Who is in-scope for CMMC security requirements
Here is a short video explaining if you use a Managed Service Provider (MSP), how they can fall in-scope of CMMC.
This is Steve. He is the business owner of Control Alt Defeat, a software development company. Steve has a contract with the Department of Defense to develop software executable code for a new missile guidance system.
This is Sarah. She works for Hercules IT, a local managed service provider.
Steve hires Sarah to manage his network where the software executable code is developed.
Because Sarah has access to the network that contains the software executable code, both Steve and Sarah are now in-scope to meet the CMMC CUI security requirements.