It has been a busy stretch out there, from a paused federal compliance deadline that will still keep MSPs busy to a fresh warning from Microsoft’s CEO about what businesses are really paying for AI. Here are the five stories from the last day or so that matter most if you are running or advising a small or midsize business.

CMMC Phase 2 is paused, but the security work is not. The Department of War has suspended the second phase of the Cybersecurity Maturity Model Certification program, putting third-party certification requirements on hold while it runs a 60-day review to look for ways to cut costs and simplify the process. Defense contractors still have to meet the underlying NIST SP 800-171 controls and support their SPRS scores through self-assessment, and MSPs who manage firewalls, identity, backups, or cloud environments for those clients are still on the hook to provide supporting evidence. If you serve anyone in the defense industrial base, this is a good moment to reframe CMMC conversations around ongoing risk reduction and contractual obligation rather than a looming audit date, because that framing just got a lot more durable than the deadline did. Read more at MSSP Alert

CISA says attackers are actively exploiting SharePoint Server flaws. CISA warned this week that three vulnerabilities in on-premises SharePoint Server are being actively exploited to bypass authentication, run remote code, and steal server keys for persistence. Nearly 10,000 SharePoint servers are exposed to the internet, and over 800 remain unpatched against two of the three flaws. If any client is running on-prem SharePoint, patching and hardening this now is not optional, and it is a clean, concrete talking point for reminding clients why patch cadence and internet exposure reviews matter. Read more at BleepingComputer

Nearly 12,000 Tricare beneficiaries notified of a data breach, almost three months after it happened. TriWest Healthcare Alliance discovered unauthorized access to its systems in April but did not send notification letters until July, exposing names, benefit numbers, and in a handful of cases Social Security numbers and addresses. The gap between discovery and notification is the real story here, since most state and federal breach notification rules expect faster disclosure, and it is worth using as a reminder to clients that an incident response plan needs a notification timeline built in, not just a technical remediation plan. Read more at Military Times

Satya Nadella says companies using AI are “paying for intelligence twice.” In a blog post this week, Microsoft’s CEO argued that businesses spend on AI tokens while also handing over their most valuable business knowledge for free, since every prompt, correction, and piece of feedback teaches the model something the vendor keeps. His suggested fix is for companies to build their own proprietary learning environments and orchestration layers so they retain ownership of that institutional knowledge instead of quietly training their own future competition. Whatever you make of the framing, it is a useful nudge for any business owner treating AI vendor selection as a simple pricing decision instead of a data strategy decision. Read more at TechCrunch

Anthropic and Blackstone are betting the real AI money is in implementation, not models. The two, along with Hellman & Friedman and other investors, have launched Ode with Anthropic, a $1.5 billion venture that embeds small teams of AI engineers directly inside client organizations to build systems tailored to how that business actually operates. Notably, Ode says its target customers are community banks, regional health systems, and mid-sized manufacturers, the exact kind of organizations too small to have their own AI engineering staff. That is a direct signal that the market sees real money in helping ordinary businesses actually use AI well, which is the same bet a lot of MSPs are quietly making themselves. Read more at TechCrunch


Sponsored by Lucky 13 Solutions

Business in Motion. Tech in Sync. Lucky 13 Solutions is a managed services provider helping small and midsize businesses keep their IT reliable, secure, and well-supported, without needing a full in-house team. Learn more at l13s.com.


Get the Business IT News Roundup in your inbox: