The Pentagon’s cyber rules leave MSPs as an attack vector

COMMENTARY | Who actually holds the keys to military contractor information systems?
At a time when China, Russia and criminal groups are increasingly targeting military supply chains, a narrow regulatory gap has created an attack vector adversaries can exploit to undermine national security.
The Cybersecurity Maturity Model Certification (CMMC) program, which took effect in late 2025, is designed to protect those supply chains. By requiring contractors that handle Controlled Unclassified Information (CUI) to implement NIST SP 800-171 controls and undergo third-party verification, CMMC seeks to eliminate weak links across the Defense Industrial Base (DIB).
But as CMMC shifts from regulation to real-world enforcement, a fundamental question looms: Who actually holds the keys to military contractor information systems?
Overlooked impact of MSPs
Managed Service Providers (MSPs) are an indispensable part of protecting the DIB, giving small and medium-sized businesses (SMBs) access to IT expertise that would otherwise be cost-prohibitive. By outsourcing network, system and cloud management to MSPs, contractors can slash compliance costs while accelerating CMMC readiness, transforming a burdensome solo effort into a streamlined, scalable option.
Done correctly, with MSPs held to the same rigorous standards as their clients, these providers strengthen security through specialized knowledge, proactive threat hunting and shared best practices, hardening the entire supply chain against evolving threats.
Where CMMC falls short
If MSPs are not held to equivalent standards, they become a critical attack vector. MSP personnel routinely hold privileged administrative access to patch vulnerabilities, reset credentials and tune defenses. Compromised access can expose entire contractor networks. This “privileged access” reality is central to modern cybersecurity. But CMMC does not fully address it.
Many contractors, especially resource-constrained SMBs, depend on MSPs to meet and sustain compliance. Yet CMMC’s governing regulation treats MSPs as “External Service Providers” (ESPs) under vague scoping rules and voluntary certification.
Voluntary compliance is inadequate when the provider controls the environment. Multi-tenant architectures, standardized toolsets deployed across hundreds of clients and potential overseas operations make it impossible for any single contractor to rigorously validate an MSP’s security posture. The result: contractors face clear obligations, while MSPs with operational control over CUI environments can escape equivalent certification — creating a high-leverage entry point for adversaries.
Real threats to the DIB
This is not theoretical. The 2020 SolarWinds attack used trusted software updates to breach dozens of defense contractors. The 2021 Kaseya VSA ransomware campaign hit MSPs directly, encrypting systems at hundreds of downstream clients. In early 2026, ransomware groups Qilin and Akira targeted IT service providers and manufacturing supply chains, with Akira breaching providers serving defense and government sectors. Nation-state actors, including Chinese-linked Mustang Panda, continue persistent espionage through third-party vectors. Supply-chain attacks are surging, AI is amplifying extortion and MSP privileged access remains a prime vulnerability.
The legislative fix
The solution is not to abandon MSPs. It is to hold them to appropriate standards. The fix requires neither a sweeping overhaul nor undue burdens on small businesses. It demands targeted oversight and discrete updates, beginning with the House Armed Services Committee (HASC).
A foundational challenge is visibility: DoW lacks a reliable inventory of MSP usage among Level 2 and Level 3 contractors. There is no record of which contractors rely on MSPs for CUI-related systems, which providers are involved or their certification status. Industry estimates suggest tens of thousands of MSPs serve U.S. businesses, with widespread adoption among defense manufacturers, yet only approximately 40 have attained CMMC Level 2 certification. Without this baseline, the Pentagon is operating blind.
First, HASC should direct DoW to conduct a focused survey of Level 2 contractors: Do they use MSPs for systems that process, store or transmit CUI? Which MSPs? Are those providers certified commensurate with their level of privileged access? This inventory would illuminate real exposure without excessive red tape.
Second, Congress should close the gap surgically. Congress has already defined “managed service provider” in 6 U.S.C. § 650(18) as entities providing ongoing network, infrastructure or security services — a statutory foundation ready to be applied. Congress should amend 32 CFR Part 170 to incorporate that definition and require MSPs with administrative access to CUI environments to obtain certification matching their client contractor’s CMMC level.
These steps enforce a core principle: if an entity holds functional control over CUI systems, it must meet verifiable standards aligned with that responsibility. MSPs already help SMBs achieve security and compliance more affordably and quickly; clear rules will promote CMMC-ready partners and further harden the supply chain.
CMMC promises genuine protection across the DIB, not checkbox compliance. Treating privileged access as an edge case invites preventable vulnerabilities at a moment when threats from ransomware to nation-state espionage are intensifying. The changes are narrow, the rationale clear and the stakes — safeguarding systems essential to warfighters and national security — are immense.
Amy Edwards is a U.S. Army veteran and Director of Legislative Affairs for the Managed Service Provider Collective. Michael McLaughlin is a U.S. Navy veteran and Co-Leader of the Cybersecurity and Data Privacy Practice Group at the law firm of Buchanan Ingersoll & Rooney, PC.