The Pentagon’s cyber rules leave MSPs as an attack vector
https://www.nextgov.com/ideas/2026/05/pentagons-cyber-rules-leave-msps-attack-vector/413495/
Publish Date: 2026-05-12 16:31:00
Source Domain: www.nextgov.com
At a time when China, Russia and criminal groups are increasingly targeting military supply chains, a narrow regulatory gap has created an attack vector adversaries can exploit to undermine national security.
The Cybersecurity Maturity Model Certification (CMMC) program, which took effect in late 2025, is designed to protect those supply chains. By requiring contractors that handle Controlled Unclassified Information (CUI) to implement NIST SP 800-171 controls and undergo third-party verification, CMMC seeks to eliminate weak links across the Defense Industrial Base (DIB).
But as CMMC shifts from regulation to real-world enforcement, a fundamental question looms: Who actually holds the keys to military contractor information systems?
Overlooked impact of MSPs
Managed Service Providers (MSPs) are an indispensable part of protecting the DIB, giving small and medium-sized businesses (SMBs) access to IT expertise that would otherwise be cost-prohibitive. By outsourcing network, system and cloud management to MSPs, contractors can slash compliance costs while accelerating CMMC readiness, transforming a burdensome solo effort into a streamlined, scalable option.
Done correctly, with MSPs held to the same rigorous standards as their clients, these providers strengthen security through specialized knowledge, proactive threat hunting and shared best practices, hardening the entire supply chain against evolving threats.
Where CMMC falls short
If MSPs are not held to equivalent standards, they become a critical attack vector. MSP personnel routinely hold privileged administrative access to patch vulnerabilities, reset credentials and tune defenses. Compromised access can expose entire contractor networks. This “privileged access” reality is central to modern cybersecurity. But CMMC does not fully address it.
Many contractors, especially resource-constrained SMBs, depend on MSPs to meet and sustain compliance. Yet CMMC’s governing regulation treats MSPs as “External…