
By Leia Kupris Shilobod, CCP, CISM
For companies operating in the Defense Industrial Base (DIB), choosing an IT or cybersecurity provider is no longer a routine outsourcing decision or a battle of who can come in the cheapest. Your Managed Service Provider (MSP), Managed Security Service Provider (MSSP), and Cloud Service Provider (such as your backup or email security provider) can directly impact whether you pass or fail a CMMC Level 2 certification assessment.
In a post-CMMC world, IT providers are not just vendors. They are extensions of your compliance boundary, your risk surface, and your contractual obligations to the Department of Defense (now Department of War).
Yet many DIB contractors don’t realize how much risk their providers introduce until they’re deep into assessment preparation—when it’s often too late to change course easily.
Here’s some insight into the hidden risks embedded in IT and security provider selection, how CMMC changes the rules, and what DIB contractors must do to protect themselves.
IT Providers Are Now Part of Your Compliance Scope
Under the CMMC Final Rule, compliance does not stop at your internal network. Any third party that:
- Has administrative or unattended remote access to your systems
- Manages your endpoints, network, or M365/GCC High environment
- Operates security tools such as EDR, SIEM, SOC, vulnerability scanners, VPNs, or SASE
- Stores or processes logs, configurations, credentials, backups, or vulnerability data
…is almost certainly considered an External Service Provider (ESP).
Even if a provider never “sees” Controlled Unclassified Information (CUI), the moment they can affect its confidentiality—or handle Security Protection Data (SPD)—they fall into scope.
This is one of the most common and costly misunderstandings DIB contractors make:
“Our MSP isn’t in scope. This is our assessment.”
That assumption is wrong.
MSP, MSSP, and CSP: Why the Distinction Matters
MSPs and MSSPs
Most MSPs and MSSPs supporting DIB contractors are ESPs by definition. They typically have privileged access, manage security tooling, and maintain operational control over critical systems.
Unless they already hold a CMMC Level 2 certification, they will be reviewed and interviewed during your assessment. Assessors will examine:
- The controls your provider supports
- Their baseline configurations and documentation
- Their staff’s training and access controls
- How their tools and processes support NIST SP 800-171
If they cannot demonstrate compliance, you fail.
Why am I so adamant that you’ll fail instead of just having a POAM-able finding? Because the controls you are permitted to have assessed as “NOT MET” during assessment that you can fix in Phase IV (remediation) won’t have anything to do with your MSP or MSSP.
When an ESP Becomes a CSP
A provider becomes a Cloud Service Provider (CSP) when they deliver cloud-based services that process, store, or transmit CUI. Common examples include:
- Microsoft GCC or GCC High tenants hosting CUI
- Cloud-based backups storing CUI
- Hosted VDI environments used for CUI access
- Third-party platforms where CUI flows through or resides (such as spam filters or data sharing/storage tools)
Once a provider becomes a CSP handling CUI, FedRAMP authorization is mandatory under DFARS 252.204-7012.
Using non-FedRAMP commercial cloud services for CUI can result in:
- Immediate assessment halt or even failure
- Contractual noncompliance
- Reportable data spillage incidents
Understanding where your CUI flows—and who touches it—is not optional.
Your Provider Will Be Evaluated—Whether You Like It or Not
Unless your MSP or MSSP is FedRAMP-authorized (for CSP services) or already CMMC Level 2 certified, assessors may:
- Interview provider staff involved in in-scope services
- Review shared responsibility documentation
- Examine how provider tools meet specific control objectives
- Validate how risks are managed and documented
This is why selecting the right provider can save—or cost—hundreds of thousands of dollars in remediation, delays, or failed assessments.
How to Choose the Right MSP or MSSP
When evaluating providers, adopt an assessment mindset:
If you can’t confidently defend your provider’s answers to an assessor, the answers don’t count.
Non-Negotiable Questions to Ask
At a minimum, your provider should be able to answer yes to the following:
- Do you employ CCP-, RPA-, CISSP-, CISM-, or CISA-certified staff?
- Have you implemented NIST SP 800-171 internally?
- Will you participate in my certification assessment if required?
- Can you provide a Customer Responsibility Matrix (CRM)?
- Are your tools FedRAMP-authorized or implemented to NIST 800-171 standards?
Red flags include statements like:
- “We’ll figure it out with you.”
- “Don’t worry—we have CMMC covered.”
Confidence without evidence is a liability.
Your Provider Must Run Their Own Governance, Risk, and Compliance (GRC) Program
A provider that does not maintain its own cybersecurity compliance program cannot reliably support yours.
A mature MSP or MSSP should be able to demonstrate:
- Documented policies and procedures
- A defined Service Delivery Scope
- Risk assessments and a maintained risk register
- Incident response planning and tabletop exercises
- Asset management for people and technology
- Ongoing training and insider threat awareness
In short, they must treat compliance as a program, not a product they install.
If they don’t practice what they preach, they will fail you.
Why Compliant IT & Security Services Cost More
Compliance-driven IT and security services cost more because they do more—continuously, measurably, and defensibly.
Operating a compliant MSP or MSSP is expensive due to:
- FedRAMP and compliant tooling costs
- Increased documentation and evidence collection
- Time-intensive change tracking and baselining
- Ongoing training and control maintenance
If a proposal looks no more expensive than the MSP “down the street,” it is almost certainly not compliant.
DIB contractors understand this reality from their own compliance journey. Providers feel the same pressure—and legitimate compliance costs must be expected.
The Hard Truth About Switching Providers
Most contractors don’t change providers because they’re unhappy with service. They change because not switching becomes riskier.
Breaking up with an MSP or MSSP is difficult, disruptive, and often expensive. It involves:
- Transferring documentation, credentials, and baselines
- Migrating tools without introducing gaps
- Coordinating handoffs between providers
- Rebuilding compliance artifacts if documentation is missing
Because switching is hard, choosing correctly upfront is critical.
How to Approach Selecting an ESP: Choose Partners, Not Vendors
In the Defense Industrial Base, your IT and security providers are not just vendors. They are partners in your compliance, risk management, and contract survivability.
Ask hard questions. Demand clarity. Require proof.
Because if your provider cannot withstand assessment scrutiny, they don’t just put your certification at risk—they become your largest uncontrolled risk.
Choose Partners, Not Vendors.