My CMMC MSP Went Out of Business: What to Secure First, and What’s Actually at Risk
Independent editorial research — not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
If your CMMC MSP went out of business, here’s the bottom line before you do anything else: do not sign with a replacement provider yet. Your first job is control and preservation, in this order — (1) confirm your company controls administrator access to every in-scope system that touches your Controlled Unclassified Information (CUI), including company-owned break-glass access, and revoke the defunct provider’s access; (2) secure your encryption keys and backups; (3) confirm which systems contain CUI and which contain Security Protection Data; (4) export your SSP, POA&M, diagrams, and evidence; and (5) determine which provider category you actually need before you request a single quote. That order matters because the mistakes that turn a vendor problem into a compliance problem happen when contractors skip steps 1–4 and go straight to step 5.
Your obligations don’t pause because your provider failed. Nothing in the CMMC rule gives you an extension. If you discover a cyber incident during the gap, your 72-hour reporting clock under DFARS 252.204-7012 still runs. Your annual affirmation of continuing compliance still comes due. And if you’re conditionally certified, your 180-day POA&M deadline is still ticking.
One framing that will save you money: the right replacement isn’t always “another MSP.” The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a vendor’s pitch.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category.
The 60-second triage (start here)
| Your first question | Why it matters | First action | Source anchor |
|---|---|---|---|
| Does your company control admin access? | If the MSP held your tenant and admin credentials, this is now an access and security-control problem. | Confirm/seize Global Admin, create a company-owned break-glass account, verify MFA, licensing, DNS, backups, EDR, and logging; revoke the defunct provider's access. | NIST SP 800-171 Rev. 2, AC & IA families |
| Did the MSP touch CUI? | If yes, the provider relationship was in your CMMC scope and affects your documentation. | Map where CUI lived — their enclave, hosted desktops, ticketing, backups, file shares. | 32 CFR § 170.19 |
| Did they handle only your security logs? | Security Protection Data (logs, configs, scans) can pull a provider's services into scope as Security Protection Assets. | Preserve SIEM exports, alert history, vulnerability scans, endpoint and access records. | 32 CFR § 170.19 |
| Where are your SSP, POA&M, and evidence? | A lost MSP can mean lost proof, not just lost IT help. | Export every compliance artifact before portals and accounts disappear. | 32 CFR § 170.17 |
| What provider category do you need next? | A replacement MSP may not be your first — or only — hire. | Map your situation before you request quotes. | Find My CMMC Path |
My CMMC MSP went out of business — what do I do in the first 72 hours?
Start with control and preservation, not vendor shopping. In the first 72 hours, confirm your company controls administrator access, secure your encryption keys and backups, preserve logs and evidence, and export your compliance documentation — because access and data are what you can permanently lose. Vendor selection comes after you’ve stabilized, not before.
The CMMC MSP Failure Recovery Protocol
| Window | Action | Why it matters | Obligation still running |
|---|---|---|---|
| First 24–72 hrs | Confirm your company holds Global Administrator rights to every in-scope system (M365 GCC High, Azure Gov, firewalls, EDR, SIEM); create a company-owned break-glass admin. | MSPs commonly hold master admin accounts they own. When their systems get decommissioned or sold, you can be locked out of your own environment. | Access control objectives don’t transfer (NIST SP 800-171 Rev. 2, AC) |
| First 24–72 hrs | Revoke the defunct provider's delegated/partner access (GDAP, partner relationships, VPN, service accounts) after preserving the related logs. | Orphaned third-party access into a CUI environment can be a control failure and an open door — review and remove it. | NIST SP 800-171 Rev. 2, AC/IA; DFARS 252.204-7012 |
| First 24–72 hrs | Locate and export encryption keys, recovery keys, and backups you can independently restore. | Lost keys can mean permanently unrecoverable CUI — a continuity failure and a potential compliance and evidence problem. | NIST SP 800-171 Rev. 2, SC/MP |
| First 24–72 hrs | Preserve your ability to report a cyber incident within 72 hours, even with no provider in place. | A provider's collapse is exactly when incidents slip through. The clock does not pause if an incident occurs. | DFARS 252.204-7012 |
| Days 3–14 | Confirm tenant + license ownership. Verify the GCC High / Azure Gov tenant and Microsoft licenses are in your name, not the provider's. | If your CUI lived inside the provider's proprietary, multi-tenant enclave, your data may be trapped or co-mingled. Own-tenant data travels with you; enclave data may not. | Cloud storing CUI must be FedRAMP Moderate or equivalent — DFARS 252.204-7012 |
| Days 3–14 | Export the full documentation set: SSP, POA&M, all policies/procedures, network and data-flow diagrams, asset inventory, and evidence/artifacts. | You may have relied on the MSP's portal for these. If they vanish, so does your proof. | Assessment evidence must be retained 6 years from the CMMC Status Date — 32 CFR § 170.17(a)(4) |
| Days 3–14 | Pull your Shared Responsibility Matrix (SRM) / Customer Responsibility Matrix (CRM) and mark every control the MSP owned or shared. | That list is your blast radius. Every objective they operated may now be unowned. | You remain accountable for all 110 requirements / 320 objectives (32 CFR § 170.14; NIST SP 800-171A) |
| Days 15–90 | Re-baseline your SPRS score against current reality — not the pre-failure state. | Controls the MSP ran may have stopped. An inflated SPRS score is inaccurate and risky. | 32 CFR § 170.24 |
| Days 15–90 | Before your next annual affirmation, confirm what's actually operating. Don't affirm 'continuing compliance' on controls that aren't. Talk to counsel. | A knowingly inaccurate affirmation is a documented enforcement-risk surface (see False Claims Act section below). | 32 CFR § 170.22 |
| Days 15–90 | Check your POA&M clock. If you're Conditional with an open POA&M, the 180-day closeout deadline keeps running. | Miss the closeout window and the Conditional status expires. | 32 CFR § 170.21(b) |
| Days 15–90 | Engage the right replacement category — not just 'an MSP.' | Hiring the wrong category burns the runway you don't have. | Readiness and assessment must stay separate (32 CFR § 170.8(b)(17)) |
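The first three rows of the protocol (confirm company-owned Global Admin, revoke the defunct provider’s delegated and service access only after the related logs are preserved, verify MFA on privileged accounts) can be turned into a repeatable check. The script below is an added example, not code from the article or from any provider; it works over a constructed export whose record shape is an assumption modelled on what an identity-provider export typically contains (privileged-role members, delegated/partner relationships, app/service principals). The provider domain, tenant IDs and account names are placeholders.

```python
"""Triage helper for the first 72 hours: find access that belonged to a
defunct provider and confirm the company itself still holds admin control.

Added example; not code from the article or any vendor. The export shape is
an assumption, modelled on what an identity-provider export typically
contains (privileged-role members, delegated/partner relationships, and
app/service principals). All sample values are constructed placeholders.
"""
from dataclasses import dataclass

PROVIDER_DOMAIN = "defunct-msp.example"                      # placeholder
PROVIDER_TENANT_ID = "00000000-0000-0000-0000-0000000000aa"  # placeholder
COMPANY_DOMAIN = "contractor.example"                        # placeholder
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator",
                    "Privileged Role Administrator"}

# Constructed sample export. In practice this comes from your own tenant.
SAMPLE_EXPORT = {
    "role_members": [
        {"role": "Global Administrator", "upn": "admin@defunct-msp.example", "mfa_registered": True},
        {"role": "Global Administrator", "upn": "breakglass1@contractor.example", "mfa_registered": True},
        {"role": "Security Administrator", "upn": "jsmith@contractor.example", "mfa_registered": False},
    ],
    "partner_relationships": [
        {"partner_tenant_id": PROVIDER_TENANT_ID, "status": "active", "roles": ["Global Administrator"]},
        {"partner_tenant_id": "11111111-1111-1111-1111-111111111111", "status": "active", "roles": ["Helpdesk Administrator"]},
    ],
    "service_principals": [
        {"display_name": "DefunctMSP RMM Agent", "app_owner_tenant_id": PROVIDER_TENANT_ID, "enabled": True},
        {"display_name": "Company Backup Connector", "app_owner_tenant_id": "22222222-2222-2222-2222-222222222222", "enabled": True},
    ],
}


@dataclass(frozen=True)
class Finding:
    kind: str        # role_member | partner_relationship | service_principal
    identifier: str  # UPN, partner tenant id, or app display name
    detail: str


def find_provider_access(export, provider_domain, provider_tenant_id):
    """Return every foothold the defunct provider still has in the tenant."""
    findings = []
    suffix = "@" + provider_domain.lower()
    for m in export["role_members"]:
        if m["upn"].lower().endswith(suffix):
            findings.append(Finding("role_member", m["upn"], f"holds {m['role']}"))
    for r in export["partner_relationships"]:
        if r["partner_tenant_id"] == provider_tenant_id and r["status"] == "active":
            findings.append(Finding("partner_relationship", r["partner_tenant_id"],
                                    "active delegated admin: " + ", ".join(r["roles"])))
    for sp in export["service_principals"]:
        if sp["app_owner_tenant_id"] == provider_tenant_id and sp["enabled"]:
            findings.append(Finding("service_principal", sp["display_name"],
                                    "enabled app owned by the provider's tenant"))
    return findings


def check_company_control(export, company_domain):
    """Return (has_company_global_admin, privileged_company_accounts_without_mfa)."""
    suffix = "@" + company_domain.lower()
    company = [m for m in export["role_members"] if m["upn"].lower().endswith(suffix)]
    has_ga = any(m["role"] == "Global Administrator" for m in company)
    mfa_gaps = [m["upn"] for m in company
                if m["role"] in PRIVILEGED_ROLES and not m["mfa_registered"]]
    return has_ga, mfa_gaps


def revocation_plan(findings):
    """Order the work so that log preservation always precedes removal."""
    preserve = [f"preserve sign-in and audit logs for {f.identifier}" for f in findings]
    remove = [f"remove {f.kind} {f.identifier} ({f.detail})" for f in findings]
    return preserve + remove


if __name__ == "__main__":
    found = find_provider_access(SAMPLE_EXPORT, PROVIDER_DOMAIN, PROVIDER_TENANT_ID)
    has_ga, gaps = check_company_control(SAMPLE_EXPORT, COMPANY_DOMAIN)
    print("company-owned Global Admin present:", has_ga, "| MFA gaps:", gaps)
    for step in revocation_plan(found):
        print("-", step)
```

The design point is the ordering in `revocation_plan`: every preserve step comes before every remove step, so you never delete the account whose sign-in history you still need. The "other" partner relationship and the company-owned connector are deliberately left alone; the check is scoped to the defunct provider, not to all third-party access.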
What not to do in the first 72 hours
- Don’t casually move CUI to a new platform to “get out fast” — an unplanned migration can expand your scope or expose data in transit.
- Don’t delete the former provider’s accounts before you’ve preserved the logs tied to them.
- Don’t assume your new MSP can simply inherit your old SSP.
- Don’t send your prime or contracting officer anything speculative before contracts/legal has reviewed it.
- Don’t let a vendor convert your panic into a multi-year contract before your scope is even clear.
The honest part: switching to a new MSP feels like the fix, and it’s usually the wrong first move. The contractors who get hurt are the ones who sign a rescue contract in week one, before they know what the old provider actually owned, where their CUI lived, or whether a provider change will reshape their assessment scope. The ones who come out clean slow down for ten days, run the export checklist, map what the MSP owned, and only then go to market — with a scope in hand instead of a panic in hand.
Most results you’ll find for this search are managed-service providers hoping you’ll panic-hire them today. We don’t sell managed services. We help you get the category right — even when that category isn’t us, and even when the right move is to wait a week.
Why are so many CMMC MSPs suddenly shutting down? (the NeoSystems collapse)
The NeoSystems collapse is the clearest 2026 example of why a provider’s stability is part of your compliance posture. In early May 2026, the long-standing Reston, Virginia compliance and managed-services firm wound down after what public reporting described as a deteriorating financial condition. Its IT and CMMC division shut down, roughly 70 employees were terminated, and contractors who relied on it — especially those whose CUI lived in its proprietary “NeoEnclave” hosting environment — were left asking who controls their data now.
| Date | Verified fact | Source | What it does not prove | What it means for you |
|---|---|---|---|---|
| Early May 2026 | NeoSystems was reported to be dissolving after a "deteriorating financial condition"; the IT/CMMC division shut down and ~70 employees were terminated around May 1. | Reston Patch, citing Washington Business Journal | The cause, or any wrongdoing | A provider's finances are part of your continuity risk. Longevity alone is not protection. |
| ~May 1, 2026 | The back-office division (accounting, finance, payroll, HR, systems integration) was acquired by BlueStreet Solutions; the IT/CMMC/hosting division shut down with same-day staff termination. | Reston Patch / WBJ; company statements | The data-control status of any specific client | Same-day shutdowns leave no transition runway. Own your access and evidence before you ever need them. |
| May 14, 2026 | BlueStreet announced that FIT Solutions would assume "service continuity" for the former IT-division customers as a strategic operating partner. | NeoSystems published statement | That any individual client's CUI location, tenant control, evidence, or CMMC status was preserved | A continuity announcement tells you who may run the helpdesk — not where your CUI lives or whether your scope changed. |
| Ongoing | Industry reporting raised questions about the successor's CMMC credentials and hosting environment. | Oxebridge (reported; treat as allegations, not findings) | Established fact about any successor's posture | Confirm any successor operates the GCC High (or equivalent) environment your CUI requires. Don't presume. |
The lesson: a “service continuity” announcement does not automatically answer your CMMC questions. A successor handling the helpdesk doesn’t tell you where your CUI physically lives, whether you still control your tenant, whether your evidence survived, or whether the change reshapes your assessment scope. Those answers come from your own SSP, SRM, and architecture — not from a press release.
Two design choices separated the contractors who recovered quickly from the ones who got stuck. First, own-tenant vs. proprietary enclave: when your environment is built in your own GCC High or Azure Government tenant, you change who administers it and move on. When your CUI sits inside a provider’s proprietary, shared enclave, a shutdown can strand it. Second, evidence ownership: contractors who held their own SSP, POA&M, diagrams, and evidence kept their compliance progress. Contractors who only ever saw those artifacts through the provider’s portal lost their proof along with their provider.
Who owns your data, tenant, and evidence — and what to export before the portals go dark?
When a provider disappears, ownership is the question that decides everything else. Before you assume anything is safe, confirm who actually holds your tenant, your licenses, your encryption keys, and your evidence — and export it now, because a closed provider’s portal can vanish with little warning.
Work down this list and mark each item you control / provider controls / unknown. The “unknown” rows are your most urgent work.
| Asset | Why it matters | Where it may live | Priority |
|---|---|---|---|
| M365 GCC High / Azure Gov tenant | If it's the provider's tenant, your whole environment may be trapped. | Microsoft admin center, provider portal | critical |
| Global admin / break-glass access | Without it, you can't operate or secure your own systems. | Entra ID / Azure AD, IAM, password vault | critical |
| Microsoft licenses (and reseller relationship) | A lapsed reseller agreement can interrupt service and licensing. | Microsoft admin, reseller portal, invoices | critical |
| Encryption / recovery keys | Lost keys can mean permanently unrecoverable CUI. | Key vault, backup console, provider docs | critical |
| Backups and recovery configs | Your independent ability to restore. | Backup console, cloud storage | critical |
| SSP (System Security Plan) | Defines your boundary and your implementation narrative. | GRC tool, SharePoint, provider portal | critical |
| POA&M | Shows open remediation items and their deadlines. | GRC tool, SSP folder, assessment workspace | critical |
| SRM / CRM (shared/customer responsibility matrix) | Shows what the provider owned vs. what you own. | Contract package, provider portal, SSP appendix | critical |
| CUI data-flow + network diagrams | Drive scope and any replacement architecture. | Diagramming tool, SSP package | critical |
| Asset inventory | Supports scope, controls, and evidence. | RMM, CMDB, endpoint tool, GRC | high |
| Audit logs (SIEM, M365, EDR, firewall, cloud) | Support incident review and evidence continuity. | SIEM, security consoles | high |
| Vulnerability scans | Support risk and remediation records. | Scanner portal, provider reports | high |
| Ticket / change records | Show implementation history and operational control. | PSA/ticketing system, email | high |
| Policies & procedures | Support your CMMC evidence and continuity. | GRC, SharePoint, compliance folder | high |
| Prior assessment / gap reports | Help you rebuild the roadmap. | Consultant reports, GRC, email | medium |
Primary-source basis: artifact retention 32 CFR § 170.17; cloud FedRAMP requirement DFARS 252.204-7012; ESP scoping 32 CFR § 170.19.
Does my CMMC certification survive if my MSP shuts down?
Your CMMC certification belongs to your organization, not your MSP — so it doesn’t automatically vanish when they close. But it can be undermined. Your certification describes a specific environment and a set of operating controls. If your provider operated controls that have now stopped, your real-world posture may no longer match your certified or self-assessed status, even though the certificate and the SPRS entry still sit there.
The single most important principle: you are accountable for all 110 security requirements and 320 assessment objectives — and that accountability can’t be outsourced. Under the CMMC Model (32 CFR § 170.14), Level 2 is the 110 requirements of NIST SP 800-171 Rev. 2, measured against the 320 objectives in NIST SP 800-171A. Under 32 CFR § 170.22, it’s your Affirming Official who must affirm continuing compliance. You can outsource the work; you can’t outsource the accountability.
“Preserve, don’t restart” is the right mental model. Your policies, SSP, POA&M, architecture decisions, and much of your evidence can usually be carried forward. What you’re validating is operational reality: are the controls the MSP ran still running?
Was your MSP actually in your CMMC scope? (the ESP / CSP / SPD test)
Your MSP wasn’t automatically in your CMMC scope just because it supported your IT. Under 32 CFR § 170.19, the questions that decide scope are: did the provider process, store, or transmit your CUI; did it handle your Security Protection Data (SPD); and was it a Cloud Service Provider (CSP) or a non-cloud External Service Provider (ESP)?
The CMMC Final Rule never uses the word “MSP.” It uses External Service Provider (ESP) — defined in 32 CFR § 170.4 as external people, technology, or facilities you use for IT or cybersecurity services, where CUI or Security Protection Data is processed, stored, or transmitted on the provider’s assets.
| What the MSP handled | Provider type | What it means for your CMMC scope | What to recover |
|---|---|---|---|
| CUI, in a cloud they provide | CSP | The cloud service must meet FedRAMP Moderate (or DoD-approved equivalent) under DFARS 252.204-7012 when it stores/processes/transmits covered defense information. | FedRAMP/equivalency evidence, service description, CRM, data-flow diagrams |
| CUI, on their (non-cloud) systems | Non-CSP ESP | Their services are inside your assessment scope and are assessed as part of your assessment. | CRM, SSP references, evidence package, asset inventory, access records |
| Security Protection Data only (logs, SIEM, configs, scans) | CSP or non-CSP | Can be assessed as Security Protection Assets in your scope, even with no CUI. | Logs, SIEM exports, alert history, vulnerability scans, endpoint/security-tool evidence |
| Neither CUI nor SPD | Any | Does not meet the CMMC ESP definition for that relationship. | Contract/service records showing separation from CUI/SPD |
For the full breakdown, see our CMMC External Service Provider requirements guide.
What’s actually broken right now: the orphaned-control problem
When your MSP disappears, the controls it operated don’t transfer to anyone — they become orphaned. Until you reassign and re-establish them, those control objectives may simply not be happening, which means your real security posture and your documented posture have quietly diverged. An MSP failure is rarely one gap; it can span most of the NIST 800-171 families at once.
We mapped the typical blast radius, grounded in NIST SP 800-171 Rev. 2 families and DoD scoping guidance:
| NIST 800-171 Rev. 2 family | What the MSP commonly operated | What goes dark when they vanish | Re-establish via |
|---|---|---|---|
| Access Control (3.1) | Account provisioning/deprovisioning, privileged access, remote access | Onboarding/offboarding stalls; orphaned MSP access lingers; remote-access enforcement unmonitored | Readiness MSP/MSSP or in-house admin |
| Audit & Accountability (3.3) | Centralized logging, log review, SIEM alerting | Logs stop aggregating; no one reviews events; alerts go silent | MSSP/SOC + GRC |
| Configuration Management (3.4) | Baselines, change control, patching | Patches lapse; configuration drifts; change record breaks | Managed IT (MSP) |
| Identification & Authentication (3.5) | MFA enforcement, identity lifecycle | MFA gaps appear; identity hygiene degrades | MSP/MSSP + identity platform |
| Incident Response (3.6) | Monitoring, detection, IR execution, 72-hour reporting support | Detection blind; no one to execute IR; reporting capability at risk | MSSP/SOC — restore first |
| Maintenance (3.7) | Remote/onsite maintenance controls | Maintenance unmanaged | MSP |
| Risk Assessment (3.11) | Vulnerability scanning, remediation tracking | Scans stop; vulnerabilities accumulate untracked | MSSP + GRC |
| System & Communications Protection (3.13) | Boundary protection, FIPS-validated encryption, enclave operation | Boundary/encryption operation unowned; enclave may be inaccessible | CUI enclave provider (own-tenant) |
| System & Information Integrity (3.14) | EDR/AV, flaw remediation, monitoring | Endpoint protection unmanaged; alerts unhandled | MSP/MSSP |
That’s nine of the fourteen NIST SP 800-171 families exposed by a single provider failure. The takeaway is not to panic across all nine — it’s to work from your SRM, mark each control “still operating / degraded / stopped,” and rebuild from there.
Is your SPRS affirmation still true — and could this become a False Claims Act problem?
Let’s be precise about what the affirmation attests to. The rule defines the Affirming Official as the senior representative responsible for ensuring compliance and authorized to affirm the organization’s continuing compliance. That’s not “we were compliant when we assessed.” It’s a present-tense statement that the requirements are still being met. If your MSSP’s SIEM stopped aggregating logs the day the company folded, several Audit & Accountability and Incident Response objectives may no longer be satisfied.
Here’s the calm version: an MSP going out of business is not, by itself, a violation of anything. The exposure comes from affirming compliance you no longer have without remediating or disclosing. The fix is entirely within your control: re-baseline honestly (under the scoring methodology in 32 CFR § 170.24, SPRS scores run from −203 to +110), close or formally plan the orphaned gaps, and bring your Affirming Official and a qualified federal-contracts attorney into the loop before the affirmation date. See also: CMMC annual affirmation guide and False Claims Act CMMC risk.
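The orphaned-control section tells you to work from your SRM and mark each control “still operating / degraded / stopped,” and this section tells you to re-baseline your SPRS score against that reality. The script below is an added example (not code from the article) that does both over a constructed SRM excerpt: it lists every control the provider owned or shared, recomputes the score conservatively (anything not fully operating is treated as unmet), groups the broken controls by NIST family as the blast-radius table does, and drafts POA&M rows that need a new owner. The control IDs are real NIST SP 800-171 requirement numbers, but the point weights on the rows are constructed placeholders; the script applies whatever weight a row carries and does not reproduce the DoD Assessment Methodology’s own table, which is where the real values come from.

```python
"""Re-baseline after a provider failure: mark each SRM row as operating,
degraded, or stopped, list what is orphaned, and recompute the SPRS score.

Added example; not code from the article. The SRM rows and their point
weights are constructed placeholders. Real weights come from the DoD
NIST SP 800-171 Assessment Methodology, which this example does not
reproduce; it only applies whatever weight each row carries.
"""
from collections import defaultdict

MAX_SCORE = 110  # the methodology starts at 110 and deducts per unmet requirement
VALID_STATUS = {"operating", "degraded", "stopped"}

# Constructed sample SRM excerpt (owner = who ran the control before the failure).
SRM = [
    {"id": "3.1.1",  "family": "Access Control",                  "owner": "customer", "status": "operating", "weight": 5},
    {"id": "3.3.1",  "family": "Audit & Accountability",          "owner": "provider", "status": "stopped",   "weight": 5},
    {"id": "3.5.3",  "family": "Identification & Authentication", "owner": "shared",   "status": "degraded",  "weight": 5},
    {"id": "3.11.2", "family": "Risk Assessment",                 "owner": "provider", "status": "stopped",   "weight": 5},
    {"id": "3.14.2", "family": "System & Information Integrity",  "owner": "provider", "status": "operating", "weight": 5},
]


def validate(srm):
    """Reject rows that were never triaged into one of the three states."""
    for row in srm:
        if row["status"] not in VALID_STATUS:
            raise ValueError(f"{row['id']}: status must be one of {sorted(VALID_STATUS)}")


def orphaned_controls(srm):
    """Every row the provider owned or shared is unowned until reassigned."""
    return [row["id"] for row in srm if row["owner"] in ("provider", "shared")]


def rebaseline_score(srm):
    """Conservative re-baseline: anything not fully operating counts as unmet."""
    validate(srm)
    return MAX_SCORE - sum(row["weight"] for row in srm if row["status"] != "operating")


def blast_radius(srm):
    """Family -> provider-involved controls that are degraded or stopped."""
    out = defaultdict(list)
    for row in srm:
        if row["owner"] != "customer" and row["status"] != "operating":
            out[row["family"]].append(row["id"])
    return dict(out)


def poam_entries(srm):
    """Draft POA&M rows for the gaps; each still needs a named new owner."""
    return [{"id": row["id"], "status": row["status"], "new_owner": "UNASSIGNED",
             "points_at_stake": row["weight"]}
            for row in srm if row["status"] != "operating"]


if __name__ == "__main__":
    print("orphaned:", orphaned_controls(SRM))
    print("re-baselined score:", rebaseline_score(SRM))
    print("blast radius:", blast_radius(SRM))
    for entry in poam_entries(SRM):
        print(entry)
```

Two choices are deliberate. `orphaned_controls` lists provider-involved rows regardless of status, because a control that happens to still be running (here 3.14.2, where endpoint agents keep working without anyone watching them) is still unowned and still needs a named owner. And `rebaseline_score` counts a degraded control as unmet, which is the safer number to take to your Affirming Official; if the methodology allows partial credit for a specific requirement, that adjustment is made by changing the row’s weight, not by loosening the rule.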
Who needs to know: your prime, contracting officer, C3PAO, or SPRS?
Don’t fire off notifications while the facts are still moving. First determine whether the shutdown actually changed your ability to meet contract requirements, affected systems handling FCI/CUI, changed your CMMC status or affirmation, created any indicator of a cyber incident, or altered your assessment evidence. Then loop in legal/contracts before any external communication.
| Who | When they may need to know | What not to do |
|---|---|---|
| Internal leadership | Immediately, if access, CUI, contract eligibility, or operations may be affected. | Don't downplay it as 'just an IT vendor change.' |
| Legal / federal-contracts attorney | Before external notices, if contract performance, CUI, incident reporting, or prime communications may be involved. | Don't interpret your contract obligations from a blog post (including this one). |
| Prime contractor | If flow-down obligations, CUI handling, schedule, CMMC status, or deliverables may be affected. | Don't speculate — communicate verified facts only. |
| Contracting officer (CO) | If counsel/contracts determines a formal notice is required. | Don't self-report vague 'risk' without legal review. |
| Your C3PAO | If you're in pre-assessment, scheduled, or your evidence materially changed. | Don't assume prior evidence is still usable without checking. |
| SPRS | If your posted assessment, CMMC UID/status, or affirmation facts are no longer accurate. | Don't change your score reflexively before a scope/evidence review. |
| DoD cyber-incident channel (DIBNet) | Only if there's a reportable cyber incident under your contract terms. | Don't treat business failure alone as a cyber incident absent indicators. |
On the last row: a provider going out of business is not automatically a cyber incident. But if you see unknown users still holding admin rights, CUI in an unknown location, missing or inaccessible logs, or unexplained access, escalate to internal security, counsel, and incident-response support before drawing conclusions. DFARS 252.204-7012 governs the 72-hour cyber-incident reporting obligation — use it as your anchor, but don’t declare an incident you can’t substantiate.
For external communication, factual and reserved beats dramatic. Language in the spirit of: “We are conducting an internal continuity and scope review following a CMMC service-provider disruption. We are preserving evidence, confirming administrative control, and reviewing whether any CUI, Security Protection Data, assessment evidence, or contract deliverables were affected. We will provide verified updates through the appropriate contract channel if required.” Have counsel approve anything you actually send. This is educational framing, not a legal template.
Will losing your MSP trigger a new CMMC assessment?
Sometimes — and it depends on how deeply your MSP was embedded in your assessment scope. A like-for-like tool swap may not change your scope at all. But replacing the provider that ran your CUI enclave, your boundary, or your security operations can materially change your SSP and your assessment boundary.
Where you are in your journey changes the stakes:
- Mid-readiness, no assessment scheduled. This is the most forgiving spot. Stabilize, re-scope, update your SSP to reflect the new provider arrangement, and keep moving. Losing the MSP here is a setback, not a reset.
- Assessment scheduled with a C3PAO. Higher stakes. Your evidence integrity and your readiness package may have changed. Coordinate with your readiness lead and, after a fact review, your C3PAO — don’t assume the prior evidence still stands, and don’t assume the date holds.
- Already certified. The question is whether your environment changed enough to matter. If the provider operated controls inside your certified boundary, validate that those controls still function, and document the change. Note that DoD can also conduct its own DCMA DIBCAC assessment if your status is called into question (32 CFR § 170.16).
One relief valve: the Cyber AB CMMC Assessment Process allows a different authorized C3PAO to perform your POA&M closeout than the one that ran your initial assessment. Losing one relationship doesn’t strand your closeout with a single firm.
If you need hands-on help rebuilding and operating your environment, compare the provider categories that handle CMMC readiness and managed compliance before you request a single quote.
What kind of replacement provider do you actually need?
The right replacement is often a sequence, not a single “new MSP.” Depending on what the shutdown affected — access, logs, CUI hosting, evidence, or assessment readiness — you may need access/incident recovery first, then a scope review, then an MSP/MSSP or enclave to rebuild and operate, with a separate C3PAO only when you’re assessment-ready.
Which category fits — and which doesn’t:
Readiness MSP / MSSP / RPO
- Fits if: you need your environment rebuilt and controls operated again.
- Doesn’t fit if: you only need the formal assessment.
CUI enclave provider (own-tenant GCC High / Azure Gov)
- Fits if: your CUI was trapped in a closed proprietary enclave.
- Doesn’t fit if: you already own a clean tenant.
GRC platform
- Fits if: you lost your SSP/POA&M/evidence workflow and need to reconstruct it.
- Doesn’t fit if: your documentation is intact and your gap is technical operation. Software alone does not satisfy CMMC — it’s a supporting layer, not the whole solution.
C3PAO
- Fits if: you’re assessment-ready.
- Doesn’t fit if: you still need remediation — and don’t expect a C3PAO to remediate you and then assess the same work.
| Your situation | First category to consider | Not your first choice if | What to verify |
|---|---|---|---|
| You lost admin access or logs | Internal IT + access/incident recovery | You still lack facts about access and data location | Admin ownership, log preservation, account history |
| You need your CMMC scope rebuilt | RPO/RP or CMMC readiness consultant | You only need routine helpdesk | SSP, boundary, CUI flow, CRM, asset inventory |
| Your MSP ran IT and security operations | CMMC-capable MSP/MSSP | You only need the formal assessment | CUI/SPD handling, CRM, evidence exports, US-person staffing, offboarding terms |
| Your provider hosted your CUI enclave | CUI enclave / secure-collaboration provider | You need full enterprise IT support | CUI boundary, migration plan, FedRAMP/CSP evidence, shared responsibility |
| You lost your evidence workflow | GRC platform (supporting layer) | You have no documented scope yet | SSP/POA&M import, evidence ownership, export rights |
| You're scheduled for a Level 2 assessment | C3PAO coordination after scope/evidence review | You still need remediation from that same party | Independence and conflict-of-interest rules |
| You may have contract/incident exposure | Federal-contracts attorney / IR counsel | You only need a routine MSP swap | Contract clauses, incident facts, prime/CO communication |
One rule that trips people up under deadline pressure: don’t assume one firm can prepare you and then perform your formal Level 2 certification. Under 32 CFR § 170.8(b)(17) and the Cyber AB Code of Professional Conduct, a CMMC ecosystem member is prohibited from participating in your Level 2 certification assessment if they served as your consultant to prepare you within the prior three years.
What to verify before you sign with the next provider
Your replacement must prove it can support your CMMC scope, not just claim it’s “CMMC-ready.” And every answer should also be a clause in the contract, so the next disruption — if there ever is one — doesn’t strand you again.
Quick gut-check: there is no official Cyber AB credential called a “CMMC-certified MSP.” A provider can be an authorized C3PAO, a listed RPO with Registered Practitioners, or an ESP that has itself achieved CMMC Level 2 — those are different things. If a provider claims an official Cyber AB role, verify it against the current Cyber AB Marketplace listing.
| Ask | Good sign | Red flag |
|---|---|---|
| Will we own Global Admin and break-glass access? | Yes, documented in the contract. | They insist on exclusive admin control. |
| Do you process, store, or transmit our CUI? | Clear written answer with architecture. | "Don't worry about it." |
| Do you handle our Security Protection Data? | Clearly scoped in the CRM. | No grasp of SPD / Security Protection Assets. |
| Will you provide a CRM before go-live? | Yes, before signature. | "After onboarding." |
| Can we export all evidence and logs, in usable formats? | Yes, with export rights in writing. | Portal-only, no export. |
| Are you an RPO, MSP, MSSP, C3PAO, or something else? | Clear category language. | A blended "we do everything" pitch. |
| Will you also assess us? | No — or a clearly separated entity/role. | "We'll prep and certify you." |
| Is your staff US-based / US persons? (ITAR/EAR) | Yes, documented. | Vague or offshore. |
| What's your written offboarding plan and timeline? | Provided up front. | None. |
For the full vendor-selection playbook, see our companion guides: best CMMC MSP for defense contractors, CMMC scoping, and what a Level 2 program actually costs. This page is your emergency resource; those are the resources for after you’ve stabilized.
What if your MSP didn’t close — but dropped CMMC?
This is the same decision with less operational urgency. If your MSP is still running but has declined to pursue CMMC, refuses to provide a CRM, or won’t support a Level 2 assessment, you face the same core questions — does the provider touch CUI or SPD, and do your SSP and CRM depend on them — minus the access scramble. You have time to transition deliberately instead of in 72 hours.
| Situation | Treat as emergency? | Next move |
|---|---|---|
| MSP supports IT but not CMMC | No, unless scope/evidence is at risk | Add readiness support, or replace the MSP on a controlled timeline |
| MSP touches CUI but won't provide CRM/evidence | Yes — compliance risk | Re-scope and transition |
| MSP only supports out-of-scope IT | Probably not | Document why it's out of scope |
| MSP put you on the wrong GCC / GCC High path | Possibly | Re-evaluate your CUI data flow against contract requirements |
| MSP can't support C3PAO evidence and you're scheduled | Yes | Rebuild the evidence package |
If your MSP loves the relationship but isn’t built for the DIB, there’s a “best of both worlds” path: keep them for general IT and stand up a separate CUI enclave that a CMMC-capable provider manages. It adds some operational friction, but it can preserve a good IT relationship while still getting you to Level 2. The Find My CMMC Path tool will flag when that pattern fits your situation.
Frequently asked questions
Is my CMMC certification invalid if my MSP goes out of business?
Not automatically. Your certification belongs to your organization, not your MSP. What matters is whether the disruption changed your system boundary, CUI handling, evidence, CMMC status, or your ability to meet contract requirements. Review scope and evidence before you rely on your status for an award, and before your next affirmation.
Does my new MSP need to be CMMC certified?
There's no official Cyber AB credential called a "CMMC-certified MSP" — verify any claimed role on the Cyber AB Marketplace. Whether a provider is even in scope depends on what it touches: under 32 CFR 170.4 and 170.19, a provider that doesn't process, store, or transmit your CUI or Security Protection Data on its own assets isn't an ESP for that relationship. If it does handle your CUI or SPD, the rules branch — a Cloud Service Provider storing CUI must meet FedRAMP Moderate (or DoD-approved equivalent) under DFARS 252.204-7012, while a non-cloud ESP's services are documented in your SSP and assessed within your scope. An ESP can also choose to hold its own CMMC Level 2 certification, but it isn't required to.
Is an MSP an External Service Provider under CMMC?
Often, yes. Under 32 CFR 170.19, the test is whether the provider processes, stores, or transmits your CUI or Security Protection Data on its assets, and whether it's a Cloud Service Provider or a non-cloud ESP. A provider that touches neither your CUI nor your SPD on its own assets isn't an ESP for that relationship.
What if my MSP hosted my CUI enclave?
Treat it as a high-priority scope and continuity issue. Identify where the CUI actually lived, who controls access now, how the data can be exported or migrated without exposure, and how the old and new provider responsibilities are documented in your SSP and CRM. If the enclave was proprietary and the provider is gone, this is the case to escalate first.
What if my MSP only handled our security logs?
Logs still matter. Security Protection Data — logs, configs, SIEM output, scans — can bring a provider's services into scope as Security Protection Assets even with no CUI. Preserve your SIEM exports, alert history, vulnerability scans, and access records before you change tools.
Do I need to update my SSP after losing my MSP?
Usually yes, if the provider relationship, CUI boundary, asset inventory, data flows, security tooling, or shared responsibilities changed. Your System Security Plan must reflect the actual environment and provider roles, not the architecture you had before the shutdown.
Do I need to change my SPRS score?
Not reflexively — but if your implementation, evidence, or scope changed, review your posted score and your affirmation support with qualified help before relying on either. SPRS scores are calculated against NIST SP 800-171 Rev. 2 and run from −203 to +110.
Do I need to tell my prime contractor?
Possibly — if the disruption affects contract performance, flow-down obligations, CUI handling, your CMMC status, or deliverables. Bring in legal/contracts first, and communicate verified facts rather than speculation.
Can my C3PAO help me recover after my MSP closes?
Be careful. A C3PAO's role is the formal assessment, not implementation rescue for the same engagement. Under 32 CFR 170.8(b)(17) and the Cyber AB Code of Professional Conduct, an ecosystem member can't perform your Level 2 certification assessment if they prepared you for an assessment within the prior three years. Keep readiness and assessment separate. A different authorized C3PAO can perform your POA&M closeout if you're conditionally certified.
Should we move to GCC High now?
Not just because your MSP failed. Whether you need GCC High, another enclave, or a different architecture depends on your CUI categories (including export-controlled data), contract requirements, data flows, and current environment. Re-scope first; don't let panic drive an expensive platform decision.
My CMMC MSP went out of business and won't give us admin access — what now?
Preserve all communications, bring in legal/contracts, contact the platform vendors and resellers directly where appropriate, and prioritize account recovery through them. Don't let a new provider start changing your architecture before you've preserved access history and logs.
My CMMC assessment is already scheduled — what do I do?
Notify your readiness lead, and after you understand which evidence changed, talk to your C3PAO. Don't assume your prior evidence still stands or that your date holds. A scheduled assessment is exactly the scenario where moving fast — and in the right order — matters most.
What we actually verified
Primary sources — Last reviewed
- Obligations that keep running — artifact retention (32 CFR § 170.17), POA&M 180-day closeout (32 CFR § 170.21), annual affirmation (32 CFR § 170.22), scoring methodology (32 CFR § 170.24).
- CMMC Model, ESP definition, scoping, conflict of interest — 32 CFR § 170.14 (Level 2 = NIST SP 800-171 Rev. 2), 32 CFR § 170.4 (ESP), 32 CFR § 170.19 (scoping), 32 CFR § 170.8(b)(17) (COI).
- Contract clauses and incident reporting — DFARS 252.204-7021 and DFARS 252.204-7012.
- The standard itself — 110 requirements across 14 families in NIST SP 800-171 Rev. 2. NIST withdrew Rev. 2 on May 14, 2024 and superseded it with Rev. 3, but the CMMC rule still points to Rev. 2.
- False Claims Act exposure — the DOJ Civil Cyber-Fraud Initiative.
- NeoSystems events — corroborated against Reston Patch / Washington Business Journal reporting (May 2026); the May 14, 2026 service-continuity announcement (BlueStreet / FIT Solutions) is taken from the company’s own published statement. Watchdog allegations are attributed to Oxebridge and treated as reported, not established.
- CMMC phase-in timeline — Phase 1 runs November 10, 2025 to November 9, 2026; Phase 2 begins November 10, 2026.
What we could not verify: the precise data-control status of any individual displaced contractor’s environment; the successor’s CMMC posture in any given case.
See also: CMMC MSP guide · CMMC readiness checklist · CMMC scoping guide · SPRS score guide
Need help deciding what type of CMMC provider you need?
Map the provider category before you request quotes — because your level, CUI scope, assessment type, environment, and timeline decide whether you need an MSP/MSSP, an RPO/RP, a CUI enclave, a GRC platform, a C3PAO, legal/IR support, or a sequence of more than one.
This article is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your CMMC level — not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance, and is not affiliated with the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. We do not publish provider rankings, endorsements, “best provider” awards, numeric provider scores, or fabricated reviews or testimonials. Found an error? See our corrections policy and editorial standards.