The Pentagon’s Cyber Rules Leave MSPs as an Attack Vector

FCW (GovExec Technology)
May 12, 2026

Why It Matters

Uncertified MSPs can expose the entire Defense Industrial Base to ransomware and espionage, jeopardizing national security. Closing the gap would tighten supply‑chain defenses without overburdening small contractors.

Key Takeaways

  • MSPs hold privileged access to CUI systems across defense contractors.
  • CMMC treats MSPs as voluntary ESPs, leaving certification gaps.
  • Only ~40 MSPs have CMMC Level 2, despite serving thousands of firms.
  • Congress could mandate MSP certification matching contractor CMMC levels.

Pulse Analysis

The Cybersecurity Maturity Model Certification (CMMC) was rolled out in late 2025 to enforce NIST SP 800‑171 controls across the Defense Industrial Base (DIB). By requiring third‑party verification, the program intends to eliminate weak links that could be exploited by hostile actors. For many small and medium‑sized defense contractors, achieving compliance on their own is cost‑prohibitive, so they turn to Managed Service Providers (MSPs) for network, cloud, and security management. When MSPs are held to the same rigorous standards, they can accelerate CMMC readiness and spread best‑practice defenses throughout the supply chain.

However, the current CMMC rulebook classifies MSPs as "External Service Providers" with only voluntary certification requirements. This creates a blind spot: MSP personnel routinely possess privileged administrative rights to patch, reset credentials, and configure defenses on systems that store Controlled Unclassified Information (CUI). Past incidents—SolarWinds’ 2020 software‑update breach, Kaseya’s 2021 ransomware attack on MSPs, and the 2026 ransomware campaigns by Qilin and Akira—show how compromised MSPs can cascade failures across hundreds of downstream contractors. Nation‑state groups such as China‑linked Mustang Panda continue to exploit these third‑party pathways, amplifying the risk as AI‑driven extortion tools become more sophisticated.

Legislators are proposing a targeted fix rather than a sweeping overhaul. The House Armed Services Committee could direct the Department of Defense to inventory MSP usage among Level 2 and Level 3 contractors, identifying which providers have administrative control over CUI environments. By amending 32 CFR Part 170 to incorporate the statutory definition of "managed service provider" and requiring MSPs with privileged access to obtain certification that mirrors their client’s CMMC level, Congress would close the most exploitable gap. This approach preserves the cost‑effective benefits MSPs deliver while ensuring that any entity with functional control over sensitive data meets verifiable security standards, thereby strengthening the overall resilience of the nation’s defense supply chain.
