The episode details a tightening regulatory environment driven by new enforcement timelines for Cybersecurity Maturity Model Certification (CMMC), altering how MSPs and IT service providers are expected to deliver both compliance and operational services for U.S. defense contractors. Structural pressure stems from the Department of Defense making CMMC Level 2 compliance a contractual mandate for approximately 300,000 defense contractors, shifting risk and accountability towards providers who manage compliance workflows, technical environments, and client behaviors. C3 Integrated Solutions and their dual CMMC Level 2 certifications exemplify this transition, with clear implications for co-ownership of compliance outcomes and increased scrutiny on provider practices.
The most consequential development is the substantial gap between compliance requirements and the current readiness of the defense contractor base. As of early 2026, only around 8% of contractors have obtained CMMC Level 2 certification, despite enforcement being implemented in contracts starting in November of the same year, according to Dave and Jason. Challenges arise from cost, organizational bandwidth, and complexity, with MSPs serving as pivotal partners to small subcontractors lacking in-house resources for process documentation and change management. Assessment scheduling bottlenecks and insufficient documentation are delaying certifications, increasing risk that many contractors and their service partners will miss the rapidly approaching deadlines.
Related developments reinforce the central issue of operational risk and governance complexity. Jason Tierney illustrates the difference between technical compliance and true assessment readiness, citing real-world examples where insufficient evidence and poor understanding of process details lead to significant assessment delays. The rise of compliance-as-a-service offerings, enclave computing environments, and specialized governance tooling are attempts to address those gaps, but also introduce new layers of pricing, platform selection, and accountability concerns, especially when third-party tools fail to meet strict requirements such as FedRAMP moderate for handling sensitive data.
For MSPs and IT leaders, the shift imposes higher barriers to entry, increased legal and contractual exposure, more rigorous documentation and process controls, and the need for customized delivery models that support both technical defenses and organizational behavior change. Providers must navigate conflicting requirements between specialized regulatory environments and multi-tenant tooling, manage escalating costs for both themselves and clients, and clarify responsibility boundaries in shared compliance scenarios. The requirement for human oversight, particularly of automated or AI-assisted compliance tooling, remains non-negotiable, reflecting the ongoing gap between technical implementation and credible assessment outcomes.
Supported by:
CometBackup
Moovila
HaloPSA
[00:00:01] For roughly 300,000 defense contractors in the U.S., CMMC compliance is no longer a future concern. It's a present operational challenge with a hard deadline. As of early 2026, only about 8% of those contractors have earned CMMC Level 2 certification, and the enforcement clock runs out in November. The contractors who aren't there yet aren't failing because they don't care.
[00:00:25] They're failing because navigating CMMC requires change management, cross-team coordination, multi-framework sequencing, and a sustained technical environment that most small defense subcontractors simply don't have in-house. That's where the MSP comes in, not just as a vendor, but as a compliance partner. My guest today leads Managed Services at one of the few MSPs in the country that has actually earned dual CMMC Level 2 certifications.
[00:00:51] Separately for their Managed IT practice and their Managed Detection and Response practice. He's been living inside this compliance challenge daily for clients ranging from 10-person defense subcontractors to mid-size DIB primes. He has opinions about what works, what doesn't, and what the rest of the MSP channel can learn from the defense world and what it's already been forced to figure out. Jason Tierney joins me on this episode of The Business of Tech.
[00:01:19] Jason Tierney, you are the SVP of Managed Services at C3 Integrated Solutions. Welcome to The Business of Tech. Thanks, Dave. Thanks for having me. All right, so I'm going to start with the ground truth here a little bit. The numbers I've been seeing lately say roughly 8% of defense contractors have earned that CMMC Level 2 certification as of early this year. Enforcement is baked into contracts starting this November. You work with these contractors every day.
[00:01:48] Set the scene for me for people who haven't been living inside this space. Like, what does not yet certified actually look like on the ground? Yeah. Yeah, it's pretty tumultuous, right? You've got DOD contractors that have known about this for a while, didn't know if it was necessarily going to happen. But now you've got contracts that are accelerating the CMMC requirement beyond what they originally said as well. A couple of years ago when they were first discussing CMMC, it was only a certain percentage.
[00:02:17] It was a small percentage of contracts coming out in November 2026 where we're going to have the requirement. But now it's a lot more. And it's taking hold and it's becoming a real big problem because they don't have enough people that are getting assessed. And assessors and assessment organizations are running out of space to get it done in time. We'll be right back after this message. Here's what I'm hearing from MSPs on backup. They want control.
[00:02:47] Control over storage. Control over costs. Control over what happens when something breaks. Comet Backup gives you that. Bring your own storage, white label it for your clients and keep margins where they belong. With you. It's why Comet Backup keeps showing up when MSPs ask each other what actually works. See for yourself at cometbackup.com. And we're back.
[00:03:15] So, I mean, what is that big hold up? Funding, bandwidth, complexity. Like, what's causing this? Probably all of the three. All three of those. Everybody thinks it costs too much. I was just at CMMC Day and they were talking about cost and they broke it down really, really well. A, this is something you're supposed to have been doing anyway this whole time. B, the bigger your business, of course it's going to cost more.
[00:03:43] The smaller your business, of course it will cost less. And C, it's really a bigger issue about how you're understanding the cost and what you're trying to do there. Right? It needs to go into your SG&A. It needs to be part of your proposals, but it also needs to be something that you're doing as an organization centrally because it's got to be in the blood of your company. Okay.
[00:04:06] Now, I understand there's a distinction between being technically compliant and being assessment ready. Yep. Like, so that's ready for a third party to walk in and do the validation. Like, help me understand the gap. Like, how do you help contractors understand that? Yep. And, you know, what is bridging it look like? So NIST requires three things. It's got three primary verbs, right? Identify, authorize, and enforce. Identify is documentation. If you don't have documentation and documentation in a certain format, you're done.
[00:04:36] You can't even get started. Right? So a lot of organizations don't have that, or they've been trying to do that homegrown in-house because they think they can get through it. And they have these templates that just look like templates. We actually had an assessor come in to a customer that we're not managing compliance for, look at their system security plan and say, no, you guys aren't ready. We're not going to continue at this point.
[00:04:59] And, but the way the schedules go with the assessors, it's, that's like a six, seven month bump in your schedule to get through your assessment. Well, look at the calendar, right? That's November. And that's a huge problem. Okay. So what's like the most common thing that contractors have wrong when they think they're ready, but they actually aren't?
[00:05:22] It's understanding the level of detail that you need to go into with the evidence is where I, is my perspective on that. They, they think that just one or two things here and there will work, that they're not going to get asked to provide evidence for every single question when in fact they probably are. And they don't understand how to properly sit through an assessment. Um, you know, it's important. There's going to be blank space. There's going to be uncomfortable pauses.
[00:05:49] That's because the assessors take notes and a lot of people try to fill that space and they end up shooting themselves in the foot and take things a little bit too far and introduce, introduce things. It absolutely sounds like you've got an example. Can you give me an example? Obviously genericize, but give me an example of what that like, kind of like one of those stumbling pieces is.
[00:06:08] Yeah, so we had an organization, um, no names, of course, um, come through an assessment and we're, we're talking about, um, access control, um, that the first 3.1 domain and, um, administrative accounts. And we're, we're going through a demonstration. We're having a conversation about how we manage administrative accounts, how we make sure that administrative accounts can't do normal function things and normal accounts can't do privileged, privileged functions. Right.
[00:06:34] And, and what had happened that we didn't even know about is over the weekend, he was trying to be on site that I was trying to troubleshoot something. And he assigned a license, uh, a G5 license to his administrative account. Um, and that sort of came up in the middle of an assessment on a screen share. And that's a huge problem, right? Right. Um, so as we're talking things now, we're, now we're trying to, to, to deal with that and everything extends and everything gets, becomes a bigger issue.
[00:07:02] And the whole process takes longer than it costs more because the process takes longer. Gotcha. Now see through yourselves, you achieve dual CMMC level two certifications, both separately for the managed IT and managed detection and response. So, and you've applied that segregation of duties principle. So why does it matter that the MSP itself is certified? And you know, what did going through the process teach you about what your clients are dealing with? Yeah.
[00:07:28] So I know the rules change and the MSPs don't quote have to be certified, but what happens when you do have that level two, um, certification is you're able to leverage that as you work for the assessment. So when our customers come to us, you know, our, our program takes either 50% or 80% of those controls, um, on, on our own risk level. Right. We, we take control of those. Um, a lot of those are things that we have to do and prove ourselves. We have to have the same level of auditing. We have to have the same level of training. We have to have the same level of everything. Right.
[00:07:58] So if I'm not an assessed MSP, well now the MSP for every single one of its customers going through assessment has to basically get assessed themselves for everything they say they're responsible for. Um, and that's, again, it's, it's a huge time suck. It takes, it takes forever to get through all that every time. Um, and then you've got different assessors that interpret things differently.
[00:08:22] And while there's no consulting coming from the assessor, there are ideas of how things work and what it should look like. Um, and if you don't, if you don't convince them that you're doing it the right way, you've got a problem. So you could end up being the MSP as the cause of why your customer can't get assessed. We'll be right back after this message. This episode is supported by Halo. There's a moment many MSPs eventually reach the PSA they started with worked well early on, but as the business grows,
[00:08:51] workflows get harder to manage, automation becomes complicated, and the systems start shaping how the company operates. Halo PSA is designed for service providers who want more control over how their operations run, from ticketing and service delivery to billing and workflow automation. That's one reason Halo PSA often comes up when MSPs start evaluating their next PSA platform. You can learn more at usehalo.com.
[00:09:22] And we're back. Now I got to get into some of the delivery of this because obviously moving into compliance, you're taking on a compliance co-ownership role rather than just selling technology. So that means you got to manage people inside the contractor and how they behave, not just what their systems do. So I got to understand a little bit more about the delivery model. My understanding is CMMC requires contractors to change policies, processes, and employee behavior to move beyond just being a checklist.
[00:09:50] Like how do you structure the change management side of that to make sure that you roll it out well? And I'm sure you've got an area where like this is where it typically breaks down. Yeah, we have two primary different models for our CMMC customers. One where we take 80% of the assessment objectives and that's where we're managing the compliance as well. The other we take 50% of the compliance objectives. And that's where there's a third party or an in-house compliance team.
[00:10:15] So all that policy writing and all the procedures and all the bean counting to make sure everybody's done the training and done that is managed by somebody else. Right? So when we look at the 80%, we have a very locked down environment. Our customers don't have admin accounts in the environment in most cases. They have break glass accounts. We monitor those. We check for those. We audit those. Right? So we're not keeping them hostage or anything. But we're keeping them from hurting themselves, like the example I gave before. Right?
[00:10:45] So we're going in there with our processes that we've developed and vetted through not only our level two compliance, but now, you know, dozens of actual customer assessments that we've been through and passed through and ensuring that we're following our change management process. We're following our documentation process. We're adhering to our audit requirements. And that's how we're handling that. And the customers where we're only handling 50%, it gets a little more open. Right?
[00:11:13] That's where some customers do have co-admin capability. And in that way, we have a contractual engagement with them. So we, you know, we tell them, great, you want to be able to be an admin? Fine. You can be an admin. But now we're going to have a change board meeting every month. And we're going to talk about every change that you did. And why? Make sure it's in my system. Make sure that we have it fully documented and everything that needs to be there is there. Right? And then we can go ahead and have that.
[00:11:39] But if we find something that you didn't tell us about, and we're sitting in front of an assessor, the contract says that's on you. And we can't be held liable or accountable for that. And it sounds so businessy and legally, but it's the way the world has to move. Well, it is. And so I also want to make sure that people understand like this has a scale problem too, right? Because everyone thinks defense subcontractor, that must be a massive organization. That's not necessarily true, right? A 20 person defense subcontractor and they may not be in technology, right?
[00:12:08] They're delivering a particular truck part or they're delivering a, you know, a component to the supply chain or, you know, some of these pieces that, of course, the defense industry wants to consume. Like, how do you price and scope manage compliance for them? Like, how do you draw the minimum lines? How do you make sure that you're able to deliver it? Because, you know, this feels like a typical mom and pop SMB because it is. Yeah, because it is. And that's exactly right. We have a bunch of clients like that.
[00:12:37] We focus on an enclave approach for those customers. So instead of trying to bring your laptops in and rebuild your entire network in this CMMC focused environment because you make a screw for an airplane, we have that customer. They make a screw for an airplane and that's why they have to be compliant. Right. And we focus on an enclave. So we take the data that needs that requirement and the users that need that requirement. And maybe it's five people. Right. And we put them into an Azure Virtual Desktop environment hosted in Azure Gov.
[00:13:06] We deploy the applications they need to work with that data. We deploy communication infrastructure so they can get that data where it needs to go. And they can do it in a securely auditable fashion. So say a little bit more about how that works for them, because my instinct sort of says the moment you're carving out bit, they have a lot of workflow issues and they're probably not great at that. Like, talk to me through how that feels to them in day to day operations and how they integrate it together. Sure. So they all get a little confused at first. A lot of people still don't understand what a virtual desktop is. Right.
[00:13:35] So there's the first learning gap that we get through. The second is understanding why the security protocols are in place the way that they are. Why can't I share my screen when I'm in a Teams meeting is a big question that we got. Right. Okay. Because, you know, because that's exposing CUI and that's potential data leakage. That's why you can't. Right. So we've gone through all those different controls and put all that together. So what we find is the data usually comes in in one or two ways and it goes out in one or two ways. Right.
[00:14:05] So we're able to set up a separate identity. So, you know, maybe it's businessoftech.com, but you've got a government identity, businessoftech.us. So if you're working with the government organization and they're sending you CUI for you to do what you do with it, they send it to your .us address. Right. And so you receive it there. It lives in the SharePoint over there. You work in whatever application you need to work it in, put it back in SharePoint, and then you send it back by email the same way it came in.
[00:14:35] Gotcha. And so there's some other things in place that we can do as well. Some people have CNC machines and have to do actual manufacturing. Right. So we do some things with removable storage that we can allow certain ones and document and track. Right. So that you can get that data out of the enclave to your CNC into your manufacturing environment. Got it. But on the whole, it's a lot of documents. Sure. A lot of document management. Right. Which is what we all do now. I got a, you're an expert in this. And so I feel like you're the person to talk about.
[00:15:03] So on the Daily Show, I've been covering like this wave of tooling and the investment in compliance as a service for MSPs. These governance platforms, audit ready, AI, multiple, you know, all the sequencing tools. So the premise is that compliance is becoming a recurring service line. Right. That's that's the premise. Now, C3 has been running that model in one of the most demanding compliance and endurance for a while. So it feels like you're the right person to ask a lot of this.
[00:15:29] You know, I have points research published this spring found that governance, not skill, is the barrier to AI adoption for MSPs and their clients. You're in that world. What does AI governance look like in a CMMC compliant environment? Like, is that a problem? Are you working on what's that? That's really difficult to deal with. Right. That point is a great solution and got a lot of great programs or we're big friends with that point. Yeah. And we like their solution a lot.
[00:15:58] The way the way that it plugs in and looks at the permissions. Right. But but to really directly answer your question, it's kind of the same. But the tools really the issue because it's all about permissions. Right. You've got to make sure that you're protecting the data that needs to be protected. Only the users that should access that data can get to it and all those things. Right. So the tools that you need to follow and the rules are the same, but it's it's now you're looking for on prem versus cloud.
[00:16:23] FedRamp moderate if it's going to be touching your data and who has FedRamp moderate solutions. And do those work for your particular need and data types? Right. So that's where it gets sketchy in terms of governance, because those tools aren't there yet. Right. The FedRamp moderate. I mean, I have points there. Yes. But in you know, there's not a lot of competition there in that space. Well, to be fair, I'm just focused on their research, not their product. Right. I'm looking at this. I'm looking at this idea of governance as really the bit like so I want to get a little sense.
[00:16:52] Like, do you think defense contractors are ahead of the rest of the market on AI governance or just more regulated in general? They're behind. Because of the enclave approach that people take because of the strict CMMC requirements, it's very difficult to properly deploy AI in an environment where you're also using CUI. Okay. So Microsoft just released Copilot and GCCI not that long ago. So we do see some adoption on that, but it's inside the enclave. So we can use that. Right.
[00:17:22] We don't see a lot of interactivity with a third party AI. We don't see Anthropic. We don't see open AI. We don't see any of those things. Right. There's just there's too many questions and too much openness. I think people are afraid and they should be. The penalties for CMMC are very, very real and very, very bad. Okay. So I wouldn't want to put my name on something if I knew that one of the potential outcomes is I was going to go to jail. Right. Sure.
[00:17:48] So I'm also curious, like I've been watching a wave of compliance tooling come to the market. Right. And they're focused on the general MSP channel. Long list of, you know, we long list of vendors. I'm not going to name them, you know, but we know that there's a lot of these players that are coming in compliance in the name, tell you a version of it. They're building what you built for industrial, the industrial space. They're building on the multi-tenant SAS version. Yep.
[00:18:14] Like when you look at that, do you think the kinds of skills that you've built here are transferable or do you think CMMC compliance is particularly specialized and that the general MSP channel shouldn't try and replicate it? I think that there's a lot of stuff that can be replicated. Okay. That is pretty general in that regard.
[00:18:38] The issue with the MSP industry at large is there's such a gap to it to what's what I'm looking for. There's such a barrier to entry in terms of pricing. Right. Because, you know, and I started this conversation with pricing. Right. So when you look at your general MSP, three, $4 million a year business, right, working with a bunch of small businesses that need to have a compliance thing, you're going to spend $200,000 maybe for that size of an organization just to get yourself the way you need to be and be compliant.
[00:19:08] And then you're going to be looking at other tools that are available in the commercial space and not be able to use them. Okay. So, so I don't want to pick on any one of the vendors, but they all have their AI plugin and their this plugin near that plugin. And they're all in AWS US commercial. Right. So, so you're going to be a problem for your compliance and theirs. We'll be right back after this message. One of the hardest problems in managed services isn't technology.
[00:19:37] It's delivering projects predictably and profitably. Every MSP has lived this moment. You estimate a project at 40 hours and it ends up taking 90. Not because your team isn't capable, but because projects have dependencies, shared engineers, shifting priorities, and timelines that change constantly. That's where Moovila comes in. Moovila uses automation and AI driven scheduling to build accurate project timelines and continuously adjust them as conditions change.
[00:20:06] That means you know with certainty when a project will actually finish, when engineers will become available, and when you can safely take on new work. For MSPs trying to run a more mature, predictable operation, that kind of visibility is a big deal. If you want to deliver projects without the constant overruns, visit Moovila.com/mspradio. That's M-O-O-V-I-L-A.com/mspradio to learn more.
[00:20:35] And we're back. Now let's reverse that a little bit. How much do you think sort of general compliance space or, you know, using the security tooling, how much do you think that space can learn from CMMC? I think a lot. Okay. I think that, you know, as I think about tooling and kind of AI in general, because that's where it's all going, right? There's a lot that can be done.
[00:21:02] But it also scares me because it's not so much can you use AI for it. Of course you can. You can send AI probes out to your network and bring back data and settings and configurations, and you can have it write your system security plan for you and do all these things. But that's not quite good enough for CMMC. Okay. That might get you past some others. I'm not an expert in others. I'm not going to pick on any other one, right? I don't know if it would or wouldn't pass. But I know for CMMC that we see assessors that are, you know, this is too much of a template.
[00:21:31] You clearly didn't put enough energy into this and you clearly didn't do your homework the right way. Or you look at things and it just doesn't even apply, right? And so you start talking about, let's say it goes on a diatribe about mobile devices and mobile device management and your MDM policy. And then three controls later, you've got a statement, we don't use any mobile devices in your environment. Well, what in the world is that there for? It's because the AI was like, oh, you should talk about MDM and your BYOD policy. Right.
[00:22:01] And you didn't think enough to go pull it out. So while I think AI is a great tool and can be leveraged, I think all these GRCs that are building those AI, I think there's a lot of power there. It doesn't remove the human in the loop requirement. Much like anything else that you send out that's AI generated, right? You still got to have that person who understands what it is they're doing to validate and to correct those issues. Gotcha.
[00:22:27] Now, as we wrap up our time here, I want to get your take a little bit, kind of a broader one here. Like the, so there's critics that argue that CMMC created essentially a lucrative consulting industry that profits from contractor anxiety. Right. And they would argue that actual security outcomes for the defense industrial base still are unproven. Like, what's your take? Is there a legitimate version of that critique?
[00:22:52] And how do you think about the difference between compliance and genuine security? There's always going to be people that feed on anxiety. I've been in managed services for, gosh, forever now. There was a one in front of the year, I like to say. And, you know, there's always been the people that sell on fear. Right. FUD is a thing. Right. I don't like to think of myself as one of those people. I don't think that C3 operates that way.
[00:23:20] It's more of a very, very matter of fact, this is what the requirement is. Right. And let's break every requirement down and let's look at it. And that's why the solution that we bring you is the solution that you need, because it touches this requirement, this requirement, this requirement. You know, it hits everything on the mark. And that's what CMMC needs. I feel like there is space for profit, but everything. I mean, that's why we're in business. It's why we have a business because we want to make money. We need to send our kids to school.
[00:23:50] Like, right. So every everybody needs their space and their piece. But I think that that that fear sale is not not really a fair assessment of the market. Do you think or how much is there a gap of what the compliance regulations are versus actually achieving the principle of secure, you know, secure environments? Like, are we close to the mark? Is CMMC on? Is it way off? Like, what's your take? It's pretty close.
[00:24:18] There's gaps, and there's gaps because there's this 800-171 Rev 2 and that's old. And it doesn't account for a lot of things. And so we sit in assessments and we talk about certain things in 800-171 Rev 2 and we're like, why? Why is this even a thing? It doesn't make sense anymore. Right. Rev 3 is coming out. The government recently announced that they're going to be working on the rulemaking to bring CMMC up to Rev 3. Now, that's the government beginning of rulemaking.
[00:24:47] So it's going to be a minute. But the plan would be to roll that out and that's going to bring in a little bit more current with modern times. But at the end of the day, you know, when you break down CMMC to its core, it's are you running a quality MFA? Do you have permissions in place? And are you running least required privilege? Right. And are you managing your devices? Excuse me. I missed that last one. Right.
[00:25:09] As long as you're doing that, you're you're still meeting the spirit of what cybersecurity needs to have today in today's industry and keeping it all segmented and off the general cloud anyway is just good practice. Always comes back to the basics. Jason, if people are interested in reaching out, learning more, what's the best way for them to do so? Hit our website. C3isit.com. Awesome. Jason, this has been great joining me today. Thanks. Thanks so much for taking the time. Yeah, thanks, Dave. Had a great time.
[00:25:37] Want more from the Business of Tech? Join Business of Tech Plus for ad-free episodes, early interviews, extended cuts, subscriber-only shows and exclusive member perks and analysis. Sign up at businessof.tech/plus and follow this show on your podcast app. And if you're on YouTube, hit subscribe and the bell so you never miss a story. Reviews and comments help spread the word. Interested in advertising?
[00:26:04] Head to mspradio.com/engage. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. Thanks for listening. I'll see you on the next episode. Produced by Picture This Video. Part of the MSP Radio Network.

