How do third parties or service providers affect the scope of the audit?

Third parties are not automatically out of scope. If they touch key material or affect how it’s managed, they are part of the system.

The scope of a CCSS audit is defined by the CCSS Trusted Environment. That includes any people, processes, or technology that can impact the security of key material. If a provider is involved in key material generation, storage, access, usage, or could impact the key material in any way, they are in scope.

This often includes custodians, wallet providers, cloud infrastructure, signing services (multi-sig or MPC), and managed security or DevOps providers.

Using a third party does not shift responsibility. The system being audited is still responsible for meeting CCSS requirements.

In practice, this means either the third party is in scope and their controls are assessed, or the system relies on a Qualified Service Provider (QSP), where responsibilities are clearly defined.

If a third party is in scope, there needs to be visibility into how their controls work. Without that, it becomes difficult to show requirements are met.

Using a well-known provider is not enough on its own. What matters is whether the controls can be understood, evidenced, and audited as part of the system.

How is the scope of a system under CCSS defined?

Scope is the boundary of what’s being audited.

Anything that interacts with key material is part of the scope of a CCSS Trusted Environment.

In practice, scoping means identifying:
Where keys are generated, stored, accessed, and used
Who can interact with them
What systems or services are involved

During an audit, the scope often gets refined as the auditor asks more detailed questions and learns how things actually work in the system being audited.

A good rule:
If it could impact the key material, it’s in scope.

What is a CCSS Trusted Environment?

The CCSS Trusted Environment is everything that can impact the security of key material. This includes people, processes, technology, systems, infrastructure, and any third parties involved in key material generation, usage, storage, access, etc.

If a person or system can approve a transaction, access a key, or influence how key material is handled, they are part of the CCSS Trusted Environment. The same goes for vendors, cloud providers, or external services that play a role.

In practice, defining the CCSS Trusted Environment is about answering:
Who or what could compromise the key material?