By: Chor-Ching Fan

The compliance community is no stranger to speculation, especially as the Cybersecurity Maturity Model Certification (CMMC) program evolves. The CMMC Cyber AB, the official accreditation body for CMMC, plays a crucial role in overseeing the certification process, accrediting C3PAOs (Certified Third-Party Assessment Organizations), and ensuring the integrity of CMMC assessments. In the latest Cyber AB Town Hall webinar held on February 25, 2025, industry leaders tackled two myths about CMMC Level 2 certification that are important for organizations seeking certification (OSCs), external service providers (ESPs), and compliance professionals to be aware of.

Myth #1: Non-CSP External Service Providers (MSPs, MSSPs) Only Need Their Shared Responsibility Matrix (SRM) or Customer Responsibility Matrix (CRM) Certified at CMMC Level 2

The Reality:

Some ESPs, including Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), have been under the mistaken impression that they only need to certify those security requirements they list as inheritable on their SRM or CRM. However, this is not the case.

According to 32 CFR § 170.19(c)(2), an ESP’s information system must conform to all security requirements outlined in NIST SP 800-171 Rev 2—not just those an OSC might inherit. The regulation states that ESPs may voluntarily undergo a CMMC certification assessment to reduce their efforts during an OSC’s assessment, but this does not mean their compliance scope is limited only to inheritable controls. For ESPs working with defense contractors, ensuring full compliance with NIST 800-171 remains critical.

Myth #2: Some Companies in the Defense Industrial Base Are Already “CMMC Certified” at Level 2

The Reality:

While CMMC Level 2 assessments by Certified Third-Party Assessment Organizations (C3PAOs) have begun, no organization has yet been issued a final or conditional certification for CMMC Level 2.

Despite rumors suggesting that certain companies have achieved a FINAL or CONDITIONAL CMMC Level 2 status, the fact remains that no certifications have been completed. Until the Cyber AB and Department of Defense formally issue certifications, any claims of being “CMMC Certified” should be met with skepticism. Organizations should rely on official updates from the DoD and Cyber AB to track certification progress.

How Rizkly Supports CMMC Compliance for OSCs and ESPs

As compliance requirements continue to evolve, OSCs and ESPs need a streamlined approach to achieving and maintaining CMMC compliance. Rizkly’s Guided-Compliance-as-a-Service (GCaaS) platform simplifies the complexities of CMMC requirements through automated evidence tracking, tailored compliance roadmaps, and the option of fractional expert guidance.

Are You a CMMC Advisor or Assessor? Let’s Partner!

Rizkly is actively seeking partnerships with CMMC advisory and assessment firms to support the compliance journey of OSCs. Our platform enhances partners’ services by providing structured compliance workflows, real-time collaboration tools, and expert-backed automation to ensure efficient and cost-effective CMMC readiness.

If you are a C3PAO, RPO, or CMMC consultant, let’s work together to help defense contractors achieve compliance with confidence. Contact us today to explore partnership opportunities!