
Managed IT Services for Defense Contractors: What CMMC Actually Requires (and How to Choose One)

By The Defense Compliance Report Editorial Team · Last verified: June 11, 2026.

Educational research, not legal, contractual, or compliance advice. Confirm your contract language, flow-down clauses, and required CMMC Status with your contracting officer, prime, counsel, or a qualified CMMC advisor before you act.


In short: for a defense contractor handling CUI, the managed IT or security provider you hire can land inside your CMMC assessment. Under 32 CFR Part 170, an MSP that processes, stores, transmits, or protects your CUI or Security Protection Data is assessed within your scope, so demand a Customer Responsibility Matrix and evidence before you sign.

Your situation changes the answer


The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details

“Managed IT services for defense contractors” sounds like a commodity. It isn’t. For a defense contractor that handles Controlled Unclassified Information (CUI), the IT provider you hire can become part of your CMMC assessment — and the wrong one can quietly put your certification at risk, sometimes without either of you noticing until an assessor is already at the table.

Here’s the bottom line, up front. If you handle CUI, you need a CMMC-focused managed service provider (MSP) or managed security services provider (MSSP) that can document exactly what it touches, hand you a Customer Responsibility Matrix showing who owns which security requirements, and hold up under a formal assessment. If you only handle Federal Contract Information (FCI — the less-sensitive contract data that isn’t public but isn’t CUI), a competent generalist MSP and a lighter compliance posture will do the job without the six-figure rebuild.

This guide is built on the primary sources — the CMMC Program Rule at 32 CFR Part 170, the DFARS clauses on Acquisition.gov, NIST SP 800-171 Rev. 2, and the Cyber AB’s assessment process and code of professional conduct. Where market information appears, it’s labeled and sourced.

Which managed IT path fits your defense contract?

| Your situation | Best first move | Don’t start with | Why |
|---|---|---|---|
| FCI only, no CUI | A defense-aware MSP + a Level 1 self-assessment checklist | A six-figure Level 2 rebuild | Level 1 is 15 basic safeguards and an annual self-assessment. Don’t overbuy. |
| You handle CUI (in email, endpoints, file shares, or engineering systems) | A CMMC-focused MSP/MSSP, or an MSP paired with a readiness consultant | A generic MSP that can’t produce evidence | Level 2 means 110 NIST SP 800-171 Rev. 2 requirements, and your provider’s relevant work is assessed alongside yours. |
| Your current MSP runs identity, monitoring, backups, or logging | Keep them only if they can document their role; otherwise augment or replace | A blind renewal | If they touch your CUI or your Security Protection Data, they’re in your assessment scope whether they know it or not. |
| You expect a third-party (C3PAO) assessment | Get ready with a readiness provider now; bring in the assessor separately | One firm to both fix and grade the same work | The firm that prepped you is barred from assessing you for three years. |
| You’re not sure where you stand | Map your CUI and what your provider touches | Buying tools first | Scope decides the provider. Tools don’t. |

What are managed IT services for defense contractors?

Managed IT services for defense contractors are outsourced IT and security operations built for the realities of DoD work: FCI and CUI handling, DFARS clauses, NIST SP 800-171, CMMC scope, a compliant cloud, endpoint and identity management, logging, incident response, and audit-ready evidence. A standard MSP keeps your systems running. A defense-grade provider makes your environment explainable, supportable, and provable when an assessor asks.

The gap between those two things is where contractors lose money — sometimes their contracts.

A typical commercial MSP is measured on uptime and ticket response. In a CMMC world, your IT environment has to produce evidence: who has access to CUI, how it’s logged, how it’s patched, how an incident gets escalated, and how all of that maps to specific security requirements. A provider that can’t generate that evidence isn’t “almost there.”

Four roles matter here, because the marketing blurs them on purpose:

  • MSP (managed service provider): runs your IT — identity, endpoints, patching, backups, helpdesk.
  • MSSP (managed security services provider): monitors and responds — logging, alerting, a security operations center (SOC), incident escalation. Many DIB suppliers need both functions, from one provider or two.
  • RPO (Registered Provider Organization): a Cyber AB-registered readiness consultant. Helps you scope, write your System Security Plan (SSP), build your Plan of Action and Milestones (POA&M), and remediate gaps.
  • C3PAO (CMMC Third-Party Assessment Organization): the independent firm authorized to perform your formal Level 2 assessment. Keep it entirely separate from the firms that prepared you.

The real question: does your IT provider pull you into your CMMC assessment?

It can — and this is the single most expensive thing most contractors miss. Under 32 CFR Part 170, an outside IT provider becomes an External Service Provider (ESP) when it processes, stores, or transmits your CUI, or handles the Security Protection Data that protects your environment. When that happens, the provider’s relevant services are assessed inside your assessment, and the rule requires a written Customer Responsibility Matrix (CRM) documenting who does what.

The rule defines an ESP as external people, technology, or facilities used to provide and manage IT or cybersecurity services. The trigger is data: to count as an ESP under CMMC, the provider has to handle your CUI or your Security Protection Data (SPD) — the logs, configuration data, vulnerability findings, and credentials used to protect your assessed environment — on its own systems.

Here’s the part that surprises people. Your MSP doesn’t have to touch a single CUI file to land in your assessment. If it deploys a remote monitoring and management (RMM) tool on your machines and that tool collects data used to protect your environment — logs, configurations, patch status, admin credentials — that’s Security Protection Data. It makes the provider a Security Protection Asset (SPA), and SPAs are assessed against the Level 2 requirements relevant to what they do.

There was panic in 2023 and 2024 that every MSP handling CUI would have to get its own CMMC certification. That was the proposed rule. The final rule changed it. Most ESPs do not need their own CMMC certificate — but their relevant services are still assessed within your scope, against the applicable Level 2 requirements (32 CFR 170.17, 170.19).

Does your IT provider land in your CMMC assessment?

| Your provider’s role | Touches CUI? | Touches Security Protection Data? | In your assessment scope? | How it’s handled | Written CRM required? |
|---|---|---|---|---|---|
| Cloud platform hosting your CUI (e.g., Microsoft 365 GCC High) — a Cloud Service Provider (CSP) | Yes | Yes, as the environment |  | CSP must meet FedRAMP Moderate (or equivalent) under DFARS 252.204-7012; documented in your SSP | Yes |
| MSP storing or processing your CUI on the MSP’s own systems | Yes | Likely | Yes | Relevant services assessed inside your assessment; MSP may voluntarily certify to reduce your effort (not required) | Yes |
| MSP with admin/RMM access collecting security data only (no CUI on its systems) | No | Yes | Yes | Treated as a Security Protection Asset; assessed against the relevant requirements | Yes |
| IT vendor with no CUI access and no security-data access | No | No | Not pulled in as an ESP | Document the relationship anyway | Per scope |

The written matrix in the last column is the Customer Responsibility Matrix (CRM) — sometimes called a Shared Responsibility Matrix. 32 CFR 170.19 requires that an ESP’s relationship and services be documented in your SSP and described in the ESP’s service description and CRM. A CRM accounts for the Level 2 requirements by showing which are met by the provider, which are yours, and which are shared. If a provider can’t produce one — or doesn’t know what one is — you’ve learned something important before signing.

Does your MSP need to be CMMC certified?

Usually no. The CMMC final rule does not require most external service providers that handle CUI to hold their own CMMC certificate. The real question is whether the provider touches your CUI or your Security Protection Data — if it does, its relevant services are assessed inside your assessment, and you need a Customer Responsibility Matrix documenting who does what.

So when an MSP advertises that it’s “CMMC certified,” treat it as a useful signal, not a finish line. What protects your certification is the scope documentation, the CRM, and evidence that the provider’s piece of your environment will hold up — not a logo.

Regulation-stated vs. what actually happens

| What the rule states | What actually happens / what to verify |
|---|---|
| Most ESPs handling CUI don’t need their own CMMC certificate. | Their relevant services are still assessed inside your scope. Get the provider’s service description and CRM, and confirm they cover the requirements tied to the services it performs. |
| A cloud provider handling CUI must meet FedRAMP Moderate (or equivalent). | Verify the specific tenant, the boundary, and the FedRAMP status in writing — not a logo on a webpage. |
| Conditional CMMC status allows a POA&M for some gaps. | You can’t POA&M everything. Only certain lower-weighted requirements are eligible, you must clear a minimum score, and open items must close within 180 days to reach Final status. |
| A senior official affirms compliance in SPRS. | That liability — including False Claims Act exposure for a false or reckless affirmation — stays with your company, not your MSP. |

Do you actually need a specialist — or can your current MSP work?

Not every defense contractor has to fire its MSP. The honest question isn’t “does my provider say the word CMMC on its website” — it’s whether the provider can document what it touches and produce evidence for it. That answer sorts your current MSP into one of three buckets: keep, augment, or replace.

Keep your current MSP if…

It can map its services to your CMMC scope, hand you a CRM, explain the difference between CUI and Security Protection Data without flinching, export evidence on request, and commit — in writing — to participating in your assessment. Switching providers right before an assessment can disrupt the very evidence you’re about to be graded on.

Augment your current MSP if…

They’re genuinely good at IT but light on compliance. This is the most common situation. Keep them running the environment and add what’s missing: a readiness consultant for your SSP and POA&M, an MSSP or SOC overlay for monitoring, or a GCC High specialist for the cloud migration.

Replace your current MSP if…

They can’t explain your CUI and security-data boundaries, refuse to participate in an assessment, can’t produce evidence, run their own monitoring tools as an opaque black box, lean on undisclosed subcontractors, or sell “CMMC compliance” with no matrix, no evidence, and no scope. Those aren’t quirks. They’re the failure modes that show up as findings.

A note on “we’ve handled compliance before.” Lots of providers have. The ones you can trust answer with documents — diagrams, logs, reports, a CRM, an assessment-support clause. The ones you can’t answer with confidence and a handshake. In a False Claims Act environment, a handshake is not evidence.


Which NIST SP 800-171 families should your provider support?

CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families. A managed IT provider can meaningfully own or share many of them — especially the technical families like access control, audit and logging, configuration management, and system integrity. But you keep the families that depend on business judgment, and you always keep responsibility for the truth of your SSP and your affirmation.

Here’s the map, family by family. Bring this table to your next vendor meeting.

| NIST SP 800-171 Rev. 2 family | What the provider typically handles | What stays yours | Evidence to request |
|---|---|---|---|
| Access Control | MFA, conditional access, admin permissions, remote access, account lifecycle | Deciding who needs CUI access; approving role changes | Access reports, admin review logs, remote-access config |
| Awareness & Training | Training platform and completion tracking (if contracted) | Making sure people complete it and understand CUI handling | Training completion exports, policy acknowledgments |
| Audit & Accountability | Log collection, SIEM, alerting, retention settings | Defining retention needs; reviewing the evidence | Logging architecture, sample logs, alert workflow |
| Configuration Management | Baselines, hardening, change tracking, RMM/MDM config | Approving business-impacting changes and exceptions | Baseline configs, change tickets, patch records |
| Identification & Authentication | MFA, identity provider, privileged accounts, password policy | Approving identity policy; owning the user lifecycle | MFA reports, privileged-account list, IdP config |
| Incident Response | Detection, containment support, SOC handoff, technical evidence | Reporting decisions; customer/prime notification; contractual obligations | IR runbook, escalation SLAs, incident tickets |
| Maintenance | Secure remote maintenance, tool access, maintenance logs | Approving maintenance windows and vendor access | Remote-access logs, maintenance records, tool inventory |
| Media Protection | Device encryption, removable-media controls, endpoint policy | CUI marking, handling, transport, disposal | Encryption reports, removable-media policy evidence |
| Personnel Security | Disabling accounts, supporting termination workflows | Screening; onboarding/offboarding decisions | Account-disablement SLA, offboarding tickets |
| Physical Protection | Facility/tool access only if the provider's facilities are in scope | Physical access control at your sites | Facility access evidence (if provider location is in scope) |
| Risk Assessment | Vulnerability scanning, technical risk reporting | Risk acceptance; remediation priorities | Vulnerability scans, remediation tickets, risk register |
| Security Assessment | Evidence exports, SSP technical inputs, POA&M support | Truthful self-assessment; SPRS posting; SSP ownership | SSP diagrams, POA&M support records |
| System & Communications Protection | Network segmentation, encryption, boundary protection, secure admin | Approving architecture and CUI boundary decisions | Network diagrams, firewall rules, encryption settings |
| System & Information Integrity | Patching, endpoint detection (EDR), anti-malware, monitoring | Accepting residual risk; prioritizing outages | Patch reports, EDR status, alert tickets |

Read down the “what stays yours” column: the provider can build and run the machinery, but the decisions — who sees CUI, what risk you accept, what you swear to in SPRS — never leave your building. That’s not a loophole to close. It’s the design.


What to ask before you hire — or renew

The right questions force a provider to reveal responsibility boundaries and evidence instead of confidence. A provider you can trust answers with matrices, diagrams, logs, and an assessment-support commitment. A provider you can’t answers with “we’re secure” and “trust us.”

Use these before you sign a new provider and before you renew an existing one. The renewal trap is real — contractors auto-renew an MSP they’ve outgrown and discover the gap mid-assessment.

  1. Do you process, store, transmit, back up, ticket, scan, or remotely access any of our CUI?
  2. Do your tools store our Security Protection Data — logs, configs, vulnerability data, credentials, alerts?
  3. Will you give us a Customer Responsibility Matrix mapped to our CMMC scope? (If the answer is "a what?", you have your answer.)
  4. Exactly which of your systems, tools, people, subcontractors, and cloud services support our environment?
  5. Which of your tools will be in scope for evidence, and can you export that evidence on request?
  6. Can you support NIST SP 800-171 Revision 2 evidence — the version CMMC Level 2 actually uses?
  7. Will you commit, in the contract, to participate in our C3PAO assessment interviews?
  8. How do you handle privileged access to our environment?
  9. How are your own RMM, ticketing, backup, EDR, SIEM, and password-vault tools secured?
  10. Where are your support personnel located, and do any offshore staff or subcontractors touch our environment? (This matters enormously for export-controlled work.)
  11. Can you support Microsoft 365 GCC High, Azure Government, AWS GovCloud, or a CUI enclave if we need it?
  12. What happens to our data, our access, and our evidence if we terminate the agreement?

GCC High, GCC, or commercial Microsoft 365 — which do you actually need?

It depends on your data, and most pages get this wrong by telling everyone they need GCC High. Commercial Microsoft 365 is fine for FCI only. For CUI, you need a cloud that meets FedRAMP Moderate (or equivalent) under DFARS 252.204-7012 — a properly configured GCC tenant can qualify for non-export-controlled CUI, while export-controlled data (ITAR/EAR) points decisively to GCC High. Either way, the platform is necessary, not sufficient: you still implement all 110 controls on top of it.

| Your data | Minimum cloud requirement | Common choice | Why |
|---|---|---|---|
| FCI only (no CUI) | Commercial M365 with required safeguards | Commercial or GCC | Level 1 path; no FedRAMP-Moderate cloud mandate for FCI alone |
| CUI — Basic, not export-controlled | FedRAMP Moderate (or equivalent) | GCC or GCC High | A configured GCC tenant can satisfy DFARS 252.204-7012; many choose GCC High for headroom |
| CUI — Specified or ITAR/EAR export-controlled | FedRAMP Moderate (or equivalent) plus U.S.-person access and U.S. data residency | GCC High (or equivalent sovereign environment) | Commercial/GCC global services and support can fall outside U.S.-person and residency requirements |

GCC High runs on Azure Government, carries a FedRAMP High authorization, and uses screened U.S.-based support personnel — which is why it’s the standard answer for ITAR and EAR data. One caveat worth knowing: Microsoft notes that its support channels sit outside the service’s accreditation boundary, so even in GCC High you control what you share with support. And “positioned for ITAR and recommended” isn’t the same as “legally mandatory for every byte of CUI.”

Two practical realities your provider should tell you up front: a GCC High migration commonly runs about 12 to 24 weeks (tenant provisioning, identity, data migration, user transition), and the licensing premium over commercial runs into the tens of thousands of dollars a year for a mid-sized team. Anyone quoting you a one-week “switch” hasn’t done one. (We go deeper in our GCC High for CMMC guide.)


What do managed IT services for defense contractors cost?

There’s no honest universal price — it depends on your CUI scope, user and endpoint counts, current maturity, cloud, and how much has to be rebuilt. Here’s the part most pages skip: DoD’s official cost estimate covers only the assessment and annual affirmations, not the work of actually getting compliant. DoD’s published figure for a small-business Level 2 third-party cycle is about $104,670 over three years — but that assumes you’ve been meeting NIST SP 800-171 since 2017.

DoD published its estimates in the CMMC rule’s Regulatory Impact Analysis (32 CFR Part 170, Federal Register, October 15, 2024). These are the precise, citable numbers:

| Assessment path (DoD estimate, small entity) | Cost |
|---|---|
| Level 1 self-assessment + annual affirmation | about $5,977 |
| Level 2 self-assessment (three-year cycle) | about $37,000 (roughly $34,277 in year one) |
| Level 2 C3PAO certification (three-year cycle) | about $104,670 (roughly $101,752 in year one) |
| — of which the C3PAO assessment itself | about $31,234 |
| Level 2 C3PAO, other-than-small entity (three-year cycle) | about $117,690 |

Source: DoD Regulatory Impact Analysis, 32 CFR Part 170, Federal Register, October 15, 2024. These figures cover assessment, certification, and affirmation only — not control implementation.

Those figures cover assessment, certification, and affirmation only. They explicitly assume you were already implementing NIST SP 800-171 since 2017. The expensive part — scoping, remediation, documentation, a compliant cloud, new tooling — is not in that number.

What’s the real number? Industry cost analyses (PreVeil, IBSS, CISPOINT and others, as of mid-2026) converge on a realistic first-year range of roughly $75,000 to $300,000+ for a small-to-mid contractor that isn’t already compliant, with the C3PAO assessment fee alone running $30,000 to $150,000 depending on size and scope. Treat these as estimates — any provider quoting a firm number without scoping your environment first is guessing. (See our full CMMC Level 2 cost breakdown.)

  • Maturity pays. Organizations already running NIST SP 800-171 controls spend far less; the gap between “starting from scratch” and “tightening an existing program” can be the majority of the bill.
  • Cost may be recoverable. Depending on your contract type, CMMC-related costs can be allowable under federal cost principles (FAR Part 31). Confirm with your contracting and accounting people — not a blog.
  • The assessor pipeline is real. C3PAO waitlists run months. The cost of waiting isn’t just a rush premium — it’s the risk of not getting a slot before Phase 2.

Can your MSP also run your CMMC assessment?

No — and this is a hard line, not a preference. A C3PAO is prohibited from assessing an organization it advised on CMMC readiness within the prior three years. The conflict is obvious: nobody should grade their own homework. The separation is built into the Cyber AB’s Code of Professional Conduct, the CMMC program rules (32 CFR 170.8), and the international accreditation standard (ISO/IEC 17020) that C3PAOs operate under.

This is where the role definitions earn their keep:

  • A readiness provider (an RPO, or a CMMC-focused MSP/MSSP) prepares you — scoping, SSP, POA&M, remediation, running the controls.
  • A C3PAO independently assesses the prepared environment. It uploads results to the CMMC instance of eMASS, your CMMC Status is recorded in SPRS, and a Certificate of CMMC Status is issued for a passing third-party assessment (32 CFR 170.17).
  • DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center, part of the Defense Contract Management Agency — conducts government-led assessments at Level 3.

A firm can be both an RPO and a C3PAO — but not for the same client. When a provider implies it can implement your controls and certify them in one tidy package, that’s not a convenience. It’s a red flag.


CMMC timing: why the calendar changes your move

CMMC is no longer hypothetical. The CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024, and the DFARS acquisition rule that puts CMMC into contracts took effect November 10, 2025. We are now in Phase 1, which runs November 10, 2025 through November 9, 2026. Phase 2 — when Level 2 third-party (C3PAO) certification starts appearing as a condition of award in applicable solicitations — begins November 10, 2026. If your contracts will require a third-party assessment, the clock is real and short.

DoD is phasing CMMC in over roughly three years (32 CFR 170.3). Phase 2 begins November 10, 2026, broadening the requirement for Level 2 C3PAO certification. That date is the one to plan around, because a readiness program plus a GCC High migration plus an assessment is not a 90-day project.

Two DFARS clauses do the heavy lifting for your decision:

  • DFARS 252.204-7012 — in force since 2017 — requires you to implement NIST SP 800-171 and report cyber incidents to DoD within 72 hours. It’s also the clause that pushes a cloud handling CUI to meet FedRAMP Moderate (or equivalent).
  • DFARS 252.204-7021 — the CMMC clause. Once it’s in your contract, your CMMC status is a condition of award, and a lapse is a contractual default, not just a security incident. It also carries flow-down, annual affirmation, and POA&M-closeout obligations.

You’ll also see DFARS 252.204-7025, the solicitation notice provision that signals a CMMC level is coming and requires you to list your CMMC Unique Identifiers in your proposal. Under 252.204-7025, an offeror generally isn’t eligible for award unless the required current CMMC status and affirmation are in SPRS; 252.204-7021 then requires you to maintain that status during performance.

On flow-down: if you’re a prime, you set your subcontractors’ requirements based on what they receive. A sub that only handles FCI is generally a Level 1 case; DoD has stated it does not require CMMC flow-down to subcontractors that receive neither FCI nor CUI. Throughout, your status lives in SPRS — contracting officers are directed not to award unless SPRS reflects your required CMMC status.


Provider categories, compared

The right model depends on what a provider touches, not what it calls itself. Most DIB suppliers need readiness and managed operations first; secure cloud and enclaves solve specific problems; governance software is a supporting layer, not a whole CMMC solution; and a C3PAO belongs at the end, kept separate. Compare categories before you compare logos.

| Category | Best for | Not for | What to verify | Evidence it should produce before you sign |
|---|---|---|---|---|
| CMMC-focused MSP | Day-to-day IT, identity, endpoints, patching, helpdesk, evidence support | The formal certification assessment | Scope, CRM, secure toolchain, real DIB references | Sample CRM, network/data-flow diagram, evidence exports |
| MSSP / SOC | Monitoring, alerting, SIEM, incident escalation | Replacing all of IT operations | Logging scope, escalation process, retention | Logging architecture, alert workflow, sample incident report |
| RPO / readiness consultant | SSP, POA&M, scoping, remediation planning | Running your IT long-term (unless paired with an MSP) | Cyber AB registration; where their job ends and yours begins | Draft SSP outline, scoping worksheet, POA&M template |
| GCC High / government-cloud specialist | Microsoft cloud and CUI collaboration migrations | Solving all 110 controls by itself | Tenant design, the CRM, the migration plan | Tenant architecture, data-migration plan, shared-responsibility split |
| CUI enclave / secure collaboration | Shrinking your CUI footprint | Environments where CUI is everywhere | Boundary design, user workflow, provider responsibilities | Enclave boundary diagram, what's in vs. out of scope |
| GRC / evidence platform | Evidence management, SSP/POA&M workflow, control mapping | Replacing technical controls (software ≠ compliance) | Integrations, who owns the evidence, export rights | Control-mapping export, evidence-ownership terms |
| C3PAO | The formal Level 2 assessment, when you're ready | Implementing the same controls it will assess | Cyber AB authorization, independence, assessment scope | Authorization status, conflict-of-interest posture, scope letter |

How we source-check providers. When The Defense Compliance Report names a specific provider, we document the provider’s category, check its Cyber AB Marketplace status where relevant, state what we actually reviewed, disclose any compensation relationship, note how deeply we evaluated it, and stamp the date we verified. We don’t call a page a “review” unless we did the evaluation to back the word.


Where this goes wrong (so it doesn’t go wrong for you)

The real risks aren’t exotic. They’re a provider that doesn’t realize it’s in your scope, a missing or vague CRM, “compliant cloud” sold as “compliant company,” POA&M items that can’t actually be closed in time, and multi-vendor environments where one weak link drags down an otherwise-ready assessment.

The most common failure is the vendor blind spot. A contractor does the hard work, gets its own house in order — and then a single service provider that quietly touches CUI, without the right controls, becomes the thing that stalls the assessment.

A concrete, on-the-record example: in November 2025, CyberSheath, a managed compliance provider in the DIB, publicly described helping a manufacturer, Kampi Components, reach CMMC Level 2 in a complex multi-vendor environment — and its account centered on mapping every provider’s access and removing or replacing the services that couldn’t meet the requirements. (Provider-stated, not independently verified by us, and not necessarily typical.) It illustrates the failure mode precisely: your weakest vendor can become your compliance ceiling.

The other quiet killers: a CRM that exists but doesn’t cover the services the provider actually performs; a beautiful GCC High tenant sold as if the platform alone equals compliance (it doesn’t); a POA&M strategy that assumes you can defer requirements you actually can’t; and switching providers in the final stretch before an assessment, which can scatter the evidence you’re about to be graded on. Each is avoidable with the verification work this page is built around.


What we actually verified

We don’t expect you to take regulatory claims on faith. Here’s what we checked:

  • CMMC Program Rule (32 CFR Part 170): read on the eCFR, including definitions (170.4), Level 2 assessment and ESP rules (170.17), and scoping (170.19). Effective December 16, 2024. The rule defines the security requirements as 15 (Level 1), 110 (Level 2, from NIST SP 800-171 Rev. 2), and 24 (Level 3, selected from NIST SP 800-172).
  • DFARS acquisition rule (DFARS Case 2019-D041): confirmed via the Federal Register; effective November 10, 2025. Clause functions for 252.204-7012, -7021, and the -7025 notice provision confirmed against Acquisition.gov. The February 1, 2026 class-deviation changes to 252.204-7019 / -7020 are reflected in the deviation set; the codified DFARS still lists the older clauses, so confirm your specific solicitation.
  • CMMC phase timing and levels: confirmed against DoD CMMC materials. Phase 1: November 10, 2025 – November 9, 2026; Phase 2 begins November 10, 2026.
  • NIST SP 800-171: Level 2 maps to Revision 2 (110 requirements, 14 families), confirmed against NIST’s Computer Security Resource Center. Revision 3 exists but does not currently control for CMMC.
  • GCC / GCC High requirements: cross-checked against DFARS 252.204-7012 and Microsoft’s government-cloud documentation, including Microsoft’s support-boundary caveat.
  • C3PAO conflict-of-interest rules: confirmed against the Cyber AB Code of Professional Conduct, 32 CFR 170.8, and ISO/IEC 17020 — including the three-year separation between consulting and assessing.
  • POA&M and affirmations: the 180-day POA&M closeout and the three-year assessment cycle with annual affirmation are stated in the rule.
  • Cost figures: DoD assessment-and-affirmation estimates are from the rule’s Regulatory Impact Analysis; market ranges are aggregated from named industry analyses as of June 2026 and labeled as estimates.

This page carries a “last verified” date at the top. Regulatory facts and the clause set are on our quarterly re-check list. Confirm anything contract-critical against the primary source and your own solicitation before you act.


Which provider category fits your situation

  • You likely need an MSP (Managed Service Provider) to run identity, endpoints, patching, backups, and helpdesk — and if it touches your CUI or Security Protection Data, its relevant services are assessed inside your CMMC assessment.
  • You likely need an MSSP (Managed Security Service Provider) when you need security operations — monitoring, alerting, and incident response through a SOC — which a pure IT MSP may not deliver.
  • You likely need an RPO (Registered Provider Organization) or readiness consultant to prepare your scope, SSP, and evidence — separate from whoever ultimately assesses you.
  • A C3PAO (CMMC Third-Party Assessment Organization) performs your formal Level 2 assessment. A firm that advised you on CMMC readiness within the prior three years cannot also be your assessor, so keep the two roles in separate organizations.
  • You don’t need a C3PAO yet if your scope, SSP, evidence, and remediation aren’t mature enough to be graded — start with readiness and managed operations first.

Managed IT services for defense contractors: FAQ

Do I need a CMMC-certified MSP?

Usually no. Under 32 CFR Part 170, an external service provider that is not a cloud service provider is not required to hold its own CMMC certificate; its relevant services are assessed as part of your assessment instead. (A cloud service provider that stores, processes, or transmits your CUI is the exception: it needs FedRAMP Moderate or an equivalent authorization, not a CMMC certificate.) The real question is whether your MSP touches your CUI or your Security Protection Data — if it does, its relevant services are assessed inside your assessment, and you need a Customer Responsibility Matrix documenting who does what.

Can my MSP be “in scope” for my CMMC assessment?

Yes. Under 32 CFR Part 170, an MSP that processes, stores, or transmits your CUI, or that handles security data such as logs, configurations, and credentials, is part of your assessment scope. Its in-scope assets are categorized the same way yours are — as CUI Assets or Security Protection Assets — and the services it delivers against them are assessed against the applicable Level 2 requirements, with the Customer Responsibility Matrix defining which party is responsible for each one.

What’s the difference between an MSP and an MSSP for CMMC?

An MSP runs your IT — identity, endpoints, patching, backups, helpdesk. An MSSP focuses on security operations — monitoring, alerting, and incident response, often through a SOC. Many defense contractors need both, whether from one provider or two with clearly defined responsibilities.

What’s the difference between an RPO and a C3PAO?

An RPO (Registered Provider Organization) is a readiness consultant that helps you prepare. A C3PAO (CMMC Third-Party Assessment Organization) is the independent firm authorized to perform your formal Level 2 assessment. The same firm cannot both prepare and assess the same organization — a C3PAO is prohibited from assessing a client it advised on CMMC readiness within the prior three years.

Can a managed IT provider guarantee CMMC certification?

No. No provider should promise a CMMC outcome. The Cyber AB’s assessment process bars C3PAOs from guaranteeing results, and a readiness provider implying guaranteed certification is a warning sign, not a selling point.

Do I need GCC High?

Not for all CUI. CUI handled in a cloud requires an environment meeting FedRAMP Moderate (or equivalent) under DFARS 252.204-7012. A properly configured GCC tenant can qualify for non-export-controlled CUI, while ITAR/EAR export-controlled data points to GCC High for its U.S.-person support staff and U.S. data residency. The platform alone doesn’t make you compliant — you still implement all 110 requirements, and you still own the configuration, the evidence, and the boundary between the tenant and everything else that touches CUI.

Should I replace my current MSP before CMMC?

Only if it can’t document its role, produce evidence, secure its own tools, participate in your assessment, or explain your CUI and security-data boundaries. If it’s a capable IT shop that’s simply light on compliance, augmenting it with readiness or monitoring support is often safer than switching.

Is SOC 2 enough for a CMMC MSP?

No, not by itself. SOC 2 can be useful supporting evidence for some of a provider’s controls, but it doesn’t substitute for CMMC-specific scope, a Customer Responsibility Matrix, and evidence mapped to the requirements in your assessment.

What documents should a CMMC-focused MSP provide?

At minimum: a Customer Responsibility Matrix, a tool inventory, data-flow diagrams, evidence samples, a privileged-access model, a logging plan, an incident-escalation workflow, backup and recovery evidence, SSP technical inputs, and a written commitment to support your assessment.

When should I contact a C3PAO?

When your scope, SSP, evidence, and remediation are mature enough to be graded. If you still need implementation help, start with readiness and managed operations — and keep the assessor separate from whoever prepared you.

What should I do first?

Map where your CUI lives, identify what your IT provider touches, ask for a Customer Responsibility Matrix, and decide whether your current provider is a keep, augment, or replace.


Your next step

You now know the question that actually matters — whether your provider lands in your assessment — plus how to sort your current MSP into keep, augment, or replace, what the cloud and the cost really look like, and why your assessor can’t be your implementer. The rest is matching it to your situation.

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.
