
CMMC Is Coming, But Fines Are Already Here. So Is Your MSP Growth Opportunity

This article was written by Mike Semel, CMMC Certified Assessor, a former MSP and president of Semel Consulting.

You may think CMMC is still on the horizon, but federal enforcement of defense cybersecurity rules is already in full swing. The Department of Defense (DoD) and the Department of Justice are cracking down on defense contractors for noncompliance with existing obligations, hitting even small businesses with multimillion-dollar penalties. If you’re an MSP supporting even one defense contractor client, this affects you now—not “someday” when CMMC arrives.

There was a recent $4.6 million federal False Claims Act settlement against a small defense contractor for violating the current cybersecurity requirements—before CMMC becomes a requirement. If they had used an MSP, it’s possible that the MSP could have been charged with causing the false claims to be made.

This is a wake-up call for MSPs supporting defense contractors. MSPs may be unknowingly putting their defense clients—and themselves—at risk. But where there’s risk, there’s also opportunity. MSPs who step up now can become indispensable compliance partners and unlock high-margin, sticky services that will grow their business.

And there may be even more opportunity ahead. At a recent CMMC conference, David McKeown, Acting DoD CISO, said that Acting DoD CIO Katie Arrington has talked to President Trump about pushing CMMC through and even expanding it to other federal agencies. This would expand CMMC beyond defense contractors.

Where the Risks Are—and Where the Opportunity Begins

If you’re treating defense contractors like your general business clients—using the same commercial-grade email, backup, and storage solutions—you could be causing them to breach their DoD contracts. If you lead a client to claim that their cybersecurity meets the requirements, such as by helping them calculate their SPRS (Supplier Performance Risk System) score, you can be charged under the False Claims Act for causing the false attestation.

You might even be exposing your own business to expensive federal cybersecurity requirements if you host their backups yourself.

The focus on CMMC has been a distraction. Contractors must already comply with active contract clauses under the Defense Federal Acquisition Regulation Supplement (DFARS).

Here’s the truth: CMMC is not the starting line. It’s just the audit mechanism for rules that have been in place since 2017.

And clients are expecting—and paying—for MSPs who can help them navigate this now.

Understanding Current Mandatory Requirements: DFARS Explained

Defense contractors have already agreed to comply with several DFARS clauses that are referenced in 80% of defense contracts, including:

  • DFARS 252.204-7008: By accepting the contract, contractors agree to implement the cybersecurity requirements specified in DFARS 252.204-7012 or request a waiver from the DoD CIO.
  • DFARS 252.204-7012: This key clause requires contractors to:
    • Implement the 110 cybersecurity requirements in NIST SP 800-171 rev 2.
    • Only store Controlled Unclassified Information (CUI) in FedRAMP Moderate or equivalent cloud services (including email and backups).
    • Report cybersecurity incidents to the DoD within 72 hours.
    • Flow these requirements down to all subcontractors.
    Contractors were required to meet these requirements by December 31, 2017, and price them into their bids.
  • DFARS 252.204-7019: Contractors must perform a self-assessment of their NIST SP 800-171 implementation using the DoD assessment methodology and post their score to the SPRS database. Posting an SPRS score is considered a legal attestation under the False Claims Act.
  • DFARS 252.204-7020: Contractors grant the DoD the right to audit their systems based on the NIST SP 800-171A rev.2 assessment guide, which breaks down the 110 requirements into 320 detailed assessment objectives.

Failure to comply can result in federal False Claims Act penalties, which can be assessed against businesses or individuals:

  • Repayment of three times what was received in government funds (treble damages)
  • Civil fines
  • Whistleblower lawsuits (with rewards of 15%-30% of recovered amounts)

This is happening now. Not when CMMC rulemaking finishes.

In the recent False Claims Act penalty, Morsecorp, a small business based in Massachusetts, agreed to pay the government $4.6 million—within 60 days—after a former employee became a whistleblower and turned them in for:

  • Using an email provider that was not FedRAMP Moderate (most aren’t)
  • Misrepresenting their SPRS score (104 out of a perfect 110)
  • Not having a System Security Plan (SSP)
  • Not changing their SPRS score after an independent cybersecurity consultant told them their real score was –142 (246 points lower than what they posted; only 22% of the NIST SP 800-171 controls had been implemented). Note: The scoring methodology starts with a perfect score of 110 and then deducts points based on the importance of the practice. The lowest score is –203.
  • Submitting invoices to the government after misrepresenting their cybersecurity

Morsecorp also paid almost $200,000 to cover the whistleblower’s legal fees, and the whistleblower was awarded over $800,000 for reporting the cybersecurity fraud.

Why This Is an MSP Growth Opportunity

Defense contractors urgently need MSPs who:

  • Understand the difference between “we help you comply” and “we took the time to understand your compliance and assessment requirements and consistently deliver services that will stand up to regulatory scrutiny”
  • Know how to build compliant environments using FedRAMP Moderate providers
  • Can guide clients through accurate NIST 800-171 self-assessments and SPRS scoring
  • Provide the documentation contractors must have for audits
  • Prepare them for the upcoming third-party CMMC assessments

Most MSPs haven’t made this investment yet. Those who do will lock in:

  • Premium pricing for compliance expertise
  • Long-term client loyalty based on critical business survival, not just IT support. If an MSP helps their client through their $30K–$100K assessment and then the client wants to switch MSPs, they must undergo another expensive assessment. Talk about stickiness!
  • Expansion opportunities as CMMC becomes required in 2025 and beyond

Rather than seeing CMMC as a burden, smart MSPs see it as a path to high-margin, sticky services that competitors can’t easily replicate.

8 Action Steps to Protect and Grow Your Business

Here are steps you can take now to protect your clients and yourself, and get ahead of the competition.

Verify Contract Clauses. Ask your clients whether they are currently subject to DFARS 252.204-7012, 7019, and 7020 clauses. If yes, they must comply now.

Reassess Security Controls. Use the NIST SP 800-171A guide to verify each of the 320 assessment objectives. If even one is missing, adjust the score accordingly.

Fix SPRS Scores. If the client’s posted SPRS score isn’t fully supported with the documentation described in the assessment guide, either provide documentation validating the current score or advise the client to post a corrected score. Even a low accurate score is better than a fraudulent high one.

Implement Missing Controls. For every unmet practice, develop a Plan of Action and Milestones (POA&M) to document how and when it will be corrected.
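The three steps above (reassess every assessment objective, compare the evidence-supported score with the posted one, and open a POA&M for each gap) follow the scoring logic the article describes: the score starts at a perfect 110, each requirement that is not fully implemented deducts points according to its importance, and the floor is –203. The script below is an added illustration written for this article; it is not the DoD's scoring tool, and the requirement subset, objective identifiers and point weights in SAMPLE are constructed for the example (the authoritative weights come from the DoD assessment methodology, which the page references but does not reproduce). It treats a requirement as unmet if even one of its objectives is unmet, reports how far a posted score is from what the evidence supports, and emits skeleton POA&M rows for the gaps.

```python
from dataclasses import dataclass
from typing import Dict, List

PERFECT_SCORE = 110   # stated in the article: scoring starts from a perfect 110
MINIMUM_SCORE = -203  # stated in the article: the lowest possible score


@dataclass
class Requirement:
    rid: str                     # NIST SP 800-171 requirement number
    title: str
    weight: int                  # points deducted when not fully implemented (assumed values in SAMPLE)
    objectives: Dict[str, bool]  # NIST SP 800-171A assessment objective -> met?

    @property
    def implemented(self) -> bool:
        # The article's rule: if even one objective is missing, the requirement is not met.
        return all(self.objectives.values())


def compute_score(reqs: List[Requirement]) -> int:
    """Start at 110 and deduct each unmet requirement's weight.

    Requirements absent from `reqs` are treated as implemented, so a real
    assessment must cover all 110 requirements (320 objectives), not a subset.
    """
    score = PERFECT_SCORE - sum(r.weight for r in reqs if not r.implemented)
    if not MINIMUM_SCORE <= score <= PERFECT_SCORE:
        raise ValueError(f"score {score} is outside the valid range; check the weight table")
    return score


def unmet_objectives(reqs: List[Requirement]):
    """Every (requirement, objective) pair the evidence does not support."""
    return [(r.rid, oid) for r in reqs for oid, met in r.objectives.items() if not met]


def poam_entries(reqs: List[Requirement]):
    """One POA&M row per unmet requirement: what is missing and a milestone placeholder."""
    rows = []
    for r in reqs:
        if r.implemented:
            continue
        rows.append({
            "requirement": r.rid,
            "title": r.title,
            "points_at_stake": r.weight,
            "gaps": [oid for oid, met in r.objectives.items() if not met],
            "milestone": "TBD",  # owner and target date to be filled in by the contractor
        })
    return rows


def check_posted_score(posted: int, reqs: List[Requirement]) -> dict:
    """Compare the score posted to SPRS with what the assessment evidence supports."""
    computed = compute_score(reqs)
    return {"posted": posted, "computed": computed,
            "delta": posted - computed, "overstated": posted > computed}


# Constructed sample assessment: an illustrative subset of requirements.
# Weights here are assumptions for the example, not the DoD's published table.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5,
                {"3.1.1[a]": True, "3.1.1[b]": True, "3.1.1[c]": True}),
    Requirement("3.5.3", "Use multifactor authentication", 5,
                {"3.5.3[a]": True, "3.5.3[b]": False}),
    Requirement("3.6.2", "Track, document, and report incidents", 3,
                {"3.6.2[a]": True, "3.6.2[b]": False, "3.6.2[c]": True}),
    Requirement("3.8.3", "Sanitize or destroy media before disposal", 1,
                {"3.8.3[a]": True, "3.8.3[b]": True}),
    Requirement("3.13.11", "Employ FIPS-validated cryptography for CUI", 5,
                {"3.13.11[a]": False}),
]

if __name__ == "__main__":
    print("evidence-supported score:", compute_score(SAMPLE))      # 97 for SAMPLE
    print("posted vs. computed:", check_posted_score(104, SAMPLE))  # overstated by 7
    for row in poam_entries(SAMPLE):
        print("POA&M:", row)
```

The point of the objective-level rollup is that partial credit is not available at the objective level: one unmet objective costs the full weight of its requirement, which is why a score computed from the assessment guide often lands well below a score estimated from a control-by-control checklist.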

Upgrade Cloud Services. Ensure any environment handling CUI uses FedRAMP Moderate-approved services and FIPS 140-2 encryption. The most popular commercial email and backup services offered by MSPs currently do not meet these requirements.

Offer Documentation-as-a-Service. Provide regular compliance reporting so clients are prepared for an audit—and so you have proof you delivered compliant services. Charge for this because clients need it and it is not included with basic managed services.

Learn from Certified Professionals and CMMC Level 2 Certified MSPs. CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA) have more validated knowledge than CMMC Registered Practitioners. If you are serious about CMMC, you should become a CCP or CCA.

Also, consider joining the MSP Collective to meet with like-minded MSPs and check out their ESP Directory for a current list of MSPs that have had their services independently certified for CMMC. (RELATED: MSPs on the Front Lines of CMMC: How the MSP Collective Is Driving Change)

Educate and Lead. Be proactive. Clients may not understand these requirements. Guide them now, before regulators or whistleblowers force their hand.

In addition, when clients complain about the high costs of cybersecurity required by the DoD, remind them that since 2017 the DoD has expected that prices offered by contractors need to cover the costs of securing systems to DoD specifications. As I recently said to the CEO of a defense contractor, “Raise your prices.”

The Bottom Line

CMMC is not just another regulatory headache. It’s a massive chance to transform your MSP into a high-value compliance partner—securing bigger contracts, stronger client relationships, and a higher company acquisition value.

If you act now, you won’t just protect yourself from client blame or lawsuits. You’ll seize the lead while other MSPs are still paralyzed by indecision.

Defense contractors are under pressure. Be the MSP they trust to survive—and thrive.


Author:

Mike Semel

Mike Semel, the Complianceologist, is a former MSP and CIO for a hospital and a K-12 school district. He has created CMMC for MSPs and other service delivery toolboxes to help MSPs deliver compliant services without having to learn regulations, add compliance-as-a-service, and help defense contractors implement CMMC compliance. He owns Semel Consulting, a cybersecurity compliance consulting firm that advises MSPs and end user organizations on compliance regulations across multiple industries. Semel is a recognized thought leader in the cybersecurity, compliance, and business continuity planning industries. He is a CMMC Certified Assessor, CMMC Certified Professional, Certified HIPAA Security Professional, Certified Governance Risk Compliance, Certified Business Continuity Professional, and Certified Cyber Resilience Professional. semelconsulting.com
