
CMMC 2.0 and DFARS 252.204-7012 in Defense Contractor MSSP M&A Diligence: Scoping, Assessments, and Continuity

Acquiring a managed security services provider with defense industrial base clients means inheriting one of the most complex compliance frameworks in government contracting. CMMC 2.0, DFARS 252.204-7012, CUI boundary obligations, SPRS scores, and C3PAO assessment continuity each present distinct diligence requirements that must be resolved before close. This guide covers the full framework.

This content is provided for educational purposes only and does not constitute legal advice. Defense contractor acquisitions require review by counsel experienced in CMMC, DFARS, and government contract compliance.

Alex Lubyansky

M&A Attorney, Managing Partner

Updated April 18, 2026

Key Takeaways

  • CMMC certification is tied to the assessed legal entity and does not automatically transfer in an asset acquisition. Buyers must confirm continuity of certification before relying on the seller's level for post-close contract eligibility.
  • DFARS 252.204-7012 flows down to MSSPs that handle covered defense information on behalf of prime contractors. The MSSP is an External Service Provider within the contractor's assessment boundary and bears independent NIST SP 800-171 implementation obligations.
  • CUI boundary scoping in MSSP environments is technically complex. The buyer must map exactly which systems, personnel, and services are inside the assessment perimeter and identify how post-close integration activities could alter that boundary.
  • Purchase agreement representations for defense MSSP acquisitions must specifically address CMMC level held, SPRS score accuracy, absence of DCMA findings, DFARS compliance status, and any pending cyber incident reports to DoD. Generic "compliance with applicable law" reps are insufficient.

Defense contractor acquisitions occupy a distinct compliance tier in the MSSP market. A managed security services provider serving the Defense Industrial Base is not simply a cybersecurity company with government clients. It is a participant in a federally mandated security framework that carries affirmative obligations, third-party assessment requirements, federal reporting duties, and flow-down clauses that extend through every layer of the supply chain. When that MSSP is an acquisition target, all of those obligations are part of the diligence scope.

The Cybersecurity Maturity Model Certification 2.0 program, DFARS clause 252.204-7012, and the implementing regulations under 32 CFR Part 170 together create a layered compliance architecture that shapes what the seller can represent, what the buyer is acquiring, and what happens if certification continuity is broken after close. An MSSP that loses its CMMC certification post-close may be ineligible to perform on active defense contracts, which makes certification continuity a transaction-critical issue, not a post-close integration detail.

This article is a sub-article within the MSSP Cybersecurity M&A Legal Guide cluster. It covers the CMMC 2.0 tier structure, DFARS 252.204-7012 obligations and flow-down mechanics, 32 CFR Part 170 rollout timelines, CUI boundary scoping in MSSP environments, C3PAO assessment continuity in M&A, SPRS score handling, and the specific purchase agreement representations that defense MSSP acquisitions require. Related articles in this cluster address SOC 2 Type II attestation transfer, cyber insurance tail coverage, and broader MSSP diligence frameworks.

Buyers approaching defense MSSP acquisitions should also review the M&A due diligence guide and the representations and warranties guide for the broader transaction framework into which the CMMC-specific provisions fit.

CMMC 2.0 Framework: Level 1, Level 2, Level 3 Tiers and NIST 800-171 Alignment

The Cybersecurity Maturity Model Certification 2.0 program establishes a tiered compliance framework for contractors in the Defense Industrial Base. The program replaced the earlier CMMC 1.0 model, which had five maturity levels, with a streamlined three-level structure that aligns more directly with existing NIST cybersecurity standards and reduces the compliance burden on contractors that do not handle the most sensitive defense information.

Level 1 addresses the baseline cybersecurity hygiene required of any contractor that handles Federal Contract Information. FCI is information provided by or generated for the government under contract that is not intended for public release. Level 1 requires implementation of 15 practices derived from FAR clause 52.204-21, covers basic safeguarding obligations such as access control, identification and authentication, and media protection, and is satisfied through annual self-assessment. No third-party assessor is required for Level 1. An annual affirmation by a senior company official is submitted to the Supplier Performance Risk System.

Level 2 is the tier that applies to the largest share of defense contractors and MSSPs serving the DIB. It covers contractors that handle Controlled Unclassified Information under DoD contracts. Level 2 maps directly to the 110 security requirements in NIST Special Publication 800-171, Revision 2. For most contracts involving CUI, Level 2 requires a third-party assessment by a Certified Third-Party Assessment Organization every three years, followed by an annual affirmation. A narrow subset of Level 2 contracts, those assessed as involving lower-risk CUI, may be permitted to use self-assessment rather than a C3PAO assessment. The distinction between C3PAO-required and self-assessment-eligible Level 2 contracts is determined by the DoD program office for each specific contract.

Level 3 is reserved for contractors working on the most critical DoD programs. It builds on Level 2 and adds requirements drawn from NIST SP 800-172, which addresses enhanced security requirements for critical programs and high-value assets. Level 3 assessments are conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by C3PAOs. Very few contractors will be required to achieve Level 3, and the programs that require it are identified in specific contract solicitations.

For an MSSP acquisition, the buyer must determine which CMMC level the target holds, what the assessment pathway was (C3PAO or self-assessment), when the three-year assessment period expires, and which contracts require which level. A target that has achieved Level 2 through a C3PAO assessment and whose client contracts require Level 2 is in a fundamentally different position than a target that relied on self-assessment for contracts that now require C3PAO-validated assessment under the final rule implementation schedule.

CMMC 2.0 Level Summary

Level 1: Basic Cyber Hygiene

15 practices from FAR 52.204-21. Applies to contractors handling FCI. Annual self-assessment. SPRS affirmation required.

Level 2: Advanced Cyber Hygiene

110 practices from NIST SP 800-171. Applies to contractors handling CUI. C3PAO assessment every three years (most contracts). Annual affirmation. SPRS entry required.

Level 3: Expert

Exceeds NIST SP 800-171, adds NIST SP 800-172 requirements. Applies to most critical DIB programs. Government-led DIBCAC assessment. Reserved for specifically designated contracts.

DFARS 252.204-7012 Safeguarding and Incident Reporting Requirements

DFARS clause 252.204-7012 predates CMMC and remains the operative contractual vehicle through which the DoD imposes cybersecurity obligations on defense contractors and their subcontractors. The clause is included in DoD solicitations and contracts other than those solely for commercially available off-the-shelf items, and its obligations attach wherever the contractor's information systems process, store, or transmit covered defense information (CDI). CDI is unclassified controlled technical information or other information described in the CUI Registry that is marked or otherwise identified in the contract and provided by or on behalf of DoD, or that is collected, developed, received, transmitted, used, or stored by the contractor in performance of the contract. Operationally critical support is a separate concept under the clause: it does not define CDI, but a cyber incident that affects the contractor's ability to provide such support is reportable. For MSSPs serving defense clients, the clause is almost certainly present in the contracts governing the MSSP's service delivery, either directly or through subcontractor flow-down.

The safeguarding obligation in DFARS 252.204-7012 requires the contractor to implement the security requirements in NIST SP 800-171 on all covered contractor information systems where covered defense information is processed, stored, or transmitted. Where a contractor cannot implement a requirement, the clause requires development of a plan of action with milestones documenting how and when the gap will be addressed. The contractor must maintain a system security plan (SSP) documenting the implementation status of each NIST SP 800-171 control, and that SSP must be available for review by the DoD and its authorized representatives, including the Defense Contract Management Agency.

The cyber incident reporting obligation is one of the most operationally significant aspects of DFARS 252.204-7012. When the contractor discovers a cyber incident that affects a covered contractor information system, the CDI residing in it, or the contractor's ability to perform operationally critical support, it must conduct a review for evidence of compromise and rapidly report the incident to DoD through the DIBNet portal (https://dibnet.dod.mil) within 72 hours of discovery. Submitting that report requires a DoD-approved medium assurance certificate, which the MSSP must already hold; obtaining one during an incident is not realistic within the 72-hour window. The clause defines a cyber incident broadly as actions taken through computer networks that result in a compromise or an actual or potentially adverse effect on an information system or the information residing in it, so the obligation is not limited to confirmed data exfiltration: unauthorized access, malware introduction, and any event affecting the confidentiality, integrity, or availability of CDI all qualify, and the 72-hour clock starts at discovery, not at the end of the investigation.

Post-incident, the contractor must preserve and protect images of all known affected information systems, and all relevant monitoring and packet capture data, for at least 90 days from submission of the cyber incident report, and must submit any malicious software it discovers and isolates to the DoD Cyber Crime Center (DC3) in accordance with DC3's instructions. DoD may request access to those images and to additional technical information to conduct its own damage assessment, and the contractor must provide it. A subcontractor that submits a report must also pass the incident report number to the prime contractor (or next higher-tier subcontractor) as soon as practicable, which for an MSSP means every affected defense client learns of the incident through the contractual chain. Each report becomes part of the contractor's compliance record. In an MSSP acquisition, the buyer must determine whether any DFARS-reportable incidents occurred during the diligence period or the lookback period, and whether all required reporting, preservation, and upstream notification was completed on time and in proper form.

Cloud service obligations under DFARS 252.204-7012: The clause requires a contractor that uses an external cloud service provider to process, store, or transmit covered defense information to ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with the clause's incident reporting, preservation, and damage assessment provisions. This is a direct compliance requirement for MSSPs that deliver cloud-based security services to defense contractors. An MSSP using a cloud service that holds neither a FedRAMP Moderate (or higher) authorization nor a demonstrated equivalency for the specific services consumed is in potential violation of DFARS 252.204-7012 for each defense client contract that includes the clause. A private cloud the MSSP operates itself is not subject to this provision; it is simply part of the covered contractor information system and is assessed against NIST SP 800-171 directly.

32 CFR Part 170 Rollout Timeline and Effective Dates

The final rule implementing CMMC 2.0 was published at 32 CFR Part 170 on October 15, 2024 and took effect December 16, 2024, establishing the regulatory foundation for CMMC requirements in defense contracts. The rule establishes CMMC as a condition of contract award for applicable contracts and formalizes the assessment, certification, and affirmation infrastructure that had been operating under interim guidance. However, the final rule does not make CMMC requirements immediately applicable to all defense contracts. The implementation follows a phased rollout schedule that buyers must understand when evaluating a target's current compliance status and projected compliance obligations.

CMMC requirements reach individual contracts through a companion DFARS rule (48 CFR), which added clause 252.204-7021 and took effect November 10, 2025, and through the four-phase schedule in 32 CFR 170.3(e). Phase 1 began on that effective date: applicable solicitations require a Level 1 or Level 2 self-assessment as a condition of award, and DoD may require a Level 2 C3PAO assessment at its discretion. Phase 2, one year later, makes the Level 2 C3PAO assessment the default wherever Level 2 applies. Phase 3, a year after that, adds Level 3 requirements, and Phase 4, a year after Phase 3, extends CMMC to all applicable solicitations and contracts, including option periods on existing awards. During the rollout DoD may elect to defer a Level 2 C3PAO or Level 3 requirement from the initial award to an option period, so the requirement can arrive mid-contract rather than at re-competition.

For a defense MSSP acquisition, the rollout timeline is diligence-relevant in two directions. First, the buyer must confirm whether the target's existing contracts already contain CMMC requirements as solicitation conditions or contract clauses, and if so, what level is required and whether the target has met it. Second, the buyer must assess which contracts that do not yet include CMMC requirements will be subject to CMMC at their next renewal or re-competition. A contract that is currently exempt from CMMC under the phased rollout but whose next option period will include a CMMC requirement creates a forward-looking compliance cost that must be priced into the transaction.

The phased rollout also means that a CMMC self-assessment that was adequate at the time of contract award may not be adequate at renewal if the DoD designates the contract for C3PAO-required assessment in the next solicitation cycle. Buyers acquiring defense MSSPs with contracts currently on self-assessment pathways should model the cost and timeline of a C3PAO assessment as a probable post-close expenditure, not an optional one.

Phased Contract Flow-Down and External Service Provider Considerations

CMMC requirements flow down through the defense supply chain through contract clauses that prime contractors are required to include in subcontracts where the subcontractor may handle CUI or FCI, or where the subcontractor provides services that are within the prime's CMMC assessment boundary. The flow-down mechanism means that MSSP compliance with CMMC cannot be evaluated by looking only at the MSSP's direct contracts with DoD agencies. The buyer must trace the MSSP's compliance obligations back through the prime contractor relationships that generate those obligations.

The External Service Provider concept is central to understanding how MSSPs fit into the CMMC flow-down architecture. An ESP is an external entity whose people, technology, or services are used by a contractor in a way that places them within the contractor's CMMC Assessment Scope. MSSPs that manage security tools, provide security operations center monitoring, administer identity and access management systems, or handle other security functions for a defense contractor are typically ESPs for that contractor's assessment. The final rule distinguishes two cases. An ESP that is a cloud service provider and stores or processes CUI must meet FedRAMP Moderate (or equivalent) requirements. Any other ESP that handles CUI or security protection data (the logs, alerts, configuration data, and scan results an MSSP generates about the client's environment) has its services assessed as part of the contractor's C3PAO assessment, so the MSSP's controls, people, and processes are evaluated in the client's assessment even though the MSSP is not itself the prime contractor or a direct DoD subcontractor.

In a defense MSSP acquisition, the buyer must identify every client relationship in which the MSSP is designated as an ESP, understand what scope of assessment that designation entails for each client's C3PAO assessment cycle, and assess whether the MSSP's own infrastructure and controls are documented and maintained in a manner that supports clean C3PAO evaluation. The rule also allows an ESP to obtain its own CMMC Level 2 certification voluntarily; an MSSP that holds one can present it to each client instead of having the same infrastructure re-examined in every client's assessment. An MSSP that sits inside multiple clients' assessment scopes without its own certification carries a heavier and less predictable compliance burden, and obtaining that certification post-close is a cost the buyer should price.

The phased nature of CMMC rollout interacts with the ESP designation in a way that creates forward compliance risk even for contracts that have not yet included CMMC requirements. An MSSP that becomes an ESP for a client whose next contract renewal includes CMMC Level 2 requirements will find itself subject to C3PAO assessment scope even if the MSSP itself was previously operating under a self-assessment approach. The buyer must model these scenarios and confirm that the MSSP's current security posture can support C3PAO scrutiny within the assessment windows likely to be triggered by the client contract portfolio.

Controlled Unclassified Information Boundary Scoping in MSSP Environments

The CUI boundary, sometimes called the assessment boundary or CMMC boundary, defines the specific systems, networks, personnel, and services that fall within the scope of a CMMC assessment. For a traditional defense contractor, the CUI boundary often corresponds to a specific enclave or set of systems that process defense contract data. For an MSSP, the boundary is more complex because the MSSP's infrastructure, tooling, and personnel may touch multiple client environments, some of which involve CUI and some of which do not.

Proper CUI boundary scoping is critical because it defines the perimeter within which all NIST SP 800-171 controls must be implemented and assessed. A poorly scoped boundary, one that is drawn too narrowly and excludes systems that actually handle CUI, creates DFARS compliance exposure because NIST SP 800-171 is not being applied to all covered systems. An overly broad boundary that captures systems without CUI exposure creates unnecessary compliance cost by requiring those systems to meet NIST SP 800-171 standards.

For an MSSP, common CUI boundary scoping issues include: remote access tools that connect MSSP personnel to client environments handling CUI (if those tools are within scope, all related MSSP systems may be scoped in); shared security platforms that process security data from both defense and non-defense clients (if the platform processes data that includes CUI, it is within scope); SIEM and monitoring systems that receive logs from client systems handling CUI; identity and access management infrastructure that controls access to CUI environments; and MSSP personnel with administrative access to client systems where CUI is processed.

In an MSSP acquisition, the buyer should request the target's complete system security plan and boundary documentation for each assessed environment. The SSP should clearly identify which systems are within the CUI boundary, what CUI categories flow through those systems, what access controls segment CUI-bearing systems from out-of-scope systems, and how personnel access is controlled and audited within the boundary. Integration activities planned post-close, such as migrating the target to the buyer's SIEM or consolidating identity management platforms, should be evaluated against the CUI boundary to determine whether they trigger a re-scoping requirement.
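As an added example (not from the article, and not any MSSP's real inventory), the following Python models the scoping rule described above as graph propagation: any system that receives logs from, administers, or authenticates a CUI-bearing system is pulled into the boundary, transitively, and a planned post-close integration is evaluated by re-running the closure with the new connections added. The asset names, relation types, and inventory are constructed for illustration.

```python
from collections import deque

# Relation types, read source -> target, that pull the target into scope once the
# source is in scope.  These are assumed rules of thumb for the illustration,
# not the official CMMC asset categories:
#   forwards_logs_to   source ships logs/telemetry to target (SIEM, analytics)
#   administered_from  source is administered via target (jump host, RMM)
#   authenticates_via  source trusts target for identity (IdP, MFA service)
SCOPING_RELATIONS = {"forwards_logs_to", "administered_from", "authenticates_via"}


def compute_boundary(assets, edges, cui_sources):
    """Return the set of assets inside the CUI assessment boundary.

    assets      -- iterable of asset names in the inventory
    edges       -- list of (source, relation, target) triples
    cui_sources -- assets that directly store or process CUI
    """
    known = set(assets)
    successors = {}
    for src, rel, dst in edges:
        if src not in known or dst not in known:
            raise ValueError(f"edge references an asset not in inventory: {src} -> {dst}")
        if rel in SCOPING_RELATIONS:
            successors.setdefault(src, set()).add(dst)

    # Breadth-first closure from the CUI sources.  Edges are directional, so a
    # non-CUI client feeding the same SIEM does not itself enter scope.
    in_scope = set(cui_sources)
    queue = deque(cui_sources)
    while queue:
        node = queue.popleft()
        for nxt in successors.get(node, ()):
            if nxt not in in_scope:
                in_scope.add(nxt)
                queue.append(nxt)
    return in_scope


def integration_impact(assets, edges, cui_sources, planned_edges):
    """Compare the boundary before and after a planned integration.

    Returns (current_scope, newly_scoped) so the buyer can see exactly which
    systems a migration would drag into the next assessment.
    """
    before = compute_boundary(assets, edges, cui_sources)
    after = compute_boundary(assets, edges + planned_edges, cui_sources)
    return before, after - before


# Constructed sample inventory (illustrative only).
ASSETS = [
    "client_a_fileserver",    # defense client, holds CUI
    "client_b_webserver",     # commercial client, no CUI
    "mssp_siem",              # shared log platform for all clients
    "mssp_jumphost",          # analysts reach client systems through it
    "mssp_idp",               # identity provider for MSSP staff
    "threat_analytics_saas",  # third-party analytics fed from the SIEM
    "buyer_siem",             # acquirer's platform, not yet connected
]
CUI_SOURCES = {"client_a_fileserver"}
EDGES = [
    ("client_a_fileserver", "forwards_logs_to", "mssp_siem"),
    ("client_a_fileserver", "administered_from", "mssp_jumphost"),
    ("client_b_webserver", "forwards_logs_to", "mssp_siem"),
    ("mssp_jumphost", "authenticates_via", "mssp_idp"),
    ("mssp_siem", "forwards_logs_to", "threat_analytics_saas"),
]
# Post-close plan: point the target's SIEM at the buyer's SIEM.
PLANNED_EDGES = [("mssp_siem", "forwards_logs_to", "buyer_siem")]


def run_example():
    return integration_impact(ASSETS, EDGES, CUI_SOURCES, PLANNED_EDGES)


if __name__ == "__main__":
    current, added = run_example()
    print("in scope today:", sorted(current))
    print("newly scoped by the SIEM migration:", sorted(added))
```

Running it shows client_b_webserver outside the boundary even though it feeds the shared SIEM, the third-party analytics SaaS inside it (so it is subject to the FedRAMP Moderate question discussed later), and buyer_siem entering scope the moment the migration edge is added. Real scoping goes further: it classifies each in-scope asset into the CMMC categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets) and checks whether forwarded log data actually contains CUI. The closure here is the first pass that tells you where to look.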


Third-Party Assessor (C3PAO) vs Self-Assessment Eligibility

The distinction between C3PAO-assessed and self-assessed CMMC compliance is one of the most commercially significant factors in evaluating a defense MSSP acquisition. A C3PAO assessment provides an independent, DoD-authorized validation of the contractor's implementation of all 110 NIST SP 800-171 requirements. A self-assessment is a contractor-prepared evaluation that the contractor affirms in SPRS without independent validation. The two pathways carry very different levels of assurance and very different risk profiles in an M&A context.

Under CMMC 2.0, Level 2 contracts are divided into two categories based on the criticality of the programs and CUI involved. For contracts that the DoD determines require a higher level of assurance, a C3PAO assessment is mandatory as a condition of contract award. For contracts assessed as involving lower-criticality CUI, a self-assessment may be permitted. The program office for each contract makes this determination, and the solicitation will specify whether a C3PAO assessment or self-assessment is required. Buyers should request copies of all relevant solicitations and confirm the assessment pathway required for each contract in the target's portfolio.

A C3PAO assessment, once completed, is recorded by the C3PAO in the CMMC instantiation of eMASS, the DoD system of record for assessment results, and the resulting status (Final Level 2 (C3PAO), or Conditional Level 2 (C3PAO) where a POA&M remains open) is reflected in SPRS, where contracting officers check it before award. The Cyber AB marketplace lists accredited C3PAOs and other ecosystem participants, not contractor certifications. The certification is issued to the assessed entity for the specific scope that was evaluated, is valid for three years, and requires annual affirmation to remain active. A conditional certification is time-limited: the rule permits a POA&M only when the score is at least 88 of 110 and only for a limited set of lower-weighted requirements, and every open item must be closed and verified by a POA&M closeout assessment within 180 days or the conditional status lapses. A self-assessed Level 2 result is reflected in SPRS as a contractor-affirmed score without independent validation, and it satisfies only solicitations that call for Level 2 self-assessment.

For a buyer evaluating a defense MSSP, the assessment pathway matters not just for current contract eligibility but for post-close contract opportunities. A buyer that intends to grow the defense practice through new contract bids will need to hold the CMMC level required by those contracts. If the target's existing certification was achieved through self-assessment and new target contracts require C3PAO validation, the buyer must plan and budget for a C3PAO assessment before bidding on those contracts.

Affirmation Obligations and Annual Certifications

CMMC 2.0 requires a senior company official, the Affirming Official in the rule's terminology, to affirm in SPRS at the time of assessment and annually thereafter that the company continues to meet the requirements of its CMMC status. DFARS 252.204-7012 itself contains no annual affirmation, but its companion clauses create parallel exposure: 252.204-7019 and 252.204-7020 require a current NIST SP 800-171 DoD Assessment score, no more than three years old, to be posted in SPRS before award, and the contractor is responsible for its accuracy. These affirmations and postings carry legal significance that distinguishes them from typical compliance certifications: a false one creates potential liability under the False Claims Act, which allows the government and private whistleblowers to bring fraud actions against contractors who knowingly submit false certifications in connection with government contracts. The Department of Justice's Civil Cyber-Fraud Initiative has pursued exactly this theory against contractors whose posted scores or NIST SP 800-171 representations did not match their actual posture.

Under 32 CFR 170.22, the Affirming Official is the senior-level representative responsible for the company's compliance with the CMMC program and authorized to affirm its continuing compliance. The affirmation covers implementation of the required security requirements, as described in the system security plan, for the assessed scope, and it must be made at the time of assessment, every year thereafter, and again after any POA&M closeout. For Level 2 C3PAO-assessed certifications, the annual affirmation confirms that the conditions under which the certification was granted remain in place. For self-assessed results, the affirmation represents the company's own evaluation of its compliance without independent validation.

In an M&A context, the annual affirmation cycle creates a specific diligence obligation. The buyer should review each annual affirmation submitted by the target during the lookback period, confirm that the affirming official had actual knowledge of the security posture at the time of each affirmation, and assess whether any changes in the target's systems or controls between affirmations could have rendered prior affirmations inaccurate. An affirmation submitted when the contractor knew or should have known that controls were not in place is a potential False Claims Act exposure that travels with the business in a stock acquisition.

The affirmation obligation also has implications for post-close governance. The buyer must designate a new senior official to make annual affirmations post-close, confirm that the official has actual knowledge of the company's security posture, and establish internal processes to verify that the security controls described in the SSP are in fact implemented before each affirmation cycle. Buyers who acquire defense MSSPs without establishing this governance framework risk submitting false affirmations as the business evolves and systems change after close.

Assessment Transfer: Does CMMC Certification Survive Change of Control?

Assessment continuity is one of the most commercially significant CMMC questions in any defense contractor acquisition. The answer depends on the transaction structure, the post-close corporate configuration, and whether the people, processes, and technology that made up the assessed CMMC Assessment Scope remain in place. 32 CFR Part 170 contains no change-of-control procedure; it ties the certification to the assessed entity and scope and requires a new assessment when that scope changes significantly, and the DoD Level 2 scoping guidance cites mergers and acquisitions, alongside network expansions, as examples of such changes.

CMMC certification is issued to a specific legal entity for a specific assessment scope. In a stock acquisition where the certified legal entity is preserved as a subsidiary or operating entity of the buyer, and where the people, processes, systems, and controls underlying the original assessment remain materially unchanged, the certification can remain valid for the remainder of the three-year term, subject to the annual affirmation. The affirmation is the pressure point: the Affirming Official must be able to attest each year that the assessed scope and controls still hold. If post-close integration (a new parent identity provider, a migrated SIEM, consolidated remote-access tooling) materially changes the scope, a new assessment is required regardless of deal structure, and an affirmation made as if nothing had changed is the False Claims Act exposure described above.

In an asset acquisition, the buyer is a new entity and the seller's CMMC certification does not transfer. The buyer must undergo its own CMMC assessment before the acquired operations can hold a certification in the buyer's name. This assessment gap is a real operational risk: if the buyer intends to continue performing on defense contracts that require CMMC certification as an award condition, it must either ensure the seller retains the certified entity through close (in a stock structure) or plan an expedited assessment pathway. C3PAO scheduling currently involves significant lead times, and an assessment scheduled post-close may not be complete before a contract renewal requires certification.

Buyers should raise the proposed structure during diligence with the C3PAO that performed the assessment and, where the treatment of a specific change is unclear, with the DoD CMMC Program Management Office, and should confirm in writing which post-close changes would trigger a new assessment. This engagement should happen before signing, not after, so that any required restructuring or assessment scheduling can be addressed in the deal design phase.

Supplier Performance Risk System Scores and Purchase Agreement Representations

The Supplier Performance Risk System is the DoD's centralized platform for contractor cybersecurity assessment results and CMMC status. For Level 1, the contractor records its self-assessment result (all 15 requirements must be met) and the affirmation. For self-assessed Level 2, the contractor enters its NIST SP 800-171 DoD Assessment Methodology score, and independently of CMMC, DFARS 252.204-7019 requires a score no more than three years old to be on file before award. For C3PAO-assessed Level 2, the C3PAO records the results in CMMC eMASS, from which the certification status is reflected in SPRS. The DoD uses SPRS as a factor in evaluating contractor cybersecurity risk before contract award and option exercise.

The scoring methodology for NIST SP 800-171 assessments (the DoD Assessment Methodology, used for both 252.204-7020 Basic Assessments and CMMC Level 2 scoring) starts at 110, one point per requirement, and subtracts a weight of 1, 3, or 5 points for each requirement that is not implemented, so the result can go negative, down to a floor of -203. Two requirements carry partial credit: multifactor authentication (3.5.3) implemented for remote and privileged users but not general users costs 3 points instead of 5, and encryption that is in place but not FIPS-validated (3.13.11) likewise costs 3 instead of 5. No assessment can be completed at all without a system security plan (3.12.4). A contractor with gaps reports a score below 110 and records in SPRS the assessment date, the scope assessed, and the date by which it expects all requirements to be implemented, which is the POA&M completion date.
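As an added example (not from the article), the following Python recomputes a score from control implementation status and compares it with the figure a seller represents in SPRS, which is the check a buyer actually wants to run against the target's SSP. The scoring rules (110 maximum, 1/3/5-point deductions, partial credit for 3.5.3 and 3.13.11, floor of -203, no assessment without an SSP) follow the published methodology; the weights in SAMPLE_WEIGHTS cover only a handful of requirements and are illustrative, so take the full 110 weights from the methodology's annex for real use. The SSP status data is constructed.

```python
MAX_SCORE = 110
MIN_SCORE = -203  # floor defined by the methodology (every requirement unmet)

# The methodology allows partial credit for two requirements only:
#   3.5.3   MFA in place for remote and privileged access but not general users
#   3.13.11 encryption in use but not FIPS-validated
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "not_implemented", "partial", "not_applicable"}


def sprs_score(weights, status):
    """Return (score, poam_items) for an assessment.

    weights -- {requirement_id: 1 | 3 | 5}, point value per requirement
    status  -- {requirement_id: status}; a missing entry counts as not_implemented
    """
    if status.get("3.12.4") == "not_implemented":
        raise ValueError("3.12.4: no system security plan; the methodology "
                         "says an assessment cannot be completed without one")
    score = MAX_SCORE
    poam = []
    for req, weight in weights.items():
        st = status.get(req, "not_implemented")
        if st not in VALID_STATUS:
            raise ValueError(f"{req}: unknown status {st!r}")
        if st in ("implemented", "not_applicable"):
            continue  # N/A requirements carry no deduction
        if st == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req}: partial credit not allowed; "
                                 "score it not_implemented")
            deduction = PARTIAL_CREDIT[req]
        else:
            deduction = weight
        score -= deduction
        poam.append(req)  # every deduction needs a plan of action entry
    return max(score, MIN_SCORE), sorted(poam)


def check_represented_score(represented, weights, status):
    """Diligence check: does the seller's SPRS figure match the SSP evidence?"""
    computed, poam = sprs_score(weights, status)
    return {"represented": represented, "computed": computed,
            "gap": represented - computed, "poam_items": poam}


# Illustrative subset of requirement weights (assumed for the example).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.22": 1,
    "3.3.1": 5, "3.5.3": 5, "3.8.1": 3, "3.13.11": 5, "3.14.1": 5,
}
# Constructed status taken from a hypothetical target's SSP.
SAMPLE_STATUS = {
    "3.12.4": "implemented",       # SSP exists, assessment can proceed
    "3.1.1": "implemented", "3.1.2": "implemented",
    "3.1.3": "not_implemented",    # no CUI flow enforcement: -1
    "3.1.22": "not_applicable",    # no publicly accessible systems: no deduction
    "3.3.1": "implemented",
    "3.5.3": "partial",            # MFA for admins/remote only: -3 instead of -5
    "3.8.1": "implemented",
    "3.13.11": "partial",          # TLS in use but not FIPS-validated: -3
    "3.14.1": "not_implemented",   # no flaw remediation process: -5
}


def run_example():
    # The seller represented a perfect 110 in the data room.
    return check_represented_score(110, SAMPLE_WEIGHTS, SAMPLE_STATUS)


if __name__ == "__main__":
    print(run_example())
```

With these inputs the recomputed score is 98 against a represented 110, a 12-point gap with four POA&M items. In diligence the interesting output is not the number but the gap and the list: each item is a control the seller's own SSP says is missing, and each is a question for the Affirming Official who signed the last affirmation.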

For an MSSP acquisition, the buyer must verify the target's SPRS entry directly through the government portal (with appropriate access) or through representations from the seller accompanied by documentation. A seller that represents a high SPRS score but cannot document the underlying assessment methodology and control implementation status is presenting a diligence risk. False SPRS scores have been the subject of False Claims Act enforcement actions, and buyers who inherit a business with a materially inaccurate SPRS entry face both legal exposure and practical risk if the DoD audits the score post-close.

Purchase agreement representations related to SPRS should require the seller to represent and warrant: that the SPRS score disclosed in the disclosure schedules is accurate and reflects the contractor's actual implementation status as of the date of assessment; that the SPRS entry has been updated to reflect any material changes in security posture since the last assessment; that no plan of action is overdue or has lapsed; and that the SPRS entry has not been submitted with knowledge of any material inaccuracy. Indemnification provisions should address post-close discovery that the represented SPRS score was inaccurate.

FCI and CUI Data Handling in Cloud MSSP Environments and FedRAMP Moderate Equivalency

Cloud infrastructure is central to how modern MSSPs deliver services, and the intersection of cloud architecture with DFARS 252.204-7012's cloud service requirements creates a distinct compliance layer in MSSP acquisitions. DFARS 252.204-7012 requires that cloud services used to process, store, or transmit covered defense information meet security requirements equivalent to those established by the Federal Risk and Authorization Management Program at the Moderate baseline. FedRAMP Moderate authorization is the DoD's minimum acceptable cloud security baseline for systems handling covered defense information.

In practice, the cloud service provider must either hold a current FedRAMP Moderate (or High) authorization for the specific services used, or the contractor must be able to demonstrate equivalency. DoD's January 2024 memorandum on FedRAMP Moderate Equivalency defines what that demonstration requires: the offering must meet 100 percent of the FedRAMP Moderate baseline, supported by a body of evidence (system security plan, security assessment report, POA&M, and continuous monitoring artifacts) produced by a FedRAMP-recognized third-party assessment organization, together with a customer responsibility matrix, and the contractor must have those documents available for DoD review. A vendor's self-attestation of equivalency does not satisfy this. The burden is on the contractor, and use of a cloud service that meets neither path is a violation of DFARS 252.204-7012 for each contract containing the clause.

For a defense MSSP, the cloud compliance analysis must cover every cloud service in the technology stack that processes, stores, or could access covered defense information. This includes SIEM platforms, security orchestration tools, identity and access management systems, remote monitoring infrastructure, data storage and backup services, and any third-party security intelligence feeds or analytics platforms that receive data from client environments. The MSSP may have dozens of cloud service relationships across its technology stack, and each must be evaluated for FedRAMP Moderate compliance.

In an MSSP acquisition, the buyer should request a complete cloud vendor inventory from the seller, mapped to the assessment boundary for each CMMC-covered client. For each cloud vendor in the boundary, the buyer should confirm current FedRAMP Moderate or High authorization status using the FedRAMP marketplace (marketplace.fedramp.gov), confirm that the authorized offering is the same offering the MSSP actually uses (a vendor's authorized government cloud and its commercial cloud are often different services), and, for any vendor without an authorization, obtain the equivalency body of evidence rather than a marketing statement. Cloud vendors in the boundary that meet neither path represent DFARS violations that must either be remediated before close or allocated through purchase agreement indemnification provisions.

Defense Industrial Base Client Contract Diligence and Flow-Down Risk

An MSSP's defense client contracts are not simply revenue. They are compliance instruments. Each contract that the MSSP holds as a subcontractor or direct contractor includes or should include DFARS 252.204-7012 flow-down provisions, and those provisions carry independent obligations for the MSSP's cybersecurity posture, incident reporting, and cloud service compliance. A buyer acquiring an MSSP with a defense client base is acquiring not just the revenue from those clients but the compliance obligations embedded in every contract.

The diligence process for defense client contracts in an MSSP acquisition should be structured to answer several specific questions. First, which client contracts include DFARS 252.204-7012 flow-down provisions, and has the MSSP acknowledged and implemented those provisions for each? Second, which contracts include CMMC requirements as solicitation or award conditions, and at what level? Third, are there any contracts where the MSSP's compliance status is in question or where a DCMA review or DIBCAC assessment is pending? Fourth, do any client contracts include government facility access, system access, or other security-sensitive activities that impose additional compliance obligations beyond DFARS 252.204-7012?

Flow-down risk is bidirectional. If the MSSP has failed to implement the DFARS 252.204-7012 requirements applicable to a client contract, the prime contractor for that contract may face its own compliance exposure if its CMMC assessment includes the MSSP as an ESP with inadequate controls. This means that a defense MSSP's compliance gaps can create liability not just for the MSSP but for its clients, and that clients may assert claims against the MSSP for compliance failures that affected the client's own government contract standing. These are potential contingent liabilities that belong in the disclosure schedules.

Buyers should request and review every executed defense client contract, confirm that flow-down clauses are present where required, verify that the MSSP's system security plan documentation addresses each in-scope client contract, and assess whether any client has raised DFARS compliance concerns during the lookback period. Client termination rights triggered by CMMC or DFARS compliance failures are a specific contract risk that should be identified and quantified as part of the defense revenue diligence.


Purchase Agreement Representations: CMMC Level Held, SPRS Score, No DCMA Findings, DFARS Compliance

Generic "compliance with applicable law" representations are structurally inadequate in defense MSSP acquisitions. The regulatory framework governing CMMC 2.0 and DFARS 252.204-7012 is specific enough, and the consequences of non-compliance severe enough, that purchase agreements for defense MSSP transactions require a dedicated set of CMMC and DFARS representations that address each compliance dimension with specificity.

The CMMC level representation should require the seller to identify the specific CMMC level the target currently holds for each assessment boundary, confirm whether the certification was obtained through C3PAO assessment or self-assessment, identify the certification date and expiration of the current three-year period, and represent that no material changes to the people, processes, or technology within the assessment boundary have occurred since the certification was issued that would render the certification inaccurate. For C3PAO-assessed certifications, the representation should confirm that the certification is reflected in the Cyber AB marketplace as active and that no findings from the assessment remain open or unresolved.

The SPRS score representation should require the seller to disclose the exact SPRS score currently reflected in the system, confirm the date of the underlying assessment, identify any plans of action and milestones associated with the score, and represent that the score was submitted with a reasonable good-faith belief in its accuracy. The representation should further confirm that the score has been updated following any material changes in security posture, that no assessment since the submitted score has resulted in a lower accurate score that has not been re-submitted, and that no DoD or agency contracting officer has raised written concerns about the accuracy of the SPRS entry.

The DCMA findings representation should require the seller to disclose all Defense Contract Management Agency reviews, audits, or assessments of the target's government contract compliance during the lookback period, confirm the disposition of any findings (remediated, open, subject to a corrective action plan, or contested), and represent that no open DCMA findings exist regarding the target's NIST SP 800-171 implementation, system security plan adequacy, or DFARS 252.204-7012 compliance. Open DCMA findings are a pre-close compliance deficiency that the buyer should either require to be remediated before close or address through specific indemnification coverage.

The DFARS compliance representation should cover the full scope of 252.204-7012 obligations: implementation of NIST SP 800-171 requirements across all covered contractor information systems; maintenance of system security plans for each covered system; use of cloud services meeting FedRAMP Moderate requirements (or documented equivalency) for all covered defense information processed in cloud environments; timely reporting of all cyber incidents to DC3 during the lookback period; complete and accurate cyber incident reports for all reported incidents; and no outstanding post-incident obligations, including malware preservation or forensic access, from incidents reported during the lookback period.

Defense MSSP Purchase Agreement: CMMC and DFARS Representation Checklist

  • CMMC level held, assessment pathway (C3PAO or self-assessment), and certification date for each boundary
  • Active certification status in Cyber AB marketplace with no open assessment findings
  • Annual affirmation submissions accurate and made by authorized senior official
  • SPRS score: current entry, assessment date, accuracy representation, no material downward changes unreported
  • No open DCMA findings regarding NIST SP 800-171 implementation or DFARS compliance
  • NIST SP 800-171 implemented across all covered contractor information systems
  • System security plans maintained and current for each covered system
  • Cloud services meet FedRAMP Moderate requirements for all covered defense information processing
  • All DFARS cyber incidents reported to DC3 within 72 hours; no overdue reports
  • No pending DoD forensic access or malware preservation obligations from prior incidents
  • All subcontractor flow-down clauses included in applicable subcontracts
  • No False Claims Act exposure from inaccurate SPRS submissions or affirmations

Survival periods for CMMC and DFARS representations should reflect the False Claims Act's six-year statute of limitations for straightforward false claims and the ten-year limitation for concealment. Buyers of defense MSSPs often negotiate extended survival for these representations specifically, given the potential for post-close DoD or Department of Justice review. Indemnification caps for CMMC and DFARS representations are frequently negotiated separately from the general rep and warranty cap, given the severity of potential penalties.

Frequently Asked Questions

Does CMMC certification survive a change of control?

CMMC certification does not automatically survive a change of control. The certification is issued to the legal entity that undergoes assessment, and a change of control can disqualify that certification depending on how the transaction is structured and whether the certified entity continues to exist post-close. In a stock acquisition where the certified legal entity is preserved intact, the certification may remain valid for the remainder of its three-year term, but the buyer must notify the Cyber AB and may need to confirm that the people, processes, and technology underlying the original assessment remain in place. In an asset acquisition, the buyer is a new entity and will need its own assessment before bidding on contracts that require the applicable CMMC level. Buyers should confirm the treatment of the seller's certification with the Cyber AB before structuring the transaction and before relying on the certification for post-close contract eligibility. This content is educational and does not constitute legal advice.

What is the difference between CMMC Level 1 and Level 2?

CMMC Level 1 applies to contractors that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires implementation of 15 basic cyber hygiene practices drawn from FAR 52.204-21 and is self-assessed annually. Level 2 applies to contractors that handle CUI, covers 110 security requirements drawn from NIST SP 800-171, and in most cases requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) every three years. A small subset of Level 2 contracts may permit self-assessment based on the criticality of the programs involved. Level 3 applies to contractors working on the most critical programs, requires government-led assessments, and maps to NIST SP 800-172. In an MSSP acquisition, the buyer must determine which CMMC level the target holds, which level is required by each defense contract in the portfolio, and whether the existing assessment supports the buyer's planned contracting posture post-close. This is educational content only, not legal advice.

How does DFARS 252.204-7012 flow down to MSSP subcontractors?

DFARS 252.204-7012 contains an explicit flow-down obligation. The clause requires contractors to include its requirements in all subcontracts where the subcontractor may handle covered defense information or provide operationally critical support. For MSSPs serving defense prime contractors or subcontractors, this means the MSSP is itself subject to DFARS 252.204-7012 as an External Service Provider handling covered defense information on behalf of the contractor. The MSSP must implement the NIST SP 800-171 requirements, maintain a system security plan, use cloud services that meet FedRAMP Moderate equivalency or higher, and report cyber incidents to the DoD within 72 hours. In an MSSP acquisition, buyers should audit whether the target has properly acknowledged its subcontractor obligations under each applicable contract's flow-down provisions, confirm SSP documentation exists for each applicable system, and assess whether incident reporting obligations have been met in full. This content is educational only and does not constitute legal advice.

What is the External Service Provider designation under CMMC 2.0?

The External Service Provider (ESP) designation under CMMC 2.0 refers to an entity that provides services to a contractor and whose services are included within the contractor's CMMC assessment scope because those services affect the security of the contractor's systems handling CUI or FCI. An MSSP that manages security tools, monitors networks, or administers systems that process CUI on behalf of a defense contractor will typically be designated as an ESP and will fall within the contractor's CMMC assessment boundary. This means the MSSP's own controls, personnel, and systems are evaluated as part of the contractor's C3PAO assessment. In an acquisition of an MSSP, buyers must understand which client contracts include the MSSP as an ESP, what that designation means for the scope of assessments the target has undergone, and whether the MSSP itself holds or is pursuing its own CMMC certification for its internal systems. This is educational content, not legal advice.

How are CUI boundary scoping issues addressed in MSSP M&A?

CUI boundary scoping defines which systems, personnel, and services are within the assessment perimeter for CMMC and DFARS compliance purposes. In an MSSP environment, the CUI boundary is complex because the MSSP's infrastructure, remote access tools, monitoring platforms, and personnel may all touch client environments that handle CUI. In M&A, buyers must conduct a system security plan review for each assessment boundary the target maintains, identify where CUI flows across the MSSP's infrastructure, assess whether enclaves or segmented environments exist that limit CUI exposure, and determine what changes in ownership, personnel, or technology post-close could alter the boundary and trigger re-scoping or re-assessment requirements. CUI boundary changes post-close can also affect the target's DIB clients, whose own CMMC assessments include the MSSP's controls. Sellers and buyers should agree on a CUI boundary map as part of diligence documentation. This is educational content only, not legal advice.

Can the buyer retain the seller's SPRS score?

The Supplier Performance Risk System (SPRS) score is tied to the legal entity and the Procurement Instrument Identifier (PIID) or Commercial and Government Entity (CAGE) code associated with the contractor's contracts. In a stock acquisition where the legal entity is preserved, the CAGE code and associated SPRS score may carry forward, but the buyer should confirm with the DoD's SPRS administrators whether a change of control triggers any notification or re-certification obligation. In an asset acquisition, the buyer is a new entity and will need to establish its own CAGE code and submit its own SPRS entry. The SPRS score the seller held cannot simply be assigned to a new entity. For purchase agreement purposes, sellers should represent and warrant the accuracy of any SPRS score disclosed in reps, because SPRS scores affect contract eligibility and past-performance assessments. Buyers should verify the current SPRS entry directly before close. This is educational content, not legal advice.

What C3PAO assessment impacts are typical in M&A?

A Certified Third-Party Assessment Organization (C3PAO) assessment is valid for three years from the date of assessment. Several M&A scenarios can affect that validity or require a new assessment. If the transaction results in significant changes to the people, processes, or technology that were evaluated during the assessment, the Cyber AB may determine that the original assessment no longer accurately reflects the contractor's security posture, which could require a new assessment before the three-year term expires. Integration activities post-close, such as migrating the target's systems to the buyer's infrastructure or replacing security tool vendors, can trigger re-assessment requirements. The cost of a C3PAO assessment is a meaningful transaction expense, and buyers should budget for the possibility of an expedited re-assessment as part of their acquisition cost analysis. Assessment scheduling can take six months or more given current C3PAO capacity. This is educational content only, not legal advice.

How are pending DFARS cyber incidents handled at close?

DFARS 252.204-7012 requires contractors to report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours of discovery. A cyber incident that occurred pre-close but has not yet been fully resolved presents a specific M&A risk: the reporting obligation follows the contractor, and in a stock acquisition, the buyer inherits both the incident and any residual reporting or remediation obligations. In an asset acquisition, the seller retains the pre-close incident liability, but the buyer must be careful about acquiring systems or infrastructure that remain compromised or under investigation. Purchase agreements for MSSP acquisitions should include specific representations about pending DFARS cyber incident reports, open DoD or DCSA investigations, and the status of any malware or intrusion remediation. Escrow or indemnification provisions specifically addressing pre-close DFARS incident exposure are appropriate in higher-risk transactions. This content is educational only and does not constitute legal advice.

Alex Lubyansky

Managing Partner, Acquisition Stars Law Firm

Novi, MI 48375 | 248-266-2790 | consult@acquisitionstars.com

Alex Lubyansky represents buyers and sellers in M&A transactions involving technology and government contracting businesses. Acquisition Stars focuses on mid-market transactions where managing partner attention throughout the engagement is a client expectation, not an exception.
