3rd party SOC/SIEM service CMMC question

old.reddit.com / @/u/MedalMedal, https://old.reddit.com/user/MedalMedal

I have two environments I secure: an ISO 27001 environment and an air-gapped second environment. I use Rapid7 for 3rd-party SOC/SIEM services, just to name a few, for the former environment. I wanted to use them in a second-instance scenario for the CMMC environment I'm securing, but my understanding of the controls around CUI is that since that SOC/SIEM service could see CUI in a file during an investigation or IR scenario, that SOC/SIEM service (in this case, Rapid7) would also need to be CMMC certified to my same level if I'm to use them.

Is that correct?

If yes, my assumption right now is there aren't any, as most don't pursue NIST 800-171 compliance... they pursue either FedRAMP, SOC 2 Type 2, both, or any others like ISO 27001.

Any help/info on this is greatly appreciated.

submitted by /u/MedalMedal

published 24 days ago
