If your business works with the Department of Defense, holds federal government contracts, or serves as a subcontractor to a prime contractor, your IT environment isn't just a business concern — it's a legal and contractual one.
The Cybersecurity Maturity Model Certification (CMMC) framework, NIST SP 800-171, and Controlled Unclassified Information (CUI) handling requirements impose specific technical controls that most off-the-shelf MSP packages don't cover. And unlike commercial compliance frameworks, the penalties for non-compliance with federal requirements can include contract termination and False Claims Act liability.
Here's what you need to understand — and what to look for in an IT provider who can actually help.
What is CMMC 2.0 and who does it apply to?
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's framework for verifying that defense contractors and subcontractors meet baseline cybersecurity requirements. As of 2025, CMMC 2.0 is being phased into DoD contracts with three levels:
- Level 1 (Foundational) — 17 basic cybersecurity practices. Required for all contractors that handle Federal Contract Information (FCI). Self-assessment annually.
- Level 2 (Advanced) — 110 practices aligned to NIST SP 800-171. Required for contractors that handle Controlled Unclassified Information (CUI). Third-party assessment required for most contracts.
- Level 3 (Expert) — 24 additional practices from NIST SP 800-172. Required for the most sensitive DoD programs involving critical defense systems.
A critical point many businesses miss: flow-down requirements apply to subcontractors. If you are a second- or third-tier subcontractor on a DoD program that involves CUI, you may be subject to CMMC Level 2 even if you never interact directly with DoD. Check your contracts carefully — or have a legal review done if you're uncertain.
What NIST 800-171 actually requires — the parts businesses fail
NIST SP 800-171 covers 14 control families with 110 specific requirements. The areas where most small businesses fail during CMMC assessments:
- Access Control (AC) — Limit access to CUI to users who need it; enforce least privilege; terminate sessions after inactivity; use separate accounts for privileged vs. standard user activity
- Audit and Accountability (AU) — Maintain audit logs of user actions, system events, and security incidents; retain logs for at least 90 days
- Configuration Management (CM) — Establish and maintain baseline configurations for all systems; track and control changes; prevent use of unauthorized software
- Identification and Authentication (IA) — MFA required for all privileged access and all remote network access; enforce password complexity and expiration
- System and Communications Protection (SC) — Encrypt CUI in transit and at rest; implement network segmentation to isolate CUI systems from general business systems
- System and Information Integrity (SI) — Scan for malware; apply patches promptly; monitor and act on security alerts and advisories from system components
The Microsoft 365 problem: you might already be non-compliant
One of the most common — and expensive — mistakes government contractors make is using commercial Microsoft 365 plans (Business Basic, Business Standard, or Business Premium) to store or transmit CUI. These plans are not FedRAMP High authorized and do not meet the data residency and access control requirements for CUI.
If you handle CUI, you need Microsoft 365 Government Community Cloud (GCC) or, for more sensitive data, GCC High. The migration is not trivial, but it is required. If your current IT provider doesn't know this distinction, that tells you something important about their federal compliance experience.
What to ask an MSP before hiring them for government contractor IT
Not all MSPs are equipped for CMMC work. These questions will separate the ones who are from the ones who will learn at your expense:
- "Have any of your clients completed a CMMC Level 2 third-party assessment (C3PAO assessment)? What was the outcome?"
- "Do you maintain a System Security Plan (SSP) and Plan of Action and Milestones (POAM) for clients? Who owns it?"
- "Is your own internal environment CMMC-compliant? How do you handle CUI you access on behalf of clients?"
- "Do you use FedRAMP-authorized cloud services for storing and processing CUI?"
- "Can you help us calculate and submit our SPRS (Supplier Performance Risk System) score?"
If an MSP is vague or unfamiliar with any of these questions, they are not the right provider for DoD contractor work — regardless of how good they are for commercial clients.
Common mistakes that trip up government contractors
- Using commercial M365 instead of GCC/GCC High for CUI — by far the most common finding
- Treating CMMC compliance as a one-time certification project rather than an ongoing compliance program
- Failing to account for CUI that flows to employee personal devices, home networks, or personal email
- No documented Incident Response Plan (required by NIST 800-171 IR.3.098) before assessors ask for it
- Relying on a non-CMMC-experienced MSP who presents a general SOC 2 report as equivalent to federal compliance (it is not)
Where to start if you don't know where you stand
If you're uncertain about your current compliance posture, start with a gap assessment against NIST 800-171. Your MSP should be able to produce a scored SSP that tells you which of the 110 controls you meet and which are gaps. From there, build a POAM to close the gaps before your next assessment window.
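As an added illustration of the gap assessment, scored SSP and POAM flow described above (example code written for this page, not from the page's author or any MSP), the following Python scores a constructed assessment the way the DoD Assessment Methodology scores SPRS: start at 110 and subtract 1, 3 or 5 points per unmet requirement, then list the open items for the POAM with the heaviest first. The seven controls and their weights are a constructed sample and partial-credit rules are omitted; confirm every weight against the current methodology before submitting a score.

```python
"""Score a constructed NIST SP 800-171 gap assessment as SPRS does and
build the POAM list of open items. Added example, not from the page;
control weights are a constructed sample to be verified against the
current DoD Assessment Methodology."""
from dataclasses import dataclass

MAX_SCORE = 110  # full credit when all 110 requirements are met


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    weight: int  # points subtracted when the control is not met: 1, 3 or 5


# Constructed sample of the 110 requirements (weights are an assumption here)
SAMPLE_CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users", 5),
    Control("3.1.5", "Employ least privilege", 3),
    Control("3.1.11", "Terminate sessions after a defined condition", 1),
    Control("3.3.1", "Create and retain system audit logs", 5),
    Control("3.5.3", "Use MFA for privileged and remote access", 5),
    Control("3.13.11", "Use FIPS-validated cryptography for CUI", 5),
    Control("3.14.2", "Provide protection from malicious code", 5),
]


def open_gaps(controls, implemented):
    """Controls the SSP does not mark as met (`implemented` is a set of ids)."""
    return [c for c in controls if c.control_id not in implemented]


def sprs_score(controls, implemented):
    """Start at 110 and subtract each unmet control's weight."""
    return MAX_SCORE - sum(c.weight for c in open_gaps(controls, implemented))


def build_poam(controls, implemented):
    """POAM entries ordered highest weight first, then by control id."""
    return sorted(open_gaps(controls, implemented),
                  key=lambda c: (-c.weight, c.control_id))


if __name__ == "__main__":
    # Constructed SSP result: four of the seven sample controls are met.
    met = {"3.1.1", "3.1.5", "3.3.1", "3.14.2"}
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS, met))
    for item in build_poam(SAMPLE_CONTROLS, met):
        print(f"POAM {item.control_id} (-{item.weight}): {item.title}")
```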
Before engaging any MSP for this work, use the IT RFP Generator to document your federal compliance requirements — it ensures every provider you evaluate is quoting against the same scope, which makes comparison meaningful and prevents scope creep surprises after you've signed.
Start with an honest assessment of your IT baseline
Before engaging any new IT provider, know where you actually stand. The IT Sanity Check takes 3 minutes and covers the foundational controls that CMMC assessors examine.
Take the IT Sanity Check →