The CMMC 2.0 final rule, published in October 2024 and effective December 16, 2024, ends years of uncertainty about how the Department of Defense will enforce cybersecurity requirements across its supply chain. For the estimated 220,000 companies in the Defense Industrial Base (DIB), CMMC compliance is now a condition of contract eligibility — not a future aspiration.
For IT service providers managing infrastructure for defense contractors, the rule creates both obligation and opportunity. MSPs that handle Controlled Unclassified Information (CUI) or operate within the contractor's security boundary are themselves subject to CMMC assessment. Those that can demonstrate compliance become essential partners; those that can't become contract risks.
CMMC 2.0 structure: three levels
| Level | Requirements | Assessment | Applies to |
|---|---|---|---|
| Level 1 | 15 practices (basic cyber hygiene from FAR 52.204-21) | Annual self-assessment | Contracts with FCI only |
| Level 2 | 110 practices (aligned with NIST SP 800-171 Rev 2) | Third-party assessment (C3PAO) or self-assessment depending on contract | Contracts involving CUI |
| Level 3 | 110+ additional practices (NIST SP 800-172 subset) | Government-led assessment (DIBCAC) | Highest-priority programs |
Most defense contractors will require Level 2 certification, which maps to the full 110 controls of NIST SP 800-171. This is where MSP capability matters most.
Why MSPs are in scope
CMMC 2.0 follows the CUI wherever it goes. If an MSP accesses, stores, processes, or transmits CUI on behalf of a defense contractor — or if the MSP's systems are connected to networks where CUI resides — the MSP is considered part of the contractor's security boundary and subject to the same CMMC level requirements.
Common MSP activities that bring CUI into scope:
- Remote management of servers or endpoints that store CUI
- Backup and disaster recovery services that replicate CUI-containing systems
- Email hosting or management where CUI may transit
- Help desk access to workstations used for CUI processing
- Cloud infrastructure management where CUI workloads run
An MSP can potentially reduce its CMMC scope by isolating its management infrastructure from CUI-handling systems, but this requires careful architectural planning and documentation — not just a statement in a service agreement.
If your remote monitoring agent runs on a server that processes CUI, your RMM platform is in CMMC scope. There's no exception for "we don't look at the data."
The MSP compliance gap
The reality is that most MSPs serving small defense contractors have not implemented the full 110 controls of NIST SP 800-171. Many have completed Plan of Action and Milestones (POA&M) documentation — acknowledging gaps while committing to future remediation — but CMMC 2.0 limits the use of POA&Ms. Under the final rule, organizations cannot have POA&Ms for more than 180 days, and certain critical controls cannot have POA&Ms at all.
For defense contractors evaluating their MSP, the question is stark: can your provider pass a C3PAO assessment today, or will their compliance gaps prevent your contract eligibility?
What defense contractors should require from their MSP
MSP evaluation checklist for CMMC
- CMMC level certification — ask for the MSP's own CMMC assessment status and timeline. If they haven't started, they're behind.
- Scope documentation — the MSP should be able to describe exactly which of their systems are in your CMMC boundary and which are out of scope.
- FIPS 140-2 validated encryption — CMMC Level 2 requires FIPS-validated cryptographic modules. Commercial-grade encryption isn't sufficient.
- FedRAMP or equivalent cloud hosting — if the MSP hosts CUI workloads in the cloud, the cloud environment must meet FedRAMP Moderate or equivalent.
- Incident response plan — the MSP needs a documented IR plan that includes 72-hour reporting to the DIBNet portal, as required for CUI incidents.
- Separation of duties — the MSP should demonstrate that personnel with access to your CUI environment undergo appropriate background screening and access controls.
The market opportunity
For MSPs willing to invest in CMMC compliance, the defense contractor market segment represents a high-value, high-retention client base. Contractors who find a CMMC-compliant MSP are unlikely to switch — the cost of re-scoping and re-assessing a new provider is substantial. Monthly recurring revenue per client tends to be higher due to the elevated security requirements, and contract terms tend to be longer.
The providers who move first will capture this market. The compliance investment is significant, but the competitive moat it creates is durable.