Jan 26, 2026
MSPs and CMMC Level 2.0 - When Is It Required?

If you’re a Managed Service Provider (MSP) working with defense contractors or handling sensitive government information, CMMC Level 2 (the "Advanced" level of the CMMC 2.0 program) is what stands between you and Department of Defense (DoD) contract awards. A Level 2 status demonstrates that your cybersecurity measures meet the standards required to protect Controlled Unclassified Information (CUI).

Here’s what you need to know:

  • Who needs it? MSPs managing systems that process, store, or transmit CUI under DoD contracts, including subcontractors and MSPs whose services fall inside a defense contractor's assessment scope.
  • When is it required? Compliance is tied to contracts carrying the CMMC DFARS clause. Program offices have been able to include the clause since November 10, 2025, and it becomes mandatory in all applicable DoD solicitations on November 10, 2028.
  • What does it involve? Implementing the 110 security requirements of NIST SP 800-171 Rev 2, documenting them in a System Security Plan, and being assessed every three years. Whether that assessment is a self-assessment (Level 2 Self) or one performed by a Certified Third-Party Assessment Organization (Level 2 C3PAO) is set by the solicitation, so plan for the C3PAO version unless your contracts say otherwise.
  • Key deadlines: The CMMC program rule (32 CFR Part 170) took effect on December 16, 2024, the DFARS acquisition rule on November 10, 2025, and enforcement phases in through 2028.

For MSPs, failing to comply could disqualify you or your clients from DoD contracts. Start by performing a gap assessment, documenting your security measures, and preparing for third-party audits.

CMMC Level 2.0 Compliance Timeline and Requirements for MSPs

What Is CMMC Level 2.0?

CMMC Level 2, the Advanced level of the CMMC 2.0 program, is designed to protect Controlled Unclassified Information (CUI). This includes sensitive materials like engineering drawings, technical specs, research data, and software source code - information that could pose risks to national security or economic interests.

To meet Level 2.0 standards, organizations must implement 110 controls outlined in NIST SP 800-171 Revision 2. These controls are spread across 14 categories, such as Access Control, Incident Response, and System & Communications Protection. According to CISA, CMMC 2.0 simplifies the framework by consolidating cybersecurity requirements into three levels and aligning them with established NIST standards.

One key feature of Level 2 is the allowance for Plans of Action and Milestones (POA&Ms), which give organizations up to 180 days after the assessment to close out unmet requirements. The allowance is narrow: the assessment score must already be at least 88 of 110, and only requirements weighted at one point may be deferred (the CUI encryption requirement, SC.L2-3.13.11, is the one higher-weighted requirement allowed on a POA&M, and a small set of one-point access-control and physical-protection requirements are excluded outright). A POA&M is therefore not a way to defer multi-factor authentication or other heavily weighted requirements. Full assessments are conducted every three years, with annual affirmations required in between. Below, we’ll explore the specific steps and documentation needed to achieve and maintain compliance at this level.

CMMC Level 2.0 Requirements

Achieving Level 2 compliance means implementing all 110 NIST SP 800-171 controls and documenting them thoroughly in a System Security Plan (SSP). These controls are evaluated using the 320 assessment objectives of NIST SP 800-171A. Requirements that are not fully implemented at assessment time are recorded in a POA&M (where the scoring rules allow one at all) and must be closed, with the closure verified by a closeout assessment, within 180 days. Failure to do so results in the expiration of Conditional Level 2 status, after which a full new assessment is required.

Organizations are also required to keep all assessment-related records for 6 years from the date of their CMMC certification. Additionally, if a Cloud Service Provider is used to manage CUI, they must be either FedRAMP Authorized at the Moderate baseline or meet equivalent security standards. The Department of Defense (DoD) underscores the importance of documentation, stating that "if a process is not documented, it is considered non-existent during an assessment". This makes thorough and accurate documentation a critical component of compliance.

Organizations That Must Comply

CMMC Level 2 applies to any organization handling CUI under a DoD contract, including prime contractors and subcontractors. It reaches service providers through scoping rather than through a separate mandate: an MSP that qualifies as an External Service Provider (ESP) because it processes, stores, or transmits CUI, or because it provides security protection for the client's in-scope assets, is part of the client's assessment scope. Under the final rule a non-cloud ESP does not need its own CMMC certification; its services are assessed as part of each client's Level 2 assessment. Many MSPs nonetheless pursue a voluntary Level 2 status of their own to simplify that scoping conversation with every client.

As of early 2026, the DoD has validated 357 entities through DCMA DIBCAC assessments, including major prime contractors. Compliance requirements extend throughout the entire supply chain. If a subcontractor’s role involves handling CUI, they must achieve Level 2 certification to remain eligible for contract awards. This also applies to cloud providers, MSPs, and technology vendors supporting defense contractors - non-compliance could disqualify their clients from securing DoD contracts.

When MSPs Must Comply with CMMC Level 2.0

For Managed Service Providers (MSPs), compliance with CMMC Level 2.0 becomes necessary when certain conditions are met. These include contracts that feature DFARS clauses, handling Controlled Unclassified Information (CUI) for defense contractors, or participating as subcontractors in the Department of Defense (DoD) supply chain. Knowing these triggers is critical for determining if certification is required.

DFARS Contract Clauses

MSPs must adhere to the requirements outlined in DFARS 252.204-7021 for contracts involving Federal Contract Information (FCI) or CUI. The appropriate CMMC status must be recorded in the Supplier Performance Risk System (SPRS). This clause is included in DoD solicitations and contracts that involve the processing, storage, or transmission of FCI or CUI.

"Contractors are required to achieve, at time of award, a CMMC status at the CMMC level specified in the solicitation, or higher, for all information systems used in the performance of the contract, task order, or delivery order that will process, store, or transmit FCI or CUI."
– DFARS 204.7502

From November 10, 2025, when the DFARS rule took effect, until November 9, 2028, the clause appears only where the program office determines that a specific CMMC level is necessary. From November 10, 2028, it will be included in all relevant DoD solicitations, except those solely for commercially available off-the-shelf (COTS) items.

Handling Controlled Unclassified Information (CUI)

Beyond DFARS requirements, MSPs must comply with CMMC Level 2.0 if their systems process, store, or transmit sensitive CUI. This includes materials like technical specifications, engineering designs, research data, and software source code that are protected under federal law or regulation.

For MSPs acting as External Service Providers (ESPs) rather than Cloud Service Providers, the MSP's services are evaluated as part of the client's own Level 2 assessment, against whichever of the 110 controls those services touch. That means the MSP's role, its services, and a Customer Responsibility Matrix (CRM) stating who implements each control, the MSP or the client, must be spelled out in the client's System Security Plan (SSP). A CRM entry that reads "shared" without saying who does what leaves the assessor nothing to verify.

MSPs should also confirm which of their own infrastructure is in scope. Under the CMMC scoping rules, an asset is in scope not only if it handles CUI but also if it provides security protection for in-scope assets (a Security Protection Asset): an RMM platform, a SIEM, a backup system, or a privileged jump host that the MSP operates for a client will be examined in the client's assessment even if no CUI ever sits on it. Subcontracting roles add another layer of responsibility under CMMC requirements.

Subcontractor Requirements

When MSPs act as subcontractors for prime contractors with DoD contracts, they inherit CMMC responsibilities through flowdown requirements. Prime contractors are obligated to pass down the appropriate CMMC level to all subcontractors and suppliers handling FCI or CUI.

Prime contractors must also verify and regularly monitor MSPs' CMMC status in SPRS throughout the contract's duration. The only exception applies to subcontracts involving solely COTS items. MSPs are required to maintain their CMMC status for the full length of the contract and provide an annual affirmation of continuous compliance in SPRS.

It's essential for MSPs to confirm the specific CMMC level required with their prime contractors. This depends on whether the subcontract involves FCI (Level 1) or CUI (Level 2). Failing to meet these requirements could disqualify both the MSP and the client from receiving contract awards.

How to Prepare for CMMC Level 2.0 Compliance

If you're aiming for CMMC Level 2.0 compliance, preparation is key. It requires careful planning, evaluating your current security measures, implementing the necessary controls, and ensuring everything is well-documented. Here's how to get started.

Perform a Gap Assessment

Begin by comparing your current security practices to the 110 requirements outlined in NIST SP 800-171 Rev 2. This process, known as a gap assessment, helps pinpoint what you're already doing well and what still needs to be addressed. Focus on five critical areas: People, Process, Technology, Data, and Facility (PPTDF).

Dive deeper into the 110 controls and 320 assessment objectives detailed in NIST SP 800-171A. These objectives outline the specific criteria that Certified Third-Party Assessment Organizations (C3PAOs) will use during formal evaluations. For example, access control requirements go beyond limiting access - they also include factors like user authentication, session management, and audit logging.

Don't overlook the controls that NIST SP 800-171 assumes are already in place. Appendix E of the publication tailors out a set of "NFO" (Non-Federal Organization) controls, such as written policies for each control family, on the grounds that organizations routinely satisfy them without being told to; assessors expect to see them even though contracts never list them. Your System Security Plan (SSP) and Plan of Action & Milestones (POA&M), by contrast, are not assumed: they are requirements 3.12.4 and 3.12.2 of SP 800-171 itself, and an assessment cannot proceed without an SSP. Once you've identified the gaps, you can start addressing them.

Implement NIST SP 800-171 Controls


After identifying your gaps, it's time to implement the missing controls. NIST SP 800-171 groups its 110 requirements into 14 categories, such as Access Control, Incident Response, and System and Communications Protection. Each control must not only be implemented but also thoroughly documented.

As ComplianceForge puts it:

"When it comes to cybersecurity compliance, if it is not documented then it does not exist."

Documentation is non-negotiable. Your SSP should clearly outline system boundaries, operational environments, and specifics about how each control is implemented. If you're using external service providers that aren't classified as CSPs (cloud service providers), make sure their services are documented in your SSP and included in your CMMC assessment scope.

Additionally, maintain all assessment evidence for at least six years from the CMMC Status Date. To make that evidence defensible, hash each artifact with a NIST-approved algorithm such as SHA-256 at the time it is collected, and keep the list of hashes alongside the evidence so that you and your assessor can show nothing has been altered since. With everything in place, consider bringing in expert support to make the process smoother.
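The hashing step above is easy to do badly (a one-off `sha256sum` that nobody re-checks). The script below is an added example, not code from the original article or from Cycore: it builds a SHA-256 manifest of every file under an evidence directory and later verifies the directory against that manifest, reporting files that were modified, removed, or added after the hashes were recorded. The evidence folder, file names and contents in `demo()` are constructed for the demonstration; point `build_manifest` and `verify_manifest` at your real evidence tree.

```python
#!/usr/bin/env python3
"""Evidence integrity manifest for CMMC assessment artifacts (added example).

SHA-256 is a NIST-approved hash (FIPS 180-4). The manifest maps each file's
relative path to its digest; re-running verification against the saved
manifest shows whether the retained evidence still matches what was hashed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large evidence exports fit in memory


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob (handy for spot checks)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, streamed rather than read whole."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's POSIX-style relative path to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(manifest: dict, out: Path) -> None:
    # Sorted keys give a stable file you can sign, or hash again as a "hash of hashes".
    Path(out).write_text(json.dumps(manifest, indent=2, sort_keys=True) + "\n")


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a saved manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    three empty lists mean the evidence matches what was originally hashed.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Hash a constructed evidence folder, tamper with it, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        (root / "policies").mkdir(parents=True)
        # Constructed sample artifacts; real evidence would be policy PDFs,
        # screenshots, config exports and so on.
        (root / "policies" / "access-control.md").write_text("AC policy v1\n")
        (root / "mfa-screenshot.txt").write_text("constructed screenshot placeholder\n")

        manifest = build_manifest(root)
        write_manifest(manifest, Path(tmp) / "manifest.json")  # kept outside the tree
        clean = verify_manifest(root, manifest)

        # Simulate a post-assessment edit, a lost artifact, and an unlisted file.
        (root / "policies" / "access-control.md").write_text("AC policy v2\n")
        (root / "mfa-screenshot.txt").unlink()
        (root / "extra.log").write_text("not in manifest\n")
        tampered = verify_manifest(root, manifest)

        saved = json.loads((Path(tmp) / "manifest.json").read_text())
        return {"clean": clean, "tampered": tampered, "entries": len(saved)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest outside the evidence tree (or sign it) so that whoever can edit the evidence cannot silently regenerate the hashes; re-run `verify_manifest` at each annual affirmation and record the result with the affirmation.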

Work with Cycore for Compliance Support


For a streamlined approach, Cycore offers end-to-end support for achieving CMMC Level 2.0 compliance. Rather than relying on generic GRC platforms, Cycore works directly with your organization to handle the hands-on tasks required for compliance.

Their team takes the time to understand your technology stack and operational environment, crafting a security program tailored to your needs. This includes writing policies, configuring technical controls, gathering evidence, managing vendor assessments, and maintaining your SSP and POA&M. They even assist with selecting auditors and addressing any findings during the assessment.

For Managed Service Providers (MSPs) overseeing multiple client environments, Cycore’s approach eliminates the burden of compliance-related tasks. This allows your team to focus on delivering services and driving revenue while Cycore ensures you're always ready for audits. Their fixed monthly fee model simplifies the process, offering peace of mind year-round.

Conclusion

CMMC Level 2.0 compliance is a must for MSPs working with DoD contractors or handling Controlled Unclassified Information (CUI). With full enforcement set for 2028 and requirements starting to appear in DoD contracts by late 2025, the clock is ticking. Whether you're directly involved in defense contracts or supporting clients who are, you're likely part of the audit scope as a Security Protection Asset.

Preparation starts with thorough gap assessments and meticulous documentation, including your System Security Plan (SSP) and Plan of Action & Milestones (POA&M). Compliance isn’t a one-and-done task - it demands consistent effort, with annual affirmations and assessments every three years.

For MSPs managing multiple client environments, the compliance workload can feel overwhelming, often pulling resources away from your core business. That’s where Cycore steps in. Unlike traditional GRC platforms that simply track tasks, Cycore takes a hands-on approach - writing policies, configuring controls, gathering evidence, managing vendor assessments, and ensuring your SSP and POA&M are always up to date.

With a fixed monthly fee and specialists who understand your technology stack, Cycore keeps you audit-ready year-round. This proactive support lets you focus on growing your business and delivering excellent services while staying competitive in the Defense Industrial Base. Cycore’s dedicated approach helps MSPs meet compliance demands without sacrificing operational efficiency or their place in the defense sector.

FAQs

What steps should MSPs take to prepare for CMMC Level 2.0 compliance?

To gear up for CMMC Level 2.0 compliance, MSPs should kick things off with a detailed gap analysis based on the 110 practices outlined in NIST SP 800-171. This step is crucial for pinpointing areas where existing processes or controls might be lacking. Afterward, it's important to compile essential documentation, including System Security Plans (SSPs) and incident response plans, while ensuring critical cybersecurity measures - like multi-factor authentication and encryption - are fully in place.

Beyond documentation, MSPs should focus on training their teams to understand compliance requirements, setting up processes for continuous monitoring, and addressing any identified gaps without delay. Starting early and maintaining thorough records will be key to staying on schedule: Phase 1 of the rollout began on November 10, 2025 with self-assessments, and from November 10, 2026 solicitations may require a C3PAO-certified Level 2 status. Following these steps can help MSPs navigate the compliance journey with clarity and preparedness.

When do MSPs need to comply with CMMC Level 2.0 in the DoD supply chain?

MSPs that operate as subcontractors within the Department of Defense (DoD) supply chain must meet the CMMC level that flows down from the prime contract. If the MSP's systems process, store, or transmit Controlled Unclassified Information (CUI), that is Level 2; if they handle only Federal Contract Information (FCI), Level 1 (an annual self-assessment against 15 basic safeguarding requirements) is sufficient.

Whether Level 2 must be confirmed by a self-assessment or by a Certified Third-Party Assessment Organization (C3PAO) is specified in the solicitation. MSPs serving several clients should plan for the C3PAO assessment, since they cannot control which variant each client's contract will demand. If your organization deals with CUI, preparing for that assessment is essential to maintain eligibility for DoD contracts.

What are the consequences for MSPs that miss the CMMC Level 2.0 compliance deadline?

Failing to meet the CMMC Level 2.0 compliance deadline can spell trouble for Managed Service Providers (MSPs). Without this certification, MSPs risk losing eligibility to work on Department of Defense (DoD) contracts that require compliance. This could mean missing out on valuable business opportunities tied to federal projects.

Beyond lost contracts, non-compliance carries legal risk. The annual affirmation entered in SPRS is a representation to the government, and the Department of Justice has pursued False Claims Act cases against contractors whose cybersecurity representations did not match reality. To steer clear of these setbacks, MSPs should make certification preparation a top priority - well before the deadline approaches.
