CMMC Level 2 · Tools & Architecture · Last verified
CMMC Compliant RMM: What It Really Means in 2026
Phase 1 is live: November 10, 2025 – November 9, 2026. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 (C3PAO) in applicable solicitations and contracts. (Source: 32 CFR § 170.3(e); DoD CMMC FAQ.)
Let’s settle the phrase you searched right away: there is no official, product-level “CMMC compliant RMM.” CMMC assessments evaluate a contractor’s information system and the assets inside its defined assessment scope, and the resulting CMMC Status attaches to that system — not to a piece of software. A specific cloud service might have a SOC 2 report, a FedRAMP Marketplace listing, or a NIST CMVP certificate, but none of those creates a CMMC Status for a remote monitoring and management (RMM) tool or for you. The first — and most important — fork is whether the tool processes, stores, or transmits Controlled Unclassified Information (CUI), only Security Protection Data (SPD: logs, configs, and security telemetry), or neither. If it handles only SPD, your RMM is in scope but the rule does notforce it to be FedRAMP authorized. If it handles CUI and it’s cloud-based, that cloud offering must be FedRAMP Authorized at the Moderate baseline or higher, or meet FedRAMP Moderate equivalency under DoD policy (DFARS 252.204-7012; 32 CFR § 170.17).
Quick read — which situation are you in?
| If your RMM… | Starting CMMC treatment | The question that decides the branch |
|---|---|---|
| Collects logs, configs, vulnerability status, and credentials but no CUI-bearing screen, file, clipboard, recording, or ticket | Usually a Security Protection Asset (in scope; no automatic FedRAMP trigger) | Can you prove, technically, that no CUI reaches the tool? |
| Displays, transfers, records, or stores CUI through a vendor cloud | Potential CUI cloud path | Does the exact cloud offering have FedRAMP Moderate — or a documented equivalency Body of Evidence? |
| Is fully self-hosted inside your controlled boundary | CUI Asset or Security Protection Asset, by use | Can you harden, patch, log, monitor, and evidence it yourself? |
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
One thing before we go deep.The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Pathtool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.
The admission that changes how you should read the rest of this page.No vendor badge, FedRAMP listing, FIPS certificate, customer responsibility matrix, or “CMMC-ready” banner makes your RMM — or your company — CMMC compliant on its own. Some contractors can keep the RMM they already run by technically constraining its data paths and building the missing evidence. Others will need a separate remote-support path, a different edition, or a migration. What this page is built to prevent are the two expensive failure modes: buying a government-cloud edition when the service never handles CUI, and clinging to a commercial service whose remote-control, recording, or file-transfer feature quietly moves CUI into a provider boundary no one documented.
Is there really a CMMC compliant RMM?
No official, product-level “CMMC compliant RMM” designation exists.CMMC assigns an assessment status to a contractor’s information system against a defined scope; the required status is set by the contract, and NIST SP 800-171 Revision 2’s 110 requirements across 14 families are the yardstick at Level 2. A tool can supply capabilities and evidence that help you meet requirements — it cannot certify you. (Source: 32 CFR Part 170; DFARS 252.204-7021.)
So when a vendor says “CMMC compliant,” what can they honestlymean? Usually one of these: a deployment designed for CMMC use; a specific cloud offering with a FedRAMP Marketplace status; a FIPS-validated cryptographic module; a customer responsibility matrix (CRM); or a control-mapping capability. All useful. None of it certifies your organization — and the honest vendors say so. N-able, for one, states on its own government page that N–central and its bundled MDR “are not themselves CMMC compliant solutions.” That’s the correct posture, and it’s the one every buyer should adopt.
Here’s what no product claim can establish for you: your required CMMC Status, your actual CUI boundary, your assessment type, whether an optional module is in scope, whether your technicians share admin accounts, whether a session recording captured CUI, whether FIPS mode is actually enabled, or whether your System Security Plan (SSP) describes what really happens.
The current contract clause, DFARS 252.204-7021, provides for four level/status selections: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC)— and 32 CFR Part 170 distinguishes Conditional from Finalstatus where a passing-but-incomplete score lands you on a Plan of Action and Milestones (POA&M). This page focuses on the Level 2 cases because that’s where CUI and RMM tooling collide. Level 3 (DIBCAC) requires a Final Level 2 (C3PAO) status first and layers on NIST SP 800-172 requirements, assessed by DCMA DIBCAC. (Source: 32 CFR §§ 170.16–170.18; DFARS 252.204-7021.)
What each “proof” actually proves
| Artifact | Issued / defined by | What it covers | What it proves | What it does not prove | Refresh trigger |
|---|---|---|---|---|---|
| CMMC Status | C3PAO (Level 2) or DCMA DIBCAC (Level 3), posted in SPRS | Your information system, within its scope | That system passed at the stated level and date | Anything about a product, or a different scope | Reassessment / affirmation cycle |
| FedRAMP Marketplace record | FedRAMP program | An exact cloud service offering | The offering’s lifecycle status (Ready / In Process / Certified) and impact class | That your configuration or every module is covered | Status/boundary change |
| NIST CMVP certificate | NIST/CCCS CMVP | An exact cryptographic module + version | The module was validated in a defined environment and approved mode | That your RMM component uses it, or that it’s still Active | Version change; Historical/Revoked move |
| SOC 2 report | An audit firm | A defined service and trust criteria | Controls were examined over a period | CMMC status, or CUI-handling eligibility | Annual |
| Customer Responsibility Matrix (CRM) | The provider | Who owns which control | The split of responsibilities you must document | That you implemented your side | Product/service revision |
| Control mapping | The vendor | Feature-to-control alignment | The tool can support certain objectives | That the requirement is implemented or evidenced | Product change |
| “CMMC-ready” statement | The vendor (marketing) | Nothing formal | That the vendor wants your defense business | Anything an assessor will accept | — |
How does CMMC classify an RMM in a Level 2 environment?
An RMM is classified by what it actually does with data.If it processes, stores, or transmits CUI, the relevant assets are CUI Assets and face all 110 Level 2 requirements. If it provides security functions or handles Security Protection Data, it is generally a Security Protection Asset (SPA) that is in scope and assessed against the requirements relevant to what it does. It is out of scope only if it can’t touch CUI andprovides no security protection for the CUI environment. (Source: 32 CFR § 170.19(c)(1), Table 3.)
- CUI Asset
- An asset that can process, store, or transmit CUI. The CMMC definition of “process” is broad: data being accessed, entered, edited, generated, manipulated, or printed. An interactive remote session can constitute processing when it gives a user access to CUI — even if the vendor keeps no document. (Source: DoD CMMC Level 2 Scoping Guide.)
- Security Protection Asset (SPA)
- An asset that provides security functions for your CUI environment (patching, monitoring, remote administration, MFA). SPAs are in scope, assessed against the Level 2 requirements relevant to their capabilities. The DoD Level 2 Scoping Guide gives a cloud-based SIEM as an example of a Security Protection Asset that does not process CUI. (Source: 32 CFR § 170.19(c)(1), Table 3; DoD CMMC Level 2 Scoping Guide.)
- Security Protection Data (SPD)
- Data an SPA stores or processes to protect your environment. The rule’s examples include “configuration data required to operate a Security Protection Asset” and “log files generated by or ingested by” one. Many routine RMM data types — configuration data, logs, vulnerability or configuration status, and credentials — fit those examples. (Source: 32 CFR § 170.4.)
- External Service Provider (ESP)
- External people, technology, or facilities you use to provide and manage IT or cybersecurity. CUI orSPD must be processed, stored, or transmitted on the ESP’s assets for it to count as an ESP. Your MSP running your RMM is the textbook example. (Source: 32 CFR § 170.4.)
- Contractor Risk Managed Asset (CRMA)
- An asset that canhandle CUI but isn’t intended to, governed by policy. A CRMA must be documented in your asset inventory, SSP, and risk-based security policies; if documentation or other findings raise questions, § 170.19 lets the assessor perform a limited check. (Source: 32 CFR § 170.19(c)(1).)
Why “we don’t put CUI in the RMM” isn’t enough on its own: there is a gap between stated intent and enforced configuration. Level 2 assessments use the examine, interview, and test methods from NIST SP 800-171A, so a written prohibition falls apart when the technical capability is still enabled and operational evidence contradicts the policy.
The CMMC RMM Scope & Evidence Matrix
| # | RMM deployment / use | What crosses the boundary | Starting classification | FedRAMP question | Minimum evidence to show | Decision signal |
|---|---|---|---|---|---|---|
| 1 | SaaS RMM collects configs, logs, vulnerability status, credentials — but no CUI screen, file, clipboard, recording, or ticket | Security Protection Data only | Security Protection Asset; if the provider furnishes a cloud service, it’s a CSP handling SPD without CUI under § 170.19 Table 4 | Not automatically required if no CUI is processed, stored, or transmitted | Data-flow diagram; feature inventory; CRM; SSP treatment; proof CUI paths are disabled; logs | Keep or reconfigure if you can demonstrate the no-CUI boundary |
| 2 | SaaS RMM displays a CUI desktop, transfers files/clipboard, records sessions, or stores CUI screenshots | CUI may pass through or persist in the vendor cloud | Relevant path may be a CUI cloud (CSP) path | Triggered when the cloud actually processes, stores, or transmits CUI | Exact Marketplace package or equivalency Body of Evidence; session/encryption architecture; recording + retention rules; CRM | Government cloud, redesign, or migrate unless you eliminate the CUI path |
| 3 | Self-hosted RMM fully inside your controlled CUI boundary | CUI and/or SPD stays in your environment | CUI Asset or SPA, by use | No separate SaaS trigger for the local software; separately evaluate any underlying cloud IaaS or backup | Hardening guide; inventory; network diagram; SSP; CMVP mapping; audit logs; backups; update source | Keep if you can operate, patch, monitor, and evidence it |
| 4 | MSP-hosted RMM handling only SPD (service confirmed not to meet the CMMC/NIST cloud-computing definition) | Logs, configs, vulnerability status, telemetry | MSP service is an ESP/SPA in your scope | No trigger merely because a provider is involved | Service description; CRM; provider assets/personnel; evidence-access rights; SSP; logs | Keep if the provider will supply evidence and join your assessment |
| 5 | MSP-hosted RMM handling CUI (service confirmed not to meet the cloud-computing definition) | CUI on provider systems | Provider assets/service included in yourassessment scope; a non-cloud ESP doesn’t automatically need its own certificate | FedRAMP applies only if the service is a cloud service | Provider asset inventory; personnel/facility evidence; CRM; assessment participation; CUI-handling terms | Keep only with full provider participation; otherwise redesign |
| 6 | SaaS RMM used for monitoring only— remote control, shell, file transfer, clipboard, screenshots, recording technically disabled | SPD, if the restrictions are real | Security Protection Asset | No trigger if the vendor cloud receives no CUI | Tenant configuration exports; change control; recurring tests; feature-license records; alerts on config changes | Reconfigure and keep if enforced technically, not by policy alone |
| 7 | Technicians connect through an in-scope jump host or tightly controlled VDI | Depends on whether CUI can copy, save, print, capture, or transfer | Endpoint may be an out-of-scope candidate under narrow keyboard/video/mouse-only conditions; classify the RMM and cloud separately | Depends on what reaches the cloud RMM or remote-support service | Server-side block of clipboard, file transfer, drive mapping, printing, screenshots, recording; separate MFA; test evidence | Possible scope reduction — ordinary remote desktop is not automatically the DoD VDI example |
| 8 | Base RMM and remote-support component are separate products | Base RMM may get SPD while remote support gets CUI | Classify each component separately | A FedRAMP/FIPS status for one does not cover the other | Exact product/module/version list; integration diagram; component-specific responsibility mappings, service descriptions, and evidence | Split, replace, or isolate the weak module — don’t replace the whole platform |
Does a CMMC compliant RMM need FedRAMP Moderate?
Not automatically. The FedRAMP trigger fires when a cloud serviceprocesses, stores, or transmits CUI — then it must be FedRAMP Authorized at the Moderate baseline or higher, or meet FedRAMP Moderate equivalency under DoD policy (DFARS 252.204-7012(b)(2)(ii)(D); 32 CFR § 170.17(a)(5)). A cloud RMM that receives only Security Protection Data stays in your assessment scope as a security service but does notrequire FedRAMP just because it’s an RMM. (Source: DoD CMMC Level 2 Scoping Guide; DoD CMMC FAQ.)
Three things decide the trigger: it has to actually be a cloudservice (on-premises software you run yourself doesn’t create a SaaS FedRAMP obligation for the application — evaluate any underlying cloud hosting separately); CUI has to actually enter that cloud; and the status has to apply to the exact offeringyou’re buying, not to another product the same company sells. When a CSP is used to handle CUI in a Level 2 environment, your on-premises infrastructure connecting to that CSP is also part of your assessment scope, and the CRM’s security requirements must be documented or referenced in your SSP. (Source: 32 CFR § 170.16(a)(2), § 170.17(a)(5).)
If it does touch CUI, equivalency is a high bar — and it’s mostly the CSP’s job, not yours.The DoD CIO’s December 21, 2023 memo defines FedRAMP Moderate Equivalency as a FedRAMP-recognized third-party assessment organization (3PAO) assessing the cloud service offering against 100% of the FedRAMP Moderate baseline with zero control-implementation findings/open POA&Msat the conclusion of that assessment — documented in a Body of Evidence, with no self-attestation. Yourjob is to verify it, contractually require it, obtain and retain the Body of Evidence for your C3PAO, implement your customer-responsibility controls, and meet the DFARS 252.204-7012(c)–(g) incident-reporting, preservation, access, and damage-assessment duties. (Source: DoD CIO FedRAMP Moderate Equivalency memorandum, Dec. 21, 2023; 32 CFR § 170.17.)
And the practical takeaway: if you use a CSP that is FedRAMP Authorized at Moderate or higher, you don’t have to separately establish its FedRAMP compliance; if it isn’t authorized, you must determine and document equivalency yourself, and you inherit that risk.
“FedRAMP Certified” is not “FedRAMP Ready” — and one vendor proves why it matters.
The current FedRAMP Marketplace displays an offering’s lifecycle status (FedRAMP Ready, FedRAMP In Process, FedRAMP Certified), a certification class, an authorization path, and an authorization count. On we pulled both NinjaOne records directly from the Marketplace:
- NinjaOne for Government — package FR2430847803: FedRAMP Certified, Class C (Moderate), Rev 5, Agency path, two authorizations (as of ).
- NinjaOne for Government – FedRAMP High — package FR2620841940: FedRAMP Ready, Class D (High), Rev 5, Agency path, zero authorizations (as of ).
Same vendor, two very different statuses. “Ready” means the offering is positioned to pursue authorization; it is not an authorization to operate. When describing the legal requirement, use the rule’s language — “FedRAMP Authorized at Moderate or higher.” When reporting a live record, quote the Marketplace’s current fields exactly and record the date. (Source: FedRAMP Marketplace, packages FR2430847803 and FR2620841940, verified .)
And encrypting CUI does not make the cloud requirement disappear.The DoD’s CMMC FAQ is explicit: CUI stays controlled until it is formally decontrolled, so encrypted CUI keeps the control designation of its plaintext counterpart. A cloud offering that is neither FedRAMP Authorized at Moderate or higher nor supported by an acceptable FedRAMP Moderate-equivalency Body of Evidence cannot be used to store encrypted CUI merely because the data is encrypted. (Source: DoD CMMC FAQ; 32 CFR Part 2002.)
Not sure whether your RMM touches CUI or only Security Protection Data?That answer establishes the first FedRAMP branch — and it’s the difference between a documentation task and a migration. Route your required level, CUI scope, environment, and timeline through The Defense Compliance Report’s Find My CMMC Path tool: seven non-sensitive questions, about two minutes, and it points you to the provider category to compare first. It’s a general category router, not an RMM scope determination. Do not submit CUI, drawings, or contract details.
Does an RMM need FIPS-validated cryptography for CMMC?
When a remote session protects the confidentiality of CUI, yes — and “FIPS compliant” is not the same as “FIPS validated.”NIST SP 800-171 Rev. 2 control 3.13.11 requires FIPS-validated cryptography when used to protect the confidentiality of CUI, and 3.1.13 requires cryptographic protection of remote-access sessions. “Validated” means the exactcryptographic module and version holds a NIST CMVP validation certificate and is used within the validated module’s boundary, operational environment, and approved mode — not merely a vendor name or an algorithm like “AES-256.” Record whether the certificate is Active, Historical, or Revoked, because CMVP maintains all three. (Source: NIST SP 800-171 Rev. 2, 3.13.11 and 3.1.13; NIST CMVP.)
Two things make this an RMM-specific trap:
- The remote-support module is often a different product from the base RMM. Screen control, file transfer, and agent-to-console traffic can each use different cryptographic components. A certificate covering the management agent may not cover the remote-control relay. Map the exact component that protects CUI to a specific certificate.
- A FIPS 140-2 transition is on the calendar. NIST CMVP will move all remaining active FIPS 140-2 certificates to the Historical List on September 21, 2026; FIPS 140-3 is the forward path. Historical is not the same as Revoked: modules on the Historical List may continue to be used in existing systems, but federal agencies should not include them in newprocurements. Plan early if your RMM’s crypto rides on a 140-2 module. (Source: NIST CMVP, FIPS 140-3 Transition Effort.)
A missing FIPS validation is not an automatic assessment failure. Under 32 CFR § 170.21(a)(2)(ii), the CUI-encryption control SC.L2-3.13.11 may be placed on a POA&M when encryption is employed but is not FIPS-validated — it carries a point value of 3 in the scoring methodology, and like any Level 2 POA&M it must be closed within 180 days to move from Conditional to Final status. (Source: 32 CFR § 170.21(a)(2)(ii); § 170.24.)
What to record from CMVP, once, and keep in your SSP
| Field | Capture |
|---|---|
| Certificate number | Exact number |
| Module name & version | Exact, as validated |
| Standard | FIPS 140-2 or FIPS 140-3 |
| Operational environment | The platform/config the certificate covers |
| Approved mode | How it's enabled and verified |
| Status | Active / Historical / Revoked |
| Transition effect | Impact of the Sept 21, 2026 move for 140-2 |
| RMM component | Which product component invokes it |
| Evidence owner | Vendor, MSP, or you |
For the deeper control-by-control breakdown, see our guide to CMMC FIPS 140-2 requirements.
Which CMMC Level 2 requirements matter most for RMM and remote support?
An RMM can’t satisfy all 110 Level 2 requirements, but it can decisively support — or quietly undermine — the ones about remote access, maintenance, authentication, audit, configuration, flaw remediation, and transmission protection.The assessment question is never “does the product have the feature” — it’s whether you’ve implemented the requirement and can produce examine, interview, and test evidence. NIST SP 800-171A defines 320 assessment objectives behind the 110 requirements; a feature list closes none of them on its own. (Source: NIST SP 800-171 Rev. 2; NIST SP 800-171A.)
| Requirement (NIST SP 800-171 Rev. 2) | Why the RMM matters | Evidence owner | Common tool limitation |
|---|---|---|---|
| 3.1.12 — Monitor and control remote access sessions | The RMM creates and brokers the sessions | You + provider | Logs show connect time, not who approved it or what happened |
| 3.1.13 — Cryptographically protect remote sessions | Sessions may expose CUI | You + vendor | “AES-256” with no validated-module mapping |
| 3.1.14 — Route remote access via managed access control points | The RMM often is the managed access point | You | Technicians can bypass the intended gateway |
| 3.1.15 — Authorize remote execution of privileged commands / access to security-relevant info | Scripts, shells, service control are privileged | You | Every tech gets unrestricted scripting/shell |
| 3.1.7 — Prevent non-privileged users from privileged functions; log them | The RMM executes privileged actions at scale | You | Shared admin accounts; thin command detail |
| 3.5.3 — MFA for local and network access to privileged accounts, and network access to non-privileged accounts | The RMM is a primary admin path | You + provider | MFA on portal login but not local/API/emergency access |
| 3.7.5 — MFA for nonlocal maintenance sessions via external connections; terminate when complete | The RMM is a primary nonlocal maintenance path | You + provider | Sessions not terminated; local accounts exempt |
| 3.3.1–3.3.9 — Audit generation, retention, review, protection | The RMM produces valuable, sensitive admin evidence | You + provider | Logs can’t export, lack command detail, or expire too soon |
| 3.4.x — Baselines, inventory, change control | The RMM discovers assets and pushes changes | You | Incomplete inventory; changes not tied to authorization |
| 3.11.2 — Vulnerability scanning | Some RMMs supply vulnerability/missing-patch data | You | Patch inventory presented as a full vulnerability scan |
| 3.14.1 / 3.14.2 — Flaw remediation; malicious-code protection | The RMM patches and deploys software | You | “Patch deployed” confused with “installed and verified” |
| 3.1.20 — Control connections to external systems | Vendor cloud, MSP consoles, APIs, integrations are external connections | You | Undocumented integrations or support paths |
| 3.13.8 / 3.13.11 — Protect CUI in transmission; use FIPS-validated crypto | CUI may ride remote sessions, transfers, or APIs | You + vendor | Certificate belongs to a different component |
The model that keeps you out of trouble: there’s daylight between feature available → licensed → enabled → configured correctly → operationally followed → evidenced → requirement met. Assessors live in the last three boxes. And an RMM that “deploys” a patch has not necessarily verifiedit installed, handled exceptions, caught end-of-life software, or scanned for vulnerabilities — which is why patching is its own discipline; see CMMC patch-management requirements and CMMC MFA requirements for the deeper control detail.
What do current RMM offerings actually prove in 2026?
Public evidence is useful only when it names the exact offering, cloud package, component, cryptographic module, document version, and the date you checked it. A company-level claim should never be promoted into a conclusion about a commercial tenant, a government tenant, an embedded remote-support component, or your specific configuration. The snapshot below is a dated, non-rankedlook at what a few widely used offerings publicly demonstrate — and what they don’t. Last verified . Inclusion is not endorsement; no provider paid for placement.
| Exact offering | Evaluation depth | Evidence located | What it proves | What it does not prove | Compensation status |
|---|---|---|---|---|---|
| NinjaOne for Government (FedRAMP Moderate) | Official Marketplace record (DCR-verified) | FedRAMP Marketplace FR2430847803— Certified, Class C (Moderate), Rev 5, Agency, two authorizations, verified | The named government offering holds that Marketplace status and impact class | Nothing about a commercial NinjaOne tenant, every module/integration, your configuration, or your CMMC status | None as of |
| NinjaOne for Government – FedRAMP High | Official Marketplace record (DCR-verified) | FedRAMP Marketplace FR2620841940— Ready, Class D (High), Rev 5, Agency, zero authorizations, verified | The offering has reached Ready status. NinjaOne states its native remote-access component falls within the government offering (verify the exact package boundary with the vendor) | Ready is not Certified; the High package shows no authorizations as of the verified date | None as of |
| N-able N-central for CMMC Compliance | Provider documentation (reviewed, not independently tested) | N-able states N–central for CMMC is generally available with a dedicated on-premise edition; documentation lists included and excluded features. N-able states the product is not itself a CMMC-compliant solution | The vendor offers a documented deployment path and publishes an honest boundary | That every N–central function, an integrated remote-support component, or your configuration is covered | None as of |
| Kaseya (Datto RMM, VSA X, and others) | Company announcement (DCR verified the announcement, not the implementation) | Kaseya stated in an August 19, 2025 announcement that it engaged ControlCase to document and validate product-specific Customer Responsibility Matrices, including Datto RMM, VSA X, and IT Glue | That Kaseya published CRMs for cloud-based Security Protection Assets | Assessment acceptance, exact version coverage, current product configuration, or a third party’s current C3PAO status | None as of |
Two offerings we deliberately did not include as verified rows, and why:
- Microsoft’s government-cloud endpoint stack(Intune, Defender for Endpoint, Microsoft Sentinel via Azure Government or Microsoft 365 GCC High) is a well-established FedRAMP High/Moderate path for CUI-touching endpoint management. But those are separate services with separate boundaries and authorizations — not one product with one inherited status. If you go this route, confirm the exact service and that you’re on the government tenant, and reflect it in your SSP and CRM. See Best GCC High providers for CMMC and AWS GovCloud for CMMC.
- Widely used commercial-cloud RMMs.We did not locate a FedRAMP Marketplace authorization for the standard commercial offering of ConnectWise, Kaseya/Datto, Atera, or Syncro under the vendors’ common product names as of — but Marketplace records and product editions change. Verify the exact offering yourself before you rule it in or out; don’t treat the absence of a record we found as proof that none exists.
What evidence should an RMM vendor give you before you buy?
A defensible RMM decision needs more than a security white paper. At minimum, get the exact offering and component boundaries, an architecture and data-flow diagram, a current customer/shared responsibility matrix, a FedRAMP package or equivalency evidence when the CUI trigger applies, a CMVP module mapping, identity and logging detail, support-personnel controls, data-retention terms, incident obligations, and a written list of excludedmodules and integrations. (Source: 32 CFR § 170.19(c)(2)(ii).)
The RMM evidence request packet
- Exact legal/contracting entity and the exact product and edition.
- Exact hosting package or tenant type (commercial vs. government).
- Full architecture and data-flow diagram, including one interactive remote session.
- Complete list of modules and integrations, and what data each sends to the provider.
- Treatment of screen content, clipboard, files, shell output, screenshots, and recordings.
- Ticket, attachment, diagnostic, crash-dump, telemetry, and backup handling.
- Current CRM / shared-responsibility matrix (with version and date).
- FedRAMP Marketplace package ID or the equivalency Body-of-Evidence process, when CUI is in play.
- Current NIST CMVP certificate, plus the exact product/module/version/approved-mode mapping.
- MFA and identity-provider support; treatment of local, emergency/break-glass, service, and API accounts.
- RBAC and privileged-command authorization.
- Audit-event catalog; log export, retention, timestamping, and integrity.
- Support-personnel locations, workstations, screening, and access model.
- Subprocessors and data residency.
- Incident-notification and forensic-support obligations; service-termination, data-return, and deletion terms.
- Every excluded module, integration, and deployment pattern.
Five questions that expose a weak vendor in one call:
- “Show us the exact data path for one interactive remote session.”
- “Which CMVP certificate covers that path, and how do we prove approved mode?”
- “Which FedRAMP package covers the offering on our quote?”
- “Which responsibilities stay ours, and where is that written?”
- “Which components are excluded from your CMMC documentation?”
Red flags, in the vendor’s own words:
“Our company is FedRAMP” (no package ID). • “FIPS encryption” (no certificate, no mode). • “CMMC certified software.” • “Our other customers passed.” • “The assessor will accept it.” • “It’s encrypted, so FedRAMP doesn’t matter.” • “The MSP owns compliance.” • “The CRM is confidential.” • “The commercial tenant is the same code as government.” • “Remote control is included” (without naming the embedded component).
If the vendor cannot provide the applicable evidence to you or your assessor under appropriate confidentiality protections, treat the issue as unresolved before purchase— a legitimate reason to slow down, not a reason to sign.
Before a demo turns into a migration, price the boundary — not the brand.The evidence packet above is yours to lift straight into your next vendor questionnaire. If you’d rather see where your gaps sit across all 14 control families first, download the CMMC Readiness Checklist — a quick email-gated download, no CUI.
Which RMM deployment model fits your CMMC situation?
There’s no universally “safest” deployment.A FedRAMP-authorized government-cloud offering can resolve the cloud-CUI question but usually adds cost and still doesn’t certify you. Self-hosting keeps data inside your boundary but hands you the operational and evidence burden. The right model depends on your CUI flow, staffing, current maturity, assessment type, and the provider’s evidence — so decide by the data, not by the logo.
| Deployment model | Best fit | Main advantage | The honest downside | Evidence burden |
|---|---|---|---|---|
| FedRAMP-authorized SaaS | You need a provider cloud to handle CUI | An authorized package resolves a major CSP question | Adds cost; still doesn’t certify you or every integration | Exact package/boundary, CRM, modules, tenant config, your controls |
| Commercial SaaS, SPD-only | You can technically keep CUI out of the tool | Avoids an unnecessary government-cloud purchase | Requires credible proof that no interactive/support path can move CUI | Data-flow tests, disabled features, change control, CRM, logs |
| Contractor self-hosted / on-prem | You have operational capacity and a controlled enclave | Keeps the primary service inside your boundary | You inherit hardening, uptime, patching, backup, monitoring, evidence | Full system evidence, hosting, crypto, logging, recovery, update path |
| MSP-hosted (non-cloud) | You rely on a provider that will join your assessment | Centralized managed operations | Provider assets/personnel may enter your assessment scope | CRM, provider evidence, contract rights, interviews/tests |
| Split RMM + separate remote support | You want SaaS telemetry but a controlled CUI session path | Avoids forcing every function into one boundary | More products, identities, logs, and integration work | Separate classification and evidence per component |
| Jump host / tightly constrained VDI | You can force admin through a controlled access point | Can reduce endpoint exposure and standardize evidence | Scope reduction depends on real technical restrictions, not the word “VDI” | KVM-only controls, separate MFA, blocked transfer/capture, tests |
A short decision sequence beats a scorecard. Ask, in order: Does the provider cloud actually receive CUI? Is there an exact applicable FedRAMP package or equivalency Body of Evidence? Can the CUI paths be technically disabled? Can you operate the platform yourself? Is the remote-support component separable? Will the provider participate in your assessment? Your answers point to keep, reconfigure, split, self-host, or migrate.
The official DoD VDI endpoint example— use it as a design template, not an approval of your setup. The CMMC FAQ describes a narrow case where an endpoint used only for keyboard/video/mouse access to a VDI can be out of scope when copy-paste, file transfer, drive mounting, and printing are blocked; only KVM data transits the session; separate multifactor authentication (a hardware token or PKI credential with PIN) protects the VDI; and access is limited to authorized users and locations — all enforced server-side and verified. It’s a precise recipe; it does not make an ordinary RMM remote-control session an out-of-scope endpoint. (Source: DoD CMMC FAQ, VDI.)
Your “RMM problem” might be a readiness, enclave, GRC, or assessment problem in disguise.Tell us your required level, CUI scope, current deployment, and timeline, and we’ll match you to the source-checked provider category that fits — readiness/MSP-MSSP, CUI enclave, GRC platform, or (only when you’re assessment-ready) a C3PAO. We route to a category, not a name, and it’s not a score or a ranking. No CUI, drawings, or contract details.
Can you keep your current RMM and reduce CMMC scope?
Sometimes — but only when the scope reduction is technically enforced, documented, tested, and change-controlled. Disabling file transfer, clipboard, recording, shell access, screenshots, or direct remote control can change the data path so the RMM stays an SPD-only Security Protection Asset. A policy or an unused button does not prove CUI cannot reach the service; server-side enforcement and evidence do. (Source: DoD CMMC Level 2 Scoping Guide.)
| RMM feature | Why it matters | Enforce it | Proof artifact |
|---|---|---|---|
| Screen relay / remote control | Can display CUI to a technician or the cloud relay | Server-side; restrict who and when | Config export, session log, test transcript |
| File transfer | Moves CUI to/from the endpoint or provider | Disable tenant-wide; block local re-enable | Config export, transfer-attempt test |
| Clipboard sync | Silent CUI path | Disable in session policy | Config export, paste test |
| Shell / scripts | Privileged action at scale | RBAC + command authorization + logging | Role definitions, command logs |
| Session recording | May capture CUI at rest in the cloud | Disable, or route to a CUI-approved store | Config export, retention policy |
| Screenshots | Same as recording | Disable | Config export |
| Ticket attachments | Easy place for CUI to leak | Restrict/scan; document treatment | DLP policy, sample review |
| Backups / diagnostics | Bulk CUI or SPD | Define scope and location; encrypt | Backup config, location evidence |
| API access | Undocumented external path | Inventory and authorize | Connection approvals, API logs |
| Support diagnostics | Vendor may pull data | Contract terms + access controls | Support-access model, DTA/NDA |
When the vendor won’t disclose the architecture, CUI handling can’t be disabled, the FedRAMP or CMVP evidence you need doesn’t exist, logs lack unique attribution, shared accounts can’t be eliminated, or the provider won’t join your assessment — migration is the safer call. And when the weak link is a single embedded remote-control component, check whether it can be disabled and replaced independently — splitting that component is usually cheaper than replacing the whole platform.
Does your MSP or RMM provider need its own CMMC assessment?
It depends on whether the provider is a Cloud Service Provider (CSP) or another kind of External Service Provider, whether its systems receive CUI or only Security Protection Data, and how the service participates in your assessment.A non-cloud MSP handling only SPD does not automatically need its own CMMC certificate; a cloud service handling CUI must meet FedRAMP Moderate (or equivalency). Either way, the provider’s services can be assessed inside your scope. (Source: 32 CFR § 170.16, § 170.19(c)(2); DoD CMMC FAQ.)
| Provider situation | Assessment treatment | FedRAMP trigger | CRM / documentation | Separate CMMC certificate? |
|---|---|---|---|---|
| CSP handling CUI | In your scope | Yes — Authorized at Moderate+ or equivalency | Required, referenced in your SSP | No (but must meet FedRAMP/equivalency) |
| CSP handling SPD only | In your scope as an SPA | No | Required | No |
| Non-CSP ESP handling CUI | In your scope | No (not a cloud service) | Required | No (assessed within your scope) |
| Non-CSP ESP handling SPD only | In your scope as an SPA | No | Required | No |
| Provider handling neither CUI nor SPD | Not an ESP under the rule | No | Not required as an ESP | No |
Two points from the DoD FAQ that resolve most real arguments:
- “We don’t hold CUI” does not settle it. Under the CMMC definition, a provider is an ESP when CUI or SPD is processed, stored, or transmitted on its assets. Administrative access to systems that handle CUI can create that condition.
- The contractual and technical service relationship helps determine CSP status. If youhold the cloud tenant subscription and the MSP merely administers it — even when the MSP resold it — the MSP is not the CSP for that cloud service. If the MSP contracts for, modifies, and delivers the cloud service, it may itself be the CSP.
The documentation obligation is yours. Our guides on CMMC requirements for MSPs and the MSP dual-role question go deeper. And if you’re an MSP reading this: if your RMM stores, processes, or transmits your client’s CUI or SPD, that service is in your client’s scope — and if your own systems or people touch CUI, you may have a path of your own to walk.
What will a C3PAO ask to see about your RMM?
A C3PAO evaluates the contractor information system within its defined Level 2 CMMC Assessment Scope — it does not approve or certify products.For a Level 2 certification assessment, expect the team to examine your SSP and scope, asset and data-flow diagrams, the ESP service description and CRM, exact tenant and module boundaries, FedRAMP or equivalency evidence when applicable, CMVP mapping, MFA and privileged-access configuration, session and command logs, retention and export settings, provider participation, and test evidence showing that your documented restrictions actually work. (Source: 32 CFR § 170.17; NIST SP 800-171A.)
01-Architecture-and-Scope— SSP boundary, network and data-flow diagrams02-Asset-Inventory— every RMM component, agent, console, and integration03-Service-and-Provider-Contracts— ESP terms, assessment-participation rights04-CRM-SRM— current, versioned responsibility matrix05-FedRAMP-or-Equivalency— package IDs or the Body of Evidence, where CUI applies06-CMVP-and-Cryptography— certificate, version, approved-mode evidence per component07-Identity-MFA-RBAC— identity-provider config, roles, privileged-command authorization08-Remote-Access-Configuration— tenant settings, disabled features, managed access points09-Audit-Logs-and-Retention— event catalog, retention, export, integrity10-Patching-Config-and-Vulnerabilities— policies, deployment records, exceptions11-Tests-and-Validation— reproducible tests proving the restrictions hold12-Exceptions-and-POA-Ms— anything not yet met, with the plan to close it
One reproducible test is worth a folder of screenshots. Walk it: a named technician requests access; the authorization is recorded; MFA occurs; the session routes through the approved access point; you attempt a file transfer and a clipboard paste and show they’re blocked; a privileged command runs and is attributed to that technician; the session terminates; you export the log and demonstrate retention and review. Stale screenshots from a prior tenant or version won’t carry the same weight — evidence should reflect the current tenant, version, configuration, identities, contract, and Marketplace/CMVP status.
See also: CMMC Level 2 self-assessment vs. C3PAO for the practical dividing line between the two paths.
Getting close to a Level 2 (C3PAO) assessment?The readiness and evidence work — and the formal assessment — should be handled by different kinds of partner, because under 32 CFR § 170.8(b)(17)(ii)(G) the people who prepared you generally can’t also assess that work (more on that below). Use Find My CMMC Path to line up readiness and assessment categories, kept properly separate.
What actually drives CMMC RMM cost?
There is no authoritative universal price for a “CMMC compliant RMM,” and any page quoting a tidy range is selling false precision.Real cost depends on the exact edition, endpoint and technician counts, modules, log-retention tier, any government-cloud minimums, self-hosting infrastructure, implementation and evidence work, migration, and provider participation — plus the controls the tool doesn’t supply. We publish the cost drivers, not invented numbers.
Price four buckets separately: subscription (per endpoint, per technician, per tenant, minimum commitment, government-cloud premium, log-retention tier, API/integration charges); implementation (architecture, tenant hardening, identity integration, RBAC, baselines, scripts, patch policies, logging, documentation, evidence collection, testing, training); migration (agent removal and redeployment, overlap period, script rewriting, policy conversion, historical-log retention, integration replacement, downtime, rollback); and self-hosting operations (infrastructure, database, backup, monitoring, certificates, administration, uptime, upgrades, security testing, recovery, staffing).
The bucket contractors ignore until it bites: the cost of unresolved evidence— a delayed assessment, extra readiness consulting, repeated evidence collection, an emergency migration, scope expansion, prime-contractor escalation, lost staff time. These can exceed the license cost, but the amount depends on your organization, assessment stage, migration, and provider contract. Define the boundary before you compare total costs. For dollar-level detail by scope and company size, see our CMMC Level 2 cost guide.
What RMM mistakes create the most CMMC assessment risk?
The costliest mistakes come from treating labels as evidence and treating unused capabilities as technically impossible. Each of the errors below maps to a rule or control, a missing artifact, and a test that would expose it.
- Buying the vendor name, not the exact offering. One vendor sells several packages with different boundaries and Marketplace statuses. Test: match the quote to a Marketplace package ID.
- Treating FedRAMP Ready as FedRAMP Certified. The two NinjaOne records above are the clean illustration. Test: read the lifecycle-status field.
- Accepting “FIPS encryption” without a certificate, version, mode, and component. Ties to 3.13.11. Test: pull the CMVP entry and the config evidence.
- Forgetting the embedded remote-control module. Base RMM and remote support can have different boundaries. Test: ask which product the session uses.
- Shared technician accounts. Destroys unique attribution under 3.1.7 / 3.1.15. Test: attribute one privileged command to a named person.
- Unmanaged technician workstations.A hardened portal doesn’t fix a laptop that reaches CUI systems. Test: inventory and classify the technician endpoint.
- CUI hiding in session recordings, tickets, or support diagnostics. Changes your provider boundary. Test: inspect a recording and a support export.
- No current CRM.Each side assumes the other implemented a control. Ties to § 170.19(c)(2)(ii). Test: produce the versioned matrix.
- Assuming on-prem is automatically safe.It shifts responsibility and evidence to you; it doesn’t erase them. Test: show your own hardening and logging evidence.
- Switching products before mapping the current data flow. Recreates the same problem at higher cost. Test: produce the data-flow diagram first.
- Asking a C3PAO to “approve” your RMM. A C3PAO assesses your information system, not products. Test: none — it’s a category error.
What should you do next if your RMM evidence is incomplete?
Don’t start with a replacement shortlist. Start with a map.Inventory the functions and data, classify the assets and provider relationships, request the missing evidence, test the controls, update your SSP and responsibility allocation — then decide whether the remaining gap is best solved by reconfiguration, a separate remote-support path, self-hosting, migration, or provider help.
- Freeze assumptions. Stop calling the tool compliant, non-compliant, FedRAMP, or FIPS until the exact evidence is in hand.
- Map functions and data— remote sessions, files, clipboard, recordings, tickets, telemetry, logs, scripts, APIs, support.
- Classify every component— base RMM, remote-control module, vendor cloud, MSP console, technician endpoint, jump host, integrations.
- Request evidence using the packet above.
- Test implementation— MFA, RBAC, privileged commands, restrictions, logging, retention, approved cryptographic mode.
- Update documentation— SSP, network diagram, asset inventory, data-flow diagram, CRM, policies, procedures.
- Decide— keep, reconfigure, split, self-host, or migrate.
Where the gap points, so does the provider category: a Registered Provider Organization (RPO) / Registered Practitioner (RP) for scoping, SSP, evidence, and implementation gaps; a Managed Security Service Provider (MSSP) or CMMC-focused MSP for ongoing operations and control ownership; a CUI enclave to shrink the primary environment (see CMMC secure enclaves); a GRC platform for responsibility, evidence, and SSP/POA&M workflow; a C3PAO only when you’re assessment-ready; and a qualified federal-contracts attorneyfor clause interpretation, flow-down, and contractual applicability. Keep readiness and formal assessment separate — under 32 CFR § 170.8(b)(17)(ii)(G), the Accreditation Body must prohibit CMMC Ecosystem members from participating in a Level 2 certification assessment for an organization they served as a consultant to prepare for any CMMC assessment within the preceding three years.
Need help deciding what type of CMMC provider you need?Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Seven non-sensitive questions, about two minutes. Provider matching may generate referral compensation if you engage a provider; no provider is ranked here because they paid for placement. Do not submit CUI, drawings, credentials, vulnerability data, or sensitive contract details.
Frequently asked questions
- Is any RMM officially “CMMC compliant”?
- No official, product-level CMMC designation exists. CMMC evaluates a contractor’s information system within a defined scope; it does not certify software. A product can provide relevant capabilities and supporting evidence, but your CMMC status depends on your environment, configuration, and evidence. (Source: 32 CFR Part 170.)
- What is the best RMM for CMMC Level 2?
- There isn’t a universal “best.” The right choice depends on whether CUI reaches the tool, the required cloud status, the exact cryptographic evidence, which modules are in scope, provider participation, logging, your internal staffing, and your assessment scope. Decide by your data flow, not by a ranking.
- Does every RMM need FedRAMP Moderate?
- No. FedRAMP is triggered when the cloud offering processes, stores, or transmits CUI. A cloud RMM handling only Security Protection Data stays in scope but does not automatically require FedRAMP. (Source: DoD CMMC Level 2 Scoping Guide; DoD CMMC FAQ.)
- Is viewing a CUI desktop over remote control “processing” CUI?
- It can be. The CMMC definition of “process” includes data being accessed, so interactive viewing can count as processing when it gives a user access to CUI. Whether the vendor cloud also processes or transmits that session content depends on the relay, encryption, recording, and storage design — which is why you should require a data-flow diagram. (Source: DoD CMMC Level 2 Scoping Guide.)
- Can we disable file transfer and keep our current RMM?
- Possibly. The restriction must be technically enforced server-side, documented, tested, monitored for change, and reflected in your SSP and data-flow analysis. A policy alone won’t satisfy an assessor. See the feature-disable worksheet above.
- Does hosting the RMM on-premises eliminate FedRAMP?
- It can remove the SaaS-cloud trigger for the application itself when the tool is fully local, but any underlying cloud hosting, backup, telemetry, update, or support path must still be evaluated — and self-hosting shifts operational and evidence responsibility to you.
- Is FIPS 140-2 still acceptable, or do we need FIPS 140-3?
- Don’t answer by the number alone. Check the exact module’s current NIST CMVP status, version, operational environment, and approved mode. CMVP will move remaining active FIPS 140-2 certificates to the Historical List on September 21, 2026; Historical is not Revoked (existing systems may continue; new procurements should not include them), and agencies make a risk determination. Under 32 CFR § 170.21(a)(2)(ii), SC.L2-3.13.11 can be placed on a POA&M if encryption is used but not FIPS-validated. (Source: NIST CMVP; 32 CFR § 170.21.)
- Is “FedRAMP Ready” good enough?
- Ready is not Certified and cannot be represented as such. The NinjaOne High package we checked currently shows zero authorizations; determine whether the exact status satisfies your specific procurement requirement. (Source: FedRAMP Marketplace.)
- Does our MSP need its own CMMC certificate?
- Not automatically. It depends on whether the provider is a CSP or another ESP, whether it receives CUI or only SPD, and whether its service is assessed within your scope. Not sending CUI to the MSP does not, by itself, remove it from scope. (Source: DoD CMMC FAQ; 32 CFR § 170.19(c)(2).)
- Can an RMM satisfy all 110 Level 2 requirements?
- No. An RMM can support and evidence a subset — mostly remote access, maintenance, audit, configuration, and integrity controls — but Level 2 covers the full NIST SP 800-171 Rev. 2 set across your entire assessment scope. (Source: NIST SP 800-171 Rev. 2.)
- Can Microsoft Intune replace an RMM for CMMC?
- They overlap on some management functions but aren’t interchangeable by label. Evaluate the enabled functions, data flows, remote-support path, evidence, responsibilities, cloud package (commercial vs. GCC High / Azure Government), and control coverage for the architecture you’re proposing.
- Should a C3PAO approve our RMM before we buy it?
- No. A C3PAO evaluates your information system within its defined scope, not products. A readiness advisor can help analyze architecture and evidence; the formal assessor must preserve independence.
- Does this analysis apply to CMMC Level 1?
- The product-badge warning still applies, but the CUI, FedRAMP, and Level 2 assessment analysis usually doesn’t fit an FCI-only Level 1 environment. Confirm what your contract requires before buying a Level 2-oriented deployment. For the level breakdown, see CMMC levels.
What we verified, and how —
Primary regulatory facts, verified against the issuing source:
- Asset categories, ESP/CSP scoping, and the CRM documentation requirement in 32 CFR §§ 170.4, 170.16, 170.17, 170.19 (eCFR).
- The CSP-in-Level-2 rule and Conditional/Final statuses in §§ 170.16–170.18, and the FIPS-encryption POA&M provision in § 170.21(a)(2)(ii) (eCFR).
- The three-year consultant-participation prohibition in § 170.8(b)(17)(ii)(G) (eCFR, verbatim).
- The cloud-CUI FedRAMP requirement in DFARS 252.204-7012(b)(2)(ii)(D) (Acquisition.gov) and the DoD CIO FedRAMP Moderate Equivalency memo (Dec. 21, 2023).
- NIST SP 800-171 Rev. 2 control text and NIST CMVP validated/Historical/Revoked definitions, including the September 21, 2026 FIPS 140-2 transition (NIST CSRC).
Current official records, directly checked:
- Both NinjaOne FedRAMP Marketplace records (FR2430847803 = Certified/Moderate; FR2620841940 = Ready/High).
Provider-stated claims reviewed (we verified the statement, not the underlying implementation):
- N-able N-central for CMMC availability, on-premise edition, and N-able’s own “not a CMMC-compliant solution” statement.
- Kaseya’s August 19, 2025 announcement that it engaged ControlCase to document and validate product CRMs, including Datto RMM.
Editorial conclusions:
The scope matrix, deployment guidance, feature-disable worksheet, and keep/reconfigure/split/self-host/migrate framework are our application of the verified facts above.
What we did not do:
- Conduct hands-on security testing of any product, or review any vendor’s private FedRAMP package or equivalency Body of Evidence.
- Validate any specific customer deployment, or verify any vendor’s assessment-pass claims.
- Endorse, rank, or certify any product, or determine your contract’s applicability for you.
- Replace an RP/RPO, a C3PAO, an assessor, or a federal-contracts attorney.
Primary sources
- eCFR — 32 CFR Part 170 (CMMC Program)
- eCFR — § 170.19 (CMMC scoping)
- eCFR — § 170.17 (Level 2 certification assessment)
- eCFR — § 170.16 (Level 2 self-assessment)
- eCFR — § 170.21 (POA&M requirements)
- eCFR — § 170.8 (Accreditation Body / conflict-of-interest rules)
- Acquisition.gov — DFARS 252.204-7012
- Acquisition.gov — DFARS 252.204-7019, -7020, -7021
- DoD CIO — CMMC Level 2 Scoping Guide
- DoD CIO — CMMC Level 2 Assessment Guide
- DoD CIO — CMMC FAQ
- DoD CIO — FedRAMP Authorization and Equivalency memorandum (Dec. 21, 2023)
- NIST CSRC — NIST SP 800-171 Rev. 2
- NIST CSRC — NIST SP 800-171A (assessment procedures)
- NIST CSRC — FIPS 140-3 Transition Effort (140-2 Historical date)
- FedRAMP Marketplace — NinjaOne for Government (Moderate, FR2430847803)
- FedRAMP Marketplace — NinjaOne for Government – FedRAMP High (Ready, FR2620841940)