You found a managed service provider, signed the contract, and assumed your IT and compliance needs were covered. What happens when they are not?
This article was created on the heels of the shuttering of NeoSystems LLC and firms dealing with the fallout of losing their trusted CMMC partner. We wish the best for any firms or employees impacted by these events and present the following as a resource. If you have been impacted by these events, please feel free to reach out and we will do our best to guide you to solutions and trusted partners.
The scenario: You found a managed service provider, signed the contract, and assumed your IT and compliance needs were covered. Alternatively, your long-time MSP has assured you multiple times that they are ready to tackle your CMMC assessment.
Then reality sets in. Your CMMC audit is approaching and your MSP is scrambling. They stop returning calls. They stop offering concrete solutions. Or, in the case detailed above, they just vanish.
Whatever the situation, you are not stuck. Here is what you need to know about the three most common ways an MSP relationship breaks down, and what to do about each one.
Scenario 1: Your MSP Can't Meet CMMC Standards
This is more common than most defense contractors realize. Not every MSP understands CMMC, and understanding it is very different from being able to execute it. Many providers will tell you they can "help with compliance," leaning on their background in a different compliance framework, without having the relevant experience or detailed processes to go from scoping to a successful assessment. CMMC comprises a specialized set of controls, and just because your MSP can tackle compliance doesn’t mean they are ready to handle CMMC.
Do they need to be CMMC certified themselves?
This is one of the most frequently asked questions we hear, and the answer is nuanced. Your MSP or External Service Provider (ESP) is not required to hold a CMMC certification of their own. But if they manage, process, or transmit Controlled Unclassified Information (CUI) on your behalf, their systems and practices become part of your compliance boundary. That means their security posture directly affects your certification status.
In practical terms: if your MSP handles your email, stores your files, or touches your network, their gaps become your gaps. An MSP that cannot demonstrate strong security practices, document their controls, or support your System Security Plan (SSP) is going to make your certification harder, not easier. This could put you and your contracts at risk. Relying instead on a firm with solid foundations and CMMC certification is preferable.
What to look for
Ask your current MSP directly: Have they supported other organizations through CMMC Level 2 certification? Can they show you their own documented controls? Do they understand what CUI is and how to identify it in your environment? If the answers are vague, it is unlikely that they will be successful with your firm.
The bottom line is that CMMC compliance requires a partner with specific, demonstrable expertise. Don’t gamble on an MSP/ESP that is learning alongside you.
Additionally, it’s important to note that if you get certified with one MSP/ESP and have to transition, you will need to be recertified. Ensuring you have a strong partner is crucial.
Scenario 2: Your MSP Disappears on You
It happens—providers get acquired, run into financial trouble, lose key staff, or simply shut down with little warning. When that happens to a defense contractor close to a compliance deadline, the consequences can be serious.
What to do immediately
First, take stock of what you own and what you don't. Your data belongs to you, but your documentation, configurations, and compliance records may be tied up in your provider's systems. If you still have access, pull everything you can: your SSP, your asset inventory, your incident response plans, your network diagrams, and any audit logs or assessment reports.
If you have already lost access, contact the provider's principals directly and in writing. You have a right to your own data, and in many cases you can recover it even after a provider shuts down.
Stabilize before you optimize
Be systematic and take small steps. Identify your most critical systems and make sure they are operational and monitored. If you are mid-assessment or have a pending audit, notify your Contracting Officer. Proactive communication is almost always viewed more favorably than silence.
Once you are stabilized, you can make a clear-eyed decision about your next provider rather than choosing under pressure.
What a new provider needs to know
When you bring in a replacement MSP or ESP, they will need to understand your current compliance posture from day one. The more documentation you preserved, the faster that transition will go. A qualified CMMC-focused provider will know what questions to ask and how to assess where you stand quickly.
Scenario 3: Transitioning Away From Your Current MSP
Sometimes there is no dramatic failure. You have simply outgrown your provider, or you have come to realize they are not equipped to support your CMMC goals. Transitioning MSPs is disruptive, but it is manageable when done carefully.
Don't wait until you're desperate
The worst time to switch providers is when you are already behind on compliance or facing an imminent audit. If you have concerns about your current MSP's capabilities, start exploring your options now. A good transition takes time, and rushing it introduces risk.
Plan the handoff carefully
Work with your current provider to document everything before you leave. This includes your network architecture, your user accounts and access controls, your security tools and configurations, and your compliance documentation. Even if the relationship has soured, a clean handoff protects you.
Review your contract carefully. Understand your notice period, any data portability provisions, and what support your current provider is obligated to provide during the transition.
Vet the new provider thoroughly
Before you sign with a new MSP or ESP, ask hard questions. Have they successfully supported CMMC Level 2 certifications for other defense contractors? Can they provide references? What does their onboarding process look like, and how do they handle the compliance gap period during transition?
A provider who has done this before will have clear answers and a solid track record. One who hasn't will be learning on your timeline and your dime.
The Bigger Picture
Your MSP is not just an IT provider; they are a compliance partner and an integral component in the success of your business. For many defense contractors, choosing the right provider affects your ability to hold and win government contracts. Investing in a company that cares about your success as well as theirs is the key to a great relationship.
About Us
Stratus is Alaska's first CMMC Level 2 certified managed IT service provider. We have helped defense contractors across the country achieve their CMMC Level 2 certification and take the time with our clients to make sure they understand what we are doing and why. If you are dealing with any of the situations described above – or you just want an honest assessment of where your compliance posture stands – we are here to help.
Reach out to the Stratus team to start the conversation. Alternatively, we recommend reviewing MSPs/ESPs listed on the Cyber-AB Marketplace or MSPs for the Protection of Critical Infrastructure directories to find a qualified service provider.




