The elite group of IT service providers that qualified for the now-suspended Cybersecurity Maturity Model Certification phase 2 requirements have no regrets.
The U.S. Department of Defense on Monday announced it was suspending its Nov. 10 requirement date for CMMC phase 2. The DoD said it was lowering the barrier to entry for small but “innovative” firms that want to service military contractors in the defense industrial base. It’s a boon for the vast majority of IT service providers that are not caught up with the requirements.
“We’re seeing that there’s over 100,000 DIB businesses still that needed a third-party assessment conducted and somewhere in the neighborhood of 100, maybe a little over 100 assessors that are available for that,” DoD CIO Kirsten Davies told Breaking Defense. “So the math just simply doesn’t math for small to medium-sized businesses to even get compliant by … the former transition date November 10, 2026,” Davies said.
It was a heavy lift to make phase 2 requirements, with partners meeting 110 criteria.
“It's a bit frustrating because there are a lot of organizations who have already put in a lot of time and effort into becoming CMMC-compliant,” Corsica Technologies CISO Ross Filipek told Channel Dive. “Basically now finding out that until further notice, at least level two compliance really isn't going to be enforced.”
BanaTech Managing Partner and Founder Bana Qashu said she was about to launch a campaign geared toward educating clients about CMMC but will hold off for now.
“Phase 1 is essentially check-the-boxes,” Qashu said. “Well, you already do that for HIPAA and PCI, so what's the difference? Now you're just doing it for data.”
JP Panzica, CEO of Florida-based technology advisor Accelerate Partners, is closely watching how the changes affect consulting opportunities.
“There is still the need for phase one, which is self-assessment, in which the DIB needs assistance from a CMMC provider like C3,” Panzica said. “Although firms were moving hard towards phase 2 compliance, the projects now get paused which could negatively affect the advisor's pocket for now.”
A change in enforcement
The sky isn’t falling for compliant MSPs.
C3 Integrated Solutions Chief Growth Officer Bill Wootton said the cybersecurity industry conflated CMMC phase 2 as a deadline rather than a next step. In the latest phase, contracting officers would have the option to put CMMC requirements into their contracts, according to a DoD memo.
“There unfortunately became a perception in the industry that Nov. 10 every contract was getting controlled unclassified information and a third-party assessment, and it was going to be a light-switch type of event,” Wootton said.
Although phase 2 has been suspended, CMMC remains the law of the land, and cybersecurity concerns remain top of mind for military contractors and the channel partners that support them.
“For MSPs and MSSPs who can deliver services in a CMMC-compliant fashion, there's always been a lot of opportunity there,” Filipek said.
Corsica and other firms that made the plunge into compliance have always been a select group due to the vast majority of MSPs staying out of the defense industry.
“When the CMMC program first came to fruition, you had a lot of MSPs take a look at those requirements and say, ‘Hey, I'm not going to touch that with a 10-foot pole,” Filipek said. “I'll just make that decision to exit the market and not offer services to defense contractors.”
Third-party assessments are just one part of the equation. Wootton said C3 undertook the certification as an ancillary — yet strategic — add-on to its core managed IT and security services. The core IT services remain critical for military contractors, Wootton said.
“Deploying compliance solutions, respecting data sovereignty requirements, investments in the cyber appropriate investments in the cybersecurity, engaging with MSPs that understand the burden of compliance and can support that with their clients are all things that defense contractors can do today and should be doing in order to protect the data that they hold,” Wootton said.