How to Evaluate an MDR Provider for CMMC Compliance
When you buy managed detection and response for a DoD contract, you are buying evidence. Here is the 11-question checklist we wish every contractor used before signing.
If you hold DoD contracts and you are shopping for managed detection and response, you are not just buying security. You are buying evidence. When your C3PAO assessor sits down across the table, a chunk of your 110 NIST SP 800-171 controls will live or die on what your MDR provider actually does, what they log, and what they can prove.
Most contractors find this out during the assessment. That is the expensive way to find out.
We have been hunting threats since 2007. This guide is the checklist we wish every contractor had used before signing a monitoring contract, and it applies whether you evaluate us or anyone else.
What CMMC actually asks of your monitoring provider
CMMC Level 2 is 110 security practices from NIST SP 800-171 Rev. 2. Your MDR provider does not satisfy all of them. No provider does, and anyone who implies otherwise should be shown the door. But a real MDR service carries significant weight in three control families:
Audit and Accountability (3.3.x). You must create, retain, and review audit logs, correlate them for investigation, and alert on audit failures. If your MDR provider collects and reviews your logs, their retention policy becomes your retention policy, and their review cadence becomes your evidence.
Incident Response (3.6.x). You need an operational incident handling capability, and under DFARS 252.204-7012 you have 72 hours to report a cyber incident to DIBNet. That clock starts at discovery and does not pause while you figure out what happened. Your provider's detection timeline is the front half of your report.
System and Information Integrity (3.14.x). Monitoring communications for attacks, identifying unauthorized use, acting on alerts. This is the day job of any real hunt operation.
The 11 questions, and why each one has teeth
1. Who actually looks at my alerts, a human or a queue?
Ask how many analysts are on shift at 3 a.m. Sunday. Here is why the hour matters: when the Iranian-nexus operation against a major medtech company culminated this March, the destructive Intune wipe order was issued at 3:30 a.m. EDT, and roughly 200,000 systems were destroyed before most of the world was awake. Our hunt teams documented that kill chain end to end. Attackers schedule around your provider's staffing. Make sure someone is on the watch when it happens.
2. How do you detect what does not log?
This question separates hunt teams from alert-forwarders. When CISA published AR26-113a on the FIRESTARTER backdoor living inside Cisco ASA and Firepower firewalls, the report's hardest finding was that the implant generates no observable log events, so rule-based detection is blind to it. Our team's FIRESTARTER analysis lays out what works instead: reconciling VPN flow records against RADIUS accounting for sessions with no matching authentication, flagging logins on accounts dormant more than 90 days, and watching for unexplained syslog volume drops. Ask your candidate provider how they would catch an implant that never writes a log line. If the answer is a product name, keep interviewing.
3. How long do you retain my logs and who owns them?
Your assessor will ask for your retention period. If your provider dumps logs after 30 days and your policy says one year, you fail that control. Ask what happens to your data if you leave. If you cannot take your logs with you, they were never yours.
4. Which threat actors targeting my sector can you name right now?
The actors working the Defense Industrial Base are specific and documented. Any provider defending contractors should be able to talk fluently about MuddyWater's playbook: the February 2026 campaign opened with password spraying against OWA and VPN portals, spear-phishing, and exploitation of perimeter appliances via CVE-2024-55591 (FortiOS) and CVE-2026-1281 (Ivanti EPMM), staged tooling signed with stolen certificates, and exfiltrated via Rclone to Wasabi and Backblaze B2 buckets. If the sales engineer cannot describe tradecraft at this level of specificity on the call, the hunt team behind them cannot either.
5. What exactly happens when you find something at 2 a.m.?
Walk the timeline minute by minute. Who calls whom, with authority to do what? Get the SLA in writing and ask the penalty when they miss it.
6. Can you contain a threat, or do you just tell me about it?
Detection without response is a smoke alarm with no fire department. Session theft gets exploited fast: Microsoft documented attackers replaying stolen session cookies within five minutes of the phish. An email notification with a four-hour response SLA loses that race every time. Ask whether the provider can isolate a host, kill a session, and disable an account, under pre-agreed rules of engagement.
7. How do you handle false positives?
Alert fatigue is how intrusions get missed. Ask what percentage of alerts forwarded to customers turn out to be nothing, and how they measure it. Then ask their references the same question and compare answers.
8. Do you know what CUI is and where mine lives?
A provider protecting a defense contractor without understanding CUI boundaries is guarding a building without knowing where the vault is. Their scoping conversation should cover your CUI enclave, not just your endpoint count.
9. What do your analysts publish?
Public work is the only way to verify a provider's team before you sign. Ours is on the table: our unified detection pack for the MuddyWater and Handala kill chain ships 25 Sigma rules across six categories, KQL and SPL hunting queries, and a 78-entry IOC set covering file hashes, domains, ASNs, and CVEs. Free, no form, no gate. Ask every provider you evaluate for the equivalent, then have your IT person read it.
10. What does the price do in year two?
Ask for the renewal number in writing, what onboarding costs, and whether incident response beyond containment is included, hourly, or a separate retainer. Our pricing guide covers the questions and the market ranges.
11. What leaves with me if I leave?
Full log export, configurations, documentation. Get the offboarding process in the contract, not the sales deck.
Red flags that should end the conversation
A provider guarantees CMMC compliance outright. A provider cannot name the analysts who would work your account. A provider will not put response times in writing. A provider treats log retention as an upsell. A provider has never sat through a customer's C3PAO assessment. A provider's most recent published research is a product announcement.
Where we fit
ThreatHunter.ai has run 24/7 human hunt teams backed by our MILBERT AI platform since 2007, with 47,000+ threats detected and 12,800+ attacks prevented. Our Hunt, Hunt + Respond, and Hunt + Respond + Manage tiers map to the control families above, and our JAXBERT platform carries the compliance side: the 110-practice NIST SP 800-171 assessment, your live SPRS score, your SSP and POA&M, and the C3PAO package. Our detection packs are public so you can grade our work before you ever talk to sales.
Ask us the 11 questions. We wrote them because we like how we answer them.
Frequently Asked Questions
Does using an MDR provider satisfy CMMC Level 2?
No single provider satisfies CMMC Level 2. An MDR service carries significant weight in the audit and accountability, incident response, and system integrity control families, but the contractor owns the certification and the remaining controls.
What log retention does CMMC require?
NIST SP 800-171 does not set a fixed retention period; your policy sets it and your assessor verifies you meet it. Your MDR provider’s retention must meet or exceed your stated policy.
Keep reading
What Does Managed Threat Hunting Cost?
Real market ranges and the factors that move the number.
Read moreMDR for Small Defense Contractors
Why subcontractors are targeted, and what coverage looks like.
Read moreThe CMMC November 2026 Deadline
What Level 2 certification requires and how little runway is left.
Read more