The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Not sure which path applies?
Free, no email, dated output
Classify my company →
Independent Research · Last verified:

CMMC for Cybersecurity Companies: Do You Need Your Own Certification, or Just Better Evidence?

By The Defense Compliance Report Editorial Team· Last reviewed: July 2026 · Last verified: July 18, 2026

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense (which currently uses “Department of War” as an authorized secondary title), DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research — not legal, contractual, or compliance advice.


CMMC for cybersecurity companies has a clear answer, and a lot of what’s circulating about it is out of date.

Here it is. Nothing in 32 CFR Part 170 requires your cybersecurity company to hold its own CMMC Status merely because you serve defense clients. Not your MSP. Not your MSSP. Not your SOC, your incident response practice, or your security SaaS platform. When you handle a client’s data as an outside provider, the rule pulls your serviceinto your client’s assessment. It does not, on that basis alone, require you to go get certified.

That’s the headline. Here are the four facts that actually decide your situation, and you need all four:

  1. Your own contracts. If you hold a DoD prime contract or subcontract carrying DFARS 252.204-7021, you need your own CMMC Status — same as any other defense contractor. Being a cybersecurity company is irrelevant to that.
  2. What your systems touch. If your assets process, store, or transmit a client’s Controlled Unclassified Information (CUI) or Security Protection Data (SPD), your service enters that client’s assessment scope under 32 CFR 170.19.
  3. Your architecture. If you operate a cloud service that holds client CUI, DFARS 252.204-7012 requires your client to use a provider meeting FedRAMP Moderate or documented equivalency — which becomes your problem through your contract with them.
  4. Your ecosystem roles. If you hold a C3PAO authorization, or a CCP or CCA certification, 32 CFR Part 170 Subpart C puts separate conduct, conflict, and eligibility duties on you.

These stack.A firm can be a DoD subcontractor, an outside provider inside three other clients’ assessments, a cloud provider, and an ecosystem member — all at once, with four different sets of obligations.

We read the rule text, DoD’s own technical briefing, and the July 13, 2026 suspension memo to get to this. We also counted something nobody else has published: how many cybersecurity providers appear in the one validated public directory of CMMC-certified service providers.The number is 49. It hasn’t moved since May.

That number changes the math on what your certification is actually worth. We’ll get there.


Who this page is for — and who should leave

This page is written for the people who sell cybersecurity, not the people who buy it.If you run or advise an MSP, MSSP, SOC, MDR practice, vCISO firm, penetration testing shop, incident response team, security SaaS company, GRC platform, VAR, or integrator — and a defense contractor has asked you a question you couldn’t confidently answer — you’re in the right place.

Three readers should go somewhere else right now:

  • You’re a defense contractor trying to figure out whether your MSP needs CMMC. Different question. Start with our guide to CMMC for IT MSPs, or the provider category guide for small business if you’re choosing a vendor.
  • You have no DIB clients and no plan to get any. Then CMMC isn’t your problem, and a certification project would be a poor use of capital. Close the tab. We’d rather lose you than sell you a compliance program you don’t need.
  • You want a list of vendors who sell CMMC services. That’s a buyer’s guide. Try our provider category comparison.

Still here? Good. Start by finding yourself:

Jump to your situation: We hold a DoD contract · We handle client CUI · We handle only logs, configs, or credentials · We operate the cloud service · We’re an RPO, RP, CCP, CCA, or C3PAO


What we actually verified

Every regulatory statement on this page is linked to its source at the point we make it. Here’s the full list and the date we checked each one.

What we checkedSourceVerified
ESP scoping rules, Table 4 and Table 632 CFR 170.19(c)(2) and (d)(2), eCFRJul 18, 2026
ESP, CSP, SPD, and SPA definitions32 CFR 170.4, eCFRJul 18, 2026
Program applicability32 CFR 170.3, eCFRJul 18, 2026
Assessment procedures and scoring32 CFR 170.17, eCFRJul 18, 2026
C3PAO, assessor, and conduct requirements32 CFR Part 170 Subpart C (§§170.8–170.13), full textJul 18, 2026
MSP-versus-CSP test, SPD examples, staff augmentationDoD CIO, Technical Application of CMMC Requirements, February 2025Jul 18, 2026
Phase II suspension termsDoW Memo 26-P-1023, Attachment 1, July 13, 2026Jul 18, 2026
Level 2 cost modelingCMMC Program final rule, 89 FR 83092 (Oct. 15, 2024)Jul 18, 2026
Certified provider listings — we counted every entry ourselvesMSP Collective ESP DirectoryJul 18, 2026
Clause structure under the FAR Overhaul deviationsDoD Class Deviation 2026-O0025Jul 18, 2026

What we did not do:we did not repeat provider marketing claims as verified fact, publish a price range we couldn’t source, rank providers, independently verify any listed firm’s current Cyber AB Marketplace status, or promise anyone a certification outcome.


How does CMMC for cybersecurity companies actually work?

CMMC can reach a cybersecurity company through four separate doors: its own DoD contract, its role inside a client’s assessed environment, its cloud architecture, and any CMMC Ecosystem role it holds. Being a cybersecurity company is not itself the trigger. Under 32 CFR 170.3, CMMC applies to DoD contract and subcontract awardees that process, store, or transmit Federal Contract Information or Controlled Unclassified Information on contractor information systems — a test about contracts and data, not industry category.

Most providers get stuck because they’re asking the wrong question. “Do cybersecurity companies need CMMC?” has no answer, the same way “do trucking companies need a hazmat endorsement?” has no answer. It depends on the load.

Here’s the test we use. Three gates, run in order, each answerable in an afternoon with documents you already have. Run all three — more than one result can apply to the same company, and often to the same service line.

Gate 1 — What does your contract say?

Not what a prospect said on a call. Not what a prime’s business development person implied. What the executed document says.

Pull every DoD prime contract, subcontract, purchase order, task order, and amendment your company holds, and look for two different clauses that do two different jobs:

  • DFARS 252.204-7021 is the CMMC clause. It makes a specified CMMC Status a condition of award, requires you to maintain it during performance, and requires flow-down to applicable subcontracts.
  • DFARS 252.204-7012 is the safeguarding clause. It establishes NIST SP 800-171 implementation, cloud service provider requirements, 72-hour cyber incident reporting, media preservation, and related duties. It does not, by itself, create a CMMC Status.

If 7021 is in your contract, you are a defense contractor who happens to sell cybersecurity. Your obligation is the same as a machine shop’s. Skip to that section.

If neither appears in anything you’ve signed, move to Gate 2 — but keep checking, because contracts change.

On flow-down. A prime’s informal email asking whether you’re “CMMC compliant” is not, by itself, a contractual obligation. A subcontract, purchase order, task order, incorporated clause, amendment, or accepted modification can create one. Under 32 CFR 170.23, the required level flowed to a subcontractor should be no higher than necessary for the information that subcontractor will handle, and acquisitions exclusively for commercially available off-the-shelf items are excluded. Don’t confuse a vendor questionnaire with a contractual requirement.

Gate 2 — What data touches your people and your systems?

This is where the analysis most often goes wrong, in both directions.

32 CFR 170.4 defines an External Service Provider (ESP)as “external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization.” Then it adds the qualifier that decides everything: “In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP.”

Read that last sentence again. No CUI and no Security Protection Data on your assets means you’re not an ESP for that service.That’s the rule’s own language.

Two things about that. It’s a service-leveltest, not a company-level exemption — you can be outside the ESP definition for your advisory practice and inside it for your managed service. And it doesn’t touch Gates 1, 3, or 4.

Security Protection Data (SPD) is the concept most providers have never heard of. Section 170.4 defines it as “data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment,” with examples: configuration data required to operate a security tool, log files generated by or ingested by that tool, data about the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment.

That last item catches almost everyone. DoD’s February 2025 technical briefingspells it out: if you have offsite technicians or your MSP holds passwords to client equipment, you are “likely holding security protection data (SPD) in the form of admin passwords.”

What your assets process, store, or transmitYour status for that service
Client CUI — drawings, technical data, controlled project filesESP handling CUI
Only logs, configs, vulnerability data, alerts, admin credentialsESP handling SPD
BothApply the CUI path, and document the SPD functions and Security Protection Assets within that scope
NeitherNot an ESP for that service. Re-check Gates 1, 3, and 4 anyway

Source: 32 CFR 170.4 and 170.19(c)(2)(i), Table 4.

Gate 3 — Whose architecture delivers the service?

The last gate determines which set of obligations lands on you, and it carries the biggest cost consequences.

DoD’s February 2025 briefing applies a clean operational test for the question every managed provider asks — am I a Cloud Service Provider?This is DoD technical guidance interpreting the rule, not rule text itself, but it’s the clearest official statement available:

If the cloud tenant is subscribed or licensed to the client — even if you resell the service — you are not a CSP. If you contract with a cloud provider and further modify the basic cloud service, you are a CSP and must meet applicable FedRAMP or equivalency requirements.

DoD adds the practical version: “An MSP which configures an OSA’s subscribed cloud service is not a CSP.” And the warning: “If the MSP owns the cloud tenant and further sub-divides it for customer use, they have probably crossed the line and are offering it as a cloud service.”

This one distinction is the difference between a documentation exercise and a FedRAMP program. Assume the worst and you can budget six figures for an obligation you don’t have.

Translation: isolation is money.A shared multi-tenant environment drags more of your business into your client’s assessment than a segmented one does.

The four paths — and how they stack

Run the three gates and you identify every path that applies to you. They are not mutually exclusive, and treating them as if they were is the most common structural mistake we see in provider compliance planning.

PathYou’re on it whenWhat you oweSource
Your own CMMC StatusGate 1 hits — DFARS 252.204-7021 is in your own contractA CMMC Status for your assessment scope, plus the required posting and annual affirmation32 CFR 170.3, 170.22
Client-scope ESP treatmentGate 2 hits and you’re not a CSPA service description and Customer Responsibility Matrix; your service is assessed inside your client’s assessment32 CFR 170.19(c)(2)
CSP / FedRAMP dutiesGate 3 hits and your cloud holds client CUIYour client must use a CSP meeting FedRAMP Moderate or documented equivalency; your actual duties flow through your contract with themDFARS 252.204-7012, 32 CFR 170.19(c)(2)(i)
Ecosystem role dutiesYou hold a C3PAO authorization, CCP, or CCA certificationConduct, conflict-of-interest, eligibility, and records obligations32 CFR Part 170 Subpart C
None of the four, for nowGate 2 misses on every service line and Gates 1, 3, 4 miss tooDocument why — the analysis is the deliverable, and a prospect will ask for it

“None of the four” doesn’t mean no security obligations. Your client contracts, your insurance, your own risk posture, and any non-CMMC framework you’ve committed to are untouched. It means the CMMC rules don’t reach you on the facts as they stand today.

Decision point.

You now have a repeatable test. Run it on your own company before you read another word of vendor marketing.

Run the Three-Gate Test →

Twelve structured questions. You get a dated, printable result showing every path that applies, with the rule citation behind each one. No email required to see your answer.

Do not submit CUI, drawings, credentials, vulnerability findings, network diagrams, or contract attachments. The tool takes structured answers only.


Which kind of cybersecurity company are you, and what does that mean?

Cybersecurity business models split into materially different CMMC outcomes. A vCISO who reviews sanitized documents, a SOC ingesting client logs, and a SaaS platform hosting client CUI sit in three different regulatory positions, even though all three are “cybersecurity companies.” The variable is the data and the architecture, not the label on the business card.

Find your row. The middle columns state what the regulation establishes. The last column names the fact you still have to verify yourself, because that’s where the answer actually turns.

Your business modelWhat the regulation establishesLikely pathThe fact you must verify
Strategy consultant / vCISO, advice onlyNeither CUI nor SPD on provider assets means no ESP status for that serviceNone of the fourWhether any artifact you retain is CUI or SPD
Staff augmentation on client-owned everythingDelivery through client processes, technology, and facilities keeps provider assets out of the pathOften treated like client staffDevice, account, VPN, and credential-vault ownership
Penetration testing / vulnerability assessmentVulnerability and configuration data about in-scope assets falls within the SPD definitionClient-scope ESPWhere findings are stored, how long, and whether the target data is itself CUI
Incident response / digital forensicsLogs, images, and captures can be SPD; CUI may also be presentClient-scope ESP, plus DFARS 252.204-7012 duties where the clause reaches youWhether you retain artifacts on your infrastructure after closeout
MSP / RMM / help desk / managed administrationPasswords granting access to the in-scope environment are SPDClient-scope ESPWhether client CUI lands in ticketing, backups, or file shares
MSSP / SOC / MDR / managed SIEMLogs generated or ingested by a security tool are the textbook SPD exampleClient-scope ESP, assessed as a Security Protection AssetWhether you also hold CUI, and who owns the cloud tenant
Security SaaS holding only SPDSPD-only services are assessed as Security Protection Assets in the client’s scopeClient-scope ESPWhether your platform has started ingesting CUI
Security SaaS or CSP holding client CUIA CSP holding CUI must meet the FedRAMP requirements in DFARS 252.204-7012CSP / FedRAMPTenant ownership, and whether you modify the underlying cloud service
COTS product reseller, product onlyAcquisitions exclusively for COTS items sit outside the general applicability statementNone of the fourWhether you also sell implementation, hosting, support access, or managed services
VAR / systems integratorProduct resale and service delivery are analyzed separatelyDepends on the service halfPersistent support access, migration work, hosted components
RPO or readiness consultancyConsulting artifacts can contain CUI or SPD; ecosystem conduct rules apply if you hold a credentialClient-scope ESP, plus ecosystem dutiesAny later participation in that client’s certification assessment
C3PAO or assessment firmSubpart C establishes organizational, personnel, and conflict requirementsEcosystem roleCurrent authorization status and prior consulting relationships
Hybrid — DoD sub and MSSPBoth the applicability test and the ESP scoping rules applyTwo or more pathsWhich legal entity and which systems support each role

Framework: The Defense Compliance Report editorial analysis applying 32 CFR 170.3, 170.4, and 170.19. These are likely positions, not legal determinations.

Two rows deserve a warning label.

Staff augmentation is narrower than people think.DoD’s briefing does treat outsourced staff working entirely inside client processes, technology, and facilities as “essentially the same as OSA staff.” But the very next line flags that offsite technicians and MSP-held passwords likely put SPD on your side of the line. If provider-owned laptops, VPNs, password vaults, or ticketing systems enter the delivery path, the clean staff-augmentation fact pattern no longer clearly applies. Re-run Gate 2.

“Temporary access” isn’t a category in the rule.Penetration testers and incident responders often assume short-lived access means no scope. The rule doesn’t measure duration. It measures whether CUI or SPD is processed, stored, or transmitted on your assets. A ninety-minute engagement can still create provider-side scope if the retained report is SPD.


Does your cybersecurity company need its own CMMC certification?

Not because of what your clients do. Under 32 CFR 170.19(c)(2)(i), an External Service Provider that is not a Cloud Service Provider and handles CUI has its services assessed as part of the client’s assessment, not through its own certification. Section 170.19(c)(2)(ii) states the ESP “may voluntarily undergo a CMMC certification assessment.” The word in the rule is voluntarily. A separate obligation exists only if your own contract carries a CMMC clause.

Table 4 to 32 CFR 170.19(c)(2)(i) sets out ESP scoping requirements for CMMC Level 2. Here it is, reproduced from the eCFR:

When the ESP processes, stores, or transmits:If the ESP is a CSPIf the ESP is not a CSP
CUI (with or without SPD)The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012The services provided by the ESP are in the client’s assessment scope and shall be assessed as part of the client’s assessment
SPD (without CUI)The services provided by the CSP are in the client’s assessment scope and shall be assessed as Security Protection AssetsThe services provided by the ESP are in the client’s assessment scope and shall be assessed as Security Protection Assets
Neither CUI nor SPDDoes not meet the CMMC definition of an ESPDoes not meet the CMMC definition of an ESP

Source: 32 CFR 170.19(c)(2)(i), Table 4. Table 6 at 170.19(d)(2)(i) is structurally identical for Level 3.

Find the words “the ESP must be certified” in that table. They aren’t there. What’s there is that your services— not your company — enter your client’s assessment.

Then 170.19(c)(2)(ii) closes the loop: the ESP relationship must be documented in the client’s System Security Plan and described in “the ESP’s service description and customer responsibility matrix (CRM).” And: “Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment.”

DoD’s February 2025 briefing says the same thing twice, in plain English:

  • “ESPs can voluntarily undergo their own CMMC Level 2 C3PAO assessment.”
  • “ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do NOT require a separate CMMC assessment, nor do they require FedRAMP authorization or equivalency.”

Why so many sources say the opposite

Three different answers have been circulating, and two of them are out of date. We traced each one.

What you’ve been toldWhere it came fromWhat the current rule says
“Your ESP must be certified at the same level as you”The proposed CMMC rule published December 26, 2023. It was repeated widely in 2024 provider marketing and press releases — much of which is still live and still rankingThe final rule published October 15, 2024, effective December 16, 2024, replaced this with Table 4. Certification became voluntary
“If your MSP touches CUI on its own systems, it needs Level 2”Commentary from Cyber AB Town Hall sessions in 2025Town hall commentary is not the rule. Table 4 requires the services to be assessed within the client’s assessment
“If your MSP touches your logs, it needs Level 2”Conflation of Security Protection Data with CUISPD-only providers are assessed as Security Protection Assets inside the client’s scope. DoD’s February 2025 briefing states they need no separate assessment and no FedRAMP

We’re not calling anyone dishonest. Most of this is honest lag — the proposed rule said one thing, thousands of pages of marketing got written, and the final rule changed it. But the lag is expensive. A ten-person MSP that budgets six figures for a certification the rule doesn’t require has made a real business mistake based on a stale citation.

The catch, stated plainly

Not required is not the same as no obligation. Three things are true at once:

  1. The rule doesn’t require your certification.
  2. The rule does require your services to be assessed inside every client’s assessment, with a service description and Customer Responsibility Matrix for each one — and that’s more than a paperwork exercise. Your personnel may be interviewed. Your implementation may be examined and tested.
  3. Your clients and their primes can impose additional lawful contractual and vendor-risk requirements beyond the CMMC minimum, and many do.

That third point is what actually drives spending. The July 13 memo binds government contracting officers. It doesn’t rewrite a prime’s purchase order or a client’s vendor risk questionnaire.

Decision point.

If you’re an ESP without your own certification, the deliverable your client’s assessor will ask for is a Customer Responsibility Matrix — and a generic control list won’t survive contact with an assessment team.

Download the ESP Evidence Pack →

Three CRM starters, one for each path: non-CSP ESP handling CUI, SPD-only service assessed as Security Protection Assets, and CSP holding CUI. Plus a service description outline, a scoping worksheet, and prospect-response scripts.

Editorial worksheets, not official Cyber AB forms or a compliance determination. Do not submit CUI or client details to receive them.


What actually happens to your company inside a client’s assessment?

When an External Service Provider’s services enter a client’s CMMC assessment scope, the assessment team evaluates the relevant requirements using the examine, interview, and test methods in NIST SP 800-171A, which 32 CFR 170.17(c)(1) requires Level 2 certification assessments to follow. Under 32 CFR 170.19(c)(2)(ii), the ESP relationship must appear in the client’s System Security Plan and be described in the provider’s service description and Customer Responsibility Matrix.

This is the practical reality that “you don’t need certification” doesn’t capture, and it’s where providers get burned.

Here’s the sequence. Your client engages a C3PAO, or runs a self-assessment. Either way, the scoping exercise finds you. Then:

  1. They read your client’s SSP for the description of your relationship and your services.
  2. They ask for your service description — what people, systems, and facilities actually deliver the service.
  3. They ask for your Customer Responsibility Matrix — which requirements you implement, which the client implements, and which are shared with defined boundaries.
  4. For every requirement the CRM assigns to you, they gather evidence. Under 32 CFR 170.17(c)(1), the assessment follows NIST SP 800-171A, which evaluates each assessment objective by examining artifacts, interviewing personnel, and testing mechanisms. If the team can’t obtain sufficient evidence, the objective is scored NOT MET in your client’s assessment.
  5. Under Table 3 to 32 CFR 170.19(c)(1), your Security Protection Assets are assessed “against Level 2 security requirements that are relevant to the capabilities provided.” DoD’s briefing names the usual suspects: SIEM, vulnerability scanners, EDR.

Step 4 is where the cost lives, and it’s not just documents. Your people may sit for interviews. Your configurations may be tested.

What “evidence” means when an assessor says it

ArtifactThe question it has to answerHow it’s likely evaluatedWhere providers fail
Service descriptionExactly which people, systems, and facilities deliver this serviceExamineMarketing copy with no technical boundary
Customer Responsibility MatrixFor each applicable requirement: yours, theirs, or shared — and shared howExamineA generic control list that doesn’t match what the client bought
Data flow diagramWhere CUI and SPD enter, travel, rest, and leaveExamineOmits ticketing, backups, log archives, and admin jump boxes
Asset and hosting inventoryWhich of your assets and which fourth parties deliver the serviceExamineLists client endpoints only, ignores your own stack
Identity and access modelWho administers what, from which devices, from whereExamine, interview, testShared admin accounts and undocumented access paths
Log and vulnerability handlingWhat security data you retain, where, and for how longExamine, testNo classification, no retention rule, no deletion evidence
Incident procedureWho detects, who reports, who preserves, on what clockExamine, interviewAn SLA that conflicts with the client’s 72-hour DFARS 252.204-7012 reporting duty
Personnel availabilityWho on your team can answer for an assigned requirementInterviewNobody scheduled, or the wrong person
Fourth-party mapWhich of your vendors touch client CUI or SPDExamineUnknown downstream cloud and support dependencies
Exit and deletion planHow data, accounts, and evidence are returned or destroyedExamineClient data survives termination indefinitely

If you can produce those on request, you’re a low-friction vendor in a market full of high-friction ones. That’s a sales asset, and it costs a fraction of a certification.

How often? There’s no universal rule setting a provider evidence cadence. Each customer assessment in which your service is in scope may require current evidence and participation from you. The client’s Affirming Official owns the annual affirmation under 32 CFR 170.22— not you — but what they need from you to sign it depends on your contract with them.


How many cybersecurity providers hold a CMMC Level 2 certification?

As of July 18, 2026, the MSP Collective ESP Directory — an opt-in public directory of External Service Providers whose CMMC Level 2 certification the MSP Collective states it validates with the assessing C3PAO — listed 49 entries. All 49 are Level 2 against NIST SP 800-171 Rev. 2. None are Level 3. Listing velocity peaked at 15 in the first quarter of 2025 and fell to four in the second quarter of 2026. This is a dated third-party directory snapshot, not a complete census of every organization holding a CMMC Status.

When the final rule landed, the Cyber AB did not stand up a directory of certified service providers. The MSP Collective — formally, MSPs for the Protection of Critical Infrastructure — built one. Listings are free. Inclusion requires the provider to meet the ESP definition in the final rule, to not be a CSP handling CUI, and to hold a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC). The MSP Collective states that it validates each submitted entry with the assessing C3PAO before publishing. That validation step makes it the best public dataset available on this question.

Directory listings by certification quarter

Quarter certifiedNew listingsRunning total
2025 Q11515
2025 Q21227
2025 Q3532
2025 Q4739
2026 Q1645
2026 Q2449
2026 Q3 (through Jul 18)049

Source: The Defense Compliance Report count of the MSP Collective ESP Directory, July 18, 2026, using each entry’s published certification date. Opt-in directory; not an exhaustive census.

What the snapshot shows

Forty-nine listed providers. Fifteen carry certification dates in a single opening quarter, and nine share the same date — March 7, 2025.

Nothing new since May 18, 2026. That’s the most recent certification date in the directory. When we counted on July 18, that was a 61-day gap in a directory that had been adding four to fifteen entries a quarter for the previous fifteen months. Note the chronology:that gap opened before the July 13 suspension. The suspension may well affect future certification demand, but this snapshot can’t establish why the earlier slowdown happened.

Scale, as two separate facts.DoD’s February 2025 briefing estimates roughly 75,000 DIB companies fall at CMMC Level 2 and roughly 140,000 at Level 1. The directory lists 49 providers. Those are different measurements of different things — one is a population estimate, the other an opt-in listing count — and we’re not going to divide them into a ratio that implies a demand relationship neither number establishes. Read them side by side and draw your own conclusion.

Geography is lopsided. Virginia (9) and Maryland (7) together account for 33 percent of listings. Headquarters appear in 25 U.S. states and one Canadian province.

Everyone is at the same level.All 49 are Level 2 against Rev. 2. Zero are Level 3. Eight of the 49 are MSP Collective members, so the directory isn’t a members’ club.

Listed firms include C3 Integrated Solutions, CorpInfoTech, CyberSheath, Summit 7, OSIbeyond, ProStratus, MAD Security, Ntiva, and RSM US LLP, alongside two dozen regional providers most of the market has never heard of.

To be clear about what this is:we are reporting a third-party directory’s published contents and our own count of them. Naming a firm here reports a directory listing. It is not an endorsement, a recommendation, or a statement that we evaluated its services or independently confirmed its current Cyber AB Marketplace status. Verify any provider’s standing directly before you rely on it.

Decision point.

This snapshot is the clearest public picture of the certified-provider market anyone has published. Take the underlying data with you.

Download the July 18, 2026 directory analysis →

The quarter-by-quarter breakdown, geographic distribution, our raw CSV, the collection method, inclusion and exclusion rules, and version history. Source directory linked. Scheduled for monthly re-verification.


What does certification actually cost — and is it still worth it?

DoD’s regulatory analysis in the CMMC Program final rule models a small-entity Level 2 certification assessment plus initial affirmation at $101,752, and $104,670 over three years including two additional annual affirmations. Other-than-small entities are modeled at $112,345 initially and $117,768 over three years. The C3PAO engagement line alone is modeled at $31,234 for small entities and $52,056 for other-than-small. A small-entity Level 2 self-assessment plus initial affirmation is modeled at $34,277, or $37,196 over three years.

Those are DoD’s numbers, published in the final rule at 89 FR 83092. Read the fine print on them:

What the number isWhat it isn’t
A regulatory burden model built for rulemaking cost analysisA market quote or a rate card
Modeled on an entity that has already implemented NIST SP 800-171 Rev. 2Inclusive of implementation, remediation, or engineering work
Assessment plus affirmation labor and feesThe tooling, enclave, documentation, or staff time to become assessable
A per-entity average across a modeled populationWhat any specific company paid

That last row matters. The variable that determines your real number isn’t the assessment — it’s how far your environment is from ready before anyone shows up.

Here is our damaging admission, and it’s a real one

If your cybersecurity company certified at CMMC Level 2 in 2025, you invested in a credential that cannot currently be newly designated in any procurement requirement.

DoW Memo 26-P-1023suspended the Phase 2 transition. During the suspension, Program Managers and requiring activities “must only include the need for CMMC Level 1 (Self) or Level 2 (Self) assessments in procurement request and requirement documents” and “may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments during this period.” No waivers are being granted.

DoD modeled the three-year small-entity assessment-and-affirmation burden at $104,670 — and that excludes everything you spent getting ready. We could have buried that. We’re not going to, because you’d find out anyway and because the honest version is more useful than the comfortable one.

Now the part that matters more.

First, the certificate was never the requirement — it was the shortcut.Read Table 4 again. Your Table 4 obligations didn’t move an inch on July 13. The service description, the Customer Responsibility Matrix, the SSP documentation, the Security Protection Asset assessment — those live in 32 CFR 170.19, and the memo didn’t touch 32 CFR 170.19. Section 170.19(c)(2)(ii) says voluntary certification “may reduce the ESP’s effort required during the OSA’s assessment” — it reduces effort, it doesn’t eliminate customer-specific scoping, CRM validation, boundary verification, or your participation. But reducing that effort across a client book is real money.

Second, scarcity is still an asset.Forty-nine listed providers. A DIB that DoD sizes at roughly 75,000 companies at Level 2. If the program returns in a recognizable form — and the memo says “further guidance will be promulgated at the conclusion of the CIO’s 60-day review,” not “the program is cancelled” — that position took eighteen months and a serious investment to build.

Third, there’s an open door with a date on it. More on that below.

If this stings, here’s your off-ramp. Mid-assessment right now? Talk to your C3PAO before you cancel, because a voluntary assessment isn’t prohibited. And if you’re a DIB contractor who booked a Level 2 assessment for a November milestone that’s now suspended, that’s a different calculation: our C3PAO selection frameworkcovers postpone-or-proceed from the contractor’s side.


Did the July 13, 2026 suspension change any of this?

DoW Memo 26-P-1023, dated July 13, 2026, suspended the November 2026 transition to CMMC Phase 2 and pending implementation milestones. During the suspension, only CMMC Level 1 (Self) and Level 2 (Self) may be designated in new procurement requirements; Level 2 (C3PAO) and Level 3 (DIBCAC) may not. Phase 1 self-assessment requirements, DFARS 252.204-7012, and NIST SP 800-171 Rev. 2 remain in force. The ESP scoping rules in 32 CFR 170.19 were not amended.

We read the memo. Here’s exactly what it says, and exactly what it doesn’t.

What was suspended

  • The November 2026 Phase 2 transition and pending and future CMMC implementation milestones.
  • The ability of Program Managers and requiring activities to designate Level 2 (C3PAO) or Level 3 (DIBCAC) assessments. “The allowed designations are CMMC Level 1 (Self) or CMMC Level 2 (Self).”
  • Waivers. “No waivers shall be granted during the review of the program.”

The memo also directs relief on live procurements. Where an active solicitation already carries a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, requiring activities “must initiate amendments” and contracting officers “must issue a corresponding solicitation amendment as soon as practicable.” For existing contracts, contracting officers are directed to remove those requirements “via modification prior to the exercise of the next option period or during the next scheduled administrative modification.”

What survived untouched

  • Level 1 and Level 2 self-assessment. The memo states DoW “will enforce baseline compliance with NIST SP 800-171 Rev 2 through CMMC Level 1 and CMMC Level 2 self-assessment and select Government-led assessments.”
  • DFARS 252.204-7012. The memo says its requirements “remain in effect,” in those words.
  • NIST SP 800-171 Rev. 2 as the Level 2 standard. The memo states “CMMC Level 2 is aligned with NIST SP 800-171 Rev 2.”
  • 32 CFR 170.19. Not amended. Every provider scoping obligation on this page is current.
  • Voluntary assessments. The memo restricts what contracting officers may designate. It does not prohibit a company from pursuing a certification assessment, and C3PAOs continue to operate.

The three-layer answer nobody is giving

LayerWhat it saysWhat it actually controls
The codified rule — 32 CFR 170.3The four-phase schedule, unamended since December 16, 2024The program’s legal architecture
The policy memo — 26-P-1023, July 13, 2026Phase 2 suspended; only Level 1 (Self) and Level 2 (Self) may be newly designated; solicitations to be amended; contracts to be modified; no waiversWhat contracting officers may do going forward
Your award documentWhatever it says right nowYour actual obligation — until the amendment or modification is issued in writing

That bottom row is the one that costs people money. A press release didn’t modify your contract. If your award or your prime’s subcontract carries a Level 2 (C3PAO) requirement today, that requirement is live for you until the contracting officer issues the amendment or modification. Read the paper. Ask your contracting officer or your prime for it in writing.

When a client asks “is CMMC dead?”, that table is your answer. Neither “nothing changed” nor “it’s over” is accurate, and a provider who says either loses credibility with the buyers who matter.

What’s still unknown

The memo establishes a 60-day review and reporting period, with the CMMC Reform Task Force reporting to the DoW CIO. It does not guarantee a public report or a replacement schedule on any particular date. The post-review program structure and implementation schedule have not been published, and the memo’s own last line is: “Further guidance will be promulgated at the conclusion of the CIO’s 60-day review.”

Anyone telling you they know how it lands is guessing.

Also note: Prime flow-down.A memo binds government contracting officers. It does not rewrite your client’s purchase order with their prime.

Decision point.

This page has a shelf life measured in weeks, and we treat that as our problem, not yours.

Get the ESP Regulatory Watch →

We re-verify this page monthly, re-count the directory, and send a short note when the CMMC Reform Task Force reports. Regulatory updates only. No sales sequence, no provider pitches.


Which clause numbers should you actually be checking in 2026?

Effective February 1, 2026, DoD Class Deviation 2026-O0025 under the Revolutionary FAR Overhaul directs contracting officers, for covered actions, to use revised FAR Part 40 and a new DFARS Part 240 in place of the codified text. Part 240 prescribes DFARS 252.240-7997 for NIST SP 800-171 DoD Medium and High assessments. The codified DFARS 252.204-7019, 252.204-7020, and FAR 52.204-21 remain published and can still appear in older or existing awards, so the solicitation, contract, amendment, modification, and applicable deviation have to be read together.

If you build vendor questionnaires, contract review checklists, or client-facing compliance matrices, this will bite you.

ClauseCodified statusWhat the deviation directs for covered actionsWhat it means for you
DFARS 252.204-7012Published and in forceRetained under the new Part 240 structureSafeguarding CUI, cloud service provider requirements, 72-hour cyber incident reporting, media preservation
DFARS 252.204-7021Published and in forceRetained; not renumberedThe CMMC clause. Establishes the required CMMC Status and flow-down
DFARS 252.204-7019Still published in the codified DFARSNot prescribed for covered actions under the deviationThe standalone “Basic” self-assessment provision is no longer directed for new covered actions — but can appear in older awards
DFARS 252.204-7020Still published in the codified DFARSReplaced for covered actions by DFARS 252.240-7997, covering DoD Medium and High assessmentsGovernment-performed assessments and the resulting records
FAR 52.204-21Still published in the codified FARRelocated for covered actions to FAR 52.240-93The 15 basic safeguarding requirements for Federal Contract Information — content unchanged

Source: DoD Class Deviation 2026-O0025 and the FAR Overhaul Part 40 deviation guide. Verified July 18, 2026.

Three practical consequences.

Your checklist is probably stale.If your vendor questionnaire asks whether a client has posted a “7019 score,” you’re asking about a provision that isn’t prescribed for new covered actions. But don’t overcorrect: it hasn’t been deleted from the codified DFARS, and it can still appear in an existing award.

Don’t treat 252.240-7997 as a clean rename.It covers DoD Medium and High assessments — government-performed evaluations — and the records they produce. CMMC Level 2 self-assessment and affirmation obligations arise separately, through 32 CFR Part 170 and DFARS 252.204-7021 when incorporated. Those are three different mechanisms.

Both numbering systems are live.Because these are class deviations ahead of formal rulemaking, either set of numbers can appear depending on the age and type of the action. Read the actual award document. Don’t infer from a clause number that a requirement appeared or disappeared.

For the full crosswalk, see our breakdown of the CMMC Final Rule and its clause structure.

Who posts what, and where

InformationWho submits itWhere it lands
CMMC Level 1 or Level 2 self-assessment results and affirmationThe contractor, through the process prescribed in 32 CFR Part 170SPRS — the Supplier Performance Risk System
Level 2 certification assessment results and Certificates of CMMC StatusThe C3PAOThe CMMC instantiation of eMASS, which transmits to DoD systems
DoD Medium and High NIST SP 800-171 assessment resultsThe GovernmentDoD assessment records under DFARS 252.240-7997

You don’t post your client’s score. They do — or their C3PAO does. Being clear about that in a sales conversation is a small thing that signals you actually know the program.


Why does CMMC still use NIST editions that NIST has withdrawn?

CMMC Level 2 is assessed against NIST SP 800-171 Revision 2, and CMMC Level 3 uses selected requirements from the February 2021 edition of NIST SP 800-172, because 32 CFR Part 170 incorporates those specific editions by reference. NIST has since published newer revisions and withdrawn the earlier editions from its own catalog. The regulation controls for CMMC purposes until DoD amends it.

NIST withdrew SP 800-171 Revision 2 in May 2024 when it published Revision 3. It withdrew the February 2021 edition of SP 800-172 in May 2026 when it published a new revision. If you look those documents up on the NIST Computer Security Resource Center today, you’ll see withdrawal notices.

None of that changes CMMC. Section 170.14 incorporates SP 800-171 Revision 2 for Level 2 and the February 2021 SP 800-172 for Level 3 by reference. The eCFR shows Part 170 unamended since December 16, 2024. And the July 13, 2026 memo restates it: “CMMC Level 2 is aligned with NIST SP 800-171 Rev 2.”

So there are two accurate statements, and you need to keep them apart:

  • Revision 2 is the current CMMC-controlling edition. True.
  • Revision 2 is NIST’s current publication. False.

Practical advice for a provider: do not build a client’s CMMC Level 2 program to Revision 3 on the theory that it’s “newer and therefore safer.” The assessment methodology, the control set, and the scoring in 32 CFR 170.24 are built on Revision 2. Building to a different revision doesn’t earn you credit — it creates a mapping problem for whoever has to assess it.


What if your cybersecurity company is also a DoD contractor?

A cybersecurity company holding its own DoD prime contract or subcontract is subject to CMMC on the same terms as any other defense contractor. Under 32 CFR 170.3, the trigger is processing, storing, or transmitting Federal Contract Information or Controlled Unclassified Information on contractor information systems in performance of a DoD contract. The required level and assessment type come from the contract, not from the industry the contractor operates in.

This is Gate 1, and it’s the path most cybersecurity companies overlook because they’re focused on their client-side role.

If you sell SOC services directly to a DoD program office, run a cyber range under a defense contract, deliver security engineering as a subcontractor to a prime, or hold a task order carrying DFARS 252.204-7021 — you’re a defense contractor. Your obligation comes from your own award.

What that means in practice:

  • Your level comes from the clause, not from your own view of your maturity. During the suspension, the only designations available to a contracting officer for new requirements are Level 1 (Self) and Level 2 (Self).
  • FCI-only work sits at Level 1 — the 15 basic safeguarding requirements, self-assessed annually.
  • CUI work sits at Level 2 — all 110 NIST SP 800-171 Rev. 2 requirements across 14 control families.
  • You post and you affirm. The annual affirmation of continuing compliance under 32 CFR 170.22 is a signed statement submitted by a designated Affirming Official. With third-party designation suspended, that signature is now the primary external checkpoint on your posture. Treat the accuracy of what you submit as a governance matter.
  • One corporate certification doesn’t cover everything. A CMMC Status attaches to a defined assessment scope and the information systems within it — not to a company. Your production environment and your client-delivery environment may be different scopes.

That last point is why the paths stack. A firm that is a DoD subcontractor and an MSSP to other DIB companies carries two separate documentation burdens on two separate boundaries. Trying to satisfy both with a single enterprise-wide certification claim is where provider positioning most often falls apart under questioning.


Should you become a C3PAO, an RPO, or a Certified CMMC Professional?

These are different things governed by different authorities. C3PAO, CCA, and CCP are roles established in 32 CFR Part 170 Subpart C, with requirements including background investigations and foreign ownership review. RPO and RP are Cyber AB Marketplace designations administered under the Accreditation Body’s own program — we read all six sections of Subpart C (170.8 through 170.13) and neither term appears in any of them.

That finding surprised us, so we’ll show our work. 32 CFR Part 170 Subpart C is titled “CMMC Assessment and Certification Ecosystem” and contains exactly six sections: 170.8 (Accreditation Body), 170.9 (C3PAOs), 170.10 (CAICO), 170.11 (Certified Assessor), 170.12 (Instructor), and 170.13 (Certified Professional). No RPO. No RP.

That doesn’t make RPO status worthless — it’s a recognized Marketplace designation with its own program requirements, and buyers look for it. It does mean “becoming an RPO” and “becoming a C3PAO” aren’t two rungs on the same ladder. One is a Marketplace registration. The other is an Accreditation Body authorization process established by federal rule, with a government-conducted assessment at the end of it.

CredentialWhat it authorizesGoverning authorityWhat it takes
RPO / RP — Registered Provider Organization / Registered PractitionerConsulting, readiness, and implementation advice. Cannot conduct certification assessmentsCyber AB Marketplace program. Not established in 32 CFR Part 170Training and registration under the Accreditation Body’s program
CCP — CMMC Certified Professional“Advice, consulting, and recommendations” to clients; may sit on an assessment team under a Certified Assessor’s oversight32 CFR 170.13CAICO certification valid 3 years, plus a Tier 3 background investigation initiated via SF 86
CCA — CMMC Certified AssessorConducts Level 2 certification assessments in support of a C3PAO32 CFR 170.11Must already be a CCP with 3 years cybersecurity experience, 1 year assessment or audit experience, and a foundational qualification at Intermediate proficiency for the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) work role
Lead CCALeads assessment teams and makes final determinations32 CFR 170.11(b)(10)5 years cybersecurity, 5 years management, 3 years assessment or audit experience, plus Advanced proficiency in the 612 work role
C3PAOConducts Level 2 certification assessments, issues Certificates of CMMC Status32 CFR 170.9See below

What becoming a C3PAO actually requires

We pulled all twenty requirements at 32 CFR 170.9(b). The ones that stop most firms:

  • The government assesses you. A C3PAO must undergo a Level 2 certification assessment conducted by DCMA DIBCAC, not by a peer C3PAO. And it “will not result in a CMMC Status of Level 2 (C3PAO) nor receive a Certificate of CMMC Status.” You do the work; you don’t get the certificate.
  • Foreign ownership review. SF 328 to the Defense Counterintelligence and Security Agency, a National Security Review under 32 CFR 117.11, and a non-disqualifying eligibility determination from the CMMC PMO before you can proceed to the DIBCAC assessment.
  • Background investigations for assessment personnel. Every C3PAO company person participating in the Level 2 certification assessment process — the assessment team and the quality assurance individual — completes a Tier 3 background investigation initiated via SF 86.
  • ISO/IEC 17020:2012 within 27 months of authorization.
  • Team composition is fixed. Minimum two people: a Lead CCA plus at least one other CCA. Your quality assurance individual must be a CCA and cannot be on the team they’re reviewing.
  • Your assessors can’t use their own laptops. Under 32 CFR 170.11(b)(7), assessors may only use IT, cloud services, and endpoints provided by the engaged C3PAO — and that infrastructure must itself have undergone a DIBCAC Level 2 assessment. Personally owned devices are prohibited for assessment-related information.
  • Six-year retention on assessment-related records specified in 170.9(b)(9).

The conflict wall, exactly as written

This is the rule most providers get fuzzy about, and it isn’t fuzzy at all.

32 CFR 170.8(b)(17)(ii)(G) requires the Accreditation Body’s Code of Professional Conduct to “prohibit CMMC Ecosystem members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.”

Three years. And note the breadth of the phrase: anyCMMC assessment. Preparing a client for a Level 1 self-assessment can bar you from their later Level 2 certification team. For that specific scenario, disclosure doesn’t cure it — the prohibition is on participating.

Two related rules people miss:

  • Instructors can’t consult while instructing. 32 CFR 170.12(c)(7) prohibits CMMC Instructors from providing CMMC consulting services while serving as an instructor — though they may serve on an assessment team, subject to conduct and conflict policies.
  • Accreditation Body departures get a cooling-off period. One year, under 170.8(b)(17)(i)(C).

Our read:if your revenue model is readiness and remediation, C3PAO authorization isn’t an upgrade — it’s a second business you have to run on a different client base. Firms that hold both roles serve different clients in each. Structure it that way from day one, or don’t do it.

There’s also a timing problem on top of the structural one. Level 2 (C3PAO) assessments can’t be newly designated in any procurement during the suspension. Building an assessment practice into that is a bet on the Task Force’s recommendation, not a business plan.

Decision point.

If you’re weighing an ecosystem credential, the constraint that usually decides it is the conflict wall, not the cost.

Compare the five credentials side by side ↑

Role, authority, prerequisites, and what each one bars you from doing. No form, no email.


What can your company accurately say about its CMMC role and status?

CMMC Ecosystem members are bound by conduct rules on how they describe themselves. 32 CFR 170.8(b)(17)(ii)(E) requires the Accreditation Body’s Code of Professional Conduct to compel members to “represent themselves and their companies accurately; to include not misrepresenting any professional credentials or status, including CMMC authorization or CMMC Status, nor exaggerating the services that they or their company are capable or authorized to deliver.”

If you hold any ecosystem credential — RPO, RP, CCP, CCA, C3PAO — this rule governs your website copy. Here’s how we’d audit a provider’s marketing against it. This is our editorial application of the conduct rule, not a legal opinion.

The claimSupported by a verified role or status?The artifact that proves it
“We are CMMC certified”Ambiguous without level, status type, scope, and date — and ambiguity is what the conduct rule targetsCertificate or status record, plus the assessment scope
“We hold CMMC Status of Final Level 2 (C3PAO) for [named scope], assessed [date] by [C3PAO name]”Yes, if trueCertificate, scope definition, date, assessing C3PAO
“Our CMMC Status is Final Level 2 (Self) for [named scope], self-assessed [date], affirmation submitted [date]”Yes, if trueSelf-assessment record, affirmation date
“We are CMMC compliant”No — not a status the rule recognizes. It blurs implementing requirements with holding a status
“We are a Registered Provider Organization”Yes, if currentLive Cyber AB Marketplace listing, checked on a date
“We are CMMC accredited”No, unless you are currently authorized or accredited as a C3PAO and are describing exactly thatC3PAO authorization or accreditation record
“DoD approved” / “Cyber AB approved” / “government approved”No — too generic to be verifiable. State the exact listing, authorization, certification, or Status you holdThe specific record
“We guarantee you’ll pass your assessment”No — no provider can guarantee an assessment outcome
“Our platform makes you CMMC compliant”No — exaggerates capability. The 110 requirements include process, personnel, physical, and documentation controls no platform delivers
“Our managed service is inside a CMMC Level 2 assessment scope certified [date], and we provide the CRM confirmed by our assessing C3PAO”Yes, if trueCertificate, scope, CRM, service description

Framework: The Defense Compliance Report editorial analysis applying 32 CFR 170.8(b)(17)(ii)(E). If you’re unsure about a specific claim, run it past counsel.

The accurate version is usually more persuasive than the vague one anyway. “Certified Level 2 for our managed services, June 2025, CRM available on request” beats “CMMC compliant” with any buyer sophisticated enough to matter.


Does SOC 2, ISO 27001, or FedRAMP cover you for CMMC?

No. None of them produce a CMMC Status. SOC 2 and ISO/IEC 27001 can supply evidence toward specific requirements, and FedRAMP authorization satisfies the cloud service provider requirement in DFARS 252.204-7012 where CUI is involved — but a CMMC Status is produced only through the assessment, scoping, scoring, and affirmation path in 32 CFR Part 170.
What you holdWhat it can support in a CMMC contextWhat it does not establishThe scope mismatch to check
SOC 2 Type IIEvidence of tested controls for a defined system over a period — useful for access control, change management, monitoringA CMMC Status, or implementation of all 110 NIST SP 800-171 Rev. 2 requirementsWhether the SOC 2 system boundary matches the CMMC assessment scope, and whether the report is current
ISO/IEC 27001Evidence of a functioning ISMS and supporting policy and risk artifactsA CMMC Status, or a control-by-control result under NIST SP 800-171AWhether the Statement of Applicability covers the systems in the CMMC boundary
FedRAMP Moderate authorizationSatisfies the cloud service provider requirement in DFARS 252.204-7012 where CUI is in the cloudYour company’s own CMMC Status. It addresses the cloud, not the contractorWhether the authorized service offering is the one your client actually uses
NIST SP 800-171 self-assessment scoreCurrent implementation for a defined system under a defined methodologyEvery CMMC Status, or full contract eligibilityWhether the assessed system is the same one in the CMMC scope, and the score’s date
CMMC StatusAssessment and affirmation result for a defined CMMC assessment scopeEnterprise-wide coverage, or coverage of services outside that scopeWhat’s actually inside the certified scope

Framework: The Defense Compliance Report editorial analysis. No framework listed here is equivalent to another; reuse means an artifact may reduce effort, not that a requirement is satisfied.

If you are a Cloud Service Provider, read this carefully

The FedRAMP path is stricter than most providers realize, and the strictness is where deals die.

Under DFARS 252.204-7012, a contractor using a cloud service to hold covered defense information must require that provider to meet security requirements equivalent to FedRAMP Moderate. The DoD CIO memorandum of December 21, 2023 defines what “equivalent” means: 100 percent compliance with the FedRAMP Moderate baseline, assessed by a FedRAMP-recognized Third Party Assessment Organization, with no POA&Ms resulting from that assessment— all POA&M actions corrected and validated closed by the 3PAO. Self-attestation is not permitted. The provider supplies a complete Body of Evidence including the System Security Plan, Security Assessment Plan, Security Assessment Report, and continuous monitoring evidence.

And here’s the operational trap, straight from DoD’s February 2025 briefing: “There is no registry of offerings that meet equivalency requirements. The OSA must evaluate the CSP’s body of evidence.”Assessors review that Body of Evidence as part of your client’s assessment.

Practically: if you sell a cloud service into the DIB and you’re not on the FedRAMP Marketplace, every single client has to independently evaluate your evidence package, and their assessor has to review it. That’s friction on every deal, forever, until you’re authorized. Build the Body of Evidence into your sales motion or you’ll keep losing deals without ever learning why.


What should your company do in the next 30 days?

The highest-value first month is documentation and contract work, not procurement. Establish which paths apply to each service line, produce a service description and Customer Responsibility Matrix for anything in a client’s scope, and decide whether to respond to DoW’s open Request for Information before it closes at 12:00 p.m. Eastern on Friday, August 14, 2026.
DaysDo thisStop condition before you spend
1–3Pull every DoD contract, subcontract, PO, task order, and amendment. Search for 252.204-7021 and 252.204-7012Don’t budget for your own status until you’ve read the clause that supposedly requires it
3–7Map each service line: does it put CUI or SPD on your assets? Include ticketing, backups, log archives, password vaults, RMMDon’t scope a certification until you know which service lines are actually in scope
7–10For each cloud-delivered service, apply the tenant-ownership test. Who is the tenant licensed to?Don’t budget a FedRAMP program until you’ve confirmed you’re actually the CSP
10–14Assign each service line to every path that appliesDon’t buy anything until this is on paper, dated, and cited
14–21Draft a service description and Customer Responsibility Matrix for every service in a client’s scopeDon’t hire a consultant to write these until you’ve tried; you know your service better than they do
21–25Write your standard answer to “are you CMMC compliant?” and give it to salesDon’t let anyone improvise it on a call again
25–30Decide on the RFI. Then decide on certification — with the classification in handDon’t sign an assessment engagement without the four preceding outputs

The open door, and the clock on it

Alongside the suspension, DoW published a Request for Information titled Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base. Responses are due by 12:00 p.m. Eastern on Friday, August 14, 2026, through the official SAM.gov notice.

The RFI seeks input on cost drivers and administrative burden, which NIST SP 800-171 Rev. 2 controls deliver meaningful risk reduction, how companies are already using commercial cybersecurity tools and managed services, and how the Department might recognize those existing investments in a revised framework. It also asks about leveraging and optimizing self-attestation.

That is a request aimed directly at your business.

If you’ve already built a CMMC-aligned managed service, already certified, already run the tooling, already absorbed the cost — you have real cost data that few respondents will have. This is the fixed public deadline discussed on this page, and it’s a genuine, dated, closing window. Unlike most things labeled urgent in this industry, we didn’t manufacture it.

Go straight to the notice. We’re not putting a form in front of a government comment deadline.


The most expensive mistakes we see in provider compliance planning

Short list. Each one costs real money.

  1. Budgeting for certification before running the three gates. An expensive category error, usually traced to superseded proposed-rule language.
  2. Assuming no CUI means no involvement. SPD is the trigger most providers have never heard of. Admin passwords count.
  3. Assuming CUI means you personally need certification. Table 4 says your services get assessed in your client’s assessment.
  4. Treating the four paths as mutually exclusive. They stack. A subcontractor that’s also an MSSP carries two boundaries.
  5. Treating administrative access as the whole test. The test is what your assets process, store, or transmit — and whose infrastructure delivers it.
  6. Assuming you’re a CSP because you resell cloud. If the tenant is licensed to your client, DoD’s guidance says you’re not.
  7. Producing a generic control list and calling it a CRM. Assessors compare the CRM to the service the client actually bought.
  8. Saying “we’re CMMC compliant.” It isn’t a status, and if you hold an ecosystem credential the conduct rule in 170.8(b)(17)(ii)(E) is in play.
  9. Running readiness and then joining the assessment team for the same client. Three years, per 170.8(b)(17)(ii)(G).
  10. Telling clients CMMC is cancelled — or that their contract changed on July 13. It’s suspended, and a memo doesn’t modify a signed award. Read the amendment.

Frequently asked questions

Does an MSSP need CMMC certification?
Not because of its clients. Under 32 CFR 170.19(c)(2)(i) Table 4, a non-CSP External Service Provider handling CUI has its services assessed within the client’s assessment; 170.19(c)(2)(ii) makes the ESP’s own certification voluntary. An MSSP needs its own CMMC Status only if its own contract carries a CMMC requirement.
Do our client’s logs count as CUI?
Logs are expressly identified as an example of Security Protection Data in 32 CFR 170.4, which is a separate category from CUI. But a log can also contain CUI depending on its contents and origin. Classify the actual data, not the file type.
Does holding our client’s admin passwords put us in scope?
Passwords that grant access to the in-scope environment are Security Protection Data under 32 CFR 170.4. A provider enters the ESP analysis when those passwords are processed, stored, or transmitted on provider assets. DoD’s February 2025 briefing confirms an MSP holding passwords to client equipment is “likely holding security protection data.”
Is our MSP a Cloud Service Provider if we resell Microsoft 365?
Not on those facts, under DoD’s February 2025 technical guidance: if the cloud tenant is subscribed or licensed to the client, the MSP is not a CSP “even if the MSP resells the service.” You become a CSP if you contract with a cloud provider and further modify the basic cloud service, or if you own the tenant and sub-divide it for customer use.
Is a penetration test report CUI or SPD?
It depends on source and content. Vulnerability findings and configuration data about in-scope assets fall within the Security Protection Data definition at 32 CFR 170.4. If the report contains or reproduces marked CUI from the client’s environment, it may also be CUI. Document expected data categories, marking, handling, retention, and deletion in the engagement letter.
Does staff augmentation avoid CMMC scope?
Only where the client genuinely supplies all processes, technology, and facilities. DoD’s briefing treats outsourced staff as essentially the same as client staff in that arrangement — while also warning that offsite technicians or provider-held passwords likely create Security Protection Data. If provider-owned laptops, VPNs, or password vaults enter the delivery path, re-run the ESP analysis.
Does FedRAMP authorization make our SaaS company CMMC compliant?
No. FedRAMP addresses the cloud service provider requirement in DFARS 252.204-7012 where CUI is involved. It does not create a CMMC Status for your company, which comes only through the assessment and affirmation path in 32 CFR Part 170.
Does SOC 2 or ISO 27001 count toward CMMC?
They can provide supporting evidence for specific requirements, but neither produces a CMMC Status. CMMC Level 2 is assessed against all 110 NIST SP 800-171 Rev. 2 requirements using the methodology in NIST SP 800-171A — a different scope and a different standard. Check the boundary match before you assume any artifact is reusable.
Has CMMC been cancelled?
No. DoW Memo 26-P-1023 of July 13, 2026 suspended the Phase 2 transition and pending implementation milestones pending a 60-day review. Phase 1 self-assessment requirements, DFARS 252.204-7012, and NIST SP 800-171 Rev. 2 remain in force, and 32 CFR Part 170 remains on the books.
Can a contracting officer still require a C3PAO assessment right now?
A Program Manager or requiring activity may not newly designate Level 2 (C3PAO) or Level 3 (DIBCAC) during the suspension, and no waivers are being granted. Active solicitations carrying those requirements are to be amended and existing contracts modified — but until that written amendment or modification is issued, the award as written still governs. Verify the paper rather than treating the memo as though it rewrote your contract automatically.
Should we cancel our scheduled Level 2 assessment?
That’s a business decision, not a compliance one, and it depends on your contract book and your competitive position. Talk to your C3PAO before cancelling. The suspension restricts what contracting officers may designate; it does not prohibit voluntary assessments, and C3PAOs continue to operate.
What happened to DFARS 252.204-7019 and 7020?
Effective February 1, 2026, Class Deviation 2026-O0025 directs contracting officers, for covered actions, to use revised FAR Part 40 and new DFARS Part 240 in place of the codified text. Part 240 prescribes DFARS 252.240-7997 for DoD Medium and High assessments, and FAR 52.204-21 relocates to FAR 52.240-93 for covered actions. The codified clauses remain published and can appear in older or existing awards. DFARS 252.204-7012 and 252.204-7021 were not renumbered.
Do we need a Customer Responsibility Matrix?
If your services fall inside a client’s CMMC assessment scope, yes. 32 CFR 170.19(c)(2)(ii) requires the ESP relationship and services to be documented in the client’s System Security Plan and described in the ESP’s service description and customer responsibility matrix.
Can an RPO also be a C3PAO?
A firm may hold multiple ecosystem roles. But a CMMC Ecosystem member may not participate in a Level 2 certification assessment for an organization it served as a consultant to prepare for any CMMC assessment within the previous three years, per 32 CFR 170.8(b)(17)(ii)(G). Other actual, potential, or perceived conflicts must also be disclosed and managed under the applicable conflict policies.
Is RPO status required by the CMMC rule?
No. RPO and RP are Cyber AB Marketplace designations administered under the Accreditation Body’s own program. We read all six sections of 32 CFR Part 170 Subpart C — 170.8 through 170.13 — and neither term appears. The rule establishes the Accreditation Body, C3PAOs, the CAICO, Certified Assessors, Instructors, and Certified Professionals.
Do COTS cybersecurity products require CMMC?
An acquisition exclusively for commercially available off-the-shelf items sits outside the general applicability statement in 32 CFR 170.3. Adding implementation, hosting, customization, support access, or managed services changes the analysis, because those services can put CUI or SPD on your systems.
Why does CMMC still reference NIST SP 800-171 Revision 2 when NIST published Revision 3?
Because 32 CFR 170.14 incorporates Revision 2 by reference for CMMC Level 2, and the rule has not been amended. NIST withdrew Revision 2 from its own catalog in May 2024, and withdrew the February 2021 edition of SP 800-172 in May 2026. Revision 2 is the current CMMC-controlling edition; it is not NIST’s current publication. Don’t build a client’s CMMC program to Revision 3.
What do we say when a prospect asks “are you CMMC compliant?”
Have one approved answer and stop improvising. If you hold a certification assessment status: “Our CMMC Status is Final Level 2 (C3PAO) for [named scope], assessed [date] by [C3PAO name]. Our service description and Customer Responsibility Matrix for [service] are attached.” If you hold a self-assessment status: “Our CMMC Status is Final Level 2 (Self) for [named scope], self-assessed [date], with the required affirmation submitted [date].” If you don’t hold a status: “We don’t hold a CMMC Status for this service. Based on our current service architecture, 32 CFR 170.19 places this service inside your assessment scope rather than requiring a separate provider status. We provide the service description and Customer Responsibility Matrix your assessor will expect, and our people are available for assessment interviews.” That third answer is grounded in the rule and reads as competence.

Where this leaves you

Run the three gates. Identify every path that applies to each service line. Produce the two documents — service description and Customer Responsibility Matrix — for anything inside a client’s scope. Then, and only then, decide whether certification is a business investment worth making.

Forty-nine providers appear in the one validated public directory of certified service providers. DoD sizes the Level 2 DIB at roughly 75,000 companies. What you do with that gap in the next 30 days is a business decision — but make it with the classification in hand, not from a vendor’s slide deck.

Run the Three-Gate Test →

Free, no email, dated and cited output.


Related reading


Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. Providers named on this page are reported from a third-party directory listing; naming them is not an endorsement, a recommendation, or a statement that we evaluated their services or independently confirmed their current Cyber AB Marketplace status.

How this page was produced. Written by The Defense Compliance Report Editorial Team from primary sources: the eCFR text of 32 CFR Part 170, DoD CIO’s Technical Application of CMMC Requirements (February 2025), DoW Memo 26-P-1023 (July 13, 2026), DoD Class Deviation 2026-O0025, the CMMC Program final rule regulatory analysis at 89 FR 83092, and our own count of the MSP Collective ESP Directory on July 18, 2026. Regulatory statements are linked to the issuing authority at the point of use. Business-model classifications and provider-positioning judgments are editorial conclusions derived from those verified facts and are labeled as such. See our editorial standards and corrections policy.

This is educational research, not legal, contractual, or compliance advice.Your contract clause and your CUI handling set your obligations — not a checklist and not this page. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization and, where contract interpretation is material, a qualified federal-contracts attorney.

Change log

  • — Initial publication. Verified against 32 CFR Part 170 (eCFR, unamended since Dec 16, 2024), DoD CIO Technical Application of CMMC Requirements(Feb 2025), DoW Memo 26-P-1023 and Attachment 1 (July 13, 2026), DoD Class Deviation 2026-O0025, CMMC Program final rule at 89 FR 83092, and our own count of the MSP Collective ESP Directory on July 18, 2026.

Found an error? Our Corrections policy explains how we handle it.