Hosting Defense Contractors? You May Be Closer to CMMC Than You Think

Writer: Jordan Sprogis

Jordan Sprogis, Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

Editor: Lillian Castro

Lillian Castro, Senior Editor

Lillian Castro brings more than 30 years of editing and journalism experience to our team. She has written and edited for major news organizations, including The Atlanta Journal-Constitution and the New York Times, and she previously served as an adjunct instructor at the University of Florida. Today, she edits HostingAdvice content for clarity, accuracy, and reader engagement.

Reviewer: Cristian Lopez

Cristian Lopez, News Manager

Cristian Lopez uses his Business Marketing background from the University of Illinois at Chicago to create comfortable environments for customers, clients, and colleagues to share their thoughts and ideas openly. From interviewing tech leaders to conducting UX market research projects, Cristian knows the importance of storytelling — a key variable for innovation and inspiration. His goal at HostingAdvice is to wow readers on the ever-evolving nature of the tech industry and bring his audience the most reliable and exciting content on all things hosting.

Follow the HostingAdvice team for a daily dose of tech news, trending IT discussions, and interviews with the web's most innovative technologists.
Follow Us:
2.7k
1k

If you host, colocate, or manage infrastructure for anyone who’s working with a Department of Defense (DoD) contract, there’s a compliance deadline coming up that most of the hosting industry may not even be aware of.

Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) will go into effect on November 10. Until last year, a contractor could implement security controls and just tell the government they’d done it. After November, they’re going to need a third-party assessor to confirm it.

Could You Be Part of a Client’s CMMC Scope?

☐ Host defense contractors

☐ Handle CUI

☐ Manage cloud environments

☐ Have administrative access

➡ If you checked multiple boxes, your services may be part of a client’s CMMC compliance review.

Now, to be clear, hosting and MSPs don’t automatically need their own CMMC certification just because a client happens to be a defense contractor.

But if their infrastructure hosts any of that client’s CUI — things like the email server, administering the cloud tenant, admin access — the provider is automatically part of that client’s compliance.

The Compliance Bar Is Going Up, Up, Up…

Cyrus Robinson, the VP of Security Operations at C3 Integrated Solutions, has a very unique view from inside the compliance world that’s serving the Defense Industrial Base.

“For organizations supporting highly regulated industries, especially the Defense Industrial Base, the attack surface is no longer limited to a single application, server, or vulnerability list,” he said.

This environment is built on APIs, cloud platforms, automation workflows, identity systems, and plenty of third-party integrations that are all constantly sharing data and triggering actions across several platforms. A small change can have a tsunami effect.

More than 50% of organizations have delayed application rollouts because of API security concerns

“A system may pass testing or review at a point in time but later become exposed because the environment changed faster than governance, documentation, and operational review processes could keep up,” Robinson added.

In December, a federal grand jury indicted a now-former CEO of a cybersecurity consulting firm, claiming that she falsely stated her company conducted independent cybersecurity assessments for defense contractors. The U.S. Department of Justice says that the company was actually consulting the same clients on how to pass the assessments.

Yikes.

This is all happening at a time when more than 50% of organizations have delayed application rollouts over API security concerns, and 58% monitor their APIs less than daily.

That’s a tale as old as time: Governance simply isn’t keeping up with the pace of how fast technology is changing. In 2026, we’re looking down the barrel of the API and AI systems gun.

Are APIs the Blind Spot Nobody’s Watching?

Out with the old, in with the new. Problems, that is.

“APIs have evolved into the operational control plane for modern applications, connecting services, workflows, AI systems and infrastructure across environments that security teams often cannot fully observe or govern in real time,” said Craig Riddell, Global Field CISO at Wallarm.

In fact, Wallarm’s own report found that broken authentication caused 52% of the API incidents, with unsafe API consumption behind another 27%.

What's Driving Today's API Security Incidents?

Source: Wallarm

  • Broken Authentication
  • Unsafe API Consumption
  • Other Causes

“Modern risk rarely comes from a single vulnerability,” Riddell explained. “It increasingly emerges through chains of interactions across APIs, third-party services, AI agents and automated workflows.”

It’s why point-in-time scanning tools keep missing things. An application, as Robinson said, can pass a security test and still expose the business through an integration or permissions that nobody thought was “risky” enough.

After all, at the end of the day, we’re all just human. But humans being human is forgivable, right? AI agents being AI agents is a whole different liability category.

“AI is no longer just a tool developers use to write code, it is an endpoint,” warned Hari Srinivasan, the Global Head of Products at Lineaje. “They sit in the API call path, receiving traffic, making decisions, and triggering downstream actions.”

Organizations Can’t Secure What They Can’t See

One recent study found that direct prompt injection attacks against agents running on GPT-5 and Gemini succeeded more than 79% of the time.

How, you ask? The same way it always has: malicious instructions embedded into otherwise ordinary-looking data. And once that hits a customer’s end point, all hell can easily break loose. So Srinivasan’s advice is simple: Treat AI like any other software dependency and keep track of where it comes from, how it’s used, and what risks it may be bringing.

Only 19% of organizations know exactly where AI is being used in their software development process

“Visibility without governance is still just noise,” he said, “but now that includes visibility into which models you are running, what they were trained on, and what API traffic they receive. An AI Bill of Materials is not optional when agents and models make business decisions.”

The current state of AI Bills of Materials — AIBOMS — makes it hard, though. While Gartner predicts that SBOM (software) adoption will rise from 56% in 2025 to 85% by 2028, the adoption rate for AIBOMs hasn’t even been determined yet because it’s so fresh.

Go figure: Cycode found that only 19% of organizations have full visibility into how AI is being used across their own development pipelines, just as the DoD is rolling out CMMC requirements that expect organizations to know exactly what’s happening inside their environments.

It’s as Srinivasan said: “When the model is an endpoint, AI governance is application security. Organizations that treat them as separate programs will find the gap between them is exactly where attacks land.”

Hosts Can’t Sit This One Out

If a federal grand jury indictment doesn’t scare you, maybe a fine will.

IBM’s cost of a data breach report priced the average supply chain compromise at $4.91 million, with a 267-day average detection-and-containment window. Verizon found that third-party involvement in breaches doubled in a single year (15% to 30%).

Put those together, and yeah, it’s scary.

No, hosting providers aren’t the ones training models or writing AI governance policy…but they are the infrastructure for all of this. So when an AI agent sends a malicious API call, or a client’s compliance regulations change to include the AI tools (which they will, undoubtedly), the provider’s name is already on the asset list whether they like it or not.

About the Author

Contributing Expert

Jordan Sprogis is a creative writer and tech researcher who has been working on online content for the better part of a decade. She holds a bachelor's degree in professional writing from Western Connecticut State University and has devoted much of her career to crafting content for various web verticals, including CyberSpyder and The Echo. Since joining HostingAdvice, Jordan has combined her storytelling ability with her fascination for advancements in technology to pen over 500 articles geared toward industry pros and newcomers alike.

« BACK TO: BLOG

Meet the Experts

Our team of experts with a combined 50+ years of experience in web hosting serve insight and advice to more than 20 million users!

We Know Hosting

$

4

8

,

2

8

3

spent annually on web hosting!