me and Derek White of CuickTrac for this free webinar next week!



A practical discussion on what organizations can do to prepare for CMMC Level 2 assessments — directly from a Lead CCA’s perspective.

Key Takeaways:

  • How to structure and organize your readiness efforts before engaging with a C3PAO
  • Common pitfalls that slow down assessment progress (and how to avoid them)
  • Real-world tips to make your assessment process more efficient and effective

Register at https://ati.zoomgov.com/webinar/register/WN_3IC4patZT7yD3aBJJIoNHA#/registration

Hope to "see" you there!



Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
email: sales at theneteffect dot com