IT Support for Government Contractors

CMMC Level 2 is now a contract requirement, not a recommendation. If your IT provider can't produce a System Security Plan, explain CUI scoping, and deploy Microsoft 365 GCC High — you're either out of compliance or you're about to be.

CMMC Levels: What's Required and What Your IT Provider Must Do

Most defense subcontractors fall under Level 2. If your contract has CUI markings, you're in scope.

Level 1 — Foundational
Applies to: all contractors handling FCI (Federal Contract Information); any contract with clause FAR 52.204-21
Control requirements: 17 practices from FAR 52.204-21; basic cyber hygiene (antivirus, MFA, access control basics)
Assessment type: annual self-assessment; score submitted to SPRS (Supplier Performance Risk System)
IT provider's role: implement the 17 controls; help document the self-assessment; maintain evidence; upload the SPRS score

Level 2 — Advanced
Applies to: contractors handling CUI under DFARS 252.204-7012; most DoD primes and Tier 1–3 subcontractors
Control requirements: 110 practices from NIST SP 800-171 across 14 domains; documented SSP and POA&M required
Assessment type: third-party C3PAO assessment every 3 years plus annual affirmation; SPRS score required
IT provider's role: develop the SSP; implement all 110 controls; manage the POA&M; prepare for the C3PAO assessment; provide continuous compliance evidence; manage GCC High if applicable

Level 3 — Expert
Applies to: highest-priority DoD programs with the most sensitive CUI; a very small subset of contractors
Control requirements: the 110 NIST SP 800-171 practices plus additional practices from NIST SP 800-172
Assessment type: government-led DIBCAC assessment every 3 years
IT provider's role: deep federal compliance program management; requires specialized federal IT experience; not achievable with a standard MSP

The SPRS Score: What It Is and Why It Matters

Every DoD contractor must calculate and submit a cybersecurity score to SPRS (Supplier Performance Risk System). The maximum score is 110 points; each unimplemented NIST 800-171 control reduces the score. Scores are visible to government contracting officers during source selection. A low SPRS score can cost you contracts even if you're technically compliant — because contracting officers use it as a risk signal. Your IT provider should know your current SPRS score and have a plan to improve it.
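A worked SPRS estimate, added here as an example and not taken from the page or any provider's tooling. It applies the deduction model of the DoD NIST SP 800-171 Assessment Methodology (start at 110, subtract each unimplemented control's weight of 5, 3 or 1, floor at -203, partial credit of 3 instead of 5 for 3.5.3 and 3.13.11); the handful of control weights in the sample table are assumed for illustration and should be checked against the published table before use.

```python
"""SPRS score estimate from a control-implementation record (added example)."""

MAX_SCORE = 110
MIN_SCORE = -203   # lowest possible score under the DoD methodology

# Assumed weights for a few controls; the real table covers all 110.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.22": 1, "3.3.3": 1,
    "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}
# Partial credit: MFA only for remote/privileged users (3.5.3) or
# non-FIPS-validated encryption (3.13.11) costs 3 points instead of 5.
PARTIAL = {"3.5.3": 3, "3.13.11": 3}

# Constructed SSP gap record; controls absent from it are treated as met.
SAMPLE_STATUS = {
    "3.1.1": "met", "3.1.2": "met", "3.1.22": "not_met", "3.3.3": "not_met",
    "3.5.3": "partial", "3.13.11": "not_met", "3.14.1": "met", "3.14.2": "met",
}


def sprs_score(status: dict[str, str]) -> tuple[int, list[tuple[str, int]]]:
    """status maps control id -> 'met' | 'partial' | 'not_met'.

    Returns (score, deductions sorted largest-first) so the POA&M can be
    ordered by how many points each open gap is costing.
    """
    deductions = []
    for control, state in status.items():
        if control not in WEIGHTS:
            raise KeyError(f"no weight known for {control}")
        if state == "met":
            continue
        if state == "partial":
            if control not in PARTIAL:
                raise ValueError(f"{control} has no partial-credit rule; mark it not_met")
            deductions.append((control, PARTIAL[control]))
        elif state == "not_met":
            deductions.append((control, WEIGHTS[control]))
        else:
            raise ValueError(f"unknown state {state!r} for {control}")
    deductions.sort(key=lambda d: d[1], reverse=True)
    score = max(MIN_SCORE, MAX_SCORE - sum(w for _, w in deductions))
    return score, deductions


if __name__ == "__main__":
    print(sprs_score(SAMPLE_STATUS))
```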

NIST SP 800-171: The 14 Domains Your IT Provider Must Cover

All 110 controls fall into these 14 domains. Your MSP should be able to map their services to each one.

1. Access Control (AC) — 22 controls

Who can access what systems and data; least privilege; remote access; mobile device policies; CUI access restrictions

2. Awareness and Training (AT) — 3 controls

Security awareness training; role-based training for users with privileged access; insider threat awareness

3. Audit and Accountability (AU) — 9 controls

Audit log creation, review, and protection; user activity traceability; audit log retention

4. Configuration Management (CM) — 9 controls

Baseline configurations; configuration change control; least functionality; unauthorized software restrictions

5. Identification and Authentication (IA) — 11 controls

User identification; multi-factor authentication; password management; authenticator management

6. Incident Response (IR) — 3 controls

Incident response capability; incident handling; incident reporting to DoD within 72 hours of discovery

7. Maintenance (MA) — 6 controls

Controlled maintenance; media sanitization; maintenance tools; remote maintenance controls

8. Media Protection (MP) — 9 controls

Media access controls; CUI on digital and physical media; media transport; media sanitization and disposal

9. Personnel Security (PS) — 2 controls

Personnel screening; termination and transfer; personnel actions; third-party personnel

10. Physical Protection (PE) — 6 controls

Physical access controls; visitor management; monitoring physical access; managing physical access devices

11. Risk Assessment (RA) — 3 controls

Risk assessments; vulnerability scanning; remediation of identified vulnerabilities

12. Security Assessment (CA) — 4 controls

System security assessment; plan of action and milestones (POA&M); monitoring security controls; system connections

13. System and Communications Protection (SC) — 16 controls

Network boundary protection; CUI in transit encryption; network segmentation; architectural and design controls

14. System and Information Integrity (SI) — 7 controls

Flaw remediation; malicious code protection; security alerts and advisories; information system monitoring

Microsoft 365 Tiers: Which One Do You Need?

This is one of the most common compliance mistakes in the defense supply chain — contractors storing CUI in the wrong cloud environment.

M365 Commercial
FCI compliant: partial
CUI / DFARS compliant: no
ITAR compliant: no
Use case: non-CUI administrative work only; email and documents with no controlled content

M365 GCC (Government Community Cloud)
FCI compliant: yes
CUI / DFARS compliant: limited
ITAR compliant: no
Use case: federal civilian work and some DoD use cases; not approved for DoD CUI under DFARS 252.204-7012

M365 GCC High
FCI compliant: yes
CUI / DFARS compliant: yes
ITAR compliant: yes
Use case: DoD CUI and ITAR data; required for DFARS 252.204-7012 cloud compliance; operated by US persons in US-only data centers

M365 DoD
FCI compliant: yes
CUI / DFARS compliant: yes
ITAR compliant: yes
Use case: DoD agencies themselves, not contractors; requires a .mil domain

GCC High Migration: What to Expect

Migrating from commercial M365 to GCC High is a significant project. Expect 4–12 weeks depending on data volume, custom domains, and application integrations. Third-party apps that work in commercial M365 may not work in GCC High. Teams federation with commercial tenants is restricted. Your IT provider should have documented GCC High migration experience — not just commercial M365 experience. Ask for a reference from a defense contractor they've migrated.

ITAR IT Controls: The Basics

ITAR isn't just an export control issue — it has direct implications for how you configure IT systems, especially around access control.

Foreign National Access Prohibition

ITAR technical data cannot be accessed by foreign nationals — including dual citizens and green card holders — without a license. Your IT systems must enforce this through role-based access, and your IT provider's own staff should be US persons if they touch ITAR data.

Cloud Residency Requirements

ITAR data must remain within US borders and be accessible only to US persons. GCC High satisfies this. Standard commercial cloud does not. Backup systems, DR sites, and collaboration tools must all meet this standard if ITAR data flows through them.

Email and Collaboration Controls

Emailing ITAR-controlled technical data to a foreign national — even inadvertently via CC or reply-all — constitutes an unauthorized export. Email DLP (Data Loss Prevention) policies should flag and block outbound ITAR-marked content to foreign recipients.
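The DLP decision described above, written out as an added example (not the page's or any vendor's policy engine): a message is blocked when its subject or body carries an ITAR marking and any To, Cc or Bcc recipient falls outside the domains cleared as US-person mailboxes, which is exactly how a reply-all leak is caught. The marking patterns, the allow-list and the sample message are constructed assumptions.

```python
"""Outbound mail DLP check for ITAR-marked content (added example)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list: domains whose mailboxes are restricted to US persons.
US_PERSON_DOMAINS = {"example-defense.com", "example-prime.com"}
# Constructed marking patterns; a real policy would also key on sensitivity labels.
ITAR_MARKING = re.compile(r"\bITAR\b|\bexport[- ]controlled\b", re.IGNORECASE)

# Constructed single-part text/plain message with an inadvertent foreign Cc.
SAMPLE = """\
From: engineer@example-defense.com
To: pm@example-prime.com
Cc: vendor@overseas-supplier.example
Subject: RE: Drawing set 0417 - ITAR controlled
Content-Type: text/plain

This revision contains ITAR technical data; do not forward outside the program.
"""


def recipients(msg) -> list[str]:
    """All addresses across To/Cc/Bcc, so a foreign Cc is caught as well as a To."""
    headers = [v for h in ("To", "Cc", "Bcc") if (v := msg.get(h))]
    return [addr for _, addr in getaddresses(headers)]


def dlp_verdict(raw_message: str) -> dict:
    """Return {'marked', 'foreign_recipients', 'action'} for one outbound message."""
    msg = message_from_string(raw_message)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    marked = ITAR_MARKING.search(text) is not None
    foreign = []
    for addr in recipients(msg):
        domain = addr.rpartition("@")[2].lower()
        if domain not in US_PERSON_DOMAINS:   # '' (no @) lands here too: fail closed
            foreign.append(addr)
    if marked and foreign:
        action = "block"
    elif marked:
        action = "flag"     # log for review even when every recipient is cleared
    else:
        action = "allow"
    return {"marked": marked, "foreign_recipients": foreign, "action": action}
```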

Remote Access and VPN

Remote workers accessing ITAR-controlled systems must be US persons and should connect via a US-based, encrypted VPN. Geo-blocking or conditional access policies should prevent logins from foreign IP addresses to ITAR-scoped systems.
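To check whether a geo-restriction of this kind is actually in force, the sign-in log can be replayed against the intended policy; what follows is an added example, not the page's or Microsoft's code. It evaluates records shaped like Entra ID sign-in log entries (userPrincipalName, appDisplayName, ipAddress, location.countryOrRegion, status.errorCode) and reports successful sign-ins to ITAR-scoped applications from outside the allowed countries, treating an unresolved country as foreign. The application names, users and log lines are constructed.

```python
"""Replay sign-in records against an ITAR geo-restriction policy (added example)."""
import json

ITAR_SCOPED_APPS = {"ITAR Engineering Vault", "PLM-ITAR"}   # constructed app names
ALLOWED_COUNTRIES = {"US"}

# Constructed newline-delimited JSON sign-in records, not real telemetry.
SIGNIN_LOG = """\
{"userPrincipalName":"a.smith@example-defense.com","appDisplayName":"PLM-ITAR","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"a.smith@example-defense.com","appDisplayName":"PLM-ITAR","ipAddress":"198.51.100.7","location":{"countryOrRegion":"DE"},"status":{"errorCode":0}}
{"userPrincipalName":"b.jones@example-defense.com","appDisplayName":"ITAR Engineering Vault","ipAddress":"192.0.2.44","location":{},"status":{"errorCode":0}}
{"userPrincipalName":"c.lee@example-defense.com","appDisplayName":"Payroll Portal","ipAddress":"198.51.100.9","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
"""


def evaluate(record: dict) -> str:
    """Return 'allow', 'block' or 'out_of_scope' for one sign-in record."""
    if record.get("appDisplayName") not in ITAR_SCOPED_APPS:
        return "out_of_scope"
    country = record.get("location", {}).get("countryOrRegion")
    if country is None or country not in ALLOWED_COUNTRIES:
        return "block"   # an unresolved geolocation is not a pass
    return "allow"


def find_violations(ndjson: str) -> list[dict]:
    """Successful sign-ins to ITAR-scoped apps that the policy should have blocked.

    A non-empty result means the conditional access policy is missing,
    mis-scoped, or being bypassed, and each hit is an access event to review.
    """
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        succeeded = rec.get("status", {}).get("errorCode") == 0
        if succeeded and evaluate(rec) == "block":
            hits.append({
                "user": rec["userPrincipalName"],
                "app": rec["appDisplayName"],
                "ip": rec["ipAddress"],
                "country": rec.get("location", {}).get("countryOrRegion", "unknown"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_violations(SIGNIN_LOG):
        print(hit)
```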
