Managed Security Services in a CMMC World

October 29, 2024

Well, it is finally here…after several years and the failed launch of CMMC 1.0, the Department of Defense (DoD) has finally formally published the Cybersecurity Maturity Model Certification 2.0 program guidance. In my community, the angst around CMMC has been building over the past several years, with one company after another fretting on the cost and complexity of meeting the CMMC requirements. Now that the requirements are finalized, they can move from fretting to worrying about how to meet the requirements.

Recently, I was asked my opinion on what a Defense Industrial Base (DIB) cybersecurity assessment should look like. CMMC did not jump to mind when I was putting my response together, and this is the paradox of CMMC. Before I explain why, you should probably know a bit more about my background.

The Department of Defense (DoD) has finally released the formal rules behind the Cybersecurity Maturity Model Certification (CMMC) program, version 2.0. CMMC is now very real, and we’ll start seeing it as a requirement on DoD contracts over the next several months.

The final rules made a minor, but very important set of changes with regards to how the DoD treats External Service Providers (ESPs) such as Managed Security Service Providers (MSSPs). These changes significantly altered the compliance requirements for those companies from what was described in the proposed rules the DoD last released.

I’d like to use this post to dig into the new MSSP landscape for those companies faced with an upcoming CMMC journey. I’ll start with a disclaimer. I’m not a lawyer, and as with any federal regulations, things are open to interpretation. The following is my interpretation, and before you make any decisions regarding MSSPs within your CMMC program, please consult with your C3PAO and DoD customers to ensure that your MSSP strategy will get you through the assessment successfully. I’ll further caveat that the DoD has released on FAQ that further changed my thoughts on this and is likely to issue additional FAQs in the future further changing the MSSP landscape.

The DoD has estimated that 163,987 “small” companies will be required to go through the CMMC process (https://www.federalregister.gov/d/2024-22905/p-1239). According to the DoD, these “small” companies are “likely to outsource IT and cybersecurity to an External Service Provider (ESP)” (https://www.federalregister.gov/d/2024-22905/p-1252). It is more likely that small companies requiring Level 2 or Level 3 compliance will actually leverage MSSPs compared to the Level 1 companies.

Personally, I think the DoD is underestimating the number of companies that will need to go through CMMC, and I think many large companies will also use these External Service Providers. What we do agree on is that many companies that rely on these External Service Providers who are now facing CMMC and are now trying to figure out a strategy to meet their compliance requirements.

Before we dig into the details, I should explain some of the terms that the DoD uses within the CMMC program. We all know that the DoD can’t do anything without generating new acronyms. I’ve tried to simplify the definitions here, but I’ve cited DoD sources where they give concise definition.

So, an OSA can contract with an MSSP, which is a form of ESP that manages SPAs that generate SPD. I hope that is clear as day.

Previously, the DoD stated that SPD must be handled the same as CUI, which resulted in requiring the MSSP vendor to be CMMC compliant and to have all of their services either within scope of their CMMC assessment boundary, or to be a minimum of FedRAMP Moderate cloud offerings or equivalent. In the final regulations, the DoD removed that sentence and it resulted in setting up a structure where MSSPs are no longer required to be CMMC certified, but where it makes sense for them to be certified anyway.

On October 22, 2025, the DoD release a FAQ document that also informs this discussion, and that FAQ can be found here: CMMC FAQs (defense.gov)

This gets us to the scoping discussion, and where it is important to understand the role of an MSSP is going to have under CMMC.

For this discussion, I’m going to limit this discussion to CMMC Level 2, since that will apply to most contractors. There is scoping guidance for CMMC Level 1 and CMMC Level 3 available, and they should be similar.

I’m pulling this from Table 2, located here:

For Security Protection Assets managed by the MSSP, the OSA is required to:

The MSSP itself is responsible for:

All of the above assumes that the MSSP consumes, processes, or stores absolutely NO CUI. If it does, then all bets are off.

Now, let’s jump to Table 4, which clarifies this a bit.

For all CUI, including SPD which is corrupted by CUI it gets more complicated. Part of this is addressed in the FAQ under Q34. An MSSP handling CUI in the cloud is not a Cloud Service Provider if the OSA owns the licenses with the underlying cloud services managed by the MSSP. However, if the MSSP owns the licenses and “further modifies the basic cloud service”, then it may be considered a CSP and therefore require that MSP offering to be FedRAMP authorized or to meet the FedRAMP equivalency requirements. What isn’t clear is if basic tenant configuration or new cybersecurity detection rules constitute “further modification” or not.

So, when would an MSSP not be a CSP? If the MSSP technology stack is installed in the customer environment, then the MSSP would not be a CSP, but that technology stack would still fall under the OSA’s CMMC assessment boundary and treated as a SPA/SPD. Or, according to the FAQ, if the OSA owned the licenses used by the MSSP. Alternatively, the MSSP’s technology stack could be in a MSSP data center, and thus not be a cloud offering. However, the DoD defines a CSP this way:

“An ESP would be considered a CSP when it provides its own cloud services based on a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing that can be rapidly provisioned and released with minimal management effort or service provider interaction on the part of the OSA.” Source

That pretty much makes all non-locally hosted MSSPs CSPs by definition, even if their technology stack is within their own data center and not in a traditional cloud infrastructure. However, the FAQ Q30 does provide some clarity here, and according to the answer the MSSP wouldn’t need to be CMMC certified itself in this instance since the SPA will be in scope of the OSA’s CMMC assessment.

So, no matter what, expect the MSSP to fall under the OSA’s assessment. At a minimum their service capability will be assessed, and at a maximum they will be an OSA themselves and go through their own CMMC assessment.

Here is an important question: is SPD CUI?

As defined in the CMMC guidance, SPD is not CUI and is separable. While I agree with the DoD’s determination, their definition of SPD, specifically “data related to the configuration or vulnerability status of in-scope assets” potentially conflicts with Information System Vulnerability Information (ISVI), which is a CUI category (CUI Category: Information Systems Vulnerability Information | National Archives). Perhaps the DoD made the determination because the systems under question are not DoD owned systems, but rather OSA corporate systems. I’ve never like vulnerability data being treated as CUI, but that is the current guidance outside of CMMC. Maybe FedRAMP could learn from the DoD here.

Before an OSA celebrates that their MSSP doesn’t need to be CMMC compliant, it must take a very close look at the data ingested by the MSSP to verify that absolutely no CUI data is included.

Finally, why do I believe that despite the updated rules I believe that companies should be looking for MSSPs that are CMMC certified. Let me explain why I think this.

Reduced Risk

Failure to meet the CMMC requirements may lead to an OSA not being able to propose against new DoD contracts, to lose subcontracting opportunities, and potentially facing criminal charges if the DoD believes that the OSA has been fraudulent in describing their cybersecurity posture.

Simply put, there is a lot of risk of not doing CMMC correctly. Having a MSSP that has gone through this journey themselves reduces the risk. They understand the program, and if they are good, have tailored their offering to minimize the risk to the client.

Risk is also reduced in the event that CUI is accidently processed or stored by the MSSP, in what the DoD would consider an information spillage event. If the MSSP is CMMC certified and the SPA is authorized to handle CUI, this would be a non-event. This also would allow the OSA to expand the use of the SPA beyond pure security, and perhaps implement a data lake, conduct application performance monitoring, or other activities that may explicitly include CUI.

Operational Understanding of CMMC

The OSA is relying on an MSSP to satisfy multiple CMMC controls, most typically in the auditing and incident response areas. A CMMC certified MSSP has the experience to ensure that their services meet or exceed these requirements, and has likely tailored these services to ensure that the CMMC control is well met.

Level 2 has 110 controls, and of those 110, there are 9 controls under the Audit and Accounting family, and 3 under Incident Response which most likely be the responsibility of the MSSP to satisfy. While these are aligned with typical MSSP operations, there may be key differences between a how a CMMC MSSP would implement these controls and a non-CMMC MSSP which could impact the OSA’s ability to pass their audit. A CMMC MSSP should be tailored to ensure that these controls are met in a way that will absolutely pass the audit.

Audit Ready

The OSA is responsible for documenting how the MSSP meets the CMMC controls on behalf of the OSA. This is a case where the MSSP can no longer be a black box to the OSA, and where the MSSP must be proactive in providing operational details to the OSA so the OSA can adequately prepare for the audit, whether it be a self-assessment of conducted by a C3PAO. A CMMC certified MSSP understands this and should provide audit support as part of their service. This will include documentation on how they implement the CMMC controls for inclusion into the OSA’s system security plan, network diagrams, and inventory lists. Additionally, a CMMC certified MSSP is familiar with audits, and is comfortable facing the auditors during the audit interviews, and in generating the requested evidence.

Summary

CMMC 2.0 is here, like it or not. Tens of thousands of companies will now be looking at their existing MSSPs or determining if they need an MSSP to help them meet this new compliance framework. This is also a time for a shift in the MSSP community from a black box to a more active and transparent partnership with their clients. I expect a new class of MSSPs to come to market, that are tailored to support OSA’s along their CMMC journey. Ultimately the market will determine if companies stay with legacy non-CMMC MSSPs or not. My belief is that the new class of MSSPs will be successful, just like their FedRAMP counterparts have been. In the end we all have the same goals, to establish and maintain sufficient cybersecurity and compliance, and perhaps more importantly, let these companies focus on their product or service, which is why they are in business in the first place.

Follow Optiv
LinkedIn: www.linkedin.com/company/clearshark
Facebook: www.facebook.com/optivinc
YouTube: www.youtube.com/c/OptivInc
Blog: www.optiv.com/explore-optiv-insights/blog