April 9, 2025 | Patrick Beggs

CMMC Compliance Countdown: 3 Things MSPs Need to Act on Now

ConnectWise executive explains how recent CMMC rule changes impact MSP responsibilities and outlines key steps to stay compliant.

The Department of Defense (DoD) established the Cybersecurity Maturity Model Certification (CMMC) for its contractors to enhance the protection of sensitive and unclassified information. The CMMC framework is a set of standards that helps the DoD ensure defense contractors have proper security measures when sharing sensitive government information, specifically Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Most recently, the final CMMC rule (published in October 2024) took effect in December 2024. Though requirements for Defense Industrial Base (DIB) contractors remained, the final wording reverted from the previous language in the December 2023 interim rule. This ultimately impacts compliance standards for external service providers (ESPs).

What MSPs Must Watch

Per recent updates, there is no direct requirement for ESPs, such as MSPs or managed security service providers (MSSPs), to have their own CMMC certification as long as they do not handle CUI/FCI. Instead, their security responsibilities can be determined via a shared responsibility matrix between the ESP/MSP and the DIB contractor. For MSPs supporting DIB contractors, this clarification impacts compliance expectations and operational responsibilities.

Here are the key takeaways from the final CMMC rule and recommended next steps for MSPs:

1. No Certification Requirement for Non-CUI Holders

  • What Does This Mean? The DoD states that MSPs/MSSPs (and tools) are not required to obtain CMMC certification if they do not store, process, or transmit sensitive government data. Responsibility for CUI security remains with the DIB contractor.
  • Next Steps
    • Assess the security requirements for your DIB customers.
    • A shared responsibility matrix based on NIST SP 800-171A helps MSPs and their customers clearly outline responsibilities and set a clear plan for handling security and standardizing their offerings.

2. Adherence to NIST SP 800-171 R2

  • What Does This Mean? The final CMMC rule confirms that compliance remains with NIST SP 800-171 Revision 2 (June 2018), versus the latest Revision 3 (May 2024). This ensures continuity and avoids immediate adjustments to the revised version.

  • Next Steps
    • Stay informed about future compliance updates. Although MSPs supporting DIB contractors can currently use NIST SP 800-171 Revision 2, this may change.
    • Proactively monitor security requirements to better support customers during CMMC compliance phases.

3. Updated Definitions for CSPs and ESPs

  • What Does This Mean? The definition of a cloud service provider (CSP) has reverted to the 2011 framework. ESPs using standard SaaS tools are no longer considered CSPs. For ESPs that use these off-the-shelf tools, the need for additional certifications is eliminated.
  • Next Steps
    • Ensure that your security practices align with any relevant compliance standards (such as NIST SP 800-171).
    • Although you may be avoiding the CSP certification requirements, these security practices help properly support DIB contractor customers.

Ensuring MSP Readiness for DIB Compliance

The bottom line: If an MSP isn’t specifically processing, storing, or transmitting CUI, it avoids direct CMMC certification. However, MSPs still need to support DIB contractors in meeting their compliance needs. Moving forward, MSPs can expect further updates regarding CMMC as the compliance landscape is constantly evolving.

In terms of immediate action, MSPs should:

  • Read the DoD CIO FAQ and the final CMMC rule.
  • Survey customers to understand their CMMC plans and timelines.
  • Review NIST 800-171 R2 and NIST 800-171A, and create a shared responsibility matrix for each control.

By taking these steps, your MSP can better support DIB contractors, streamline compliance efforts, and stay ahead of future regulatory changes.


Patrick Beggs is chief information security officer at ConnectWise. With over 20 years of experience leading high-performing technical and non-technical cybersecurity teams, Beggs has a strong track record of attracting and developing top talent to succeed in critical cyber operational roles.

Images: DALL-E
