CAGE Codes, Title 48 Status, and Terminology
Inaccuracies in CAGE codes have created problems for companies that have completed their formal cybersecurity assessment. After the assessment, the results must be transferred from the eMASS system to the SPRS database, and inaccurate registration data has caused problems with that transfer. Not only must the entity being assessed be registered in SAM with an active CAGE code; every entity within the scope of the assessment, including all entities in the company’s hierarchy, must also be registered in SAM with a correct CAGE code.
Title 48 CFR Status – the rulemaking process continues; there is no new information on when the process will be finalized.
Important terminology – The distinction seems small, but it is an important one. Note the correct way to reference an ESP in the regulation text quoted below: the phrase “not a CSP” matters, because the quoted provisions apply only to an ESP that is not a Cloud Service Provider (CSP). A link to the section follows the quoted text.
Level 2 certification assessment with the use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
(i) The use of the ESP, its relationship to the OSA, and the services provided are documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix.
(ii) The ESP services used to meet OSA requirements are assessed within the scope of the OSA's assessment against all Level 2 security requirements.
(iii) In accordance with § 170.19(c)(2), the OSA's on-premises infrastructure connecting to the ESP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA's SSP.
URL: https://www.ecfr.gov/current/title-32/part-170#p-170.17(c)(6)