Key Points
- The CMMC final rule streamlines certification into three levels and makes compliance mandatory for DoD contract eligibility under the DFARS clause 252.204-7021.
- MSPs handling CUI now fall within CMMC assessments under 32 CFR § 170.19 and must meet the same standard as their defense clients.
- The clause rule treats undocumented controls as non-existent. MSPs must ensure every implemented security control is backed by written policies, procedures, and configuration records.
- MSPs should build a Customer Responsibility Matrix that maps each of the 110 NIST SP 800-171 controls to the MSP, the client, or a shared agreement, as required by 32 CFR § 170.19(c)(2)(ii).
- CMMC compliance now carries legal liability. Senior officials who sign off on self-attestations can face civil penalties under the False Claims Act.
The Department of Defense (DoD) has published its final rule for the Cybersecurity Maturity Model Certification (CMMC) program. As a result, all contractors and subcontractors within the defense supply chain are now contractually obligated to follow its requirements.
For managed service providers (MSPs), this development brings a new set of compliance challenges. If you’re managing systems that store, process, or transmit Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), your practices have a direct effect on whether your clients pass their CMMC assessments.
This guide breaks down the implications of the CMMC final rule for MSP operations and explores how you can align your services with these new requirements so that you can give your clients the support they need to achieve CMMC compliance.
What the CMMC final rule establishes and what makes it different from earlier iterations
The CMMC final rule, also known as the clause rule, formalized several requirements that were previously undefined or inconsistent in the early iterations of the framework.
Certification levels
The biggest change that the final rule made to the CMMC program is streamlining the original five-level structure to a three-tier certification model that was first introduced in CMMC 2.0. Each level corresponds to the type of sensitive information that a contractor or subcontractor handles:
| Level | Applies to | Requirements | Assessment type | Frequency |
|---|---|---|---|---|
| Level 1 | Contractors and subcontractors that store, process, or transmit FCI | 15 practices from FAR 52.204-21(b)(1)(i) through (b)(1)(xv) | Contractor self-assessment | Annually |
| Level 2 | Contractors and subcontractors that store, process, or transmit CUI | 110 security requirements in NIST SP 800-171 R2 | Self-assessment or third-party assessment by a certified CMMC Third Party Assessment Organization (C3PAO) | Annual self-assessment or C3PAO assessment every three years |
| Level 3 | Select contractors and subcontractors storing, processing, or transmitting high-value CUI as specified by the DoD | All CMMC Level 2 requirements plus 24 selected requirements from NIST SP 800-172 | Government-led assessments conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) | Every three years |
In addition to reducing the model from five levels to three, the clause rule also made NIST SP 800-171 the primary foundation for Level 2 requirements. Instead of introducing an entirely new set of rules, it builds on the standard that most contractors were already working with under the existing DFARS obligations.
This means that defense contractors who have already invested in NIST SP 800-171 can simply build on those controls instead of starting from scratch.
Assessment and enforcement
Before the final rule was published, CMMC compliance was largely self-reported. Defense contractors conducted self-assessments against NIST SP 800-171 and submitted Plans of Action and Milestones (POA&Ms) to the Supplier Performance Risk System (SPRS) whenever they found a gap in their implementation.
The CMMC clause rule changed this for Levels 2 and 3. Organizations seeking Level 2 certification must undergo either a self-assessment or a C3PAO assessment, depending on what their contract stipulates. Those at Level 3 will be assessed by the DCMA DIBCAC.
The rule has also made CMMC compliance a condition of contract eligibility under the DFARS clause 252.204-7021. If an organization wants to win a specific DoD contract, it needs to hold the certification level stipulated in that contract’s solicitation and maintain that status throughout the life of the contract.
Definitions and scope
In addition to this, the final rule also established a clear regulatory line between CUI and FCI.
- Federal Contract Information (FCI): Information generated or provided under a government contract that is not meant for public release.
- Controlled Unclassified Information (CUI): Information that requires specific safeguarding or disseminating controls according to law, regulation, or policy.
This distinction matters to defense contractors; too many organizations have confused CUI with FCI and vice versa, which means they were likely following the wrong set of requirements.
Together, these changes turned CMMC compliance from an aspirational standard that contractors were expected to follow into an enforceable regulation.
What the final rule means for MSPs
So, what does this mean for MSPs working in the Defense Industrial Base (DIB)?
The revised CMMC scoping guidelines make it clear that if an external service provider (ESP), such as an MSP, touches the systems or security infrastructure of an organization seeking assessment (OSA), it will be included in its compliance environment.
This is outlined in the 32 CFR § 170.19, which states that the CMMC Assessment Scope covers all assets in the OSA’s environment, including services and systems provided by an ESP that falls within that assessment boundary.
Now, whether or not an MSP is considered in scope depends on three key conditions:
- Whether it processes, stores, or transmits CUI on behalf of the OSA
- Whether it handles Security Protection Data (for example, configuration data, log files, or credentials)
- Whether its systems are connected to the OSA’s environment in a manner that affects the overall confidentiality of CUI
For MSPs working with defense contractors, at least one of these conditions applies, most commonly the third, since many of the 110 security controls stipulated in NIST SP 800-171 are delivered as standard MSP services.
Assessors aren’t just going to look into the contractor’s security controls; they’ll also evaluate how well you, the MSP, secure the tools, platforms, and structures you’re using to serve them.
At the same time, the final rule places greater emphasis on the importance of clearly defining the scope and shared responsibility between the MSP and the OSA.
Under 32 CFR § 170.19(c)(2)(ii), the use of an ESP, its relationship to the OSA, and the services provided must be included in the contractor’s official System Security Plan (SSP). This should also be stipulated in the ESP’s service description and Customer Responsibility Matrix.
You need to make sure that the division of compliance responsibilities between your team and your clients’ staff is clear and documented. Otherwise, assessors won’t have any basis for determining whether every control has its designated owner.
Ultimately, the CMMC clause rule highlights that MSPs are now active participants in the compliance process. The way that they deliver their services, implement controls, and maintain their own documentation directly shapes whether their defense clients can actually achieve and maintain the certification they’re after.
What MSPs should do to align with the new ruling
Since the new CMMC program has a three-year implementation period, now is the time to realign your services with its requirements. Here’s how you can get started:
Review your services against existing requirements
First, you should review your services and check which of them actually cover the 110 security requirements in NIST SP 800-171.
Go through each requirement and identify whether your current service delivery addresses it completely, partially, or not at all. This step is important because an MSP’s engagement with each client varies depending on what it was hired to do.
For example, your compliance responsibilities to a defense contractor that hired you to manage its entire IT stack will differ from those to a client that brought you in for help desk support.
Identify gaps in control implementation and documentation
Once you’ve audited your services, the next step is to look for any technical or documentation gaps.
Technical gaps are the controls that are either not implemented at all or aren’t implemented consistently across relevant systems. Meanwhile, documentation gaps are controls that are implemented in practice, but aren’t included in any written policies, procedures, or configuration records.
Documentation gaps are very common in MSP environments, but it’s not something that should be normalized. From a compliance perspective, an undocumented control is like a control that was never implemented in the first place.
Establish responsibility boundaries with clients
One of the biggest mistakes that MSPs make when it comes to CMMC compliance is forgetting to document who should be responsible for what.
32 CFR § 170.19(c)(2)(ii) of the CMMC final rule also requires that the division of compliance between an MSP and its clients be included in the defense contractor’s SSP and the Customer Responsibility Matrix.
If you’re missing these documents, then you’re operating on the assumption that your clients know which security controls fall on their responsibility and which don’t. Unfortunately, these assumptions rarely hold in formal assessments.
You want to ensure that your Customer Responsibility Matrix maps each applicable NIST SP 800-171 control to either you, your client, or a shared arrangement you’ve agreed upon.
Prepare for a more active role in compliance assessments
Finally, you need to prepare your team and inform them that your organization will be playing a more active role in CMMC assessments.
The final rule indicates that if your services are within the client’s assessment scope, which is often the case for MSPs working with defense contractors, your MSP will be part of the evaluation. This means that assessors may also interview your staff, review your documentation, and evaluate the systems and controls that you manage.
Your entire organization should be prepared for that level of scrutiny. All of your documentation should be organized well enough that you can easily present it to assessors.
MSPs have always supported defense contractors in managing and securing their IT environments, but the final rule fundamentally shifts that role from passive vendor to active partner.
Long-term implications of the CMMC clause rule for MSP operations
In addition to redefining the MSP’s role in the compliance process, the CMMC final rule also reshaped the MSP landscape for years to come.
Increased demand for compliance-focused services
As the enforcement timeline continues over the next three years, the volume of defense contractors actively looking for compliance support will likely increase. MSPs that offer managed compliance services built around the new CMMC program will find a new, growing market.
Greater accountability for ESPs
Now that ESPs are considered active participants in the compliance process, they’re expected to take accountability for the quality and completeness of the controls that they implement and maintain.
The results of formal CMMC assessments are documented and recorded in SPRS, which means there will be traceable records of your team’s contributions to your client’s compliance outcome.
More importantly, under the False Claims Act, senior officials who sign off on self-attestations are personally liable for the accuracy of what they affirm. If the compliance work you deliver doesn’t match what was attested to, both you and the contractor may face civil penalties.
Strong alignment between IT operations and regulatory requirements
The clause rule also adds further emphasis on the importance of aligning service delivery with regulatory compliance. Routine tasks, like patching, access management, and logging, should be executed with compliance in mind.
MSPs that incorporate CMMC compliance into their service delivery model are more likely to succeed than those that treat compliance and service delivery as two separate projects.
Ongoing evolution of compliance expectations
Lastly, it’s important for MSPs to recognize that the CMMC final rule is only the starting point of what is likely going to be a continuous evolution of cybersecurity compliance across the defense supply chain.
Right now, the new program only reflects what the DoD believes is the appropriate baseline for protecting sensitive defense information. Their assessment is largely dependent on the current threat environment, which is constantly evolving.
The threat environment that the new CMMC program aims to address is becoming more sophisticated than when it was initially conceived, and it’ll continue to grow as the years go by.
The biggest takeaway here is that MSPs should keep track of all the regulatory developments that could affect their defense clients’ compliance requirements.
Doing so gives them enough time to adjust their service offerings, update their documentation practices, and prepare their clients for what’s coming before it starts to arrive in government contracts.
The CMMC final rule redefines the MSP’s role in compliance assessments
The CMMC final rule represents a major shift in how cybersecurity compliance is enforced across the DIB, and for MSPs, this shift brings a new set of requirements that directly affect how you deliver your services.
What was once considered a defense contractor’s problem has now become a shared responsibility that extends to every service provider operating in their environment.
Every control you implement and the documentation you maintain has a significant impact on your clients’ ability to win and maintain contracts. More importantly, they reflect your organization’s commitment to the standards that the defense supply chain now requires.
That’s why it’s crucial that your team takes the new program with the same level of seriousness that your defense contractor clients do.
Understanding where your service falls within your clients’ assessment scope, closing gaps in your control implementation and documentation, and establishing responsibility boundaries with your clients are only a few of the steps that you could take to align your service delivery with these new demands.
And with the three-year implementation window, now’s the perfect time to restructure your service model in a way that supports both your defense clients and your business.