Using a standard (non-CMMC-compliant) MSP (Managed Service Provider) to support a manufacturer seeking CMMC Level 2 compliance introduces significant risks, gaps, and compliance issues. Here’s a structured breakdown:
1. Compliance and Regulatory Concerns
- Shared Responsibility Gaps:
  - CMMC Level 2 requires all 110 NIST SP 800-171 controls. A non-compliant MSP may not implement or document many of these controls, creating gaps in your System Security Plan (SSP).
  - Without a clear RACI (responsibility assignment matrix), you risk failing an audit because certain controls (e.g., logging, MFA, incident response) are "assumed" to be handled by the MSP but are not actually implemented.
- Flow-down Requirements:
  - As a DoD contractor or subcontractor, you must ensure that all external service providers that handle or access CUI (Controlled Unclassified Information) meet the same requirements.
  - If your MSP processes, stores, or transmits CUI on your behalf, you are responsible for ensuring their environment is compliant (NIST 800-171 3.1.19, 3.13.1, etc.).
  - If they are not, you risk DFARS 252.204-7012 noncompliance and potential loss of contracts.
- Evidence and Audit Readiness:
  - CMMC assessments require proof (policies, procedures, logs, system configurations) that security requirements are met. A non-compliant MSP may not provide adequate documentation or artifacts for assessors, leading to failed certification.
2. Security Risks
- Inadequate Cyber Hygiene:
  - Many MSPs focus on uptime and helpdesk support, not DoD-grade cybersecurity. They may lack:
    - Endpoint detection and response (EDR)
    - Encrypted communications and storage for CUI
    - SIEM and log retention for 90+ days (NIST 3.3.1)
    - A proper incident response plan aligned to DFARS 252.204-7012 reporting
- Credential Management Issues:
  - Non-compliant MSPs often rely on shared admin accounts, do not enforce MFA, or store passwords insecurely, all of which are direct violations of CMMC practices.
- Remote Access Vulnerabilities:
  - Many MSPs use remote monitoring and management (RMM) tools that are not hardened, potentially creating a backdoor into your network that violates access control and boundary protection requirements.
3. Data Handling Concerns
- Improper CUI Segregation:
  - A standard MSP may mix your data with other clients' backups or cloud environments, creating a risk of cross-contamination and data spillage.
- Non-compliant Storage/Backup Locations:
  - They may store data on servers or in public cloud instances that are not FedRAMP Moderate or DoD IL4 equivalent, violating DoD contract requirements.
- Lack of Encryption:
  - CUI in transit or at rest may not be encrypted with FIPS-validated cryptography, failing specific NIST 800-171 controls (3.13.11, 3.13.16).
4. Contractual and Liability Issues
- No Binding Flow-down Clauses:
  - If the MSP contract does not include clauses for safeguarding CUI, incident reporting within 72 hours (DFARS 252.204-7012), and CMMC adherence, you (the manufacturer) assume full liability for any data breach or compliance failure.
- Insurance Limitations:
  - Cyber liability coverage may not cover incidents if you knowingly engage a provider that is not meeting government-mandated standards.
5. Long-term Business Risk
- Barrier to Certification:
  - During a CMMC Level 2 assessment, your use of a non-compliant MSP may immediately trigger findings that block certification or require costly remediation before you can pass.
- Lost Contracts:
  - Primes increasingly require suppliers to prove current NIST 800-171 self-assessment scores in SPRS. If your MSP cannot support your POA&M (Plan of Action & Milestones) or security architecture, you may lose DoD contract eligibility.
- Transition Costs:
  - Moving from a non-compliant MSP to a compliant enclave or IT model later is often disruptive and expensive, especially if you must rearchitect networks or rehost systems.
✅ Best Practice
- Use a CMMC-aligned or RPO/RP-certified MSP or enclave provider that:
  - Signs flow-down clauses and incident reporting commitments
  - Documents all NIST 800-171 controls in your SSP
  - Provides artifact evidence for C3PAO assessments
  - Implements a secure architecture for handling CUI (FedRAMP cloud, MFA, SIEM, encrypted file transfer)