A long-standing question on whether MSPs providing outsourced IT services to DoD contractors would need to be CMMC certified gained much more clarity during a recent webinar[3] by the Defense Acquisition University, thanks to the presenter Christopher Newborn, a member of DoD’s Acquisition and Cybersecurity Workforce. For MSPs that have followed the CMMC since before its publication, this decision is understandable: a company (MSP) that manages the IT infrastructure of a DoD contractor cannot be exempt from this regulation if the regulation is still to cover all CUI and FCI in the DIB. If your organization has a contracted MSP providing technology services, and that MSP has not discussed with you its plans for CMMC compliance, then you and that MSP may be in for a rude awakening. To put it simply, the federal government has told the DoD it needs to do a better job protecting CUI at its private contractors, and there is no way MSPs in this mix can be exempted from this wide-scale adoption.