Free, no email, dated outputClassify my company →
CMMC for Cybersecurity Companies: Do You Need Your Own Certification, or Just Better Evidence?
CMMC for cybersecurity companies has a clear answer, and a lot of what’s circulating about it is out of date.
Here it is. Nothing in 32 CFR Part 170 requires your cybersecurity company to hold its own CMMC Status merely because you serve defense clients. Not your MSP. Not your MSSP. Not your SOC, your incident response practice, or your security SaaS platform. When you handle a client’s data as an outside provider, the rule pulls your serviceinto your client’s assessment. It does not, on that basis alone, require you to go get certified.
That’s the headline. Here are the four facts that actually decide your situation, and you need all four:
- Your own contracts. If you hold a DoD prime contract or subcontract carrying DFARS 252.204-7021, you need your own CMMC Status — same as any other defense contractor. Being a cybersecurity company is irrelevant to that.
- What your systems touch. If your assets process, store, or transmit a client’s Controlled Unclassified Information (CUI) or Security Protection Data (SPD), your service enters that client’s assessment scope under 32 CFR 170.19.
- Your architecture. If you operate a cloud service that holds client CUI, DFARS 252.204-7012 requires your client to use a provider meeting FedRAMP Moderate or documented equivalency — which becomes your problem through your contract with them.
- Your ecosystem roles. If you hold a C3PAO authorization, or a CCP or CCA certification, 32 CFR Part 170 Subpart C puts separate conduct, conflict, and eligibility duties on you.
These stack.A firm can be a DoD subcontractor, an outside provider inside three other clients’ assessments, a cloud provider, and an ecosystem member — all at once, with four different sets of obligations.
We read the rule text, DoD’s own technical briefing, and the July 13, 2026 suspension memo to get to this. We also counted something nobody else has published: how many cybersecurity providers appear in the one validated public directory of CMMC-certified service providers.The number is 49. It hasn’t moved since May.
That number changes the math on what your certification is actually worth. We’ll get there.
Who this page is for — and who should leave
This page is written for the people who sell cybersecurity, not the people who buy it.If you run or advise an MSP, MSSP, SOC, MDR practice, vCISO firm, penetration testing shop, incident response team, security SaaS company, GRC platform, VAR, or integrator — and a defense contractor has asked you a question you couldn’t confidently answer — you’re in the right place.
Three readers should go somewhere else right now:
- You’re a defense contractor trying to figure out whether your MSP needs CMMC. Different question. Start with our guide to CMMC for IT MSPs, or the provider category guide for small business if you’re choosing a vendor.
- You have no DIB clients and no plan to get any. Then CMMC isn’t your problem, and a certification project would be a poor use of capital. Close the tab. We’d rather lose you than sell you a compliance program you don’t need.
- You want a list of vendors who sell CMMC services. That’s a buyer’s guide. Try our provider category comparison.
Still here? Good. Start by finding yourself:
Jump to your situation: We hold a DoD contract · We handle client CUI · We handle only logs, configs, or credentials · We operate the cloud service · We’re an RPO, RP, CCP, CCA, or C3PAO
What we actually verified
Every regulatory statement on this page is linked to its source at the point we make it. Here’s the full list and the date we checked each one.
| What we checked | Source | Verified |
|---|---|---|
| ESP scoping rules, Table 4 and Table 6 | 32 CFR 170.19(c)(2) and (d)(2), eCFR | Jul 18, 2026 |
| ESP, CSP, SPD, and SPA definitions | 32 CFR 170.4, eCFR | Jul 18, 2026 |
| Program applicability | 32 CFR 170.3, eCFR | Jul 18, 2026 |
| Assessment procedures and scoring | 32 CFR 170.17, eCFR | Jul 18, 2026 |
| C3PAO, assessor, and conduct requirements | 32 CFR Part 170 Subpart C (§§170.8–170.13), full text | Jul 18, 2026 |
| MSP-versus-CSP test, SPD examples, staff augmentation | DoD CIO, Technical Application of CMMC Requirements, February 2025 | Jul 18, 2026 |
| Phase II suspension terms | DoW Memo 26-P-1023, Attachment 1, July 13, 2026 | Jul 18, 2026 |
| Level 2 cost modeling | CMMC Program final rule, 89 FR 83092 (Oct. 15, 2024) | Jul 18, 2026 |
| Certified provider listings — we counted every entry ourselves | MSP Collective ESP Directory | Jul 18, 2026 |
| Clause structure under the FAR Overhaul deviations | DoD Class Deviation 2026-O0025 | Jul 18, 2026 |
How does CMMC for cybersecurity companies actually work?
CMMC can reach a cybersecurity company through four separate doors: its own DoD contract, its role inside a client’s assessed environment, its cloud architecture, and any CMMC Ecosystem role it holds. Being a cybersecurity company is not itself the trigger. Under 32 CFR 170.3, CMMC applies to DoD contract and subcontract awardees that process, store, or transmit Federal Contract Information or Controlled Unclassified Information on contractor information systems — a test about contracts and data, not industry category.
Most providers get stuck because they’re asking the wrong question. “Do cybersecurity companies need CMMC?” has no answer, the same way “do trucking companies need a hazmat endorsement?” has no answer. It depends on the load.
Here’s the test we use. Three gates, run in order, each answerable in an afternoon with documents you already have. Run all three — more than one result can apply to the same company, and often to the same service line.
Gate 1 — What does your contract say?
Not what a prospect said on a call. Not what a prime’s business development person implied. What the executed document says.
Pull every DoD prime contract, subcontract, purchase order, task order, and amendment your company holds, and look for two different clauses that do two different jobs:
- DFARS 252.204-7021 is the CMMC clause. It makes a specified CMMC Status a condition of award, requires you to maintain it during performance, and requires flow-down to applicable subcontracts.
- DFARS 252.204-7012 is the safeguarding clause. It establishes NIST SP 800-171 implementation, cloud service provider requirements, 72-hour cyber incident reporting, media preservation, and related duties. It does not, by itself, create a CMMC Status.
If 7021 is in your contract, you are a defense contractor who happens to sell cybersecurity. Your obligation is the same as a machine shop’s. Skip to that section.
If neither appears in anything you’ve signed, move to Gate 2 — but keep checking, because contracts change.
On flow-down. A prime’s informal email asking whether you’re “CMMC compliant” is not, by itself, a contractual obligation. A subcontract, purchase order, task order, incorporated clause, amendment, or accepted modification can create one. Under 32 CFR 170.23, the required level flowed to a subcontractor should be no higher than necessary for the information that subcontractor will handle, and acquisitions exclusively for commercially available off-the-shelf items are excluded. Don’t confuse a vendor questionnaire with a contractual requirement.
Gate 2 — What data touches your people and your systems?
This is where the analysis most often goes wrong, in both directions.
32 CFR 170.4 defines an External Service Provider (ESP)as “external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization.” Then it adds the qualifier that decides everything: “In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”
Read that last sentence again. No CUI and no Security Protection Data on your assets means you’re not an ESP for that service.That’s the rule’s own language.
Two things about that. It’s a service-leveltest, not a company-level exemption — you can be outside the ESP definition for your advisory practice and inside it for your managed service. And it doesn’t touch Gates 1, 3, or 4.
Security Protection Data (SPD) is the concept most providers have never heard of. Section 170.4 defines it as “data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment,” with examples: configuration data required to operate a security tool, log files generated by or ingested by that tool, data about the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.
That last item catches almost everyone. DoD’s February 2025 technical briefingspells it out: if you have offsite technicians or your MSP holds passwords to client equipment, you are “likely holding security protection data (SPD) in the form of admin passwords.”
| What your assets process, store, or transmit | Your status for that service |
|---|---|
| Client CUI — drawings, technical data, controlled project files | ESP handling CUI |
| Only logs, configs, vulnerability data, alerts, admin credentials | ESP handling SPD |
| Both | Apply the CUI path, and document the SPD functions and Security Protection Assets within that scope |
| Neither | Not an ESP for that service. Re-check Gates 1, 3, and 4 anyway |
Gate 3 — Whose architecture delivers the service?
The last gate determines which set of obligations lands on you, and it carries the biggest cost consequences.
DoD’s February 2025 briefing applies a clean operational test for the question every managed provider asks — am I a Cloud Service Provider?This is DoD technical guidance interpreting the rule, not rule text itself, but it’s the clearest official statement available:
If the cloud tenant is subscribed or licensed to the client — even if you resell the service — you are not a CSP. If you contract with a cloud provider and further modify the basic cloud service, you are a CSP and must meet applicable FedRAMP or equivalency requirements.
DoD adds the practical version: “An MSP which configures an OSA’s subscribed cloud service is not a CSP.” And the warning: “If the MSP owns the cloud tenant and further sub-divides it for customer use, they have probably crossed the line and are offering it as a cloud service.”
This one distinction is the difference between a documentation exercise and a FedRAMP program. Assume the worst and you can budget six figures for an obligation you don’t have.
Translation: isolation is money.A shared multi-tenant environment drags more of your business into your client’s assessment than a segmented one does.
The four paths — and how they stack
Run the three gates and you identify every path that applies to you. They are not mutually exclusive, and treating them as if they were is the most common structural mistake we see in provider compliance planning.
| Path | You’re on it when | What you owe | Source |
|---|---|---|---|
| Your own CMMC Status | Gate 1 hits — DFARS 252.204-7021 is in your own contract | A CMMC Status for your assessment scope, plus the required posting and annual affirmation | 32 CFR 170.3, 170.22 |
| Client-scope ESP treatment | Gate 2 hits and you’re not a CSP | A service description and Customer Responsibility Matrix; your service is assessed inside your client’s assessment | 32 CFR 170.19(c)(2) |
| CSP / FedRAMP duties | Gate 3 hits and your cloud holds client CUI | Your client must use a CSP meeting FedRAMP Moderate or documented equivalency; your actual duties flow through your contract with them | DFARS 252.204-7012, 32 CFR 170.19(c)(2)(i) |
| Ecosystem role duties | You hold a C3PAO authorization, CCP, or CCA certification | Conduct, conflict-of-interest, eligibility, and records obligations | 32 CFR Part 170 Subpart C |
| None of the four, for now | Gate 2 misses on every service line and Gates 1, 3, 4 miss too | Document why — the analysis is the deliverable, and a prospect will ask for it | — |
“None of the four” doesn’t mean no security obligations. Your client contracts, your insurance, your own risk posture, and any non-CMMC framework you’ve committed to are untouched. It means the CMMC rules don’t reach you on the facts as they stand today.
Decision point.
You now have a repeatable test. Run it on your own company before you read another word of vendor marketing.
Run the Three-Gate Test →Which kind of cybersecurity company are you, and what does that mean?
Cybersecurity business models split into materially different CMMC outcomes. A vCISO who reviews sanitized documents, a SOC ingesting client logs, and a SaaS platform hosting client CUI sit in three different regulatory positions, even though all three are “cybersecurity companies.” The variable is the data and the architecture, not the label on the business card.
Find your row. The middle columns state what the regulation establishes. The last column names the fact you still have to verify yourself, because that’s where the answer actually turns.
| Your business model | What the regulation establishes | Likely path | The fact you must verify |
|---|---|---|---|
| Strategy consultant / vCISO, advice only | Neither CUI nor SPD on provider assets means no ESP status for that service | None of the four | Whether any artifact you retain is CUI or SPD |
| Staff augmentation on client-owned everything | Delivery through client processes, technology, and facilities keeps provider assets out of the path | Often treated like client staff | Device, account, VPN, and credential-vault ownership |
| Penetration testing / vulnerability assessment | Vulnerability and configuration data about in-scope assets falls within the SPD definition | Client-scope ESP | Where findings are stored, how long, and whether the target data is itself CUI |
| Incident response / digital forensics | Logs, images, and captures can be SPD; CUI may also be present | Client-scope ESP, plus DFARS 252.204-7012 duties where the clause reaches you | Whether you retain artifacts on your infrastructure after closeout |
| MSP / RMM / help desk / managed administration | Passwords granting access to the in-scope environment are SPD | Client-scope ESP | Whether client CUI lands in ticketing, backups, or file shares |
| MSSP / SOC / MDR / managed SIEM | Logs generated or ingested by a security tool are the textbook SPD example | Client-scope ESP, assessed as a Security Protection Asset | Whether you also hold CUI, and who owns the cloud tenant |
| Security SaaS holding only SPD | SPD-only services are assessed as Security Protection Assets in the client’s scope | Client-scope ESP | Whether your platform has started ingesting CUI |
| Security SaaS or CSP holding client CUI | A CSP holding CUI must meet the FedRAMP requirements in DFARS 252.204-7012 | CSP / FedRAMP | Tenant ownership, and whether you modify the underlying cloud service |
| COTS product reseller, product only | Acquisitions exclusively for COTS items sit outside the general applicability statement | None of the four | Whether you also sell implementation, hosting, support access, or managed services |
| VAR / systems integrator | Product resale and service delivery are analyzed separately | Depends on the service half | Persistent support access, migration work, hosted components |
| RPO or readiness consultancy | Consulting artifacts can contain CUI or SPD; ecosystem conduct rules apply if you hold a credential | Client-scope ESP, plus ecosystem duties | Any later participation in that client’s certification assessment |
| C3PAO or assessment firm | Subpart C establishes organizational, personnel, and conflict requirements | Ecosystem role | Current authorization status and prior consulting relationships |
| Hybrid — DoD sub and MSSP | Both the applicability test and the ESP scoping rules apply | Two or more paths | Which legal entity and which systems support each role |
Two rows deserve a warning label.
Staff augmentation is narrower than people think.DoD’s briefing does treat outsourced staff working entirely inside client processes, technology, and facilities as “essentially the same as OSA staff.” But the very next line flags that offsite technicians and MSP-held passwords likely put SPD on your side of the line. If provider-owned laptops, VPNs, password vaults, or ticketing systems enter the delivery path, the clean staff-augmentation fact pattern no longer clearly applies. Re-run Gate 2.
“Temporary access” isn’t a category in the rule.Penetration testers and incident responders often assume short-lived access means no scope. The rule doesn’t measure duration. It measures whether CUI or SPD is processed, stored, or transmitted on your assets. A ninety-minute engagement can still create provider-side scope if the retained report is SPD.
Does your cybersecurity company need its own CMMC certification?
Not because of what your clients do. Under 32 CFR 170.19(c)(2)(i), an External Service Provider that is not a Cloud Service Provider and handles CUI has its services assessed as part of the client’s assessment, not through its own certification. Section 170.19(c)(2)(ii) states the ESP “may voluntarily undergo a CMMC certification assessment.” The word in the rule is voluntarily. A separate obligation exists only if your own contract carries a CMMC clause.
Table 4 to 32 CFR 170.19(c)(2)(i) sets out ESP scoping requirements for CMMC Level 2. Here it is, reproduced from the eCFR:
| When the ESP processes, stores, or transmits: | If the ESP is a CSP | If the ESP is not a CSP |
|---|---|---|
| CUI (with or without SPD) | The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012 | The services provided by the ESP are in the client’s assessment scope and shall be assessed as part of the client’s assessment |
| SPD (without CUI) | The services provided by the CSP are in the client’s assessment scope and shall be assessed as Security Protection Assets | The services provided by the ESP are in the client’s assessment scope and shall be assessed as Security Protection Assets |
| Neither CUI nor SPD | Does not meet the CMMC definition of an ESP | Does not meet the CMMC definition of an ESP |
Find the words “the ESP must be certified” in that table. They aren’t there. What’s there is that your services— not your company — enter your client’s assessment.
Then 170.19(c)(2)(ii) closes the loop: the ESP relationship must be documented in the client’s System Security Plan and described in “the ESP’s service description and customer responsibility matrix (CRM).” And: “Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment.”
DoD’s February 2025 briefing says the same thing twice, in plain English:
- “ESPs can voluntarily undergo their own CMMC Level 2 C3PAO assessment.”
- “ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do NOT require a separate CMMC assessment, nor do they require FedRAMP authorization or equivalency.”
Why so many sources say the opposite
Three different answers have been circulating, and two of them are out of date. We traced each one.
| What you’ve been told | Where it came from | What the current rule says |
|---|---|---|
| “Your ESP must be certified at the same level as you” | The proposed CMMC rule published December 26, 2023. It was repeated widely in 2024 provider marketing and press releases — much of which is still live and still ranking | The final rule published October 15, 2024, effective December 16, 2024, replaced this with Table 4. Certification became voluntary |
| “If your MSP touches CUI on its own systems, it needs Level 2” | Commentary from Cyber AB Town Hall sessions in 2025 | Town hall commentary is not the rule. Table 4 requires the services to be assessed within the client’s assessment |
| “If your MSP touches your logs, it needs Level 2” | Conflation of Security Protection Data with CUI | SPD-only providers are assessed as Security Protection Assets inside the client’s scope. DoD’s February 2025 briefing states they need no separate assessment and no FedRAMP |
We’re not calling anyone dishonest. Most of this is honest lag — the proposed rule said one thing, thousands of pages of marketing got written, and the final rule changed it. But the lag is expensive. A ten-person MSP that budgets six figures for a certification the rule doesn’t require has made a real business mistake based on a stale citation.
The catch, stated plainly
Not required is not the same as no obligation. Three things are true at once:
- The rule doesn’t require your certification.
- The rule does require your services to be assessed inside every client’s assessment, with a service description and Customer Responsibility Matrix for each one — and that’s more than a paperwork exercise. Your personnel may be interviewed. Your implementation may be examined and tested.
- Your clients and their primes can impose additional lawful contractual and vendor-risk requirements beyond the CMMC minimum, and many do.
That third point is what actually drives spending. The July 13 memo binds government contracting officers. It doesn’t rewrite a prime’s purchase order or a client’s vendor risk questionnaire.
Decision point.
If you’re an ESP without your own certification, the deliverable your client’s assessor will ask for is a Customer Responsibility Matrix — and a generic control list won’t survive contact with an assessment team.
Download the ESP Evidence Pack →What actually happens to your company inside a client’s assessment?
When an External Service Provider’s services enter a client’s CMMC assessment scope, the assessment team evaluates the relevant requirements using the examine, interview, and test methods in NIST SP 800-171A, which 32 CFR 170.17(c)(1) requires Level 2 certification assessments to follow. Under 32 CFR 170.19(c)(2)(ii), the ESP relationship must appear in the client’s System Security Plan and be described in the provider’s service description and Customer Responsibility Matrix.
This is the practical reality that “you don’t need certification” doesn’t capture, and it’s where providers get burned.
Here’s the sequence. Your client engages a C3PAO, or runs a self-assessment. Either way, the scoping exercise finds you. Then:
- They read your client’s SSP for the description of your relationship and your services.
- They ask for your service description — what people, systems, and facilities actually deliver the service.
- They ask for your Customer Responsibility Matrix — which requirements you implement, which the client implements, and which are shared with defined boundaries.
- For every requirement the CRM assigns to you, they gather evidence. Under 32 CFR 170.17(c)(1), the assessment follows NIST SP 800-171A, which evaluates each assessment objective by examining artifacts, interviewing personnel, and testing mechanisms. If the team can’t obtain sufficient evidence, the objective is scored NOT MET in your client’s assessment.
- Under Table 3 to 32 CFR 170.19(c)(1), your Security Protection Assets are assessed “against Level 2 security requirements that are relevant to the capabilities provided.” DoD’s briefing names the usual suspects: SIEM, vulnerability scanners, EDR.
Step 4 is where the cost lives, and it’s not just documents. Your people may sit for interviews. Your configurations may be tested.
What “evidence” means when an assessor says it
| Artifact | The question it has to answer | How it’s likely evaluated | Where providers fail |
|---|---|---|---|
| Service description | Exactly which people, systems, and facilities deliver this service | Examine | Marketing copy with no technical boundary |
| Customer Responsibility Matrix | For each applicable requirement: yours, theirs, or shared — and shared how | Examine | A generic control list that doesn’t match what the client bought |
| Data flow diagram | Where CUI and SPD enter, travel, rest, and leave | Examine | Omits ticketing, backups, log archives, and admin jump boxes |
| Asset and hosting inventory | Which of your assets and which fourth parties deliver the service | Examine | Lists client endpoints only, ignores your own stack |
| Identity and access model | Who administers what, from which devices, from where | Examine, interview, test | Shared admin accounts and undocumented access paths |
| Log and vulnerability handling | What security data you retain, where, and for how long | Examine, test | No classification, no retention rule, no deletion evidence |
| Incident procedure | Who detects, who reports, who preserves, on what clock | Examine, interview | An SLA that conflicts with the client’s 72-hour DFARS 252.204-7012 reporting duty |
| Personnel availability | Who on your team can answer for an assigned requirement | Interview | Nobody scheduled, or the wrong person |
| Fourth-party map | Which of your vendors touch client CUI or SPD | Examine | Unknown downstream cloud and support dependencies |
| Exit and deletion plan | How data, accounts, and evidence are returned or destroyed | Examine | Client data survives termination indefinitely |
If you can produce those on request, you’re a low-friction vendor in a market full of high-friction ones. That’s a sales asset, and it costs a fraction of a certification.
How often? There’s no universal rule setting a provider evidence cadence. Each customer assessment in which your service is in scope may require current evidence and participation from you. The client’s Affirming Official owns the annual affirmation under 32 CFR 170.22— not you — but what they need from you to sign it depends on your contract with them.
How many cybersecurity providers hold a CMMC Level 2 certification?
As of July 18, 2026, the MSP Collective ESP Directory — an opt-in public directory of External Service Providers whose CMMC Level 2 certification the MSP Collective states it validates with the assessing C3PAO — listed 49 entries. All 49 are Level 2 against NIST SP 800-171 Rev. 2. None are Level 3. Listing velocity peaked at 15 in the first quarter of 2025 and fell to four in the second quarter of 2026. This is a dated third-party directory snapshot, not a complete census of every organization holding a CMMC Status.
When the final rule landed, the Cyber AB did not stand up a directory of certified service providers. The MSP Collective — formally, MSPs for the Protection of Critical Infrastructure — built one. Listings are free. Inclusion requires the provider to meet the ESP definition in the final rule, to not be a CSP handling CUI, and to hold a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC). The MSP Collective states that it validates each submitted entry with the assessing C3PAO before publishing. That validation step makes it the best public dataset available on this question.
Directory listings by certification quarter
| Quarter certified | New listings | Running total |
|---|---|---|
| 2025 Q1 | 15 | 15 |
| 2025 Q2 | 12 | 27 |
| 2025 Q3 | 5 | 32 |
| 2025 Q4 | 7 | 39 |
| 2026 Q1 | 6 | 45 |
| 2026 Q2 | 4 | 49 |
| 2026 Q3 (through Jul 18) | 0 | 49 |
What the snapshot shows
Forty-nine listed providers. Fifteen carry certification dates in a single opening quarter, and nine share the same date — March 7, 2025.
Nothing new since May 18, 2026. That’s the most recent certification date in the directory. When we counted on July 18, that was a 61-day gap in a directory that had been adding four to fifteen entries a quarter for the previous fifteen months. Note the chronology:that gap opened before the July 13 suspension. The suspension may well affect future certification demand, but this snapshot can’t establish why the earlier slowdown happened.
Scale, as two separate facts.DoD’s February 2025 briefing estimates roughly 75,000 DIB companies fall at CMMC Level 2 and roughly 140,000 at Level 1. The directory lists 49 providers. Those are different measurements of different things — one is a population estimate, the other an opt-in listing count — and we’re not going to divide them into a ratio that implies a demand relationship neither number establishes. Read them side by side and draw your own conclusion.
Geography is lopsided. Virginia (9) and Maryland (7) together account for 33 percent of listings. Headquarters appear in 25 U.S. states and one Canadian province.
Everyone is at the same level.All 49 are Level 2 against Rev. 2. Zero are Level 3. Eight of the 49 are MSP Collective members, so the directory isn’t a members’ club.
Listed firms include C3 Integrated Solutions, CorpInfoTech, CyberSheath, Summit 7, OSIbeyond, ProStratus, MAD Security, Ntiva, and RSM US LLP, alongside two dozen regional providers most of the market has never heard of.
Decision point.
This snapshot is the clearest public picture of the certified-provider market anyone has published. Take the underlying data with you.
Download the July 18, 2026 directory analysis →What does certification actually cost — and is it still worth it?
DoD’s regulatory analysis in the CMMC Program final rule models a small-entity Level 2 certification assessment plus initial affirmation at $101,752, and $104,670 over three years including two additional annual affirmations. Other-than-small entities are modeled at $112,345 initially and $117,768 over three years. The C3PAO engagement line alone is modeled at $31,234 for small entities and $52,056 for other-than-small. A small-entity Level 2 self-assessment plus initial affirmation is modeled at $34,277, or $37,196 over three years.
Those are DoD’s numbers, published in the final rule at 89 FR 83092. Read the fine print on them:
| What the number is | What it isn’t |
|---|---|
| A regulatory burden model built for rulemaking cost analysis | A market quote or a rate card |
| Modeled on an entity that has already implemented NIST SP 800-171 Rev. 2 | Inclusive of implementation, remediation, or engineering work |
| Assessment plus affirmation labor and fees | The tooling, enclave, documentation, or staff time to become assessable |
| A per-entity average across a modeled population | What any specific company paid |
That last row matters. The variable that determines your real number isn’t the assessment — it’s how far your environment is from ready before anyone shows up.
Here is our damaging admission, and it’s a real one
If your cybersecurity company certified at CMMC Level 2 in 2025, you invested in a credential that cannot currently be newly designated in any procurement requirement.
DoW Memo 26-P-1023suspended the Phase 2 transition. During the suspension, Program Managers and requiring activities “must only include the need for CMMC Level 1 (Self) or Level 2 (Self) assessments in procurement request and requirement documents” and “may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments during this period.” No waivers are being granted.
DoD modeled the three-year small-entity assessment-and-affirmation burden at $104,670 — and that excludes everything you spent getting ready. We could have buried that. We’re not going to, because you’d find out anyway and because the honest version is more useful than the comfortable one.
Now the part that matters more.
First, the certificate was never the requirement — it was the shortcut.Read Table 4 again. Your Table 4 obligations didn’t move an inch on July 13. The service description, the Customer Responsibility Matrix, the SSP documentation, the Security Protection Asset assessment — those live in 32 CFR 170.19, and the memo didn’t touch 32 CFR 170.19. Section 170.19(c)(2)(ii) says voluntary certification “may reduce the ESP’s effort required during the OSA’s assessment” — it reduces effort, it doesn’t eliminate customer-specific scoping, CRM validation, boundary verification, or your participation. But reducing that effort across a client book is real money.
Second, scarcity is still an asset.Forty-nine listed providers. A DIB that DoD sizes at roughly 75,000 companies at Level 2. If the program returns in a recognizable form — and the memo says “further guidance will be promulgated at the conclusion of the CIO’s 60-day review,” not “the program is cancelled” — that position took eighteen months and a serious investment to build.
Third, there’s an open door with a date on it. More on that below.
If this stings, here’s your off-ramp. Mid-assessment right now? Talk to your C3PAO before you cancel, because a voluntary assessment isn’t prohibited. And if you’re a DIB contractor who booked a Level 2 assessment for a November milestone that’s now suspended, that’s a different calculation: our C3PAO selection frameworkcovers postpone-or-proceed from the contractor’s side.
Did the July 13, 2026 suspension change any of this?
DoW Memo 26-P-1023, dated July 13, 2026, suspended the November 2026 transition to CMMC Phase 2 and pending implementation milestones. During the suspension, only CMMC Level 1 (Self) and Level 2 (Self) may be designated in new procurement requirements; Level 2 (C3PAO) and Level 3 (DIBCAC) may not. Phase 1 self-assessment requirements, DFARS 252.204-7012, and NIST SP 800-171 Rev. 2 remain in force. The ESP scoping rules in 32 CFR 170.19 were not amended.
We read the memo. Here’s exactly what it says, and exactly what it doesn’t.
What was suspended
- The November 2026 Phase 2 transition and pending and future CMMC implementation milestones.
- The ability of Program Managers and requiring activities to designate Level 2 (C3PAO) or Level 3 (DIBCAC) assessments. “The allowed designations are CMMC Level 1 (Self) or CMMC Level 2 (Self).”
- Waivers. “No waivers shall be granted during the review of the program.”
The memo also directs relief on live procurements. Where an active solicitation already carries a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, requiring activities “must initiate amendments” and contracting officers “must issue a corresponding solicitation amendment as soon as practicable.” For existing contracts, contracting officers are directed to remove those requirements “via modification prior to the exercise of the next option period or during the next scheduled administrative modification.”
What survived untouched
- Level 1 and Level 2 self-assessment. The memo states DoW “will enforce baseline compliance with NIST SP 800-171 Rev 2 through CMMC Level 1 and CMMC Level 2 self-assessment and select Government-led assessments.”
- DFARS 252.204-7012. The memo says its requirements “remain in effect,” in those words.
- NIST SP 800-171 Rev. 2 as the Level 2 standard. The memo states “CMMC Level 2 is aligned with NIST SP 800-171 Rev 2.”
- 32 CFR 170.19. Not amended. Every provider scoping obligation on this page is current.
- Voluntary assessments. The memo restricts what contracting officers may designate. It does not prohibit a company from pursuing a certification assessment, and C3PAOs continue to operate.
The three-layer answer nobody is giving
| Layer | What it says | What it actually controls |
|---|---|---|
| The codified rule — 32 CFR 170.3 | The four-phase schedule, unamended since December 16, 2024 | The program’s legal architecture |
| The policy memo — 26-P-1023, July 13, 2026 | Phase 2 suspended; only Level 1 (Self) and Level 2 (Self) may be newly designated; solicitations to be amended; contracts to be modified; no waivers | What contracting officers may do going forward |
| Your award document | Whatever it says right now | Your actual obligation — until the amendment or modification is issued in writing |
That bottom row is the one that costs people money. A press release didn’t modify your contract. If your award or your prime’s subcontract carries a Level 2 (C3PAO) requirement today, that requirement is live for you until the contracting officer issues the amendment or modification. Read the paper. Ask your contracting officer or your prime for it in writing.
When a client asks “is CMMC dead?”, that table is your answer. Neither “nothing changed” nor “it’s over” is accurate, and a provider who says either loses credibility with the buyers who matter.
What’s still unknown
The memo establishes a 60-day review and reporting period, with the CMMC Reform Task Force reporting to the DoW CIO. It does not guarantee a public report or a replacement schedule on any particular date. The post-review program structure and implementation schedule have not been published, and the memo’s own last line is: “Further guidance will be promulgated at the conclusion of the CIO’s 60-day review.”
Decision point.
This page has a shelf life measured in weeks, and we treat that as our problem, not yours.
Get the ESP Regulatory Watch →Which clause numbers should you actually be checking in 2026?
Effective February 1, 2026, DoD Class Deviation 2026-O0025 under the Revolutionary FAR Overhaul directs contracting officers, for covered actions, to use revised FAR Part 40 and a new DFARS Part 240 in place of the codified text. Part 240 prescribes DFARS 252.240-7997 for NIST SP 800-171 DoD Medium and High assessments. The codified DFARS 252.204-7019, 252.204-7020, and FAR 52.204-21 remain published and can still appear in older or existing awards, so the solicitation, contract, amendment, modification, and applicable deviation have to be read together.
If you build vendor questionnaires, contract review checklists, or client-facing compliance matrices, this will bite you.
| Clause | Codified status | What the deviation directs for covered actions | What it means for you |
|---|---|---|---|
| DFARS 252.204-7012 | Published and in force | Retained under the new Part 240 structure | Safeguarding CUI, cloud service provider requirements, 72-hour cyber incident reporting, media preservation |
| DFARS 252.204-7021 | Published and in force | Retained; not renumbered | The CMMC clause. Establishes the required CMMC Status and flow-down |
| DFARS 252.204-7019 | Still published in the codified DFARS | Not prescribed for covered actions under the deviation | The standalone “Basic” self-assessment provision is no longer directed for new covered actions — but can appear in older awards |
| DFARS 252.204-7020 | Still published in the codified DFARS | Replaced for covered actions by DFARS 252.240-7997, covering DoD Medium and High assessments | Government-performed assessments and the resulting records |
| FAR 52.204-21 | Still published in the codified FAR | Relocated for covered actions to FAR 52.240-93 | The 15 basic safeguarding requirements for Federal Contract Information — content unchanged |
Three practical consequences.
Your checklist is probably stale.If your vendor questionnaire asks whether a client has posted a “7019 score,” you’re asking about a provision that isn’t prescribed for new covered actions. But don’t overcorrect: it hasn’t been deleted from the codified DFARS, and it can still appear in an existing award.
Don’t treat 252.240-7997 as a clean rename.It covers DoD Medium and High assessments — government-performed evaluations — and the records they produce. CMMC Level 2 self-assessment and affirmation obligations arise separately, through 32 CFR Part 170 and DFARS 252.204-7021 when incorporated. Those are three different mechanisms.
Both numbering systems are live.Because these are class deviations ahead of formal rulemaking, either set of numbers can appear depending on the age and type of the action. Read the actual award document. Don’t infer from a clause number that a requirement appeared or disappeared.
For the full crosswalk, see our breakdown of the CMMC Final Rule and its clause structure.
Who posts what, and where
| Information | Who submits it | Where it lands |
|---|---|---|
| CMMC Level 1 or Level 2 self-assessment results and affirmation | The contractor, through the process prescribed in 32 CFR Part 170 | SPRS — the Supplier Performance Risk System |
| Level 2 certification assessment results and Certificates of CMMC Status | The C3PAO | The CMMC instantiation of eMASS, which transmits to DoD systems |
| DoD Medium and High NIST SP 800-171 assessment results | The Government | DoD assessment records under DFARS 252.240-7997 |
You don’t post your client’s score. They do — or their C3PAO does. Being clear about that in a sales conversation is a small thing that signals you actually know the program.
Why does CMMC still use NIST editions that NIST has withdrawn?
CMMC Level 2 is assessed against NIST SP 800-171 Revision 2, and CMMC Level 3 uses selected requirements from the February 2021 edition of NIST SP 800-172, because 32 CFR Part 170 incorporates those specific editions by reference. NIST has since published newer revisions and withdrawn the earlier editions from its own catalog. The regulation controls for CMMC purposes until DoD amends it.
NIST withdrew SP 800-171 Revision 2 in May 2024 when it published Revision 3. It withdrew the February 2021 edition of SP 800-172 in May 2026 when it published a new revision. If you look those documents up on the NIST Computer Security Resource Center today, you’ll see withdrawal notices.
None of that changes CMMC. Section 170.14 incorporates SP 800-171 Revision 2 for Level 2 and the February 2021 SP 800-172 for Level 3 by reference. The eCFR shows Part 170 unamended since December 16, 2024. And the July 13, 2026 memo restates it: “CMMC Level 2 is aligned with NIST SP 800-171 Rev 2.”
So there are two accurate statements, and you need to keep them apart:
- Revision 2 is the current CMMC-controlling edition. True.
- Revision 2 is NIST’s current publication. False.
Practical advice for a provider: do not build a client’s CMMC Level 2 program to Revision 3 on the theory that it’s “newer and therefore safer.” The assessment methodology, the control set, and the scoring in 32 CFR 170.24 are built on Revision 2. Building to a different revision doesn’t earn you credit — it creates a mapping problem for whoever has to assess it.
What if your cybersecurity company is also a DoD contractor?
A cybersecurity company holding its own DoD prime contract or subcontract is subject to CMMC on the same terms as any other defense contractor. Under 32 CFR 170.3, the trigger is processing, storing, or transmitting Federal Contract Information or Controlled Unclassified Information on contractor information systems in performance of a DoD contract. The required level and assessment type come from the contract, not from the industry the contractor operates in.
This is Gate 1, and it’s the path most cybersecurity companies overlook because they’re focused on their client-side role.
If you sell SOC services directly to a DoD program office, run a cyber range under a defense contract, deliver security engineering as a subcontractor to a prime, or hold a task order carrying DFARS 252.204-7021 — you’re a defense contractor. Your obligation comes from your own award.
What that means in practice:
- Your level comes from the clause, not from your own view of your maturity. During the suspension, the only designations available to a contracting officer for new requirements are Level 1 (Self) and Level 2 (Self).
- FCI-only work sits at Level 1 — the 15 basic safeguarding requirements, self-assessed annually.
- CUI work sits at Level 2 — all 110 NIST SP 800-171 Rev. 2 requirements across 14 control families.
- You post and you affirm. The annual affirmation of continuing compliance under 32 CFR 170.22 is a signed statement submitted by a designated Affirming Official. With third-party designation suspended, that signature is now the primary external checkpoint on your posture. Treat the accuracy of what you submit as a governance matter.
- One corporate certification doesn’t cover everything. A CMMC Status attaches to a defined assessment scope and the information systems within it — not to a company. Your production environment and your client-delivery environment may be different scopes.
That last point is why the paths stack. A firm that is a DoD subcontractor and an MSSP to other DIB companies carries two separate documentation burdens on two separate boundaries. Trying to satisfy both with a single enterprise-wide certification claim is where provider positioning most often falls apart under questioning.
Should you become a C3PAO, an RPO, or a Certified CMMC Professional?
These are different things governed by different authorities. C3PAO, CCA, and CCP are roles established in 32 CFR Part 170 Subpart C, with requirements including background investigations and foreign ownership review. RPO and RP are Cyber AB Marketplace designations administered under the Accreditation Body’s own program — we read all six sections of Subpart C (170.8 through 170.13) and neither term appears in any of them.
That finding surprised us, so we’ll show our work. 32 CFR Part 170 Subpart C is titled “CMMC Assessment and Certification Ecosystem” and contains exactly six sections: 170.8 (Accreditation Body), 170.9 (C3PAOs), 170.10 (CAICO), 170.11 (Certified Assessor), 170.12 (Instructor), and 170.13 (Certified Professional). No RPO. No RP.
That doesn’t make RPO status worthless — it’s a recognized Marketplace designation with its own program requirements, and buyers look for it. It does mean “becoming an RPO” and “becoming a C3PAO” aren’t two rungs on the same ladder. One is a Marketplace registration. The other is an Accreditation Body authorization process established by federal rule, with a government-conducted assessment at the end of it.
| Credential | What it authorizes | Governing authority | What it takes |
|---|---|---|---|
| RPO / RP — Registered Provider Organization / Registered Practitioner | Consulting, readiness, and implementation advice. Cannot conduct certification assessments | Cyber AB Marketplace program. Not established in 32 CFR Part 170 | Training and registration under the Accreditation Body’s program |
| CCP — CMMC Certified Professional | “Advice, consulting, and recommendations” to clients; may sit on an assessment team under a Certified Assessor’s oversight | 32 CFR 170.13 | CAICO certification valid 3 years, plus a Tier 3 background investigation initiated via SF 86 |
| CCA — CMMC Certified Assessor | Conducts Level 2 certification assessments in support of a C3PAO | 32 CFR 170.11 | Must already be a CCP with 3 years cybersecurity experience, 1 year assessment or audit experience, and a foundational qualification at Intermediate proficiency for the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) work role |
| Lead CCA | Leads assessment teams and makes final determinations | 32 CFR 170.11(b)(10) | 5 years cybersecurity, 5 years management, 3 years assessment or audit experience, plus Advanced proficiency in the 612 work role |
| C3PAO | Conducts Level 2 certification assessments, issues Certificates of CMMC Status | 32 CFR 170.9 | See below |
What becoming a C3PAO actually requires
We pulled all twenty requirements at 32 CFR 170.9(b). The ones that stop most firms:
- The government assesses you. A C3PAO must undergo a Level 2 certification assessment conducted by DCMA DIBCAC, not by a peer C3PAO. And it “will not result in a CMMC Status of Level 2 (C3PAO) nor receive a Certificate of CMMC Status.” You do the work; you don’t get the certificate.
- Foreign ownership review. SF 328 to the Defense Counterintelligence and Security Agency, a National Security Review under 32 CFR 117.11, and a non-disqualifying eligibility determination from the CMMC PMO before you can proceed to the DIBCAC assessment.
- Background investigations for assessment personnel. Every C3PAO company person participating in the Level 2 certification assessment process — the assessment team and the quality assurance individual — completes a Tier 3 background investigation initiated via SF 86.
- ISO/IEC 17020:2012 within 27 months of authorization.
- Team composition is fixed. Minimum two people: a Lead CCA plus at least one other CCA. Your quality assurance individual must be a CCA and cannot be on the team they’re reviewing.
- Your assessors can’t use their own laptops. Under 32 CFR 170.11(b)(7), assessors may only use IT, cloud services, and endpoints provided by the engaged C3PAO — and that infrastructure must itself have undergone a DIBCAC Level 2 assessment. Personally owned devices are prohibited for assessment-related information.
- Six-year retention on assessment-related records specified in 170.9(b)(9).
The conflict wall, exactly as written
This is the rule most providers get fuzzy about, and it isn’t fuzzy at all.
32 CFR 170.8(b)(17)(ii)(G) requires the Accreditation Body’s Code of Professional Conduct to “prohibit CMMC Ecosystem members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.”
Three years. And note the breadth of the phrase: anyCMMC assessment. Preparing a client for a Level 1 self-assessment can bar you from their later Level 2 certification team. For that specific scenario, disclosure doesn’t cure it — the prohibition is on participating.
Two related rules people miss:
- Instructors can’t consult while instructing. 32 CFR 170.12(c)(7) prohibits CMMC Instructors from providing CMMC consulting services while serving as an instructor — though they may serve on an assessment team, subject to conduct and conflict policies.
- Accreditation Body departures get a cooling-off period. One year, under 170.8(b)(17)(i)(C).
Our read:if your revenue model is readiness and remediation, C3PAO authorization isn’t an upgrade — it’s a second business you have to run on a different client base. Firms that hold both roles serve different clients in each. Structure it that way from day one, or don’t do it.
There’s also a timing problem on top of the structural one. Level 2 (C3PAO) assessments can’t be newly designated in any procurement during the suspension. Building an assessment practice into that is a bet on the Task Force’s recommendation, not a business plan.
Decision point.
If you’re weighing an ecosystem credential, the constraint that usually decides it is the conflict wall, not the cost.
Compare the five credentials side by side ↑What can your company accurately say about its CMMC role and status?
CMMC Ecosystem members are bound by conduct rules on how they describe themselves. 32 CFR 170.8(b)(17)(ii)(E) requires the Accreditation Body’s Code of Professional Conduct to compel members to “represent themselves and their companies accurately; to include not misrepresenting any professional credentials or status, including CMMC authorization or CMMC Status, nor exaggerating the services that they or their company are capable or authorized to deliver.”
If you hold any ecosystem credential — RPO, RP, CCP, CCA, C3PAO — this rule governs your website copy. Here’s how we’d audit a provider’s marketing against it. This is our editorial application of the conduct rule, not a legal opinion.
| The claim | Supported by a verified role or status? | The artifact that proves it |
|---|---|---|
| “We are CMMC certified” | Ambiguous without level, status type, scope, and date — and ambiguity is what the conduct rule targets | Certificate or status record, plus the assessment scope |
| “We hold CMMC Status of Final Level 2 (C3PAO) for [named scope], assessed [date] by [C3PAO name]” | Yes, if true | Certificate, scope definition, date, assessing C3PAO |
| “Our CMMC Status is Final Level 2 (Self) for [named scope], self-assessed [date], affirmation submitted [date]” | Yes, if true | Self-assessment record, affirmation date |
| “We are CMMC compliant” | No — not a status the rule recognizes. It blurs implementing requirements with holding a status | — |
| “We are a Registered Provider Organization” | Yes, if current | Live Cyber AB Marketplace listing, checked on a date |
| “We are CMMC accredited” | No, unless you are currently authorized or accredited as a C3PAO and are describing exactly that | C3PAO authorization or accreditation record |
| “DoD approved” / “Cyber AB approved” / “government approved” | No — too generic to be verifiable. State the exact listing, authorization, certification, or Status you hold | The specific record |
| “We guarantee you’ll pass your assessment” | No — no provider can guarantee an assessment outcome | — |
| “Our platform makes you CMMC compliant” | No — exaggerates capability. The 110 requirements include process, personnel, physical, and documentation controls no platform delivers | — |
| “Our managed service is inside a CMMC Level 2 assessment scope certified [date], and we provide the CRM confirmed by our assessing C3PAO” | Yes, if true | Certificate, scope, CRM, service description |
The accurate version is usually more persuasive than the vague one anyway. “Certified Level 2 for our managed services, June 2025, CRM available on request” beats “CMMC compliant” with any buyer sophisticated enough to matter.
Does SOC 2, ISO 27001, or FedRAMP cover you for CMMC?
No. None of them produce a CMMC Status. SOC 2 and ISO/IEC 27001 can supply evidence toward specific requirements, and FedRAMP authorization satisfies the cloud service provider requirement in DFARS 252.204-7012 where CUI is involved — but a CMMC Status is produced only through the assessment, scoping, scoring, and affirmation path in 32 CFR Part 170.
| What you hold | What it can support in a CMMC context | What it does not establish | The scope mismatch to check |
|---|---|---|---|
| SOC 2 Type II | Evidence of tested controls for a defined system over a period — useful for access control, change management, monitoring | A CMMC Status, or implementation of all 110 NIST SP 800-171 Rev. 2 requirements | Whether the SOC 2 system boundary matches the CMMC assessment scope, and whether the report is current |
| ISO/IEC 27001 | Evidence of a functioning ISMS and supporting policy and risk artifacts | A CMMC Status, or a control-by-control result under NIST SP 800-171A | Whether the Statement of Applicability covers the systems in the CMMC boundary |
| FedRAMP Moderate authorization | Satisfies the cloud service provider requirement in DFARS 252.204-7012 where CUI is in the cloud | Your company’s own CMMC Status. It addresses the cloud, not the contractor | Whether the authorized service offering is the one your client actually uses |
| NIST SP 800-171 self-assessment score | Current implementation for a defined system under a defined methodology | Every CMMC Status, or full contract eligibility | Whether the assessed system is the same one in the CMMC scope, and the score’s date |
| CMMC Status | Assessment and affirmation result for a defined CMMC assessment scope | Enterprise-wide coverage, or coverage of services outside that scope | What’s actually inside the certified scope |
If you are a Cloud Service Provider, read this carefully
The FedRAMP path is stricter than most providers realize, and the strictness is where deals die.
Under DFARS 252.204-7012, a contractor using a cloud service to hold covered defense information must require that provider to meet security requirements equivalent to FedRAMP Moderate. The DoD CIO memorandum of December 21, 2023 defines what “equivalent” means: 100 percent compliance with the FedRAMP Moderate baseline, assessed by a FedRAMP-recognized Third Party Assessment Organization, with no POA&Ms resulting from that assessment— all POA&M actions corrected and validated closed by the 3PAO. Self-attestation is not permitted. The provider supplies a complete Body of Evidence including the System Security Plan, Security Assessment Plan, Security Assessment Report, and continuous monitoring evidence.
And here’s the operational trap, straight from DoD’s February 2025 briefing: “There is no registry of offerings that meet equivalency requirements. The OSA must evaluate the CSP’s body of evidence.”Assessors review that Body of Evidence as part of your client’s assessment.
Practically: if you sell a cloud service into the DIB and you’re not on the FedRAMP Marketplace, every single client has to independently evaluate your evidence package, and their assessor has to review it. That’s friction on every deal, forever, until you’re authorized. Build the Body of Evidence into your sales motion or you’ll keep losing deals without ever learning why.
What should your company do in the next 30 days?
The highest-value first month is documentation and contract work, not procurement. Establish which paths apply to each service line, produce a service description and Customer Responsibility Matrix for anything in a client’s scope, and decide whether to respond to DoW’s open Request for Information before it closes at 12:00 p.m. Eastern on Friday, August 14, 2026.
| Days | Do this | Stop condition before you spend |
|---|---|---|
| 1–3 | Pull every DoD contract, subcontract, PO, task order, and amendment. Search for 252.204-7021 and 252.204-7012 | Don’t budget for your own status until you’ve read the clause that supposedly requires it |
| 3–7 | Map each service line: does it put CUI or SPD on your assets? Include ticketing, backups, log archives, password vaults, RMM | Don’t scope a certification until you know which service lines are actually in scope |
| 7–10 | For each cloud-delivered service, apply the tenant-ownership test. Who is the tenant licensed to? | Don’t budget a FedRAMP program until you’ve confirmed you’re actually the CSP |
| 10–14 | Assign each service line to every path that applies | Don’t buy anything until this is on paper, dated, and cited |
| 14–21 | Draft a service description and Customer Responsibility Matrix for every service in a client’s scope | Don’t hire a consultant to write these until you’ve tried; you know your service better than they do |
| 21–25 | Write your standard answer to “are you CMMC compliant?” and give it to sales | Don’t let anyone improvise it on a call again |
| 25–30 | Decide on the RFI. Then decide on certification — with the classification in hand | Don’t sign an assessment engagement without the four preceding outputs |
The open door, and the clock on it
Alongside the suspension, DoW published a Request for Information titled Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base. Responses are due by 12:00 p.m. Eastern on Friday, August 14, 2026, through the official SAM.gov notice.
The RFI seeks input on cost drivers and administrative burden, which NIST SP 800-171 Rev. 2 controls deliver meaningful risk reduction, how companies are already using commercial cybersecurity tools and managed services, and how the Department might recognize those existing investments in a revised framework. It also asks about leveraging and optimizing self-attestation.
That is a request aimed directly at your business.
If you’ve already built a CMMC-aligned managed service, already certified, already run the tooling, already absorbed the cost — you have real cost data that few respondents will have. This is the fixed public deadline discussed on this page, and it’s a genuine, dated, closing window. Unlike most things labeled urgent in this industry, we didn’t manufacture it.
Go straight to the notice. We’re not putting a form in front of a government comment deadline.
The most expensive mistakes we see in provider compliance planning
Short list. Each one costs real money.
- Budgeting for certification before running the three gates. An expensive category error, usually traced to superseded proposed-rule language.
- Assuming no CUI means no involvement. SPD is the trigger most providers have never heard of. Admin passwords count.
- Assuming CUI means you personally need certification. Table 4 says your services get assessed in your client’s assessment.
- Treating the four paths as mutually exclusive. They stack. A subcontractor that’s also an MSSP carries two boundaries.
- Treating administrative access as the whole test. The test is what your assets process, store, or transmit — and whose infrastructure delivers it.
- Assuming you’re a CSP because you resell cloud. If the tenant is licensed to your client, DoD’s guidance says you’re not.
- Producing a generic control list and calling it a CRM. Assessors compare the CRM to the service the client actually bought.
- Saying “we’re CMMC compliant.” It isn’t a status, and if you hold an ecosystem credential the conduct rule in 170.8(b)(17)(ii)(E) is in play.
- Running readiness and then joining the assessment team for the same client. Three years, per 170.8(b)(17)(ii)(G).
- Telling clients CMMC is cancelled — or that their contract changed on July 13. It’s suspended, and a memo doesn’t modify a signed award. Read the amendment.
Frequently asked questions
- Does an MSSP need CMMC certification?
- Not because of its clients. Under 32 CFR 170.19(c)(2)(i) Table 4, a non-CSP External Service Provider handling CUI has its services assessed within the client’s assessment; 170.19(c)(2)(ii) makes the ESP’s own certification voluntary. An MSSP needs its own CMMC Status only if its own contract carries a CMMC requirement.
- Do our client’s logs count as CUI?
- Logs are expressly identified as an example of Security Protection Data in 32 CFR 170.4, which is a separate category from CUI. But a log can also contain CUI depending on its contents and origin. Classify the actual data, not the file type.
- Does holding our client’s admin passwords put us in scope?
- Passwords that grant access to the in-scope environment are Security Protection Data under 32 CFR 170.4. A provider enters the ESP analysis when those passwords are processed, stored, or transmitted on provider assets. DoD’s February 2025 briefing confirms an MSP holding passwords to client equipment is “likely holding security protection data.”
- Is our MSP a Cloud Service Provider if we resell Microsoft 365?
- Not on those facts, under DoD’s February 2025 technical guidance: if the cloud tenant is subscribed or licensed to the client, the MSP is not a CSP “even if the MSP resells the service.” You become a CSP if you contract with a cloud provider and further modify the basic cloud service, or if you own the tenant and sub-divide it for customer use.
- Is a penetration test report CUI or SPD?
- It depends on source and content. Vulnerability findings and configuration data about in-scope assets fall within the Security Protection Data definition at 32 CFR 170.4. If the report contains or reproduces marked CUI from the client’s environment, it may also be CUI. Document expected data categories, marking, handling, retention, and deletion in the engagement letter.
- Does staff augmentation avoid CMMC scope?
- Only where the client genuinely supplies all processes, technology, and facilities. DoD’s briefing treats outsourced staff as essentially the same as client staff in that arrangement — while also warning that offsite technicians or provider-held passwords likely create Security Protection Data. If provider-owned laptops, VPNs, or password vaults enter the delivery path, re-run the ESP analysis.
- Does FedRAMP authorization make our SaaS company CMMC compliant?
- No. FedRAMP addresses the cloud service provider requirement in DFARS 252.204-7012 where CUI is involved. It does not create a CMMC Status for your company, which comes only through the assessment and affirmation path in 32 CFR Part 170.
- Does SOC 2 or ISO 27001 count toward CMMC?
- They can provide supporting evidence for specific requirements, but neither produces a CMMC Status. CMMC Level 2 is assessed against all 110 NIST SP 800-171 Rev. 2 requirements using the methodology in NIST SP 800-171A — a different scope and a different standard. Check the boundary match before you assume any artifact is reusable.
- Has CMMC been cancelled?
- No. DoW Memo 26-P-1023 of July 13, 2026 suspended the Phase 2 transition and pending implementation milestones pending a 60-day review. Phase 1 self-assessment requirements, DFARS 252.204-7012, and NIST SP 800-171 Rev. 2 remain in force, and 32 CFR Part 170 remains on the books.
- Can a contracting officer still require a C3PAO assessment right now?
- A Program Manager or requiring activity may not newly designate Level 2 (C3PAO) or Level 3 (DIBCAC) during the suspension, and no waivers are being granted. Active solicitations carrying those requirements are to be amended and existing contracts modified — but until that written amendment or modification is issued, the award as written still governs. Verify the paper rather than treating the memo as though it rewrote your contract automatically.
- Should we cancel our scheduled Level 2 assessment?
- That’s a business decision, not a compliance one, and it depends on your contract book and your competitive position. Talk to your C3PAO before cancelling. The suspension restricts what contracting officers may designate; it does not prohibit voluntary assessments, and C3PAOs continue to operate.
- What happened to DFARS 252.204-7019 and 7020?
- Effective February 1, 2026, Class Deviation 2026-O0025 directs contracting officers, for covered actions, to use revised FAR Part 40 and new DFARS Part 240 in place of the codified text. Part 240 prescribes DFARS 252.240-7997 for DoD Medium and High assessments, and FAR 52.204-21 relocates to FAR 52.240-93 for covered actions. The codified clauses remain published and can appear in older or existing awards. DFARS 252.204-7012 and 252.204-7021 were not renumbered.
- Do we need a Customer Responsibility Matrix?
- If your services fall inside a client’s CMMC assessment scope, yes. 32 CFR 170.19(c)(2)(ii) requires the ESP relationship and services to be documented in the client’s System Security Plan and described in the ESP’s service description and customer responsibility matrix.
- Can an RPO also be a C3PAO?
- A firm may hold multiple ecosystem roles. But a CMMC Ecosystem member may not participate in a Level 2 certification assessment for an organization it served as a consultant to prepare for any CMMC assessment within the previous three years, per 32 CFR 170.8(b)(17)(ii)(G). Other actual, potential, or perceived conflicts must also be disclosed and managed under the applicable conflict policies.
- Is RPO status required by the CMMC rule?
- No. RPO and RP are Cyber AB Marketplace designations administered under the Accreditation Body’s own program. We read all six sections of 32 CFR Part 170 Subpart C — 170.8 through 170.13 — and neither term appears. The rule establishes the Accreditation Body, C3PAOs, the CAICO, Certified Assessors, Instructors, and Certified Professionals.
- Do COTS cybersecurity products require CMMC?
- An acquisition exclusively for commercially available off-the-shelf items sits outside the general applicability statement in 32 CFR 170.3. Adding implementation, hosting, customization, support access, or managed services changes the analysis, because those services can put CUI or SPD on your systems.
- Why does CMMC still reference NIST SP 800-171 Revision 2 when NIST published Revision 3?
- Because 32 CFR 170.14 incorporates Revision 2 by reference for CMMC Level 2, and the rule has not been amended. NIST withdrew Revision 2 from its own catalog in May 2024, and withdrew the February 2021 edition of SP 800-172 in May 2026. Revision 2 is the current CMMC-controlling edition; it is not NIST’s current publication. Don’t build a client’s CMMC program to Revision 3.
- What do we say when a prospect asks “are you CMMC compliant?”
- Have one approved answer and stop improvising. If you hold a certification assessment status: “Our CMMC Status is Final Level 2 (C3PAO) for [named scope], assessed [date] by [C3PAO name]. Our service description and Customer Responsibility Matrix for [service] are attached.” If you hold a self-assessment status: “Our CMMC Status is Final Level 2 (Self) for [named scope], self-assessed [date], with the required affirmation submitted [date].” If you don’t hold a status: “We don’t hold a CMMC Status for this service. Based on our current service architecture, 32 CFR 170.19 places this service inside your assessment scope rather than requiring a separate provider status. We provide the service description and Customer Responsibility Matrix your assessor will expect, and our people are available for assessment interviews.” That third answer is grounded in the rule and reads as competence.
Where this leaves you
Run the three gates. Identify every path that applies to each service line. Produce the two documents — service description and Customer Responsibility Matrix — for anything inside a client’s scope. Then, and only then, decide whether certification is a business investment worth making.
Forty-nine providers appear in the one validated public directory of certified service providers. DoD sizes the Level 2 DIB at roughly 75,000 companies. What you do with that gap in the next 30 days is a business decision — but make it with the classification in hand, not from a vendor’s slide deck.
Related reading
- CMMC Phase 2 suspended: what changed on July 13, 2026
- CMMC for IT MSPs
- CMMC scoping guide
- The CMMC Final Rule and its clause structure
- CMMC Level 1 vs Level 2 vs Level 3
- SPRS score: what contractors need to know
- How to choose a C3PAO for CMMC Level 2
- CMMC for shipbuilders
- CMMC for machine shops
- CMMC provider categories compared