Your Compliance Provider Is Gone. Now What?

A practical 30-day continuity playbook for DoD contractors whose CMMC compliance partner, MSP, or enclave host has ceased operations.

The Stehrling Team
May 4, 2026
7 min read

If you are reading this, you may have just learned that your CMMC compliance partner, your managed services provider, or your enclave host has ceased operations. You have contracts with CMMC requirements. You have an assessment timeline that does not pause. You have a stack of urgent questions and no one to answer them.

The next few weeks matter. They are also more manageable than they feel right now.

This is a practical guide for what to do. It is written for the person who needs to make decisions tomorrow morning, not next quarter. We will not waste your time on what could have been done differently. The situation is what it is. Here is the path back to stable.

The first 72 hours

The most important thing you can do today is gather. Before anything else, make sure you have copies of the documents and information that define your compliance program. If your former provider hosted these for you, time is short.
  1. Pull your documentation. System Security Plan (SSP), Plan of Action and Milestones (POA&M), network diagrams, hardware and software inventory, policies and procedures, evidence repository, any work products from your assessment preparation. These belong to you. Get copies into your direct control.
  2. Inventory what lives where. Identify which systems, data, mailboxes, and tenants are in your provider's environment versus your own. If your CUI resides in their GCC High tenant, that is your most urgent issue and needs immediate attention.
  3. Pull your contracts. Identify which of your DoD contracts have CMMC requirements, what your timeline obligations are, and whether any contracts have incident reporting or notification requirements that are time-sensitive regardless of provider status.
  4. Confirm your C3PAO relationship. If you were engaged with a Certified Third-Party Assessment Organization through your provider, confirm the contractual status directly with the C3PAO. If the relationship was direct, document where things stand.
  5. Pause new compliance-affecting work. If you can, do not create new evidence or change configurations in the affected systems until you have a plan. You do not want to widen the gap between your documented state and your actual state during a transition.

This list is not glamorous. It is the foundation everything else rests on.

What is actually at risk, and what is not

The instinct in a situation like this is to assume the worst. The reality is more measured.

Your CMMC obligations do not pause. They also do not accelerate. You have time to make sound decisions.

Your existing SSP, POA&M, and program documentation belong to you, even when a provider helped author them. They are your records, governing your environment, and they remain valid working documents during a transition.

The Department of Defense does not penalize contractors whose providers fail. Acting in good faith to restore your program, with appropriate documentation of the transition, is the expected response. Program offices and contracting officers have seen provider transitions before.

Your data, if it lives in your former provider's tenant, has legal protections. Most managed services contracts include data return obligations that survive termination, and these protections typically remain enforceable through receivership or wind-down proceedings. This is rarely a fast process, but it is a recoverable one.

Your assessment timeline, if you have one, can usually be adjusted in coordination with your C3PAO. They understand the realities of provider continuity and have processes for accommodating reasonable transitions.

You are not as exposed as you feel. The fire is real. It is also contained.

The 30-day plan

The first month is about restoring stability and setting direction. The order of operations matters.

Engage a compliance partner first. Before you select a new managed services provider, before you migrate any infrastructure, before you change any tooling, work with a compliance partner to assess where your program actually stands. The reason for this sequence is practical: infrastructure decisions made without compliance context lead to expensive rework. A compliance partner can help you understand the current state of your evidence, what gaps the transition has created, and what your infrastructure actually needs to support, so that the rebuild is right-sized and properly architected.

Conduct a current-state assessment. Where are you against the NIST 800-171 controls? What evidence exists, what evidence has been lost or made inaccessible, what evidence is intact but needs validation? This becomes the working document for the rest of the transition.

Plan the infrastructure transition with intention. New enclave host, data migration, identity transition, security tooling, monitoring and logging. This is real work, and it is well-understood work. Done in the right sequence with the right partners, it is also predictable work.

Communicate with your DoD customers. A short, factual notification that you are transitioning compliance providers and that your program continues. No drama, no apology, no excessive detail. Most program offices and prime contractor flow-down managers will treat this as routine if you treat it as routine.

Document the transition itself. The decisions you make, the partners you engage, the timeline, the rationale. This becomes part of your evidence trail and demonstrates the kind of governance that matters in an assessment.

The 90-day path

By month three, a well-managed transition has the following in place:

  • A new compliance program structure with clear, separately contracted accountability for each function
  • New infrastructure operational, with CUI properly resident in your control or in a properly contracted enclave
  • SSP and POA&M updated to reflect the new environment, current configurations, and any changes to your control implementations
  • Assessment timeline reset or confirmed with your C3PAO based on the new state of the program
  • Internal documentation of lessons learned, useful for your own governance and for future provider selection

This is not a fast timeline. It is also not an unreasonable one. Contractors successfully transition compliance programs every year, for many reasons. The infrastructure exists. The expertise exists. Your program is recoverable.

How to set this up so it does not happen again

Once stability is restored, there is a structural question worth thinking about.

The contractors who recover fastest from a provider failure are the ones whose compliance programs are built with independent, separately contracted accountability for each function. A compliance partner. An infrastructure provider. A C3PAO. Each contracted directly with you. Each accountable for their domain. None dependent on the others' financial health, strategic direction, or operational continuity.

This is not about distrust of any particular provider. It is about resilience. The same logic applies to any critical business function: concentrating operational dependencies in a single vendor creates a single point of failure. In a regulated environment with contractual obligations that do not pause, that concentration is a risk most contractors do not need to carry.

A multi-party program structure costs no more than a bundled one when priced fairly. It typically costs less, because each provider is competing in their own discipline rather than discounting one service to win another. And it is materially more durable.

This is the model we recommend, and the one we build.

A word on what comes next

The next few weeks will be uncomfortable. That is the honest assessment. There will be decisions to make under time pressure, conversations to have with customers, and operational gaps to navigate.

That said, contractors do this successfully. The work is well-understood. The path back to a stable, certifiable program is clear, even if the immediate experience is not. Your CMMC program is recoverable, and your business does not stop while you recover it.

If you are in this situation and want to talk through your specific circumstances, we are available. The first conversation is just to help you triage what you are actually facing and what your real options look like. No sales process, no commitment. Sometimes a clear-eyed second opinion is what you need to know which decision to make first.

Stehrling builds CMMC compliance programs for Defense Industrial Base contractors, working alongside independent infrastructure and assessment partners in a transparent, multi-party structure.

If you need a hand, reach out. We will pick up the phone.
