The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 · Tools & Architecture · Last verified

CMMC Compliant RMM: What It Really Means in 2026

Independent Research · By The Defense Compliance Report Editorial Team · Published July 2026 · Last reviewed · Regulatory and FedRAMP Marketplace facts last verified · Methodology · Editorial & Advertising Policy

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Confirm your scope and applicability with a Registered Practitioner before you act.

Phase 1 is live: November 10, 2025 – November 9, 2026. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 (C3PAO) in applicable solicitations and contracts. (Source: 32 CFR § 170.3(e); DoD CMMC FAQ.)

Let’s settle the phrase you searched right away: there is no official, product-level “CMMC compliant RMM.” CMMC assessments evaluate a contractor’s information system and the assets inside its defined assessment scope, and the resulting CMMC Status attaches to that system — not to a piece of software. A specific cloud service might have a SOC 2 report, a FedRAMP Marketplace listing, or a NIST CMVP certificate, but none of those creates a CMMC Status for a remote monitoring and management (RMM) tool or for you. The first — and most important — fork is whether the tool processes, stores, or transmits Controlled Unclassified Information (CUI), only Security Protection Data (SPD: logs, configs, and security telemetry), or neither. If it handles only SPD, your RMM is in scope but the rule does notforce it to be FedRAMP authorized. If it handles CUI and it’s cloud-based, that cloud offering must be FedRAMP Authorized at the Moderate baseline or higher, or meet FedRAMP Moderate equivalency under DoD policy (DFARS 252.204-7012; 32 CFR § 170.17).

Quick read — which situation are you in? (Editorial application of 32 CFR § 170.19 and the current DoD Level 2 Scoping Guide; not an assessment determination. Last verified .)

If your RMM…Starting CMMC treatmentThe question that decides the branch
Collects logs, configs, vulnerability status, and credentials but no CUI-bearing screen, file, clipboard, recording, or ticketUsually a Security Protection Asset (in scope; no automatic FedRAMP trigger)Can you prove, technically, that no CUI reaches the tool?
Displays, transfers, records, or stores CUI through a vendor cloudPotential CUI cloud pathDoes the exact cloud offering have FedRAMP Moderate — or a documented equivalency Body of Evidence?
Is fully self-hosted inside your controlled boundaryCUI Asset or Security Protection Asset, by useCan you harden, patch, log, monitor, and evidence it yourself?
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

One thing before we go deep.The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Pathtool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Map my CMMC path →

The admission that changes how you should read the rest of this page.No vendor badge, FedRAMP listing, FIPS certificate, customer responsibility matrix, or “CMMC-ready” banner makes your RMM — or your company — CMMC compliant on its own. Some contractors can keep the RMM they already run by technically constraining its data paths and building the missing evidence. Others will need a separate remote-support path, a different edition, or a migration. What this page is built to prevent are the two expensive failure modes: buying a government-cloud edition when the service never handles CUI, and clinging to a commercial service whose remote-control, recording, or file-transfer feature quietly moves CUI into a provider boundary no one documented.

Is there really a CMMC compliant RMM?

No official, product-level “CMMC compliant RMM” designation exists.CMMC assigns an assessment status to a contractor’s information system against a defined scope; the required status is set by the contract, and NIST SP 800-171 Revision 2’s 110 requirements across 14 families are the yardstick at Level 2. A tool can supply capabilities and evidence that help you meet requirements — it cannot certify you. (Source: 32 CFR Part 170; DFARS 252.204-7021.)

So when a vendor says “CMMC compliant,” what can they honestlymean? Usually one of these: a deployment designed for CMMC use; a specific cloud offering with a FedRAMP Marketplace status; a FIPS-validated cryptographic module; a customer responsibility matrix (CRM); or a control-mapping capability. All useful. None of it certifies your organization — and the honest vendors say so. N-able, for one, states on its own government page that N–central and its bundled MDR “are not themselves CMMC compliant solutions.” That’s the correct posture, and it’s the one every buyer should adopt.

Here’s what no product claim can establish for you: your required CMMC Status, your actual CUI boundary, your assessment type, whether an optional module is in scope, whether your technicians share admin accounts, whether a session recording captured CUI, whether FIPS mode is actually enabled, or whether your System Security Plan (SSP) describes what really happens.

The current contract clause, DFARS 252.204-7021, provides for four level/status selections: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC)— and 32 CFR Part 170 distinguishes Conditional from Finalstatus where a passing-but-incomplete score lands you on a Plan of Action and Milestones (POA&M). This page focuses on the Level 2 cases because that’s where CUI and RMM tooling collide. Level 3 (DIBCAC) requires a Final Level 2 (C3PAO) status first and layers on NIST SP 800-172 requirements, assessed by DCMA DIBCAC. (Source: 32 CFR §§ 170.16–170.18; DFARS 252.204-7021.)

What each “proof” actually proves

Because the confusion here is really about artifacts, here’s what the common ones do and don’t establish. This one table combines verification regimes that usually live on five different sites.

ArtifactIssued / defined byWhat it coversWhat it provesWhat it does not proveRefresh trigger
CMMC StatusC3PAO (Level 2) or DCMA DIBCAC (Level 3), posted in SPRSYour information system, within its scopeThat system passed at the stated level and dateAnything about a product, or a different scopeReassessment / affirmation cycle
FedRAMP Marketplace recordFedRAMP programAn exact cloud service offeringThe offering’s lifecycle status (Ready / In Process / Certified) and impact classThat your configuration or every module is coveredStatus/boundary change
NIST CMVP certificateNIST/CCCS CMVPAn exact cryptographic module + versionThe module was validated in a defined environment and approved modeThat your RMM component uses it, or that it’s still ActiveVersion change; Historical/Revoked move
SOC 2 reportAn audit firmA defined service and trust criteriaControls were examined over a periodCMMC status, or CUI-handling eligibilityAnnual
Customer Responsibility Matrix (CRM)The providerWho owns which controlThe split of responsibilities you must documentThat you implemented your sideProduct/service revision
Control mappingThe vendorFeature-to-control alignmentThe tool can support certain objectivesThat the requirement is implemented or evidencedProduct change
“CMMC-ready” statementThe vendor (marketing)Nothing formalThat the vendor wants your defense businessAnything an assessor will accept

The line to keep: a badge is not a boundary, and a capability is not an implementation.

How does CMMC classify an RMM in a Level 2 environment?

An RMM is classified by what it actually does with data.If it processes, stores, or transmits CUI, the relevant assets are CUI Assets and face all 110 Level 2 requirements. If it provides security functions or handles Security Protection Data, it is generally a Security Protection Asset (SPA) that is in scope and assessed against the requirements relevant to what it does. It is out of scope only if it can’t touch CUI andprovides no security protection for the CUI environment. (Source: 32 CFR § 170.19(c)(1), Table 3.)

Key definitions

CUI Asset
An asset that can process, store, or transmit CUI. The CMMC definition of “process” is broad: data being accessed, entered, edited, generated, manipulated, or printed. An interactive remote session can constitute processing when it gives a user access to CUI — even if the vendor keeps no document. (Source: DoD CMMC Level 2 Scoping Guide.)
Security Protection Asset (SPA)
An asset that provides security functions for your CUI environment (patching, monitoring, remote administration, MFA). SPAs are in scope, assessed against the Level 2 requirements relevant to their capabilities. The DoD Level 2 Scoping Guide gives a cloud-based SIEM as an example of a Security Protection Asset that does not process CUI. (Source: 32 CFR § 170.19(c)(1), Table 3; DoD CMMC Level 2 Scoping Guide.)
Security Protection Data (SPD)
Data an SPA stores or processes to protect your environment. The rule’s examples include “configuration data required to operate a Security Protection Asset” and “log files generated by or ingested by” one. Many routine RMM data types — configuration data, logs, vulnerability or configuration status, and credentials — fit those examples. (Source: 32 CFR § 170.4.)
External Service Provider (ESP)
External people, technology, or facilities you use to provide and manage IT or cybersecurity. CUI orSPD must be processed, stored, or transmitted on the ESP’s assets for it to count as an ESP. Your MSP running your RMM is the textbook example. (Source: 32 CFR § 170.4.)
Contractor Risk Managed Asset (CRMA)
An asset that canhandle CUI but isn’t intended to, governed by policy. A CRMA must be documented in your asset inventory, SSP, and risk-based security policies; if documentation or other findings raise questions, § 170.19 lets the assessor perform a limited check. (Source: 32 CFR § 170.19(c)(1).)

Why “we don’t put CUI in the RMM” isn’t enough on its own: there is a gap between stated intent and enforced configuration. Level 2 assessments use the examine, interview, and test methods from NIST SP 800-171A, so a written prohibition falls apart when the technical capability is still enabled and operational evidence contradicts the policy.

The CMMC RMM Scope & Evidence Matrix

Our editorial application of the official asset categories, the CSP/ESP treatment, the FedRAMP trigger, and the evidence obligations to eight common RMM deployment patterns. This is not an assessment determination.The “starting classification” is the rule’s category; the “minimum evidence” column is what you must operationally verify and show. Confirm your actual architecture with a CMMC Registered Practitioner (RP), an RPO, or a qualified federal-contracts attorney.

#RMM deployment / useWhat crosses the boundaryStarting classificationFedRAMP questionMinimum evidence to showDecision signal
1SaaS RMM collects configs, logs, vulnerability status, credentials — but no CUI screen, file, clipboard, recording, or ticketSecurity Protection Data onlySecurity Protection Asset; if the provider furnishes a cloud service, it’s a CSP handling SPD without CUI under § 170.19 Table 4Not automatically required if no CUI is processed, stored, or transmittedData-flow diagram; feature inventory; CRM; SSP treatment; proof CUI paths are disabled; logsKeep or reconfigure if you can demonstrate the no-CUI boundary
2SaaS RMM displays a CUI desktop, transfers files/clipboard, records sessions, or stores CUI screenshotsCUI may pass through or persist in the vendor cloudRelevant path may be a CUI cloud (CSP) pathTriggered when the cloud actually processes, stores, or transmits CUIExact Marketplace package or equivalency Body of Evidence; session/encryption architecture; recording + retention rules; CRMGovernment cloud, redesign, or migrate unless you eliminate the CUI path
3Self-hosted RMM fully inside your controlled CUI boundaryCUI and/or SPD stays in your environmentCUI Asset or SPA, by useNo separate SaaS trigger for the local software; separately evaluate any underlying cloud IaaS or backupHardening guide; inventory; network diagram; SSP; CMVP mapping; audit logs; backups; update sourceKeep if you can operate, patch, monitor, and evidence it
4MSP-hosted RMM handling only SPD (service confirmed not to meet the CMMC/NIST cloud-computing definition)Logs, configs, vulnerability status, telemetryMSP service is an ESP/SPA in your scopeNo trigger merely because a provider is involvedService description; CRM; provider assets/personnel; evidence-access rights; SSP; logsKeep if the provider will supply evidence and join your assessment
5MSP-hosted RMM handling CUI (service confirmed not to meet the cloud-computing definition)CUI on provider systemsProvider assets/service included in yourassessment scope; a non-cloud ESP doesn’t automatically need its own certificateFedRAMP applies only if the service is a cloud serviceProvider asset inventory; personnel/facility evidence; CRM; assessment participation; CUI-handling termsKeep only with full provider participation; otherwise redesign
6SaaS RMM used for monitoring only— remote control, shell, file transfer, clipboard, screenshots, recording technically disabledSPD, if the restrictions are realSecurity Protection AssetNo trigger if the vendor cloud receives no CUITenant configuration exports; change control; recurring tests; feature-license records; alerts on config changesReconfigure and keep if enforced technically, not by policy alone
7Technicians connect through an in-scope jump host or tightly controlled VDIDepends on whether CUI can copy, save, print, capture, or transferEndpoint may be an out-of-scope candidate under narrow keyboard/video/mouse-only conditions; classify the RMM and cloud separatelyDepends on what reaches the cloud RMM or remote-support serviceServer-side block of clipboard, file transfer, drive mapping, printing, screenshots, recording; separate MFA; test evidencePossible scope reduction — ordinary remote desktop is not automatically the DoD VDI example
8Base RMM and remote-support component are separate productsBase RMM may get SPD while remote support gets CUIClassify each component separatelyA FedRAMP/FIPS status for one does not cover the otherExact product/module/version list; integration diagram; component-specific responsibility mappings, service descriptions, and evidenceSplit, replace, or isolate the weak module — don’t replace the whole platform

Because “process” includes accessing CUI, an interactive session can matter even when the vendor keeps no file. Whether the vendor cloud itselfprocesses or transmits that session content depends on the exact relay, encryption, recording, and storage design — which is why the evidence request below asks the vendor to draw that path.

Does a CMMC compliant RMM need FedRAMP Moderate?

Not automatically. The FedRAMP trigger fires when a cloud serviceprocesses, stores, or transmits CUI — then it must be FedRAMP Authorized at the Moderate baseline or higher, or meet FedRAMP Moderate equivalency under DoD policy (DFARS 252.204-7012(b)(2)(ii)(D); 32 CFR § 170.17(a)(5)). A cloud RMM that receives only Security Protection Data stays in your assessment scope as a security service but does notrequire FedRAMP just because it’s an RMM. (Source: DoD CMMC Level 2 Scoping Guide; DoD CMMC FAQ.)

Three things decide the trigger: it has to actually be a cloudservice (on-premises software you run yourself doesn’t create a SaaS FedRAMP obligation for the application — evaluate any underlying cloud hosting separately); CUI has to actually enter that cloud; and the status has to apply to the exact offeringyou’re buying, not to another product the same company sells. When a CSP is used to handle CUI in a Level 2 environment, your on-premises infrastructure connecting to that CSP is also part of your assessment scope, and the CRM’s security requirements must be documented or referenced in your SSP. (Source: 32 CFR § 170.16(a)(2), § 170.17(a)(5).)

If it does touch CUI, equivalency is a high bar — and it’s mostly the CSP’s job, not yours.The DoD CIO’s December 21, 2023 memo defines FedRAMP Moderate Equivalency as a FedRAMP-recognized third-party assessment organization (3PAO) assessing the cloud service offering against 100% of the FedRAMP Moderate baseline with zero control-implementation findings/open POA&Msat the conclusion of that assessment — documented in a Body of Evidence, with no self-attestation. Yourjob is to verify it, contractually require it, obtain and retain the Body of Evidence for your C3PAO, implement your customer-responsibility controls, and meet the DFARS 252.204-7012(c)–(g) incident-reporting, preservation, access, and damage-assessment duties. (Source: DoD CIO FedRAMP Moderate Equivalency memorandum, Dec. 21, 2023; 32 CFR § 170.17.)

And the practical takeaway: if you use a CSP that is FedRAMP Authorized at Moderate or higher, you don’t have to separately establish its FedRAMP compliance; if it isn’t authorized, you must determine and document equivalency yourself, and you inherit that risk.

“FedRAMP Certified” is not “FedRAMP Ready” — and one vendor proves why it matters.

The current FedRAMP Marketplace displays an offering’s lifecycle status (FedRAMP Ready, FedRAMP In Process, FedRAMP Certified), a certification class, an authorization path, and an authorization count. On we pulled both NinjaOne records directly from the Marketplace:

  • NinjaOne for Government — package FR2430847803: FedRAMP Certified, Class C (Moderate), Rev 5, Agency path, two authorizations (as of ).
  • NinjaOne for Government – FedRAMP High — package FR2620841940: FedRAMP Ready, Class D (High), Rev 5, Agency path, zero authorizations (as of ).

Same vendor, two very different statuses. “Ready” means the offering is positioned to pursue authorization; it is not an authorization to operate. When describing the legal requirement, use the rule’s language — “FedRAMP Authorized at Moderate or higher.” When reporting a live record, quote the Marketplace’s current fields exactly and record the date. (Source: FedRAMP Marketplace, packages FR2430847803 and FR2620841940, verified .)

And encrypting CUI does not make the cloud requirement disappear.The DoD’s CMMC FAQ is explicit: CUI stays controlled until it is formally decontrolled, so encrypted CUI keeps the control designation of its plaintext counterpart. A cloud offering that is neither FedRAMP Authorized at Moderate or higher nor supported by an acceptable FedRAMP Moderate-equivalency Body of Evidence cannot be used to store encrypted CUI merely because the data is encrypted. (Source: DoD CMMC FAQ; 32 CFR Part 2002.)

Not sure whether your RMM touches CUI or only Security Protection Data?That answer establishes the first FedRAMP branch — and it’s the difference between a documentation task and a migration. Route your required level, CUI scope, environment, and timeline through The Defense Compliance Report’s Find My CMMC Path tool: seven non-sensitive questions, about two minutes, and it points you to the provider category to compare first. It’s a general category router, not an RMM scope determination. Do not submit CUI, drawings, or contract details.

Map my CMMC path →

Does an RMM need FIPS-validated cryptography for CMMC?

When a remote session protects the confidentiality of CUI, yes — and “FIPS compliant” is not the same as “FIPS validated.”NIST SP 800-171 Rev. 2 control 3.13.11 requires FIPS-validated cryptography when used to protect the confidentiality of CUI, and 3.1.13 requires cryptographic protection of remote-access sessions. “Validated” means the exactcryptographic module and version holds a NIST CMVP validation certificate and is used within the validated module’s boundary, operational environment, and approved mode — not merely a vendor name or an algorithm like “AES-256.” Record whether the certificate is Active, Historical, or Revoked, because CMVP maintains all three. (Source: NIST SP 800-171 Rev. 2, 3.13.11 and 3.1.13; NIST CMVP.)

Two things make this an RMM-specific trap:

A missing FIPS validation is not an automatic assessment failure. Under 32 CFR § 170.21(a)(2)(ii), the CUI-encryption control SC.L2-3.13.11 may be placed on a POA&M when encryption is employed but is not FIPS-validated — it carries a point value of 3 in the scoring methodology, and like any Level 2 POA&M it must be closed within 180 days to move from Conditional to Final status. (Source: 32 CFR § 170.21(a)(2)(ii); § 170.24.)

What to record from CMVP, once, and keep in your SSP

FieldCapture
Certificate numberExact number
Module name & versionExact, as validated
StandardFIPS 140-2 or FIPS 140-3
Operational environmentThe platform/config the certificate covers
Approved modeHow it's enabled and verified
StatusActive / Historical / Revoked
Transition effectImpact of the Sept 21, 2026 move for 140-2
RMM componentWhich product component invokes it
Evidence ownerVendor, MSP, or you

For the deeper control-by-control breakdown, see our guide to CMMC FIPS 140-2 requirements.

Which CMMC Level 2 requirements matter most for RMM and remote support?

An RMM can’t satisfy all 110 Level 2 requirements, but it can decisively support — or quietly undermine — the ones about remote access, maintenance, authentication, audit, configuration, flaw remediation, and transmission protection.The assessment question is never “does the product have the feature” — it’s whether you’ve implemented the requirement and can produce examine, interview, and test evidence. NIST SP 800-171A defines 320 assessment objectives behind the 110 requirements; a feature list closes none of them on its own. (Source: NIST SP 800-171 Rev. 2; NIST SP 800-171A.)

Requirement (NIST SP 800-171 Rev. 2)Why the RMM mattersEvidence ownerCommon tool limitation
3.1.12 — Monitor and control remote access sessionsThe RMM creates and brokers the sessionsYou + providerLogs show connect time, not who approved it or what happened
3.1.13 — Cryptographically protect remote sessionsSessions may expose CUIYou + vendor“AES-256” with no validated-module mapping
3.1.14 — Route remote access via managed access control pointsThe RMM often is the managed access pointYouTechnicians can bypass the intended gateway
3.1.15 — Authorize remote execution of privileged commands / access to security-relevant infoScripts, shells, service control are privilegedYouEvery tech gets unrestricted scripting/shell
3.1.7 — Prevent non-privileged users from privileged functions; log themThe RMM executes privileged actions at scaleYouShared admin accounts; thin command detail
3.5.3 — MFA for local and network access to privileged accounts, and network access to non-privileged accountsThe RMM is a primary admin pathYou + providerMFA on portal login but not local/API/emergency access
3.7.5 — MFA for nonlocal maintenance sessions via external connections; terminate when completeThe RMM is a primary nonlocal maintenance pathYou + providerSessions not terminated; local accounts exempt
3.3.1–3.3.9 — Audit generation, retention, review, protectionThe RMM produces valuable, sensitive admin evidenceYou + providerLogs can’t export, lack command detail, or expire too soon
3.4.x — Baselines, inventory, change controlThe RMM discovers assets and pushes changesYouIncomplete inventory; changes not tied to authorization
3.11.2 — Vulnerability scanningSome RMMs supply vulnerability/missing-patch dataYouPatch inventory presented as a full vulnerability scan
3.14.1 / 3.14.2 — Flaw remediation; malicious-code protectionThe RMM patches and deploys softwareYou“Patch deployed” confused with “installed and verified”
3.1.20 — Control connections to external systemsVendor cloud, MSP consoles, APIs, integrations are external connectionsYouUndocumented integrations or support paths
3.13.8 / 3.13.11 — Protect CUI in transmission; use FIPS-validated cryptoCUI may ride remote sessions, transfers, or APIsYou + vendorCertificate belongs to a different component

The model that keeps you out of trouble: there’s daylight between feature available → licensed → enabled → configured correctly → operationally followed → evidenced → requirement met. Assessors live in the last three boxes. And an RMM that “deploys” a patch has not necessarily verifiedit installed, handled exceptions, caught end-of-life software, or scanned for vulnerabilities — which is why patching is its own discipline; see CMMC patch-management requirements and CMMC MFA requirements for the deeper control detail.

What do current RMM offerings actually prove in 2026?

Public evidence is useful only when it names the exact offering, cloud package, component, cryptographic module, document version, and the date you checked it. A company-level claim should never be promoted into a conclusion about a commercial tenant, a government tenant, an embedded remote-support component, or your specific configuration. The snapshot below is a dated, non-rankedlook at what a few widely used offerings publicly demonstrate — and what they don’t. Last verified . Inclusion is not endorsement; no provider paid for placement.

Exact offeringEvaluation depthEvidence locatedWhat it provesWhat it does not proveCompensation status
NinjaOne for Government (FedRAMP Moderate)Official Marketplace record (DCR-verified)FedRAMP Marketplace FR2430847803— Certified, Class C (Moderate), Rev 5, Agency, two authorizations, verified The named government offering holds that Marketplace status and impact classNothing about a commercial NinjaOne tenant, every module/integration, your configuration, or your CMMC statusNone as of
NinjaOne for Government – FedRAMP HighOfficial Marketplace record (DCR-verified)FedRAMP Marketplace FR2620841940— Ready, Class D (High), Rev 5, Agency, zero authorizations, verified The offering has reached Ready status. NinjaOne states its native remote-access component falls within the government offering (verify the exact package boundary with the vendor)Ready is not Certified; the High package shows no authorizations as of the verified dateNone as of
N-able N-central for CMMC ComplianceProvider documentation (reviewed, not independently tested)N-able states N–central for CMMC is generally available with a dedicated on-premise edition; documentation lists included and excluded features. N-able states the product is not itself a CMMC-compliant solutionThe vendor offers a documented deployment path and publishes an honest boundaryThat every N–central function, an integrated remote-support component, or your configuration is coveredNone as of
Kaseya (Datto RMM, VSA X, and others)Company announcement (DCR verified the announcement, not the implementation)Kaseya stated in an August 19, 2025 announcement that it engaged ControlCase to document and validate product-specific Customer Responsibility Matrices, including Datto RMM, VSA X, and IT GlueThat Kaseya published CRMs for cloud-based Security Protection AssetsAssessment acceptance, exact version coverage, current product configuration, or a third party’s current C3PAO statusNone as of

Two offerings we deliberately did not include as verified rows, and why:

  • Microsoft’s government-cloud endpoint stack(Intune, Defender for Endpoint, Microsoft Sentinel via Azure Government or Microsoft 365 GCC High) is a well-established FedRAMP High/Moderate path for CUI-touching endpoint management. But those are separate services with separate boundaries and authorizations — not one product with one inherited status. If you go this route, confirm the exact service and that you’re on the government tenant, and reflect it in your SSP and CRM. See Best GCC High providers for CMMC and AWS GovCloud for CMMC.
  • Widely used commercial-cloud RMMs.We did not locate a FedRAMP Marketplace authorization for the standard commercial offering of ConnectWise, Kaseya/Datto, Atera, or Syncro under the vendors’ common product names as of — but Marketplace records and product editions change. Verify the exact offering yourself before you rule it in or out; don’t treat the absence of a record we found as proof that none exists.

The habit worth building: record the exact product, edition, cloud package, module, version, approved mode, integrations, and date. That single discipline prevents most of the surprises that surface on assessment day.

What evidence should an RMM vendor give you before you buy?

A defensible RMM decision needs more than a security white paper. At minimum, get the exact offering and component boundaries, an architecture and data-flow diagram, a current customer/shared responsibility matrix, a FedRAMP package or equivalency evidence when the CUI trigger applies, a CMVP module mapping, identity and logging detail, support-personnel controls, data-retention terms, incident obligations, and a written list of excludedmodules and integrations. (Source: 32 CFR § 170.19(c)(2)(ii).)

The RMM evidence request packet

Copy this straight into your vendor questionnaire.

  1. Exact legal/contracting entity and the exact product and edition.
  2. Exact hosting package or tenant type (commercial vs. government).
  3. Full architecture and data-flow diagram, including one interactive remote session.
  4. Complete list of modules and integrations, and what data each sends to the provider.
  5. Treatment of screen content, clipboard, files, shell output, screenshots, and recordings.
  6. Ticket, attachment, diagnostic, crash-dump, telemetry, and backup handling.
  7. Current CRM / shared-responsibility matrix (with version and date).
  8. FedRAMP Marketplace package ID or the equivalency Body-of-Evidence process, when CUI is in play.
  9. Current NIST CMVP certificate, plus the exact product/module/version/approved-mode mapping.
  10. MFA and identity-provider support; treatment of local, emergency/break-glass, service, and API accounts.
  11. RBAC and privileged-command authorization.
  12. Audit-event catalog; log export, retention, timestamping, and integrity.
  13. Support-personnel locations, workstations, screening, and access model.
  14. Subprocessors and data residency.
  15. Incident-notification and forensic-support obligations; service-termination, data-return, and deletion terms.
  16. Every excluded module, integration, and deployment pattern.

Five questions that expose a weak vendor in one call:

  • “Show us the exact data path for one interactive remote session.”
  • “Which CMVP certificate covers that path, and how do we prove approved mode?”
  • “Which FedRAMP package covers the offering on our quote?”
  • “Which responsibilities stay ours, and where is that written?”
  • “Which components are excluded from your CMMC documentation?”

Red flags, in the vendor’s own words:

“Our company is FedRAMP” (no package ID). • “FIPS encryption” (no certificate, no mode). • “CMMC certified software.” • “Our other customers passed.” • “The assessor will accept it.” • “It’s encrypted, so FedRAMP doesn’t matter.” • “The MSP owns compliance.” • “The CRM is confidential.” • “The commercial tenant is the same code as government.” • “Remote control is included” (without naming the embedded component).

If the vendor cannot provide the applicable evidence to you or your assessor under appropriate confidentiality protections, treat the issue as unresolved before purchase— a legitimate reason to slow down, not a reason to sign.

Before a demo turns into a migration, price the boundary — not the brand.The evidence packet above is yours to lift straight into your next vendor questionnaire. If you’d rather see where your gaps sit across all 14 control families first, download the CMMC Readiness Checklist — a quick email-gated download, no CUI.

Download the CMMC Readiness Checklist →

Which RMM deployment model fits your CMMC situation?

There’s no universally “safest” deployment.A FedRAMP-authorized government-cloud offering can resolve the cloud-CUI question but usually adds cost and still doesn’t certify you. Self-hosting keeps data inside your boundary but hands you the operational and evidence burden. The right model depends on your CUI flow, staffing, current maturity, assessment type, and the provider’s evidence — so decide by the data, not by the logo.

Deployment modelBest fitMain advantageThe honest downsideEvidence burden
FedRAMP-authorized SaaSYou need a provider cloud to handle CUIAn authorized package resolves a major CSP questionAdds cost; still doesn’t certify you or every integrationExact package/boundary, CRM, modules, tenant config, your controls
Commercial SaaS, SPD-onlyYou can technically keep CUI out of the toolAvoids an unnecessary government-cloud purchaseRequires credible proof that no interactive/support path can move CUIData-flow tests, disabled features, change control, CRM, logs
Contractor self-hosted / on-premYou have operational capacity and a controlled enclaveKeeps the primary service inside your boundaryYou inherit hardening, uptime, patching, backup, monitoring, evidenceFull system evidence, hosting, crypto, logging, recovery, update path
MSP-hosted (non-cloud)You rely on a provider that will join your assessmentCentralized managed operationsProvider assets/personnel may enter your assessment scopeCRM, provider evidence, contract rights, interviews/tests
Split RMM + separate remote supportYou want SaaS telemetry but a controlled CUI session pathAvoids forcing every function into one boundaryMore products, identities, logs, and integration workSeparate classification and evidence per component
Jump host / tightly constrained VDIYou can force admin through a controlled access pointCan reduce endpoint exposure and standardize evidenceScope reduction depends on real technical restrictions, not the word “VDI”KVM-only controls, separate MFA, blocked transfer/capture, tests

A short decision sequence beats a scorecard. Ask, in order: Does the provider cloud actually receive CUI? Is there an exact applicable FedRAMP package or equivalency Body of Evidence? Can the CUI paths be technically disabled? Can you operate the platform yourself? Is the remote-support component separable? Will the provider participate in your assessment? Your answers point to keep, reconfigure, split, self-host, or migrate.

The official DoD VDI endpoint example— use it as a design template, not an approval of your setup. The CMMC FAQ describes a narrow case where an endpoint used only for keyboard/video/mouse access to a VDI can be out of scope when copy-paste, file transfer, drive mounting, and printing are blocked; only KVM data transits the session; separate multifactor authentication (a hardware token or PKI credential with PIN) protects the VDI; and access is limited to authorized users and locations — all enforced server-side and verified. It’s a precise recipe; it does not make an ordinary RMM remote-control session an out-of-scope endpoint. (Source: DoD CMMC FAQ, VDI.)

Your “RMM problem” might be a readiness, enclave, GRC, or assessment problem in disguise.Tell us your required level, CUI scope, current deployment, and timeline, and we’ll match you to the source-checked provider category that fits — readiness/MSP-MSSP, CUI enclave, GRC platform, or (only when you’re assessment-ready) a C3PAO. We route to a category, not a name, and it’s not a score or a ranking. No CUI, drawings, or contract details.

Compare provider categories →

Can you keep your current RMM and reduce CMMC scope?

Sometimes — but only when the scope reduction is technically enforced, documented, tested, and change-controlled. Disabling file transfer, clipboard, recording, shell access, screenshots, or direct remote control can change the data path so the RMM stays an SPD-only Security Protection Asset. A policy or an unused button does not prove CUI cannot reach the service; server-side enforcement and evidence do. (Source: DoD CMMC Level 2 Scoping Guide.)

Start with a feature-and-data-flow inventory, then prove each restriction. Use this as your verification worksheet:

RMM featureWhy it mattersEnforce itProof artifact
Screen relay / remote controlCan display CUI to a technician or the cloud relayServer-side; restrict who and whenConfig export, session log, test transcript
File transferMoves CUI to/from the endpoint or providerDisable tenant-wide; block local re-enableConfig export, transfer-attempt test
Clipboard syncSilent CUI pathDisable in session policyConfig export, paste test
Shell / scriptsPrivileged action at scaleRBAC + command authorization + loggingRole definitions, command logs
Session recordingMay capture CUI at rest in the cloudDisable, or route to a CUI-approved storeConfig export, retention policy
ScreenshotsSame as recordingDisableConfig export
Ticket attachmentsEasy place for CUI to leakRestrict/scan; document treatmentDLP policy, sample review
Backups / diagnosticsBulk CUI or SPDDefine scope and location; encryptBackup config, location evidence
API accessUndocumented external pathInventory and authorizeConnection approvals, API logs
Support diagnosticsVendor may pull dataContract terms + access controlsSupport-access model, DTA/NDA

When the vendor won’t disclose the architecture, CUI handling can’t be disabled, the FedRAMP or CMVP evidence you need doesn’t exist, logs lack unique attribution, shared accounts can’t be eliminated, or the provider won’t join your assessment — migration is the safer call. And when the weak link is a single embedded remote-control component, check whether it can be disabled and replaced independently — splitting that component is usually cheaper than replacing the whole platform.

Does your MSP or RMM provider need its own CMMC assessment?

It depends on whether the provider is a Cloud Service Provider (CSP) or another kind of External Service Provider, whether its systems receive CUI or only Security Protection Data, and how the service participates in your assessment.A non-cloud MSP handling only SPD does not automatically need its own CMMC certificate; a cloud service handling CUI must meet FedRAMP Moderate (or equivalency). Either way, the provider’s services can be assessed inside your scope. (Source: 32 CFR § 170.16, § 170.19(c)(2); DoD CMMC FAQ.)

Provider situationAssessment treatmentFedRAMP triggerCRM / documentationSeparate CMMC certificate?
CSP handling CUIIn your scopeYes — Authorized at Moderate+ or equivalencyRequired, referenced in your SSPNo (but must meet FedRAMP/equivalency)
CSP handling SPD onlyIn your scope as an SPANoRequiredNo
Non-CSP ESP handling CUIIn your scopeNo (not a cloud service)RequiredNo (assessed within your scope)
Non-CSP ESP handling SPD onlyIn your scope as an SPANoRequiredNo
Provider handling neither CUI nor SPDNot an ESP under the ruleNoNot required as an ESPNo

Two points from the DoD FAQ that resolve most real arguments:

  • “We don’t hold CUI” does not settle it. Under the CMMC definition, a provider is an ESP when CUI or SPD is processed, stored, or transmitted on its assets. Administrative access to systems that handle CUI can create that condition.
  • The contractual and technical service relationship helps determine CSP status. If youhold the cloud tenant subscription and the MSP merely administers it — even when the MSP resold it — the MSP is not the CSP for that cloud service. If the MSP contracts for, modifies, and delivers the cloud service, it may itself be the CSP.

The documentation obligation is yours. Our guides on CMMC requirements for MSPs and the MSP dual-role question go deeper. And if you’re an MSP reading this: if your RMM stores, processes, or transmits your client’s CUI or SPD, that service is in your client’s scope — and if your own systems or people touch CUI, you may have a path of your own to walk.

What will a C3PAO ask to see about your RMM?

A C3PAO evaluates the contractor information system within its defined Level 2 CMMC Assessment Scope — it does not approve or certify products.For a Level 2 certification assessment, expect the team to examine your SSP and scope, asset and data-flow diagrams, the ESP service description and CRM, exact tenant and module boundaries, FedRAMP or equivalency evidence when applicable, CMVP mapping, MFA and privileged-access configuration, session and command logs, retention and export settings, provider participation, and test evidence showing that your documented restrictions actually work. (Source: 32 CFR § 170.17; NIST SP 800-171A.)

Assemble a pre-assessment RMM evidence folder so nothing is improvised on assessment day:

  1. 01-Architecture-and-Scope — SSP boundary, network and data-flow diagrams
  2. 02-Asset-Inventory — every RMM component, agent, console, and integration
  3. 03-Service-and-Provider-Contracts — ESP terms, assessment-participation rights
  4. 04-CRM-SRM — current, versioned responsibility matrix
  5. 05-FedRAMP-or-Equivalency — package IDs or the Body of Evidence, where CUI applies
  6. 06-CMVP-and-Cryptography — certificate, version, approved-mode evidence per component
  7. 07-Identity-MFA-RBAC — identity-provider config, roles, privileged-command authorization
  8. 08-Remote-Access-Configuration — tenant settings, disabled features, managed access points
  9. 09-Audit-Logs-and-Retention — event catalog, retention, export, integrity
  10. 10-Patching-Config-and-Vulnerabilities — policies, deployment records, exceptions
  11. 11-Tests-and-Validation — reproducible tests proving the restrictions hold
  12. 12-Exceptions-and-POA-Ms — anything not yet met, with the plan to close it

One reproducible test is worth a folder of screenshots. Walk it: a named technician requests access; the authorization is recorded; MFA occurs; the session routes through the approved access point; you attempt a file transfer and a clipboard paste and show they’re blocked; a privileged command runs and is attributed to that technician; the session terminates; you export the log and demonstrate retention and review. Stale screenshots from a prior tenant or version won’t carry the same weight — evidence should reflect the current tenant, version, configuration, identities, contract, and Marketplace/CMVP status.

See also: CMMC Level 2 self-assessment vs. C3PAO for the practical dividing line between the two paths.

Getting close to a Level 2 (C3PAO) assessment?The readiness and evidence work — and the formal assessment — should be handled by different kinds of partner, because under 32 CFR § 170.8(b)(17)(ii)(G) the people who prepared you generally can’t also assess that work (more on that below). Use Find My CMMC Path to line up readiness and assessment categories, kept properly separate.

Map my CMMC path →

What actually drives CMMC RMM cost?

There is no authoritative universal price for a “CMMC compliant RMM,” and any page quoting a tidy range is selling false precision.Real cost depends on the exact edition, endpoint and technician counts, modules, log-retention tier, any government-cloud minimums, self-hosting infrastructure, implementation and evidence work, migration, and provider participation — plus the controls the tool doesn’t supply. We publish the cost drivers, not invented numbers.

Price four buckets separately: subscription (per endpoint, per technician, per tenant, minimum commitment, government-cloud premium, log-retention tier, API/integration charges); implementation (architecture, tenant hardening, identity integration, RBAC, baselines, scripts, patch policies, logging, documentation, evidence collection, testing, training); migration (agent removal and redeployment, overlap period, script rewriting, policy conversion, historical-log retention, integration replacement, downtime, rollback); and self-hosting operations (infrastructure, database, backup, monitoring, certificates, administration, uptime, upgrades, security testing, recovery, staffing).

The bucket contractors ignore until it bites: the cost of unresolved evidence— a delayed assessment, extra readiness consulting, repeated evidence collection, an emergency migration, scope expansion, prime-contractor escalation, lost staff time. These can exceed the license cost, but the amount depends on your organization, assessment stage, migration, and provider contract. Define the boundary before you compare total costs. For dollar-level detail by scope and company size, see our CMMC Level 2 cost guide.

What RMM mistakes create the most CMMC assessment risk?

The costliest mistakes come from treating labels as evidence and treating unused capabilities as technically impossible. Each of the errors below maps to a rule or control, a missing artifact, and a test that would expose it.

What should you do next if your RMM evidence is incomplete?

Don’t start with a replacement shortlist. Start with a map.Inventory the functions and data, classify the assets and provider relationships, request the missing evidence, test the controls, update your SSP and responsibility allocation — then decide whether the remaining gap is best solved by reconfiguration, a separate remote-support path, self-hosting, migration, or provider help.

  1. Freeze assumptions. Stop calling the tool compliant, non-compliant, FedRAMP, or FIPS until the exact evidence is in hand.
  2. Map functions and data— remote sessions, files, clipboard, recordings, tickets, telemetry, logs, scripts, APIs, support.
  3. Classify every component— base RMM, remote-control module, vendor cloud, MSP console, technician endpoint, jump host, integrations.
  4. Request evidence using the packet above.
  5. Test implementation— MFA, RBAC, privileged commands, restrictions, logging, retention, approved cryptographic mode.
  6. Update documentation— SSP, network diagram, asset inventory, data-flow diagram, CRM, policies, procedures.
  7. Decide— keep, reconfigure, split, self-host, or migrate.

Where the gap points, so does the provider category: a Registered Provider Organization (RPO) / Registered Practitioner (RP) for scoping, SSP, evidence, and implementation gaps; a Managed Security Service Provider (MSSP) or CMMC-focused MSP for ongoing operations and control ownership; a CUI enclave to shrink the primary environment (see CMMC secure enclaves); a GRC platform for responsibility, evidence, and SSP/POA&M workflow; a C3PAO only when you’re assessment-ready; and a qualified federal-contracts attorneyfor clause interpretation, flow-down, and contractual applicability. Keep readiness and formal assessment separate — under 32 CFR § 170.8(b)(17)(ii)(G), the Accreditation Body must prohibit CMMC Ecosystem members from participating in a Level 2 certification assessment for an organization they served as a consultant to prepare for any CMMC assessment within the preceding three years.

Need help deciding what type of CMMC provider you need?Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Seven non-sensitive questions, about two minutes. Provider matching may generate referral compensation if you engage a provider; no provider is ranked here because they paid for placement. Do not submit CUI, drawings, credentials, vulnerability data, or sensitive contract details.

Frequently asked questions

Visible HTML text — all answers in View Source. FAQPage schema intentionally omitted per Google’s current guidelines for non-government/health sites.

Is any RMM officially “CMMC compliant”?
No official, product-level CMMC designation exists. CMMC evaluates a contractor’s information system within a defined scope; it does not certify software. A product can provide relevant capabilities and supporting evidence, but your CMMC status depends on your environment, configuration, and evidence. (Source: 32 CFR Part 170.)
What is the best RMM for CMMC Level 2?
There isn’t a universal “best.” The right choice depends on whether CUI reaches the tool, the required cloud status, the exact cryptographic evidence, which modules are in scope, provider participation, logging, your internal staffing, and your assessment scope. Decide by your data flow, not by a ranking.
Does every RMM need FedRAMP Moderate?
No. FedRAMP is triggered when the cloud offering processes, stores, or transmits CUI. A cloud RMM handling only Security Protection Data stays in scope but does not automatically require FedRAMP. (Source: DoD CMMC Level 2 Scoping Guide; DoD CMMC FAQ.)
Is viewing a CUI desktop over remote control “processing” CUI?
It can be. The CMMC definition of “process” includes data being accessed, so interactive viewing can count as processing when it gives a user access to CUI. Whether the vendor cloud also processes or transmits that session content depends on the relay, encryption, recording, and storage design — which is why you should require a data-flow diagram. (Source: DoD CMMC Level 2 Scoping Guide.)
Can we disable file transfer and keep our current RMM?
Possibly. The restriction must be technically enforced server-side, documented, tested, monitored for change, and reflected in your SSP and data-flow analysis. A policy alone won’t satisfy an assessor. See the feature-disable worksheet above.
Does hosting the RMM on-premises eliminate FedRAMP?
It can remove the SaaS-cloud trigger for the application itself when the tool is fully local, but any underlying cloud hosting, backup, telemetry, update, or support path must still be evaluated — and self-hosting shifts operational and evidence responsibility to you.
Is FIPS 140-2 still acceptable, or do we need FIPS 140-3?
Don’t answer by the number alone. Check the exact module’s current NIST CMVP status, version, operational environment, and approved mode. CMVP will move remaining active FIPS 140-2 certificates to the Historical List on September 21, 2026; Historical is not Revoked (existing systems may continue; new procurements should not include them), and agencies make a risk determination. Under 32 CFR § 170.21(a)(2)(ii), SC.L2-3.13.11 can be placed on a POA&M if encryption is used but not FIPS-validated. (Source: NIST CMVP; 32 CFR § 170.21.)
Is “FedRAMP Ready” good enough?
Ready is not Certified and cannot be represented as such. The NinjaOne High package we checked currently shows zero authorizations; determine whether the exact status satisfies your specific procurement requirement. (Source: FedRAMP Marketplace.)
Does our MSP need its own CMMC certificate?
Not automatically. It depends on whether the provider is a CSP or another ESP, whether it receives CUI or only SPD, and whether its service is assessed within your scope. Not sending CUI to the MSP does not, by itself, remove it from scope. (Source: DoD CMMC FAQ; 32 CFR § 170.19(c)(2).)
Can an RMM satisfy all 110 Level 2 requirements?
No. An RMM can support and evidence a subset — mostly remote access, maintenance, audit, configuration, and integrity controls — but Level 2 covers the full NIST SP 800-171 Rev. 2 set across your entire assessment scope. (Source: NIST SP 800-171 Rev. 2.)
Can Microsoft Intune replace an RMM for CMMC?
They overlap on some management functions but aren’t interchangeable by label. Evaluate the enabled functions, data flows, remote-support path, evidence, responsibilities, cloud package (commercial vs. GCC High / Azure Government), and control coverage for the architecture you’re proposing.
Should a C3PAO approve our RMM before we buy it?
No. A C3PAO evaluates your information system within its defined scope, not products. A readiness advisor can help analyze architecture and evidence; the formal assessor must preserve independence.
Does this analysis apply to CMMC Level 1?
The product-badge warning still applies, but the CUI, FedRAMP, and Level 2 assessment analysis usually doesn’t fit an FCI-only Level 1 environment. Confirm what your contract requires before buying a Level 2-oriented deployment. For the level breakdown, see CMMC levels.

What we verified, and how —

Primary regulatory facts, verified against the issuing source:

  • Asset categories, ESP/CSP scoping, and the CRM documentation requirement in 32 CFR §§ 170.4, 170.16, 170.17, 170.19 (eCFR).
  • The CSP-in-Level-2 rule and Conditional/Final statuses in §§ 170.16–170.18, and the FIPS-encryption POA&M provision in § 170.21(a)(2)(ii) (eCFR).
  • The three-year consultant-participation prohibition in § 170.8(b)(17)(ii)(G) (eCFR, verbatim).
  • The cloud-CUI FedRAMP requirement in DFARS 252.204-7012(b)(2)(ii)(D) (Acquisition.gov) and the DoD CIO FedRAMP Moderate Equivalency memo (Dec. 21, 2023).
  • NIST SP 800-171 Rev. 2 control text and NIST CMVP validated/Historical/Revoked definitions, including the September 21, 2026 FIPS 140-2 transition (NIST CSRC).

Current official records, directly checked:

  • Both NinjaOne FedRAMP Marketplace records (FR2430847803 = Certified/Moderate; FR2620841940 = Ready/High).

Provider-stated claims reviewed (we verified the statement, not the underlying implementation):

  • N-able N-central for CMMC availability, on-premise edition, and N-able’s own “not a CMMC-compliant solution” statement.
  • Kaseya’s August 19, 2025 announcement that it engaged ControlCase to document and validate product CRMs, including Datto RMM.

Editorial conclusions:

The scope matrix, deployment guidance, feature-disable worksheet, and keep/reconfigure/split/self-host/migrate framework are our application of the verified facts above.

What we did not do:

  • Conduct hands-on security testing of any product, or review any vendor’s private FedRAMP package or equivalency Body of Evidence.
  • Validate any specific customer deployment, or verify any vendor’s assessment-pass claims.
  • Endorse, rank, or certify any product, or determine your contract’s applicability for you.
  • Replace an RP/RPO, a C3PAO, an assessor, or a federal-contracts attorney.

Who / how / why. This guide was researched and written by The Defense Compliance Report Editorial Team through direct review of primary regulatory, program, standards, and marketplace sources. See our methodology, editorial standards, and corrections policy.

Disclosure. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. No provider paid for inclusion or position on this page, and we hold no compensation relationship with the named RMM vendors above as of .

Not legal advice. This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm your required status, assessment scope, CUI handling, provider relationship, and contract applicability with a CMMC Registered Practitioner or RPO and, where contract interpretation is involved, a qualified federal-contracts attorney.

Primary sources

Re-verify FedRAMP Marketplace and NIST CMVP statuses and vendor documentation monthly while procuring or approaching an assessment; re-verify regulatory citations and Phase dates quarterly. Update the “last verified” date only when the checks are actually repeated.