Just looking for opinions and feedback; forgive any simple items or stupid basic questions that I am asking.
Company A is a DoD contractor; they utilize a cloud provider (infrastructure as a service - VMware vCloud, backup as a service - Veeam in the same cloud, DR - Zerto in the same cloud) to run their servers/operations: file servers, print servers, AD, etc.
They are asking the cloud provider if they are CMMC v2 or if they intend to be, trying to ascertain what the cloud provider needs to do or provide to continue to service the customer but not be at risk for not being compliant or not providing compliant solutions. They can provide AES-256, FIPS-102 Level 1 and Level 2 encryption for the data stored in the cloud; if MFA is required to access the infrastructure, that is possible as well.
But what else are they missing? Rather than go through a giant effort to find out they can't meet the requirements to use the cloud provider, can the CSP continue to service their infrastructure/virtual server/backup needs?