CMMC 2.0 Final Rule: What Defense Contractors Need from Their MSP

The Cybersecurity Maturity Model Certification is no longer optional. Defense Industrial Base contractors must now prove compliance — and their IT service providers are in scope.

February 10, 2025 · Compliance

The CMMC 2.0 final rule, published in October 2024 and effective December 16, 2024, ends years of uncertainty about how the Department of Defense will enforce cybersecurity requirements across its supply chain. For the estimated 220,000 companies in the Defense Industrial Base (DIB), CMMC compliance is now a condition of contract eligibility — not a future aspiration.

For IT service providers managing infrastructure for defense contractors, the rule creates both obligation and opportunity. MSPs that handle Controlled Unclassified Information (CUI) or operate within the contractor's security boundary are themselves subject to CMMC assessment. Those that can demonstrate compliance become essential partners; those that can't become contract risks.

CMMC 2.0 structure: three levels

LevelRequirementsAssessmentApplies to
Level 115 practices (basic cyber hygiene from FAR 52.204-21)Annual self-assessmentContracts with FCI only
Level 2110 practices (aligned with NIST SP 800-171 Rev 2)Third-party assessment (C3PAO) or self-assessment depending on contractContracts involving CUI
Level 3110+ additional practices (NIST SP 800-172 subset)Government-led assessment (DIBCAC)Highest-priority programs

Most defense contractors will require Level 2 certification, which maps to the full 110 controls of NIST SP 800-171. This is where MSP capability matters most.

Why MSPs are in scope

CMMC 2.0 follows the CUI wherever it goes. If an MSP accesses, stores, processes, or transmits CUI on behalf of a defense contractor — or if the MSP's systems are connected to networks where CUI resides — the MSP is considered part of the contractor's security boundary and subject to the same CMMC level requirements.

Common MSP activities that bring CUI into scope:

An MSP can potentially reduce its CMMC scope by isolating its management infrastructure from CUI-handling systems, but this requires careful architectural planning and documentation — not just a statement in a service agreement.

If your remote monitoring agent runs on a server that processes CUI, your RMM platform is in CMMC scope. There's no exception for "we don't look at the data."

The MSP compliance gap

The reality is that most MSPs serving small defense contractors have not implemented the full 110 controls of NIST SP 800-171. Many have completed Plan of Action and Milestones (POA&M) documentation — acknowledging gaps while committing to future remediation — but CMMC 2.0 limits the use of POA&Ms. Under the final rule, organizations cannot have POA&Ms for more than 180 days, and certain critical controls cannot have POA&Ms at all.

For defense contractors evaluating their MSP, the question is stark: can your provider pass a C3PAO assessment today, or will their compliance gaps prevent your contract eligibility?

What defense contractors should require from their MSP

MSP evaluation checklist for CMMC

The market opportunity

For MSPs willing to invest in CMMC compliance, the defense contractor market segment represents a high-value, high-retention client base. Contractors who find a CMMC-compliant MSP are unlikely to switch — the cost of re-scoping and re-assessing a new provider is substantial. Monthly recurring revenue per client tends to be higher due to the elevated security requirements, and contract terms tend to be longer.

The providers who move first will capture this market. The compliance investment is significant, but the competitive moat it creates is durable.