CMMC Compliance Monitoring Services: What to Buy, What to Skip, and When Your Provider Enters Scope
CMMC compliance monitoring servicesare recurring engagements that operate, review, and document your security controls between assessments — log collection, alert triage, vulnerability tracking, control reviews, and the evidence proving all of it happened. Nothing in the CMMC rule requires you to outsource any of it. But here is what almost no vendor page tells you up front: when a provider’s assets process, store, or transmit your CUI or Security Protection Data, that provider’s services enter your Level 2 CMMC assessment scope under 32 CFR § 170.19.
Read that again with a proposal in front of you, because it means the monitoring service you’re pricing may quietly add something to the assessment you’re trying to pass. That’s not a reason to keep everything in-house. It’s the reason two proposals that look identical on the cover page can carry very different downstream cost — and it’s the first thing to settle before anyone talks about price.
This is the buyer’s guide. It is not the requirement explainer — we published that separately, and it goes deep on control text, cadence taxonomy, scoring weights, and the evidence chain. This page answers what comes next: what the service should include, who should provide it, when it changes your scope, and how to compare three proposals that all say “continuous compliance” and mean three different things.
The 30-second answer
| Question | Bottom line |
|---|---|
| Is buying a monitoring service required? | No. The obligation is to operate and evidence effective controls. Outsourcing is one of three delivery models. |
| Who is it for? | Contractors with recurring monitoring work nobody owns, alerts nobody triages, or evidence nobody can produce on demand. |
| Who is it not for? | Anyone shopping for a formal assessment, a one-time gap analysis, or software marketed as “automatic compliance.” |
| Does hiring one affect my CMMC scope? | It does when the provider processes, stores, or transmits CUI or Security Protection Data — which includes log files it ingests. Confirm the actual data flow before you sign. |
| Does Level 2 require a SIEM or a 24/7 SOC? | No product or staffing model is named as universally mandatory. Buy the capability you’re missing, not the phrase. |
| What drives the price? | In-scope users and assets, log sources and volume, retention, coverage hours, governance hours, and evidence support. |
| What changed in July 2026? | Phase II was suspended. Self-assessment, safeguarding, and affirmation obligations did not change. |
This page is for Level 2 contractors handling Controlled Unclassified Information (CUI) who are evaluating outside help; Affirming Officials who need defensible evidence between assessments; and small and midsize DIB companies trying to right-size a recurring contract.
This page is not the full answer forLevel 1 (Federal Contract Information only) companies, anyone still determining which level a contract requires, or organizations weighing Level 3 enhanced requirements. If that’s you, start with Find My CMMC Path instead.
What are CMMC compliance monitoring services?
CMMC compliance monitoring services are recurring, usually managed engagements that keep a defense contractor’s security controls operating and evidenced between formal assessments. There is no official CMMC credential named “CMMC compliance monitoring service.” A provider may separately hold a status in the CMMC ecosystem — Registered Practitioner (RP), Registered Provider Organization (RPO), or Certified Third-Party Assessment Organization (C3PAO) — but holding one of those does not turn a commercial service label into an official credential. What the label covers varies enormously between vendors, which is precisely why proposals are so hard to compare.
One distinction resolves most of the confusion. “Monitoring” is doing two different jobs in this market, and vendors blur them constantly:
Security monitoringwatches your environment for attacks. Log collection and retention, alert triage, detection, response. In NIST SP 800-171 Revision 2 — the standard CMMC Level 2 maps to under 32 CFR Part 170 — this lives in the Audit and Accountability family (§3.3) and the System and Information Integrity family (§3.14.6, §3.14.7). This is the SIEM, SOC, and managed detection and response (MDR) work.
Compliance monitoringwatches your controls. Are they still configured correctly? Did the review actually happen? Does the System Security Plan (SSP) still describe the environment you’re running? This is NIST SP 800-171 Rev. 2 §3.12.3 — CMMC practice CA.L2-3.12.3, monitor security controls on an ongoing basis— plus the SSP (§3.12.4) and plan-of-action (§3.12.2) work around it.
Most contractors searching for “monitoring services” assume they need the first. A real share need the second, or both. Buying a 24/7 security operations center will not cure an SSP that no longer reflects the actual environment — and that’s an expensive way to remain exposed.
What a monitoring service does not automatically include
- Correct CUI scoping — that decision stays with you
- Full NIST SP 800-171 implementation
- An accurate SSP (a provider can draft it; you attest to it)
- Any formal certification assessment
- Legal interpretation of your contract clauses
- The determination of whether an incident is reportable
- Any guarantee of a CMMC status or assessment outcome
Did the July 2026 Phase II suspension make this optional?
No. On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II — the phase that would have expanded third-party (C3PAO) assessment requirements beginning November 10, 2026 — and launched a 60-day program review. Phase I self-assessment requirements remain, and during the suspension procurements may designate only CMMC Level 1 (Self) or Level 2 (Self). DFARS 252.204-7012 safeguarding and cyber-incident reporting duties were not affected where that clause is included in and applicable to a contract.
Here is the part that matters for a buying decision. The government paused the expansion of third-party assessment. It did not pause the requirement — and it did not remove every external check. Three things remain live:
- Level 1 and Level 2 self-assessments, which carry your SPRS score.
- Annual affirmation, for organizations maintaining an applicable CMMC Status.
- Select Government-led assessments.DCMA DIBCAC Medium and High assessments did not go away. That’s the mechanism that produced the enforcement case below.
Under 32 CFR § 170.22, an Affirming Official — a senior representative with authority over your organization’s compliance — must affirm continuing compliance in the Supplier Performance Risk System (SPRS) after every assessment, including POA&M closeout, and annually thereafter. Not “we were compliant in March.” Continuing.That word is the entire business case for monitoring, and with third-party assessment paused, the weight of it now rests on your own attestation — which a government assessment can still test.
The 60-day review is run by a newly established CMMC Reform Task Force under a memorandum dated July 10, 2026, signed by DoW Chief Information Officer Kirsten Davies. Treat it as what it is: a policy review window, not a contractor deadline, and not a guaranteed public decision date.
One thing to do this week, regardless of what you buy.
The implementing memorandum directs contracting activities to amend active solicitations and to remove Level 2 (C3PAO) and Level 3 requirements from existing contracts by modification. A press release does not change your instrument — the modification does. Confirm in writing that the applicable amendment or modification has actually been issued for your contract before you assume anything changed for you.
Which clause numbers actually control your contract
Effective February 1, 2026, Class Deviation 2026-O0025 — Revolutionary FAR Overhaul Part 40, DFARS Part 240— directed Department of War contracting officers to use a revised FAR Part 40 and DFARS Part 240 construct for covered actions, and introduced DFARS 252.240-7997 for the Government assessment mechanics it addresses. A class deviation is not rulemaking. It changes what contracting officers put in covered solicitations and contracts; it does not erase codified clauses or rewrite instruments you already signed. That distinction is why two well-informed people can cite different clause numbers and both be right.
This is where a lot of vendor content goes sideways, and where a sharp buyer separates a firm that reads regulations from a firm that reads competitors’ websites.
| Clause | Codified status | Deviation-covered actions | What to check in your instrument |
|---|---|---|---|
| DFARS 252.204-7012 | Still codified and applicable when included | Unchanged | Whether it’s in your contract — it carries safeguarding, 72-hour reporting, and 90-day preservation |
| DFARS 252.204-7021 (CMMC) | Still codified | Unchanged; Level 2 (C3PAO) and Level 3 designations constrained by the July 2026 suspension | Which CMMC level and assessment type your solicitation designates |
| DFARS 252.204-7019 | Still present in the codified DFARS | Not used as the operative provision in Part 240 covered actions | Whether an existing instrument still carries it |
| DFARS 252.204-7020 | Still present in the codified DFARS | Covered actions use DFARS 252.240-7997 for the addressed Medium and High assessment mechanics; “Basic” assessment references removed | Which version your contract actually contains |
| FAR 52.204-21 | Still present in the codified FAR | Covered actions may use FAR 52.240-93; same title, text, and 15 FCI safeguarding requirements | Note that CMMC Level 1 still references 52.204-21 |
Assessment obligations did not disappear — CMMC self-assessment and affirmation continue, and the Part 240 construct retains mechanisms for Government-performed Medium and High assessments. And because this happened by deviation rather than rulemaking, both numbering systems will circulate until rulemaking catches up. Class Deviation 2026-O0025 is already at Revision 2, dated July 16, 2026, which tells you how live this is.
The buying test — and it is not “did they cite 7019.”
Ask every prospective provider:
“For our contract, which clause text controls — the codified clause, a deviation-covered Part 240 clause, or the language already in our instrument? Point me to it.”
A provider that can answer that has read your contract. A provider that treats codified, deviated, and existing-contract language as interchangeable has not — and you should assume the same looseness applies to their compliance claims.
What actually happens when a monitoring gap goes unnoticed
Two Department of Justice settlements in the last ten months show the two ways a monitoring gap surfaces, and neither involved an alleged data breach. In one, a government assessment found it. In the other, employees did. Both resolved under the False Claims Act, the mechanism the government uses when a contractor bills for work while representing cybersecurity compliance it cannot support.
We include these because buyers ask a fair question: what is the realistic downside? The answer is specific, documented, and public.
Path one — the government assessment. On June 18, 2026, DOJ announced that LOGZONE Inc., an Alabama contractor providing logistics services to the Navy, agreed to pay $507,144 to resolve FCA allegations. According to DOJ, LOGZONE self-reported a perfect SPRS score of 110 for its NIST SP 800-171 implementation. The issues were identified when the Defense Contract Management Agency assessed its implementation, resulting in a score of −170, at the low end of the possible range of −203 to 110. DOJ’s announcement identifies no relator. The settlement resolves allegations only; there was no determination of liability.
Path two — your own people. On September 30, 2025, Georgia Tech Research Corporation agreed to pay $875,000to resolve FCA allegations involving Air Force and DARPA contracts. Two former members of the university’s cybersecurity team filed the qui tam case in 2022; DOJ intervened in 2024. Among the allegations: that a submitted assessment score was based on a “fictitious” or “virtual” environment rather than the actual covered contracting system. Of the settlement, $201,250 went to the whistleblowers. Georgia Tech denied the allegations, and the settlement included no admission of liability.
| LOGZONE (June 2026) | Georgia Tech Research Corp. (Sept 2025) | |
|---|---|---|
| Amount | $507,144 | $875,000 |
| How the issues surfaced | DCMA assessment of NIST SP 800-171 implementation | Two former employees filed qui tam; DOJ intervened |
| Relator identified | No | Yes ($201,250 relator share) |
| Alleged data breach involved | No | No |
| What was at issue | Self-attested score versus assessed implementation | Score allegedly based on an environment that was not the actual covered system |
DCR editorial lesson:neither settlement establishes that buying a monitoring service would have changed the outcome, and we won’t claim it would. What both illustrate is the distance between what an organization represented and what its actual covered environment could support. A documented monitoring and evidence process is one of the disciplines that keeps that distance small — which is the real value proposition here. Not threat detection. Not a dashboard. Keeping your attestation supportable.
Do you need to buy this, or can your team do it?
Nothing in CMMC requires outsourcing. An internal team can run monitoring when it has adequate coverage, skill, documented procedures, evidence discipline, and — the one that trips people up — the capacity to act on what it finds. Outside help earns its cost when one or more of those is genuinely missing, not because the work feels intimidating.
Three delivery models, and the middle one is the one buyers most often overlook:
| Model | Best fit | Real advantage | Real risk | The test that settles it |
|---|---|---|---|---|
| Internal | Small, stable scope; capable staff; low log volume | Full control and scope visibility | Key-person dependency; execution slips when work gets busy | Can you show every recurring activity with owner, date, result, and action taken? |
| Co-managed | An existing IT team or MSP operates the systems, but security analysis, governance, or evidence ownership is unfilled | Keeps working relationships; fills precise gaps | Responsibility ambiguity between you and the provider | Is every handoff written into the SSP and a Customer Responsibility Matrix? |
| Fully outsourced | Multiple environments, real log volume, no after-hours capability | Specialist depth and continuity | Lock-in, evidence access, scope expansion | Can you retrieve and explain all your evidence without asking the vendor’s sales team? |
Before you take a single sales call — six questions
Answer these honestly:
- Can someone name and maintain every required log source?
- Can someone review findings at the cadence you’ve committed to?
- Can someone tell an actionable event from noise?
- Does every finding become a corrective action with an owner and a date?
- Does someone validate that the fix worked?
- Can you produce dated evidence for any of it, today, without help?
DCR decision heuristic, not a regulatory threshold:six supported yeses point toward a documentation and governance gap. Three or fewer point toward an operating-capacity gap worth scoping. Neither result establishes a requirement to outsource — it tells you what you’d actually be buying.
Not ready to talk to vendors yet?
Run your environment against our CMMC Readiness Checklist first — it’s mapped to the 14 security-requirement families, takes no login, and asks for no CUI. Contractors who arrive at a sales call with a completed checklist get materially better proposals, because they can describe the gap instead of asking the vendor to name it.
Run the CMMC Readiness Checklist first →When does hiring a monitoring provider change your CMMC assessment scope?
When the provider’s assets process, store, or transmit your CUI or Security Protection Data, its relevant services enter your Level 2 CMMC assessment scope under 32 CFR § 170.19. Security Protection Data is defined in 32 CFR § 170.4 and expressly includes log files generated by or ingested by a Security Protection Asset, configuration data required to operate one, data related to the configuration or vulnerability status of in-scope assets, and passwords granting access to the in-scope environment. A provider that handles neither CUI nor Security Protection Data does not meet CMMC’s definition of an External Service Provider (ESP).
Here’s the part we’d rather you hear from us than discover mid-assessment.
Buying a monitoring service can expand your CMMC assessment scope. If your provider ingests your security logs, that is Security Protection Data — the regulation names it. And the DoD CMMC Level 2 Scoping Guide uses exactly this scenario as its worked example: an ESP providing a security information and event management (SIEM) service may be logically separated and may never process CUI, but it still contributes to meeting CMMC requirements within your assessment scope.
So the honest answer to “will this simplify my compliance?” is: not automatically. It may add something you have to inventory, document, diagram, and have assessed.
Now the part that turns this from a problem into a filter. This applies to any external provider meeting the same test — including the MSP you already use. You are not choosing between scope consequences and no scope consequences. You are choosing between a provider who walks in already knowing this and one who doesn’t. A provider that supplies a usable service description and Customer Responsibility Matrix has handed you documentation you’d otherwise have to extract from them under deadline. A provider that looks confused when you ask has told you everything you need to know in the first ten minutes.
ESP scoping consequences under 32 CFR § 170.19 — CMMC Level 2
| What your provider processes, stores, or transmits | If they are a Cloud Service Provider (CSP) | If they are not a CSP | Documentation required before signature |
|---|---|---|---|
| CUI (with or without SPD) | The CSP must meet the FedRAMP requirements in DFARS 252.204-7012 | The provider’s services are in your assessment scope and are assessed as part of your assessment | SSP entry, service description, CRM, data-flow diagram, subprocessor list, FedRAMP status |
| Security Protection Data only (no CUI) | The services are in your assessment scope and assessed as Security Protection Assets | The services are in your assessment scope and assessed as Security Protection Assets | SSP entry, service description, CRM, data-flow diagram, subprocessor list |
| Neither CUI nor SPD | Does not meet the CMMC definition of an ESP | Does not meet the CMMC definition of an ESP | Document the basis for concluding neither is handled |
Row two is where most monitoring services land. Security Protection Assets are in the Level 2 CMMC Assessment Scope — documented in your asset inventory, your SSP, and your network diagram, and assessed against the Level 2 security requirements relevant to the capabilities they provide.
The regulation is equally specific about paperwork. The use of an ESP, its relationship to your organization, and the services provided must be documented in your SSP and described in the ESP’s service description and Customer Responsibility Matrix, which sets out who is responsible for what. The rule also notes that an ESP may voluntarily undergo its own CMMC certification assessment to reduce the ESP’s effort required during your assessment.
One nuance worth carrying into the conversation: Security Protection Data is not automatically CUI. But if a log or report contains information falling under a CUI category, it has to be handled accordingly — which changes which row of the table you’re in.
The five questions that settle scope before a demo, not after
- Will your personnel or systems process, store, or transmit our CUI?
- Will you receive, ingest, or retain Security Protection Data — security logs, configuration data, vulnerability status, or credentials for our in-scope environment?
- Which of your subprocessors touch it, and where is it stored?
- Are you a Cloud Service Provider, and if so, what is your FedRAMP status?
- Will you provide a service description and a Customer Responsibility Matrix before we sign?
If a provider can’t answer those five in writing, the proposal isn’t ready to price.
If scope expansion is genuinely unacceptable for your situation, the alternative isn’t heroics. It’s architecture: confining CUI to a smaller, well-defined environment so there is less to monitor and fewer providers touching it. Our CMMC scoping guide covers that path, and it’s the right next read if that’s where you’ve landed.
Map your monitoring gap before you take a sales call
The most expensive mistake on this page is requesting quotes before defining the gap — you end up buying the module that demos best instead of the one you’re missing. Tell us your level, CUI scope, environment, existing providers, and timeline. The Defense Compliance Report’s Find My CMMC Path tool routes you to a provider category — an RPO, an MSSP, a GRC platform, a CUI enclave, or when it’s actually required, a C3PAO. It routes to a category, not a ranking, and it takes a few minutes.
Map my monitoring gap with Find My CMMC Path →What should CMMC compliance monitoring services actually include?
A defensible service scope names the activity, the systems covered, the cadence, the responsible party, the escalation path, the corrective-action workflow, and the evidence produced. A proposal promising “continuous compliance” without those fields cannot be compared to another proposal, priced accurately, or relied on during an assessment.
The matrix below is the scope framework we’d hand a contractor before they write an RFP. We built it to sit between the regulation and the sales conversation. The requirement text tells you what must be true; a vendor quote tells you what they’ll sell. This maps what’s in between: what you’re actually buying, what stays yours regardless, and the one question that exposes whether a module is real.
The CMMC Monitoring Service Scope & Responsibility Matrix — v1.0, verified July 18, 2026
| Service module | Requirement basis | What you’re actually buying | What stays yours regardless | Evidence it must produce | Ask this in the RFP | SPD flag |
|---|---|---|---|---|---|---|
| Log collection & source health | §3.3.1 (AU.L2-3.3.1), §3.3.4 | Centralized ingestion; alerting when a source stops reporting | Deciding which sources are required; validating completeness | Log-source inventory, health alerts, retention settings, gap tickets | “Which sources are included, which are excluded, and what happens when one goes silent?” | Yes |
| Alert triage & escalation | §3.14.6, §3.14.7 | Human or defined-process review of detections; severity assignment; escalation | Business-impact decisions; who gets called | Alert record, analyst notes, severity rationale, disposition, response ticket | “Which events get action after hours versus a next-business-day email?” | Yes |
| Vulnerability scanning & remediation tracking | §3.11.2 (RA.L2-3.11.2) | Scheduled scans; findings triage; remediation follow-through | Risk prioritization and acceptance; system-owner fixes | Scan scope, authenticated-scan proof, findings with owners and due dates, retest evidence | “Does the price include authenticated scanning, retesting, and closure evidence — or just the scan?” | Yes |
| Endpoint & malware protection health | §3.14.1, §3.14.2, §3.14.5 | Agent deployment, policy enforcement, update and coverage monitoring | Application ownership; exception approval | Agent-health report, policy status, offline-device exceptions | “How do you find devices whose agent is disabled, outdated, or not reporting?” | Yes |
| Configuration & drift monitoring | §3.4.1, §3.4.2 (CM.L2) | Baseline monitoring; change detection; security-impact review support | Approval authority; business justification | Approved change record, configuration diff, impact review, baseline update | “How does an unapproved change become a tracked finding, and who updates the SSP?” | Yes |
| Control-effectiveness review | §3.12.3 (CA.L2-3.12.3), §3.12.1 | Recurring review that controls still work — the governance layer | Risk acceptance; control ownership; truth of implementation | Control calendar with owner, method, result, exception, corrective action | “Show me how every applicable control gets an owner, a cadence, a result, and a corrective action.” | Possible |
| SSP, plan of action & CRM upkeep | §3.12.2, §3.12.4; 32 CFR §170.19, §170.21 | Keeping documentation aligned with what’s actually running | Accuracy, approval, and the truthfulness of every representation | Versioned SSP, current operational plan of action, assessment POA&M where applicable, evidence index, change log | “Walk me from a technical ticket to an updated SSP entry.” | Possible |
| Incident response & DFARS reporting support | §3.6.x; DFARS 252.204-7012(c)–(g) | Detection, containment support, timeline reconstruction, reporting assistance | Determining reportability; submitting the report | Incident ticket, timeline, affected-system list, preservation log | “Who escalates a discovery, and who is authorized to submit the report?” | Yes |
| Evidence curation & export | NIST SP 800-171A objectives; 32 CFR §170.16/§170.17 | Organized, retrievable, assessment-ready artifacts | Deciding what constitutes sufficient evidence | Evidence index tied to requirements, with period covered and capture date | “Can we bulk-export everything, in a usable format, without a renewal or a fee?” | Yes |
| Management reporting | §3.12.3 (risk-based decisions) | Reporting that supports risk decisions, not alert-volume theater | Risk acceptance and resource decisions | Executive report showing unresolved risk, overdue actions, control failures, decisions | “Does the report show decisions and overdue corrective actions — or just how many alerts you closed?” | Possible |
Read the SPD column before the price column. Every module flagged Yesinvolves data the regulation names as Security Protection Data. That’s your scope trigger from the previous section, module by module — and it’s the reason the same monthly fee can mean two very different assessment consequences.
Not every contractor needs all ten. The modules that get quietly dropped from proposals are the unglamorous ones — control-effectiveness review, evidence curation, and SSP upkeep — because they don’t demo well and no vendor’s marketing leads with them. They are also the modules that make your affirmation supportable.
Which provider category fits which gap?
No single provider category covers all of CMMC monitoring. An MSP (Managed Service Provider) operates IT controls. An MSSP (Managed Security Service Provider) or MDR provider handles detection and response. An RPO or RP (Registered Provider Organization / Registered Practitioner) supports scope, interpretation, and readiness. A GRC (governance, risk, and compliance) platform organizes workflow and evidence. A CUI enclave constrains where CUI lives. A C3PAO (Certified Third-Party Assessment Organization) performs the formal Level 2 certification assessment.
The right CMMC provider isn’t the same for every contractor — the category you need depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
| Provider category | Genuinely good at | Not automatically responsible for | Choose it when |
|---|---|---|---|
| MSP | Identity, endpoints, patching, configuration, backup, day-to-day IT operations | Security analysis, SSP interpretation, formal assessment | Your operational IT controls are inconsistent or unowned |
| MSSP / MDR | Log monitoring, detection, alert triage, escalation, incident support | Your governance program, an accurate SSP, certification | You have telemetry but no analyst capacity behind it |
| RPO / RP / readiness provider | Scope, SSP, requirement interpretation, remediation planning, evidence strategy | Operating every technical control; conducting the certification assessment | You don’t know what applies to you or how to document it |
| GRC platform | Control mapping, tasks, evidence workflow, POA&M tracking, reporting | Performing the controls or validating that they’re truly working | Execution happens but ownership and evidence are scattered |
| CUI enclave | Confining CUI processing and collaboration; potential scope reduction | Removing enterprise systems, providers, or people from scope automatically | CUI can genuinely be restricted to a smaller boundary |
| C3PAO | The formal Level 2 certification assessment when authorized and required | Preparing you, implementing controls, or running your program | New Level 2 (C3PAO) designations are paused during the current Phase II suspension. Confirm what your contract requires after any modification |
Two guardrails we won’t soften
Software alone does not satisfy CMMC. A GRC platform automates evidence, reminders, control mapping, and reporting. It does not operate your technical and procedural controls. Treat it as a supporting layer. Any vendor claiming their platform makes you compliant is describing something the regulation does not recognize.
Know what actually triggers the independence restriction. Under 32 CFR § 170.8(b)(17), a CMMC Ecosystem member that served as a consultant to prepare an organization for a CMMC assessment may not participate in that organization’s Level 2 certification assessment within three years. Operational monitoring is not automatically assessment-preparation consulting, so determine what the engagement actually includes. C3PAOs are separately bound by Accreditation Body conflict-of-interest policies and ISO/IEC 17020:2012 impartiality requirements under 32 CFR § 170.9.
Match your gap to the right category before you request quotes
Sending the same vague “we need CMMC help” email to an MSP, an MSSP, an RPO, and a C3PAO produces four proposals you can’t compare and at least two that don’t fit. Map your situation first — level, FCI or CUI, assessment type, environment, timeline — and you’ll know which category to approach and exactly what to ask them.
Compare provider categories with Find My CMMC Path →Does CMMC Level 2 require a SIEM, a SOC, or 24/7 coverage?
No. CMMC Level 2 does not name a SIEM product, a security operations center, or around-the-clock analyst coverage as universally mandatory. The requirements specify outcomes — audit records created and retained, alerting on audit-process failure, correlated analysis, system monitoring, unauthorized-use detection — and a SIEM is a common way to achieve them at scale, not the requirement itself. A small number of specific activities are explicitly real-time, which is where most of the confusion starts.
| What the source says | Requirement | What it does and doesn’t prescribe |
|---|---|---|
| Explicitly real-time | §3.14.5 (SI.L2-3.14.5) | Periodic system scans and real-time scans of files from external sources as they’re downloaded, opened, or executed. That’s on-access antimalware — real and required. It is not a mandate to staff a console overnight. |
| Event-triggered | §3.3.4 (AU.L2-3.3.4) | Requires an alert in the event of an audit logging process failure. It does not prescribe an alert-delivery latency or a human staffing interval. |
| Risk-based and ongoing | §3.12.3 (CA.L2-3.12.3) | Monitoring at a frequency sufficient to support risk-based decisions. You set the cadence and you defend it. |
When 24/7 coverage is a rational purchase: internet-facing systems in scope, high log volume, no internal after-hours capability, meaningful ransomware exposure, or a contract specifying response times.
When a lighter model can hold up:a small, stable boundary, limited in-scope assets, strong endpoint controls, a documented business-hours review and response process, a real on-call escalation path, and a written risk decision explaining why. Whether that combination satisfies the applicable AU and SI assessment objectives still depends on your scope, implementation, and evidence — size and centralization alone don’t decide it.
What separates a defensible choice from a cheap one is the written rationale. “We review logs weekly because our enclave has eleven assets, no inbound services, and a documented on-call path” is a risk decision. “We didn’t get to it” is a finding.
For the control-by-control detail — which requirements set cadence, which leave it to you, and what each carries in SPRS scoring weight — see our CMMC continuous monitoring requirements guide.
How often should CMMC monitoring actually happen?
There is no single universal CMMC monitoring calendar. Some activities carry source-stated timing, some are event-triggered, and the rest are organization-defined at a frequency sufficient to support risk-based decisions under §3.12.3. When you buy a service, you are buying against yourcadence — so define it before you ask a vendor to price it, or you’ll be quoted theirs.
Six different clocks get flattened into the word “continuous.” Keep them separate when you write the scope:
| Clock | What sets it | Where it shows up in a service contract |
|---|---|---|
| Real-time | §3.14.5 for scans of files from external sources | On-access scanning configuration, not staffing |
| Event-triggered | §3.3.4 audit-failure alerts; incidents; advisories; changes | Alert configuration and escalation SLA |
| Recurring, risk-based | You define it under §3.12.3 | Review cadence, reporting cadence, retainer hours |
| “Periodically” | Under 32 CFR § 170.4, an interval set by the organization that may not exceed one year | Annual floor for the activities the guidance describes this way |
| Assessment cycle | 32 CFR § 170.16 / § 170.17 | Not a monitoring cadence — don’t let a three-year cycle set a three-year habit |
| Affirmation | 32 CFR § 170.22 — annually while maintaining an applicable status | The date your evidence has to be ready by |
The trap worth naming: a three-year assessment cycle is not a three-year monitoring cycle. Between assessments you’ll have system changes, new vulnerabilities, staff turnover, silent logging failures, and provider changes. That gap is what you’re buying coverage for.
For the full cadence taxonomy, the source-stated timing for each requirement, and how to document a defensible interval, see our continuous monitoring requirements guide.
What evidence, data rights, and SLAs should you demand?
A dashboard is not evidence. A monitoring service must produce artifacts you can retrieve, interpret, and hand to an assessor — tied to specific requirements, covering specific periods, and available to you whether or not you renew. Evidence portability and response commitments are contract terms, not product features, and they are the terms most often left undefined until they’re needed.
The evidence chain a provider should produce on demand: the monitoring plan (what was supposed to happen), the execution record (that it happened), the finding (what it revealed), the corrective action with an owner and date, the validation that the fix worked, and the management decision or document update that followed. Our Evidence-Chain Framework breaks this into seven layers.
The 90-day test
Where DFARS 252.204-7012 is included in and applicable to your contract, paragraph (e) requires that when you discover a cyber incident, you preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from submission of the cyber incident report, so DoD can request the media or decline interest.
The clause names monitoring data explicitly. So put this in the contract, not the kickoff call:
- Can your provider preserve and produce images and monitoring or packet-capture data for at least 90 days from report submission — and who executes that, at 2 a.m.?
- A short ordinary retention tier is not automatically a gap. A rolling retention tier with no incident-triggered preservation process is. The clause requires incident-specific preservation, not a universal 90-day hot-storage window for every log.
- How is preservation activated, in what format is it exported, and does it cost extra?
While you’re in that clause: reporting goes to https://dibnet.dod.mil, and “rapidly report” means within 72 hours of discovery of a cyber incident. Filing requires a DoD-approved medium assurance certificate. Verify access to the portal and the certificate beforean incident — the 72-hour clock starts on discovery, not on the day you finish setting up credentials.
Contract terms worth negotiating
| Term | Why it matters | What “good” looks like |
|---|---|---|
| Evidence access during the term | You can't prove what you can't reach | Self-service retrieval, no ticket required |
| Bulk export on demand | Assessments and transitions don't wait | Human- and machine-readable, no fee |
| Post-termination access | Evidence disputes outlive relationships | Defined window after cancellation, in writing |
| Incident preservation | DFARS 252.204-7012(e) where applicable | Explicitly in scope, with a named executor and activation method |
| Retention definition | Ambiguity becomes your finding | Stated hot and archive periods per source |
| Source-health notification | A silent log source is an invisible gap | Defined detection and notification time |
| Alert acknowledgment & escalation | "We monitor" is not a commitment | Acknowledgment and escalation times by severity |
| Containment authority | Someone has to be allowed to act | Named authorized actions and approval path |
| Failed-contact procedure | Incidents don't respect org charts | Documented fallback contacts and timeout |
| Remediation inclusions | Finding and fixing are different contracts | Included hours stated; overage rate stated |
| Customer Responsibility Matrix | Required by 32 CFR § 170.19 | Delivered before signature, not after |
| Subprocessor disclosure & change notice | New subprocessors can change your scope | Written list, advance notice of changes |
| Transition assistance | Lock-in is a compliance risk | Defined handoff of configs, rules, open tickets |
Take the checklist with you.
Everything in that table is available as our CMMC monitoring contract checklist — bring it to the negotiation rather than reconstructing it from memory. No login, no CUI.
One nuance vendors get wrong in both directions: NIST SP 800-171 does not set a universal log-retention period. Two separate rules do bite — the incident preservation above, and a six-year retention rule under 32 CFR Part 170 for the artifacts used as evidence for a Level 2 assessment, measured from the CMMC Status Date. For a Level 2 certification assessment, the C3PAO carries its own separate assessment-record retention duties. None of that is a mandate to keep every raw operational log in hot storage for six years, and anyone telling you otherwise is selling storage.
What should happen before a monitoring service goes live?
Onboarding should begin with your contract, CUI flow, and scope — not with installing a tool. A provider should establish and document a verified baseline before promising coverage, and you should formally accept what is and isn’t covered before the first invoice. Anything not written down at go-live becomes an argument during an assessment.
A compact acceptance checklist.Don’t sign off until every line has an answer:
- ✓Scope validated — CMMC Assessment Scope, CUI assets, Security Protection Assets, boundaries, and CUI flows confirmed in writing
- ✓Source inventory complete — Every log source named, with owner, and every exclusion listed explicitly
- ✓Data flow confirmed — Exactly what CUI or Security Protection Data the provider will receive, and through which subprocessors
- ✓CRM accepted — Responsibilities allocated line by line, reviewed by you, incorporated into your SSP
- ✓Coverage tested — Not asserted: verify collection works, and test the audit-failure alert
- ✓Escalation approved — Severity definitions, contacts, response times, authorized containment actions, failed-contact fallback
- ✓Evidence export tested — Pull a real export before you need one under deadline
- ✓Known gaps documented — Anything not covered at go-live, with an owner and a date
- ✓SSP and diagrams updated — The environment on paper matches the environment running
Don’t accept a universal “30/60/90-day onboarding” promise. Timelines depend on your environment; the acceptance criteria above are what actually matter.
What do CMMC compliance monitoring services cost?
There is no government-set price for CMMC monitoring, and no honest universal range, because proposals bundle different modules, log volumes, coverage hours, and governance work under identical names. What can be stated precisely is the pricing structure — the units vendors bill on — which is what lets you normalize quotes that look nothing alike.
We’re not going to invent a number. A range built from someone else’s scope is worse than no number, because it anchors your negotiation to something meaningless. Here’s what moves the price, and the unit to require in every quote:
| Cost driver | Pricing unit to require in the quote | Why it moves your number |
|---|---|---|
| In-scope users and endpoints | Per user or per endpoint, monthly | The usual headline unit — pin down what counts as an endpoint |
| Log sources and ingest volume | Per source, and per GB/day ingested | Volume grows silently; get the overage rate in writing |
| Retention period | Tiered by hot vs. archive duration | Longer retention is storage cost, often billed separately |
| Coverage hours | Business hours vs. 24/7, as a stated uplift | Priced as a step change, not a slider — interrogate this line |
| Governance and documentation hours | Retainer hours per month, or per review | Where control review and SSP upkeep live; confirm it's included |
| Onboarding and integration | One-time project fee | Connector build, tuning, baseline — rarely in the monthly headline |
| Remediation labor | Included hours, then a stated hourly rate | "We'll find it" and "we'll fix it" are different contracts |
| Incident response | Retainer, included hours, or hourly | Ask what an actual incident costs, not what monitoring costs |
| Assessment support | Hours, or explicitly excluded | Packaging evidence for an assessment is real work |
| CUI or SPD handling | May require a different service tier | Drives your scope consequences — see the ESP section |
Costs that surface after signature: connector setup, data migration, additional retention, after-hours callouts, extra endpoint licenses, cloud egress, API access, custom reports, evidence exports, termination assistance, annual escalators, and minimum contract terms. Ask about each before you sign, not after.
Why the lowest quote may not be the lowest cost.A low monthly number usually means governance hours, remediation, evidence support, SSP updates, and after-hours action sit outside the scope. You’ll buy them anyway — at hourly rates, under pressure, later.
The honest framing: ongoing monitoring is recurring operational work, and outsourced monitoring is a recurring operating expense. Budget it like insurance and accounting, not like a one-time purchase. For the broader Level 2 program budget, see our CMMC Level 2 cost guide — monitoring is a line inside it, not the whole thing.
How do you compare CMMC monitoring quotes on equal terms?
Compare proposals against one standardized scope you define, not against each other’s package names. Vendor packages differ materially, so a side-by-side of three brochures measures packaging, not value. Send every provider the same module list and the same questions, then normalize the responses into a single table before anyone discusses price.
Run the pass/fail gates first. Applying them before you compare pricing saves weeks.
A proposal fails preliminary review if it:
- Guarantees a CMMC status, certification, or assessment outcome — no provider can
- Can’t state its exclusions in writing
- Can’t say whether it will handle CUI or Security Protection Data
- Won’t provide a service description and Customer Responsibility Matrix
- Makes evidence export conditional on renewal
- Describes a dashboard as your compliance evidence
- Has no defined incident escalation path or failed-contact procedure
- Can’t say who performs remediation versus who reports findings
- Bundles assessment-preparation consulting and formal assessment without addressing the three-year independence restriction
- Can’t identify which clause or deviation text controls your actual solicitation or contract, and treats codified, deviation-covered, and existing-contract language as interchangeable
Then normalize the survivors. Same fields, same assumptions, every vendor:
| Comparison field | Vendor A | Vendor B | Vendor C |
|---|---|---|---|
| Onboarding / one-time fee | |||
| Monthly recurring fee | |||
| Contract minimum term | |||
| Users / endpoints included | |||
| Log sources included (list) | |||
| Ingest volume and overage rate | |||
| Retention: hot / archive | |||
| Coverage hours | |||
| Human triage included? | |||
| Alert acknowledgment / escalation times | |||
| Authorized containment actions | |||
| Vulnerability scanning: authenticated? retest? | |||
| Remediation hours included / overage rate | |||
| Control-effectiveness reviews included | |||
| SSP / plan of action / CRM updates included | |||
| Evidence deliverables (named artifacts) | |||
| Evidence export rights and format | |||
| Post-termination evidence access | |||
| Incident response: included or retainer | |||
| Incident preservation capability and executor | |||
| Handles CUI? Handles SPD? | |||
| Subprocessors disclosed | |||
| Material exclusions |
The headline monthly fee only becomes comparable once this table is filled in. Until then you are comparing packaging, and the cheapest package is usually the one with the most left out.
Get scoped quotes from the categories that actually fit
You now know which modules you’re missing, which category performs them, and what to put in the RFP. That’s a real scope — and a real scope gets you proposals you can compare instead of brochures you can’t. Tell us your level, scope, and timeline and we’ll point you to the provider categories that fit, with the questions to ask each one.
Get matched with the right provider categories →What we actually verified
We built this page by reading the primary sources ourselves — the scoping rule and its definitions, the affirmation rule, the current DFARS clause text on Acquisition.gov, the class deviation index published by the Defense Acquisition Regulations System, the DoD CMMC Level 2 Scoping Guide, the NIST requirement text, the July 2026 suspension release, and two Department of Justice settlement announcements. Where a statement is our conclusion rather than the regulation’s, we label it.
Verified
| What we verified | Source and edition | Claim type | Where it’s used |
|---|---|---|---|
| CMMC Phase II suspended July 13, 2026; Phase I self-assessments remain; only Level 1 (Self) and Level 2 (Self) may be designated during the suspension; select Government-led assessments continue | U.S. Department of War release, July 13, 2026; DoW CIO memorandum dated July 10, 2026 | Regulatory fact | Suspension section |
| Definition of External Service Provider and Security Protection Data, including log files ingested by a Security Protection Asset, configuration data, vulnerability-status data, and passwords | 32 CFR § 170.4 | Regulatory fact | Scope section |
| ESP scoping: CUI vs. SPD, CSP vs. non-CSP, Security Protection Assets in scope, SSP + service description + CRM required, voluntary ESP assessment reduces the ESP's effort | 32 CFR § 170.19, Tables 3 and 4 (read in full) | Regulatory fact | Scope section |
| A SIEM service is used as the worked example of an ESP that may not process CUI yet still contributes to meeting CMMC requirements within the assessment scope | DoD CMMC Level 2 Scoping Guide | Regulatory guidance | Scope section |
| Affirmation of continuing compliance by an Affirming Official in SPRS after every assessment, including POA&M closeout, and annually thereafter | 32 CFR § 170.22 | Regulatory fact | Suspension section |
| "Periodically" means an organization-set interval not exceeding one year | 32 CFR § 170.4 | Regulatory fact | Cadence section |
| Monitoring requirement text and control identifiers | NIST SP 800-171 Rev. 2 §3.3.1, §3.3.4, §3.11.2, §3.12.1–.4, §3.14.1, §3.14.2, §3.14.5, §3.14.6, §3.14.7 | Regulatory fact | Throughout |
| 72-hour cyber-incident reporting from discovery; preservation of affected-system images and relevant monitoring/packet-capture data for at least 90 days from report submission; FedRAMP requirement for external CSPs; medium assurance certificate | DFARS 252.204-7012, current text on Acquisition.gov (DFARS Change 5/7/2026) | Regulatory fact | Evidence and rights section |
| Class Deviation 2026-O0025 effective February 1, 2026, now at Revision 2 dated July 16, 2026; introduced DFARS 252.240-7997 for covered actions. Separately verified that DFARS 252.204-7019, DFARS 252.204-7020, and FAR 52.204-21 remain in the codified acquisition regulations | DARS class deviation index; Acquisition.gov | Regulatory fact | Clause section |
| Three-year restriction on a CMMC Ecosystem member that served as a consultant preparing an organization for a CMMC assessment; C3PAO conflict-of-interest and ISO/IEC 17020:2012 obligations | 32 CFR § 170.8(b)(17); 32 CFR § 170.9 | Regulatory fact | Provider category section |
| LOGZONE Inc. — $507,144; self-reported 110 score; DCMA assessment result of –170; range –203 to 110; no relator identified; allegations only | DOJ Office of Public Affairs, June 18, 2026 | Public enforcement record | Enforcement section |
| Georgia Tech Research Corporation — $875,000; qui tam origin; $201,250 relator share; allegations included a score based on a "fictitious" or "virtual" environment; denied, no admission of liability | DOJ Office of Public Affairs, September 30, 2025 | Public enforcement record | Enforcement section |
| CMMC Level 2 assesses against NIST SP 800-171 Revision 2, not Revision 3 | 32 CFR § 170.14; NIST CSRC | Regulatory fact | Throughout |
| Service module framework, RFP questions, delivery-model comparison, category fit, decision heuristics | Derived from the verified facts above | DCR editorial judgment | Matrix, categories, capability test |
What we did not do.We did not observe your systems. We can’t tell you which level your contract requires — the clause and your CUI handling set that. We did not evaluate or rank named providers on this page, which is why none are recommended here. We publish no dollar range for monitoring services because we don’t yet have a scope-normalized dataset of current quotes; when we do, we’ll publish the methodology alongside it.
Our editorial methodology, editorial standards, and corrections policy are public. Found a source or status change? Send us the authority and publication date and we’ll update this page.
Frequently asked questions
- Are CMMC compliance monitoring services required?
- No. Outsourcing is not required by any CMMC rule. CMMC Level 2 requires that security controls be monitored on an ongoing basis (NIST SP 800-171 Rev. 2 §3.12.3, CMMC practice CA.L2-3.12.3), but a contractor may perform that work internally, through one provider, or through a co-managed combination, as long as the process is effective and evidenced.
- Does CMMC Level 2 require a 24/7 SOC?
- Not as a blanket rule. Some activities are explicitly real-time — such as scanning files from external sources under §3.14.5 — but Level 2 does not require around-the-clock analyst coverage of every control. Whether 24/7 coverage is appropriate depends on your exposure, log volume, staffing, and documented risk decision.
- Is a SIEM required for CMMC Level 2?
- No specific SIEM product is named as universally mandatory. You still have to satisfy the applicable audit, monitoring, alerting, correlation, and response objectives in the AU (§3.3) and SI (§3.14) families. A smaller, stable environment may be able to meet them with centralized logging plus a documented review and response process, depending on its scope, implementation, and evidence.
- Will hiring an MSSP put them in my CMMC assessment scope?
- It does when the provider’s assets process, store, or transmit your CUI or Security Protection Data. Under 32 CFR § 170.4, Security Protection Data expressly includes log files generated by or ingested by a Security Protection Asset, so a provider that ingests your security logs is generally an External Service Provider whose services are assessed as Security Protection Assets under 32 CFR § 170.19.
- What is Security Protection Data?
- Under 32 CFR § 170.4, Security Protection Data is data stored or processed by Security Protection Assets that are used to protect your assessed environment. It expressly includes configuration data required to operate a Security Protection Asset, log files generated by or ingested by one, data related to the configuration or vulnerability status of in-scope assets, and passwords granting access to the in-scope environment. It matters because a provider can handle it without ever touching a CUI document and still fall inside your assessment scope.
- Is Security Protection Data the same as CUI?
- No. Security Protection Data is not automatically CUI. But if a log, report, or record contains information that falls under a CUI category, it must be handled according to CUI requirements — which can change how the provider’s services are treated under 32 CFR § 170.19.
- Does my monitoring provider need to give me a Customer Responsibility Matrix?
- Under 32 CFR § 170.19, the use of an External Service Provider, its relationship to your organization, and the services provided must be documented in your System Security Plan and described in the provider’s service description and Customer Responsibility Matrix. Ask for it before signing. You still have to validate it and incorporate it into your SSP yourself.
- Can a monitoring provider make my company CMMC compliant?
- No provider can produce or guarantee a CMMC status. A provider can operate controls, produce evidence, and support your documentation, but the organization remains responsible for scope, truthful documentation, self-assessment results, and the Affirming Official’s attestation in SPRS.
- Did the July 2026 Phase II suspension eliminate monitoring obligations?
- No. The Department of War suspended the transition to Phase II third-party assessments on July 13, 2026 and paused pending milestones. Phase I self-assessment requirements, DFARS 252.204-7012 duties where the clause applies, annual affirmation for organizations holding an applicable CMMC Status, and select Government-led assessments all remain.
- Does CMMC use NIST SP 800-171 Revision 2 or Revision 3?
- CMMC Level 2 currently assesses against Revision 2. NIST has published a Revision 3 in its general publication series, but CMMC continues to use Revision 2 until future rulemaking incorporates a change. Don’t let a vendor swap Revision 3 control numbers into a Level 2 program.
- Are DFARS 252.204-7019 and 252.204-7020 still in effect?
- Both remain in the codified DFARS. For covered actions, Class Deviation 2026-O0025 directs Department of War contracting officers to use the revised DFARS Part 240 construct, including DFARS 252.240-7997 for the Government assessment mechanics it addresses, and removes the “Basic” assessment references. Existing instruments may still contain the codified clauses, so confirm which text controls your specific contract.
- How long do I have to keep monitoring data?
- NIST SP 800-171 does not set a universal log-retention period. Two specific rules apply: where DFARS 252.204-7012 is applicable, paragraph (e) requires preserving affected-system images and relevant monitoring and packet-capture data for at least 90 days after submitting a cyber-incident report; and under 32 CFR Part 170, artifacts used as evidence for a Level 2 assessment are retained for six years from the CMMC Status Date. Set your ordinary operational retention by contract terms, risk, and evidence strategy.
- Can the same firm monitor us and then perform our assessment?
- Under 32 CFR § 170.8(b)(17), a CMMC Ecosystem member that served as a consultant to prepare an organization for a CMMC assessment may not participate in that organization’s Level 2 certification assessment within three years. Operational monitoring is not automatically assessment-preparation consulting, so determine what the engagement actually includes. C3PAOs are also bound by Accreditation Body conflict-of-interest policies and ISO/IEC 17020:2012 impartiality requirements.
- Can a GRC platform replace an MSP or MSSP?
- Usually not. A GRC platform coordinates control mapping, tasks, evidence, and reporting, but it does not patch systems, manage identities, monitor telemetry, or respond to incidents. Treat it as a supporting layer within a monitoring program rather than the program itself.
- What should I never send to a provider-matching form?
- Do not submit CUI, drawings, source code, credentials, security logs, IP addresses, vulnerability details, network diagrams, contract-controlled documents, or sensitive contract identifiers. Routing decisions never require any of it.
The bottom line
Buying CMMC compliance monitoring services isn’t really a purchase decision. It’s a scoping decision with an invoice attached.
Get the sequence right and everything else follows. Confirm what your contract actually requires after any modification. Map where CUI and Security Protection Data flow, including to any provider you’re considering. Identify which recurring activities have no effective owner. Then — and only then — send every prospective provider the same scope and compare what comes back. Skip to the last step and you’ll buy the module that demos best instead of the one you’re missing.
The suspension removed a deadline. It didn’t remove a duty, and it didn’t create a grace period for whatever your contract already requires. Your affirmation is still a senior official’s signature on a statement about a live environment, and ongoing monitoring is one of the disciplines that keeps that statement supportable in month fourteen.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Find My CMMC Path routes to a provider category, not a named-provider ranking or a certification guarantee.
Find my CMMC provider category →Primary sources referenced on this page
- 32 CFR § 170.4 — definitions of External Service Provider, Security Protection Data, Security Protection Assets, and “periodically”
- 32 CFR § 170.19 — CMMC scoping; Level 2 asset categories; ESP scoping requirements; SSP, service description, and Customer Responsibility Matrix
- 32 CFR § 170.22 — affirmation of continuing compliance
- 32 CFR § 170.8 and § 170.9 — conflict of interest; three-year consulting restriction; C3PAO requirements
- 32 CFR Part 170 — CMMC Program Rule, including § 170.14, § 170.16, § 170.17, § 170.21
- NIST SP 800-171 Revision 2 — §3.3.x, §3.4.x, §3.11.2, §3.12.x, §3.14.x
- NIST SP 800-171A (June 2018) — assessment objectives and methods
- DoD CMMC Level 2 Scoping Guide — Security Protection Assets and the SIEM/ESP example
- DFARS 252.204-7012 — safeguarding, 72-hour reporting, 90-day preservation, FedRAMP requirement for external CSPs
- DoD Class Deviation 2026-O0025 — Revolutionary FAR Overhaul Part 40 / DFARS Part 240 (DARS index)
- U.S. Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” July 13, 2026
- DOJ, LOGZONE Inc. settlement, June 18, 2026
- DOJ, Georgia Tech Research Corporation settlement, September 30, 2025