Unforeseen events in August caused a flurry of activity for both the Department of Defense and Industry. Specifically, the unintended release of draft materials for CMMC 2.1 Levels 1, 2, and 3, including scoping guidelines, which are the focus of this blog.


Background – It’s not CUI so why are MSPs/MSSPs going to be considered to be in scope for CMMC assessments?


When the Cybersecurity Maturity Model Certification (CMMC) version 1.0 framework was introduced over three years ago, there were considerable “spirited debates” among a wide array of stakeholders about what constitutes CUI within a Government Contractor’s (GovCon’s) control. One category of CUI is known as Information Systems Vulnerability Information or ISVI. A question was raised if ISVI on the GovCon’s system are in play for being construed as CUI.

This approach for evaluation as a criteria is faulty for the following reasons:

    1. If using your GovCon networking infrastructure in support of a Government Contract (-i.e.: hosting material information about military personnel in an AWS Cloud that you control), it is highly likely the government will define this matter as Controlled Defense Information (CDI) and potentially where cyber vulnerabilities are identified could be construed as Controlled Technical Information (CTI). This is because the networking infrastructure owned by the GovCon is being paid for by a Government contract.

Whereas if your corporate enterprise is merely being used as a General Support System for commercial purposes in support of a Government contract, then it will not be construed as ISVI, CDI, or CTI

    1. If an individual or entity (i.e. MSP or MSSP) has administrative rights on the GovCon’s system, the CUI debate is the wrong one to have. This flawed concept was further illustrated when CMMC 2.0 came out in 2021 where scoping guidance pertaining to “Security Protection Assets” was defined. This was a key turning point and, in my opinion, clearly telegraphing the direction the Government intends to go with the use of External Service Providers (ESP), also known as Managed Service Providers (MSPs) and/or Managed Security Services Providers (MSSPs).


Twelve months before the draft CMMC 2.1 documents were inadvertently made public, SoundWay’s Chief Cybersecurity Officer, Carter Schoenberg, examined this concept during an interview with Dana Mantilia and provided insights as to what MSPs and MSSPs should be doing to align with future obligations.

NOTICE: All information released in early August was marked as “DRAFT” and nothing about these documents should be taken as a final disposition. However, with narratives describing Organizations Seeking Assessments (OSAs), apparently the future replacement of Organizations Seeking Certification (OSCs), requiring a CMMC L2 certification for MSPs or MSSPs if they support a GovCon being assessed at Level 2. In my opinion, this is very telling.At the request of the Cyber-AB, we will not be releasing any snippets from the documents as their release was unapproved by the Government.

When re-evaluating the debate if an External Service Provider (ESP) has access to CUI or not now becomes irrelevant.


A Tale of Two Verticals – OSAs & ESPs

As of the date of this blog, 48 C3PAOs are approved by the Cyber-AB. While SoundWay is proud to be the 24th C3PAO authorized to conduct assessments, there are more important numbers for you to consider.

  • 300,000 – The number used by the Government from 2019-2022 regarding the number of GovCons in scope for CMMC considerations.
  • 10% – The anticipated percentage of said GovCons that will need an independent assessment (~ roughly 30,000 will be required to be independently certified).
  • 200,000 – The number used by the DoD CISO in early 2023 regarding the number of GovCons.
  • 80,000 – The number of GovCons anticipated to require independent certification (so now roughly 40% will be required to be independently certified – big jump).

Not to mention the unknown number of MSPs or MSSPs that will need to go into the queue for CMMC Level 2 certification – competing with GovCons and even candidate C3PAOs.

But arguably the most important number is one (1). Why? Because one (1) is the number of MSP/MSSP’s you use. If they are not considering an approach now for CMMC conformance, this could potentially prevent you from achieving CMMC Level 2 for your own organization.


Did you know that SoundWay’s CMMC Adaptive & Managed Operations (CAMO) is already on an approved C3PAO’s list to be assessed within 45 calendar days of final ruling? To learn more about CAMO, contact us at CMMC@soundwayconsulting.com.