AI Governance Hurdles in Defense: Jason Tierney Examines CMMC Barriers for MSPs

The episode details a tightening regulatory environment driven by new enforcement timelines for Cybersecurity Maturity Model Certification (CMMC), altering how MSPs and IT service providers are expected to deliver both compliance and operational services for U.S. defense contractors. Structural pressure stems from the Department of Defense making CMMC Level 2 compliance a contractual mandate for approximately 300,000 defense contractors, shifting risk and accountability towards providers who manage compliance workflows, technical environments, and client behaviors. C3 Integrated Solutions and their dual CMMC Level 2 certifications exemplify this transition, with clear implications for co-ownership of compliance outcomes and increased scrutiny on provider practices.

The most consequential development is the substantial gap between compliance requirements and the current readiness of the defense contractor base. As of early 2026, only around 8% of contractors have obtained CMMC Level 2 certification, despite enforcement being implemented in contracts starting in November of the same year, according to Dave and Jason. Challenges arise from cost, organizational bandwidth, and complexity, with MSPs serving as pivotal partners to small subcontractors lacking in-house resources for process documentation and change management. Assessment scheduling bottlenecks and insufficient documentation are delaying certifications, increasing risk that many contractors and their service partners will miss the rapidly approaching deadlines.

Related developments reinforce the central issue of operational risk and governance complexity. Jason Tierney illustrates the difference between technical compliance and true assessment readiness, citing real-world examples where insufficient evidence and poor understanding of process details lead to significant assessment delays. The rise of compliance-as-a-service offerings, enclave computing environments, and specialized governance tooling are attempts to address those gaps, but also introduce new layers of pricing, platform selection, and accountability concerns, especially when third-party tools fail to meet strict requirements such as FedRAMP moderate for handling sensitive data.

For MSPs and IT leaders, the shift imposes higher barriers to entry, increased legal and contractual exposure, more rigorous documentation and process controls, and the need for customized delivery models that support both technical defenses and organizational behavior change. Providers must navigate conflicting requirements between specialized regulatory environments and multi-tenant tooling, manage escalating costs for both themselves and clients, and clarify responsibility boundaries in shared compliance scenarios. The requirement for human oversight—particularly in automated or AI-assisted compliance tooling—remains non-negotiable, reflecting the ongoing gap between technical implementation and credible assessment outcomes.

Supported by:
CometBackup https://cometbackup.com/?utm_source=mspradio&utm_medium=podcast&utm_campaign=sponsorship
Moovila https://www.moovila.com/mspradio/
HaloPSA https://usehalo.com/halopsa

💼 All Our Sponsors

Support the vendors who support the show:
👉 https://businessof.tech/sponsors/

⸻

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus

⸻

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe

⸻

📰 Story Links & Sources

Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🌐 https://www.businessof.tech

⸻

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech

⸻

🔗 Follow Business of Tech

LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews