
SPA, ESP, CSP - What's the Difference, and Why it Matters

Cybersecurity Maturity Model Certification (CMMC), the DoD’s system for assessing contractor compliance with security requirements, has a lot of acronyms. But SPA, ESP, and CSP are particularly important.


They are obviously different acronyms, but in practice the labels split fine and important hairs, and they are often confused. Each one carries specific consequences for how a CMMC assessment is scoped and conducted.


Let’s start with the definitions. 


SPA. SPA stands for Security Protection Asset, one of the five categories of assets under the CMMC scoping framework. “Security Protection Assets provide security functions or capabilities within the OSA’s CMMC Assessment Scope. Security Protection Assets are part of the CMMC Assessment Scope and are assessed against Level 2/3 security requirements that are relevant to the capabilities provided.” 


From an assessment perspective, the scoping guides state, “Assess against Level 2 [or 3] security requirements that are relevant to the capabilities provided.”


CSP.  CSP stands for Cloud Service Provider,  “An external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition is based on the definition of cloud computing in NIST SP 800-145 Sept 2011. (CMMC-custom term).”


In the context of assessments, if a CSP processes, stores, or transmits CUI, then the cloud service offering must be FedRAMP Authorized at the Moderate (or higher) baseline, or meet the DoD's FedRAMP Moderate equivalency requirements. Note that equivalency is specifically defined by DoD memorandum (which requires full compliance with the Moderate baseline, verified by a FedRAMP-recognized 3PAO) and is, in practice, a higher bar than authorization itself.


ESP. ESP stands for External Service Provider, “External people, technology, or facilities that an organization utilizes for the provision and management of IT and/or cybersecurity services on behalf of the organization. In the context of a contractor’s CMMC program, CUI or Security Protection Data (SPD) (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term).” Because the definition itself requires that CUI or SPD touch the ESP's assets, every ESP is by definition within your CMMC Assessment Scope.


During assessments, “If the OSC has identified an ESP as being within their CMMC Assessment Scope, the Assessment Team shall confirm that a Customer Responsibility Matrix (CRM) will be available and that ESP personnel will be present and actively participating in the assessment.” (CAP 1.6)



*This table has been copied from 32 CFR 170, the CMMC final rule, which you can find here.


So what is the problem? We frequently see these labels misapplied, and that misapplication can heavily impact assessment outcomes.


There are three major assessment requirements that make it essential to apply these definitions to your environment precisely and accurately. First, ESPs must have people prepared to participate in the OSC’s assessment. Consider that for a second. If Microsoft 365 GCC High (GCCH) were an ESP, Microsoft would have to have someone prepared to participate in your assessment. How likely is that? Pretty much nil. Fortunately, GCCH is a CSP, not an ESP. The point stands, though: an OSC should not label any service provider an ESP unless that provider is prepared to both share a detailed Customer Responsibility Matrix (CRM) and have a representative present and actively participating during the assessment.


Second, CSPs that process, store, or transmit CUI must be FedRAMP Moderate authorized (or meet DoD's equivalency requirements). See the table above. Many OSCs read this requirement as severely limiting their possible tool suite. However, the CMMC-specific definition of CSP sets quite a high bar: delivering a service from the cloud, or being a cloud-based tool, is not by itself enough to make a service provider a CSP. By basing the definition of CSP on the NIST definition of cloud computing, the DoD set the threshold at “enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” So, for example, a cloud-based SIEM would not be considered a CSP but rather a SPA, and would not require FedRAMP authorization. It is also unlikely that a cloud-based SIEM on its own would meet the threshold of being an ESP, “External people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization,” because the tool manages nothing on the OSC's behalf; the OSC's own staff operate it. An external SOC, by contrast, would qualify as an ESP: such a service performs cybersecurity actions on behalf of the OSC, and the SIEM it uses in support of that contract comes along with it.


Third, SPAs are to be assessed against the security requirements “relevant to the capabilities provided,” and there is no consensus in the Certified Third Party Assessment Organization (C3PAO) community on what “relevant” means for a given asset. OSCs would therefore do well to interview potential C3PAOs before selecting one and understand which requirements each would consider relevant. Continuing the examples above, an OSC using a cloud-based SIEM would benefit from asking candidate assessment organizations, “How would you evaluate the ‘relevant’ security requirements for SPAs, including a cloud-based SIEM solution?” Keep the questions away from consulting: a C3PAO may not provide consulting services to an OSC it assesses, but under the regulation it should be able to outline its assessment approach.


Security Protection Data (SPD) is not CUI. The fact that a system or tool processes, stores, or transmits SPD therefore does not make it subject to the FedRAMP requirement for cloud services outlined in the table above; that requirement attaches to CUI. Conflating SPD requirements with CUI requirements is a common misconception.


As stated above, the misapplication of these labels can make the difference between passing and failing a CMMC L2 Assessment. In summary: 


  • An organization only constitutes a Cloud Service Provider (CSP) when it provides cloud services based on cloud computing:

    • Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 

    • Example: Microsoft 365 GCC High (GCCH)


  • An organization or service only constitutes an External Service Provider (ESP) when it does both of the following:

    • Provides “External people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization.” 

    • Processes, stores, or transmits CUI or Security Protection Data (e.g., log data, configuration data) on its assets

    • Example: an external SOC or IT service provider, commonly referred to as an MSP or MSSP


  • A service or tool constitutes a Security Protection Asset (SPA) when it: 

    • Provides security functions or capabilities within the OSA's CMMC Assessment Scope

    • Example: a cloud-based SIEM operated by the OSC's own staff


To keep these conventions straight while building a compliant environment (and while undergoing assessment), DCG often recommends that clients maintain an external connections matrix. Such a matrix lists all of the OSC’s SPAs, ESPs, CSPs, and other external connections (e.g., ADP, DoD SAFE). In addition to the name of each connection, we recommend recording its designation as SPA, CSP, ESP, or external connection; its CMMC asset category (e.g., CUI Asset, Out-of-Scope Asset); relevant authorization or certification details (e.g., a CSP’s FedRAMP authorization information, an ESP’s CMMC status); and points of contact. 





Questions? Contact us at contact@cybersecgru.com

