News, Trends, and Insights for IT & Managed Services Providers
News, Trends, and Insights for IT & Managed Services Providers
New Regulatory Shifts for MSPs: CMMC 2.0

So, three big ones in the world of MSP regulations.
Michael Duffey, President Donald Trump’s nominee for undersecretary of defense for acquisition and sustainment, has committed to reviewing the Pentagon’s controversial Cybersecurity Maturity Model Certification 2.0 initiative if confirmed. The revamped program, which went into effect in December, mandates defense contractors handling controlled unclassified information to comply with one of three levels of cybersecurity standards to qualify for Department of Defense contracts. Concerns have been raised regarding the burden these regulations may impose, particularly on smaller firms. A recent report by Redspin indicated that over fifty percent of respondents felt unprepared for the program’s requirements. Duffey emphasized the need to balance security and regulatory burdens, highlighting that small and medium-sized businesses are crucial to national defense but often more vulnerable to cyberattacks due to limited resources. He plans to explore options for improving the requirements and implementation of the Cybersecurity Maturity Model to ensure industry compliance with current cybersecurity best practices.

The General Services Administration is set to unveil significant changes to the Federal Risk Authorization Management Program, or FedRAMP, aimed at making the process leaner and more automated. The new 2025 plan will focus on establishing standards and policies rather than approving cloud authorization packages, which previously extended the process for up to 11 months. The GSA intends to reduce reliance on external support services, with only a small number of federal employees managing the program. Notably, the GSA plans to automate at least eighty percent of current requirements, allowing cloud service providers to demonstrate compliance more efficiently.
Meanwhile, across the Atlantic, The UK government has announced a comprehensive Cyber Security and Resilience Bill aimed at strengthening the nation’s defenses against growing cyber threats. The bill aims to bring more firms under regulatory oversight, addressing vulnerabilities in supply chains that could disrupt essential services.   Managed Service Providers are specifically named, providing core IT services and having extensive access to clients’ systems⁠⁠​

The new regulations define a managed service as one that meets all these criteria⁠⁠: Provided to external organizations⁠⁠​, Uses network and information systems⁠⁠​, Involves ongoing IT management, administration or monitoring⁠⁠​, Requires network connection/access to customer systems⁠⁠.  This would make them managed entities.  The proposed legislation also includes measures to enhance incident reporting requirements and improve the Information Commissioner’s Office’s capacity to identify and mitigate cyber risks proactively.

Why do we care?

On the US side, the shifting waters of CMMC send a confusing message.   While it seemed locked in.. is it now?   What to do?  Uncertainty is distinctly a negative for the market.   Changes to FedRAMP might be more positive, although over-automation could lead to compliance gaps or false assumptions of security. MSPs will still need human oversight to ensure comprehensive compliance.

On the UK side, Some MSPs may lack the in-house capabilities to meet the new regulatory expectations, especially regarding incident reporting and proactive risk management.  By recognizing MSPs as managed entities, the government is setting expectations for heightened cybersecurity practices.   The Information Commissioner’s Office will gain more power to enforce compliance.   The days of anyone hanging out a shingle in the UK may be about to disappear.

Choose your upgrade:

Get the full benefits of Business of Tech Plus

Insider Access

$12/month

Perfect for MSPs and ITSPs that want full interviews, early access, and ad-free listening

  • Programmatic Ad-free private podcast feedSame show, little interruptions
  • Channel Chatter previews1–2 topics with light insights
  • Early access to interview episodesHear it days before public release
  • Monthly Insider BriefTighter analysis you can share internally
  • Extra audio segmentsCut interviews, behind-the-scenes commentary, quick competitive notes
  • Become an Insider for $12/month

    Leadership Access

    $149/month

    Perfect for MSPs and Vendors that run a team and need the extended tactics, executive summaries, and weekly alignment brief

  • All Insider Access benefits plus . . .
  • Invite your teamIncludes access for 5 team members with option to add more
  • Vendor Strategy BriefsThe entire library, plus new analysis every month
  • Channel ChatterAll topics, full insights, complete vendor discussion + sentiment list
  • Quarterly State of the Channel Briefing
  • Monthly AMA submission priorityAsk Dave direct questions, and skip the line
  • Get the Leadership Edge for $149/month

    Vendor Partner

    $500/month

    Perfect for channel companies or vendors looking to deepen their engagement with the show.

  • All Leadership Access benefits plus . . .
  • Get highlighted as a show sponsor You'll get placement in the show notes, throughout the website, and on our dedicated sponsors page.
  • Enjoy regular shout outs You'll be featured in a rotating format during the show
  • Become a show sponsor for $500/month

    Search all stories