Navigating CMMC Compliance, and the realities of DoD cybersecurity requirements on the Front Range.

TL;DR Summary

  • Scoping is everything: CMMC compliance depends on the specific data you handle—like Controlled Unclassified Information (CUI)—not just the existence of a government contract.
  • The real deadline: Phase 2 mandatory third-party (C3PAO) certifications begin November 10, 2026.
  • Accountability cannot be outsourced: An MSP can guide and support your compliance journey, but the legal responsibility remains entirely yours.
  • Start with discovery: Success requires an honest gap analysis before buying any “compliance product.”
TrinWare Chief Services Officer and Director of Technology, David Dillion. TrinWare provides expert CMMC discovery, gap analysis, and cybersecurity solutions for Colorado defense contractors.

When a business on the Front Range calls me about compliance, the first question is, "Who is requiring this, and why?"

Sometimes a client has received a letter suggesting they pursue compliance, but the requirement is conditional on work they don’t actually do.

Sometimes they’ve been told by a prime contractor that CMMC compliance is required, without being told what level, whether self-attestation is sufficient, or whether a third-party C3PAO audit is involved. Often, they simply don’t know what Controlled Unclassified Information (CUI) they have, or where it lives on their network.

The honest answer to most of those questions at the start of every engagement is: I don’t know yet. And that’s fine. That is exactly what discovery and a gap analysis are for. The problem arises when an MSP skips those foundational questions entirely and starts selling a compliance solution before understanding what’s legally required.

What CMMC Compliance Actually Is (And What It Isn’t)

One of the most common misconceptions on the Front Range is that any government contract triggers compliance requirements. That’s not accurate.

Right now, the Cybersecurity Maturity Model Certification (CMMC) applies specifically to Department of Defense (DoD) contracts. The final DFARS rule took effect in 2025, and CMMC requirements are now appearing in new DoD solicitations.

Here is the timeline you need to know:

  • Phase 1 (Current): Level 1 and Level 2 self-assessments are the primary requirement.
  • Phase 2 (Starts Nov. 10, 2026): Mandatory third-party C3PAO certification becomes the standard for most contracts involving CUI.
  • Full Implementation (By Nov. 10, 2028): Mandatory compliance across the entire defense supply chain.

Non-defense federal contracts operate under a completely different framework. For most Front Range businesses, the date you should be planning around right now is November 2026, not 2028.

For a subcontractor, the required compliance level and assessment path are dictated by the prime contractor, not by the DoD directly.

A prime contractor receiving CMMC requirements must flow those requirements down to subcontractors handling Federal Contract Information (FCI) or CUI. The required level follows the information, not the tier.

A machine shop receiving technical drawings handles CUI just as much as the engineering firm that created them, and may have no idea CMMC applies to it at all.

Many small businesses in the defense supply chain are far less prepared for formal cybersecurity assessments than they realize. The DoD estimates approximately 80,000 contractors will need Level 2 C3PAO certification. That gap exists not because the requirements are impossible, but because nobody explains them clearly.

The Mystical Shroud Around Compliance

Compliance frameworks have a reputation for being impenetrable. Some of that reputation is earned. NIST SP 800-171, which forms the foundation of CMMC Level 2, contains 110 security controls across 14 domains. For a small business without a dedicated security team, the documentation requirements alone can feel overwhelming.

But much of the confusion is manufactured. Vendors with a financial interest in making compliance feel impossible are happy to let it feel that way. Once the scope is understood, the path forward is often straightforward.

NIST SP 800-171 is enforceable only through the DFARS clause 252.204-7012 included in a contract. The framework itself has no independent legal authority. Whether you’re subject to it at all depends entirely on what your contract says and what information you actually handle. That’s a scoping question, not a compliance emergency.

For small businesses in the Defense Industrial Base (DIB), addressing a significant portion of the 110 controls comes down to:

  • A solid cybersecurity foundation
  • Proper network and Active Directory hygiene
  • Documented IT policies
  • A well-configured security stack

The gap between where organizations start and where they should be is real. Experts consistently put the preparation timeline at six to twelve months, depending on baseline maturity. It's a project, not a crisis, provided you start with an honest assessment.

Where MSPs Get This Wrong

The Cyber AB made this explicit at its April 2025 Town Hall: CMMC compliance cannot be outsourced.

The Organization Seeking Certification is accountable for all 110 requirements and 320 assessment objectives under Level 2. An MSP can support the process, but they cannot own it on a client’s behalf.

That distinction matters

Some MSPs sell compliance as a managed service without clarifying where their accountability ends and the client's begins. A client who believes their MSP "has compliance handled" is a client who may discover otherwise during an audit.

The harder problem to fix

The harder problem is the MSP that engages in compliance work without genuinely understanding it, or without the capability to support a C3PAO assessment. According to research cited by CMMC.com, only 46% of contractors in the DIB feel ready for Level 2 certification.

Before trusting an MSP to guide a compliance effort, ask a simple question:

Have they successfully helped organizations prepare for the specific level of assessment you are facing?

The most common reason for failing a CMMC audit is incorrect scoping: specifically, the organization never defined its CUI boundary before the assessment began. That is a foundational question that should be resolved in the very first conversation, not discovered during a third-party audit.

Why This Matters on the Front Range Right Now

Colorado has become one of the most significant defense and aerospace markets in the country.
Northrop Grumman opened a new 100,000-square-foot facility near Centennial Airport, citing the I-25 corridor as a strategic aerospace hub.

Lockheed Martin, United Launch Alliance, and Raytheon all maintain major operations along the Front Range. Colorado defense contractors have been awarded over $120 billion across more than 6,300 contractors statewide.

The supply chain supporting those prime contractors runs through thousands of smaller Front Range businesses, many of which are facing CMMC requirements for the first time.


How TrinWare Approaches Compliance

The first thing we do is ask the right questions:

  • Who requires this?
  • What level?
  • What is the timeline?
  • What CUI does the client have?

Discovery and gap analysis come before any solution is proposed. From there, the majority of what NIST SP 800-171 requires comes down to a short, disciplined sequence:

  • Implement a properly configured security stack
  • Enforce disciplined network and Active Directory hygiene
  • Document existing gaps
  • Build a remediation plan
  • Work toward compliance that can withstand scrutiny
  • Prepare for the C3PAO audit, if the contract requires one

Compliance isn’t a product you buy. It’s a state you achieve and maintain. The MSP advising you should be capable of standing in that audit alongside you.

If you’re on the Front Range and trying to make sense of what compliance actually requires for your business, reach out.
The first conversation is just questions, and that’s exactly where it should start.

Connect with TrinWare

David Dillion, Chief Services Officer and Director of Technology, leads TrinWare's dedicated IT help desk and service delivery teams for Colorado businesses.

Contact David Dillion
Chief Service Officer
Director of Technology 
Direct: 720.409.3718

Internal + External Resources

Explore how TrinWare Procurement Solutions protects your MSP against evolving supply chain issues.
Download the Trin|Fortress Guide
Learn More about our Managed IT Services
Best MSPs in Denver Guide

Sources: DoD/Department of War CMMC FAQ v2.3 (dodcio.defense.gov), DoD DFARS Final Rule via Intersecinc.com, Federal News Network CMMC Readiness Report 2026, NIST SP 800-171 via NIST.gov, Agile IT NIST 800-171 Compliance Guide, Radicl NIST 800-171 Guide for Defense Contractors, Cyber AB April 2025 Town Hall via CMMC.com, CorpInfoTech CMMC Audit Failure Analysis, Denver Gazette Northrop Grumman Colorado Expansion 2025, Government Contracts Won Colorado Defense Data.

