Intech Hawaii’s CMMC Level 2 Certification: Why Being Ahead of the Curve Matters in Defense Cybersecurity

In May 2026, cybersecurity experts and policy analysts sounded an alarm that should concern every organization in the defense industrial base: the Pentagon’s Cybersecurity Maturity Model Certification (CMMC) program has a critical blind spot—and it’s putting billions in contracts and sensitive national security information at risk.

The problem isn’t what CMMC requires of defense contractors. Rather, it’s what it doesn’t require of the Managed Service Providers (MSPs) who manage their most critical systems.

Interestingly, while tens of thousands of MSPs serve U.S. defense manufacturers, only about 40 have achieved CMMC Level 2 certification. For perspective, that’s less than 0.1% of the MSP industry. Meanwhile, these service providers hold administrative access to the same Controlled Unclassified Information (CUI) that contractors spend millions protecting. They manage patches, control access, and hold the keys to networks that house some of America’s most sensitive defense technology.

This disconnect represents one of the most significant supply chain security gaps in the defense industrial base today—and it’s about to tighten dramatically.

For Intech Hawaii, this moment represents an inflection point. We’re already CMMC Level 2 certified. Consequently, while the industry struggles to understand what’s coming, we’re positioned not just to comply with future regulations, but to lead the conversation around MSP security in the defense sector.

Understanding CMMC: What It Is and Why It Matters

Before diving into the gap, it’s important to understand what CMMC actually is and why the Pentagon created it in the first place.

CMMC is a comprehensive framework designed to protect Controlled Unclassified Information (CUI) within the defense industrial base. Importantly, it’s not a single checklist or a one-time audit. Rather, it’s a maturity model spanning five distinct levels:

  • Level 1: Basic cybersecurity hygiene (14 practices)
  • Level 2: Intermediate controls aligned with NIST SP 800-171 (110 practices)
  • Level 3: Advanced practices for contractors handling more sensitive information
  • Levels 4-5: Specialized certifications for organizations handling advanced persistent threat (APT) defense

Why the Pentagon Created CMMC

The Pentagon implemented CMMC because the traditional approach—asking contractors to “self-certify” compliance with NIST standards—wasn’t working. Breaches were rampant. Supply chain attacks were becoming the norm rather than the exception. Additionally, defense contractors were claiming compliance while basic security hygiene was missing.

CMMC introduced a fundamental shift toward accountability. Third-party assessors now conduct on-site audits. Certification expires after three years. Furthermore, contractors must demonstrate continuous compliance. The message was unambiguous: cybersecurity maturity isn’t optional in the defense industrial base.

The Impact on Defense Contractors

For contractors, this has meant significant investment. Organizations have had to overhaul their security practices, hire additional staff, implement new technologies, and undergo rigorous assessments. However, the cost has been worth it—contractors now operate with a baseline of security maturity that simply didn’t exist before.

Ironically, the same maturity standard hasn’t been extended to the organizations managing contractors’ most critical systems.

The MSP Paradox: Access Without Accountability

Here’s the core tension: Managed Service Providers have more access to contractors’ systems than most in-house staff, yet they face minimal security requirements.

What MSPs Actually Do

An MSP typically:

  • Manages network infrastructure and cloud environments
  • Installs patches and security updates across all systems
  • Creates and manages user accounts and access controls
  • Monitors systems 24/7 for threats and anomalies
  • Responds to security incidents
  • Manages backups and disaster recovery
  • Handles vendor relationships and integrations

Consider what happens when a threat actor compromises an MSP. Rather than breach each contractor individually, attackers gain a single point of entry that cascades across dozens, sometimes hundreds, of organizations. As a result, one compromised MSP can unlock access to the entire supply chain.

Real-World Examples: When MSPs Become Attack Vectors

This scenario isn’t hypothetical. Recent attacks demonstrate it repeatedly:

SolarWinds (2020): Hackers inserted malicious code into SolarWinds Orion software updates. When thousands of organizations—including federal agencies and Fortune 500 companies—updated their systems, they unknowingly installed a backdoor. Consequently, the attackers gained access to Treasury Department networks, Commerce Department systems, and some of the nation’s most sensitive infrastructure. The damage took years to fully assess.

Kaseya VSA (2021): In a similar fashion, hackers exploited a zero-day vulnerability in Kaseya’s remote management software. Within hours, the attack cascaded across hundreds of small businesses and local governments through their MSPs. Ransomware spread faster than most organizations could respond. Regrettably, some businesses never recovered.

2026 Campaigns: Groups like Qilin and Akira have specifically targeted IT service providers, recognizing them as force multipliers for their attacks. Essentially, one compromised MSP equals dozens of compromised clients.

The Regulatory Disconnect

Yet despite this clear pattern, the regulatory framework hasn’t kept pace. CMMC Level 2 requires contractors to implement 110 security practices aligned with NIST standards. In contrast, MSPs classified as “External Service Providers” face voluntary certification guidance that’s vague, rarely enforced, and largely ignored.

The result is a system where responsibility is unclear and accountability is minimal.

The Regulatory Landscape: Where Industry Stands Today

Today’s cybersecurity regulations for the defense industrial base create a fragmented ecosystem:

For Contractors:

  • Must achieve CMMC certification matching their contract requirements
  • Undergo third-party assessments every three years
  • Implement NIST SP 800-171 controls
  • Face contract penalties for non-compliance
  • Must maintain compliance continuously or lose contracts

For MSPs:

  • No mandatory certification requirement
  • Optional, uneven compliance frameworks
  • No standardized assessment process
  • Minimal oversight from DoD
  • Can claim compliance without verification

The Growing Recognition of the Gap

This gap has become impossible to ignore. Recent analyses indicate that while approximately 35,000-40,000 prime contractors need CMMC certification, only about 40 MSPs have achieved Level 2. Furthermore, even among those MSPs already pursuing certification, progress is glacial. The industry lacks standardized training, clear implementation roadmaps, and consistent assessment criteria.

Notably, lawmakers are starting to notice this disparity. Congressional amendments to defense authorization bills have proposed requiring MSPs with administrative access to CUI to achieve equivalent CMMC certification levels. Senators and Representatives from both parties recognize that supply chain security can’t rest on half-measures.

The question isn’t whether regulations will change. Rather, it’s when—and how quickly MSPs can adapt.

Where the Industry Is Heading: Regulatory Tightening

If you work in cybersecurity, the direction is unmistakable. Regulatory pressure on MSPs will intensify. Here’s what we’re likely to see over the next 18-36 months:

1. Mandatory MSP Certification Requirements

Eventually, the DoD will likely issue updated CMMC guidance requiring MSPs serving CMMC-certified contractors to achieve equivalent certification levels. This won’t be a suggestion—it will be a contract requirement. Organizations that don’t use certified MSPs will face compliance violations that jeopardize their defense contracts.

Importantly, the timeline is accelerating. What was once a “future consideration” is now being discussed in serious policy circles.

2. Supply Chain Audits and Verification

Increasingly, contractors will face pressure from customers and auditors to verify their MSP security posture. This will happen in two ways: through formalized compliance verification and through informal supply chain reviews. Organizations will need to provide proof of MSP certification, not just assurances.

This shift transfers accountability upstream. Essentially, you’re not just responsible for your own security—you’re also responsible for verifying your service provider’s security.

3. Risk Transfer and Liability

As regulations tighten, liability for MSP-related breaches will likely shift. Organizations using non-certified MSPs may find themselves liable for breaches that could have been prevented through proper vendor due diligence. Additionally, insurance policies may exclude coverage for MSP-related incidents if the MSP wasn’t certified.

This creates a cascading effect: contractors pressure MSPs to certify, which in turn creates regulatory momentum for mandatory requirements.

4. Tiered Accountability and Control Requirements

Moving forward, the distinction between “contractor” and “service provider” will increasingly blur. Organizations will be held accountable for the access and control their service providers have, not just for their own systems.

This likely means several critical changes:

  • MSPs handling CUI will need to implement controls equivalent to those required of contractors
  • Assessment frameworks will expand to include MSP environments
  • Responsibility will follow access

5. International and Commercial Sector Adoption

Finally, CMMC-equivalent frameworks are already spreading beyond U.S. defense contractors. NATO allies are developing similar models. Commercial sectors handling sensitive data are adopting comparable standards. What starts as defense policy becomes an industry norm.

Intech Hawaii: Already Positioned for What’s Coming

This is where Intech Hawaii’s CMMC Level 2 certification becomes strategically significant.

Notably, while the industry grapples with regulatory uncertainty and most MSPs remain unprepared, we’ve already made the investment. We’ve implemented the controls. We’ve undergone the rigorous third-party assessment. We’ve achieved the maturity standard that the Pentagon is moving toward requiring.

This isn’t just about compliance. Rather, it’s about demonstrating genuine security maturity.

What CMMC Level 2 Certification Actually Means

  • 110 Implemented Security Practices: We’ve implemented the full NIST SP 800-171 control set, covering everything from access management and incident response to system monitoring and risk assessment.
  • Third-Party Verification: An independent assessor has verified our controls through on-site audits and evidence review. This isn’t self-certification—it’s audited compliance.
  • Continuous Compliance: Our certification is maintained through ongoing compliance monitoring and re-assessment every three years. We don’t implement controls and forget about them.
  • Supply Chain Readiness: Contractors using Intech Hawaii can confidently state that their MSP meets CMMC Level 2 standards—the same standard the Pentagon will likely require.

Six Concrete Benefits for Our Clients

  1. Reduced Risk and Liability: You’re partnering with an MSP that has demonstrated security maturity through third-party assessment. Should a breach occur, you can show that you took proper care in vendor selection.
  2. Supply Chain Confidence: Your customers, auditors, and regulators can verify that your MSP meets CMMC standards. This strengthens your overall supply chain security posture.
  3. Future-Proofing Your Compliance: When DoD updates CMMC requirements for MSPs, you won’t face emergency compliance remediation. Importantly, you’re already aligned with the trajectory.
  4. Competitive Differentiation: In a market where MSP certification is still rare (less than 0.1% of the industry), partnering with a certified provider is a competitive differentiator. You can credibly claim supply chain security maturity that most competitors cannot.
  5. Faster Time to Certification: If you’re pursuing CMMC certification yourself, working with a certified MSP simplifies your assessment. Essentially, you don’t have to worry about MSP-related control failures.
  6. Regulatory Readiness: When the rules change—and they will—you’ll already be compliant. Other organizations will face expensive emergency upgrades. By contrast, you’ll be ahead of the conversation.

The Broader Industry Implications: What This Moment Represents

We’re at an inflection point in cybersecurity regulation. The gap between contractor and MSP security standards has become untenable. The recent policy attention, Congressional amendments, and expert analysis all point in one direction: regulatory tightening is coming.

Organizations face a critical choice:

Option 1: Wait for Regulations to Clarify

This approach means watching from the sidelines while the industry evolves. When mandatory MSP certification becomes law, you’ll scramble to find compliant providers or rush through your own certification. As a result, you’ll incur higher costs, experience implementation delays, and potentially face compliance gaps during the transition.

Option 2: Get Ahead of the Curve

By contrast, this approach means partnering with providers—like Intech Hawaii—who have already invested in security maturity. You position yourself as forward-thinking, supply-chain secure, and regulatory-ready. When the rules change, you’re already aligned.

For organizations in the defense industrial base, the second approach isn’t just strategically sound—it’s increasingly necessary for competitive survival.

The Path Forward: What Comes Next

The regulatory environment will continue to evolve. Expect:

  • Updated CMMC guidance within 12-24 months requiring MSP certification
  • Supply chain security audits becoming standard practice
  • Insurance policies adjusting to reflect MSP certification requirements
  • Commercial sector adoption of equivalent standards
  • International alignment around MSP security requirements

Significantly, the 40 MSPs currently certified at CMMC Level 2 won’t remain rare for long. As regulations tighten, certification will become a baseline expectation. The first-mover advantage belongs to organizations that achieve certification now.

For Intech Hawaii and our clients, this moment represents an opportunity. We’re not racing to catch up to regulatory requirements. Rather, we’re already positioned where the industry is heading.

Security Maturity as Competitive Advantage

The Pentagon’s cyber rules leave an obvious gap: MSPs have extraordinary access to defense infrastructure, yet minimal security accountability. This gap will close. Regulatory pressure, Congressional action, and supply chain necessity will demand it.

Ultimately, the question isn’t whether this change is coming. The question is whether you’ll be ready.

Intech Hawaii is ready. We’re CMMC Level 2 certified. We’ve invested in security maturity. We’ve demonstrated our controls through third-party assessment. Consequently, we’re positioned not just to survive regulatory change, but to lead it.

If you’re serious about supply chain security, about regulatory preparedness, and about demonstrating genuine cybersecurity maturity to your customers and auditors, now is the time to partner with an MSP that’s already ahead of the curve. Contact Intech Hawaii today to learn how our CMMC Level 2 certification can strengthen your defense industrial base compliance and position your organization for the regulatory changes ahead.

The rules are changing. The industry is evolving. Therefore, the question is whether you’re going to be prepared for what comes next.