CMMC Managed Service Providers: When Your MSP Is In Scope — and When It Isn’t

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We do not claim affiliation with the Department of Defense, the Cyber AB, or any U.S. government agency. This article is informational and is not legal or compliance advice. Provider-matching forms on this site may generate referral or lead-routing compensation; that compensation never determines our category guidance, and this page does not rank or endorse any named MSP or MSSP.

Here’s the short version, because you came here to decide something, not to read a definition.

CMMC managed service providers (MSPs and MSSPs) do not automatically need their own CMMC certification — and they are not automatically out of your assessment scope either. Under the CMMC Program rule (32 CFR Part 170, effective December 16, 2024), your provider enters your assessment scope when its own assets process, store, or transmit your Controlled Unclassified Information (CUI) — or your Security Protection Data (SPD), the logs, configuration files, alerts, and vulnerability data your provider’s tools collect to protect your environment. If none of that lands on provider-owned assets, the provider may not be in scope at all.

So the real question is not “is my MSP CMMC certified?” It’s “what does my MSP touch, is that documented, and can it prove it?”

That distinction is the whole game — and it’s where most of the internet is still wrong. A lot of pages still tell you every MSP handling CUI must hold its own certification. That was the proposedrule. The final rule changed it. Other pages tell you your MSP is fine because “no CUI ever goes to them” — which ignores Security Protection Data entirely. We read 32 CFR Part 170, the DoD’s official CMMC FAQ, and the FedRAMP equivalency memo directly so we could give you the version that actually matches the current rule.

The CMMC MSP Scope & Evidence Matrix

Find the row that matches your provider relationship. Sources: 32 CFR Part 170 (§ 170.4, § 170.17, § 170.19, Subpart C); DoD CMMC FAQ Section E; DoD CIO FedRAMP Moderate Equivalency memo, December 21, 2023; DFARS 252.204-7012.

Is my MSP even in scope for CMMC?

An MSP or MSSP is in your CMMC assessment scope when its own assets process, store, or transmit your CUI or your Security Protection Data while providing IT or cybersecurity services. Security Protection Data — the logs, configuration files, alerts, vulnerability data, and credentials your provider’s tools collect — is what pulls most providers into scope, even when no CUI ever reaches them. This is the single most misunderstood point in the entire topic.

Here’s why it trips people. Contractors reason like this: “We don’t send our MSP any CUI, so they’re outside the boundary.” It feels logical. It’s also wrong, and the DoD said so plainly. In Section E of its CMMC FAQ, the DoD posed exactly this scenario — IT support handled by one ESP, security tools handled by another, no CUI sent to either— and answered: yes, both are ESPs, and both are assessed as part of your assessment scope. The mechanism is Security Protection Data.

Your MSP’s SIEM ingests your logs. Their EDR holds detection telemetry. Their RMM tool has privileged access to your machines. Those tools are Security Protection Assets, and when those assets sit on the MSP’s infrastructure, the provider becomes an ESP whose applicable services get assessed within yourassessment scope. 32 CFR § 170.19 governs this, and it’s not ambiguous.

So the test isn’t “does CUI touch them?” The test is broader: what data, what security functions, and what access does this provider’s own infrastructure actually handle? You answer that by mapping the data flow, not by assuming.

The flip side is real too. A provider whose own assets process, store, or transmit neitherCUI nor Security Protection Data does not meet the ESP definition (32 CFR § 170.4). A vendor needing only temporaryaccess — a penetration tester, an incident-response or forensics firm, a one-time vulnerability scan — usually isn’t an ESP, because nothing persists on its infrastructure. Neither is pure staff augmentation where you provide the equipment, the facilities, and the procedures.

Does my MSP need its own CMMC certification?

In most cases, no. The DoD’s CMMC FAQ (Section E) states that an MSP storing your CUI in a non-cloud system is not required to hold its own CMMC assessment, though it may elect one. Instead, the provider’s in-scope services are assessed within your Level 2 assessment against the applicable NIST SP 800-171 Revision 2 requirements. If the provider does choose to get certified to streamline your assessment, the DoD says its certification level and type must equal or exceed what your contract requires.

There’s a worthwhile nuance in the rule’s own language that’s worth resolving, because it looks like a contradiction and isn’t. The rule says ESPs that only handle Security Protection Data “do not require CMMC assessment or certification” — and alsosays those services are assessed as Security Protection Assets within your scope. Both are true. The reconciliation: your provider doesn’t need an independent certificate, but its in-scope services doget assessed — inside your assessment. That’s a critically different sentence than “you don’t have to think about it.”

Why would a provider ever certify voluntarily? Three honest reasons: it serves many DIB clients and wants to stop re-proving the same controls in every client’s assessment; it wants to prove its own control maturity as a market differentiator; or a prime or customer demands it commercially even though the rule doesn’t. A provider’s own certification can reduce friction in yourassessment. It just doesn’t transfer responsibility to them.

Is my MSP secretly a Cloud Service Provider? (The FedRAMP trap)

It depends on who owns the cloud. The DoD’s CMMC FAQ says an MSP is not a Cloud Service Provider simply because it administers — or even resells — a cloud tenant that is licensed to you. But if the MSP contracts with the cloud provider directly and modifies the basic service before delivering it to you, the MSP may itself be a CSP, and any CSP that stores, processes, or transmits CUI must meet FedRAMP Moderate authorization or FedRAMP Moderate equivalency.This is the trap that catches small contractors most often, because the distinction hinges on a contract term — who is the licensed tenant — that most people have never read.

The practical move is short. Ask your provider, in writing: Who is the licensed tenant — us or you? Do you modify the cloud service, or just administer it? Is the cloud offering FedRAMP Moderate authorized or equivalent, and can you produce the Body of Evidence? Where do backups, logs, and support-ticket data actually live? If the answers are fuzzy, that’s your signal.

MSP vs. MSSP vs. RPO vs. C3PAO: which one do you actually need?

These are four different jobs, and conflating them is how contractors overspend or stall. An MSP runs your IT operations. An MSSP runs your security monitoring and operations. An RPO (Registered Practitioner Organization) is a Cyber AB-listed advisory firm that prepares you for certification. A C3PAO (Certified Third-Party Assessment Organization) is the only entity authorized to perform your Level 2 certification assessment and issue your status.Hire one role and expect it to do another, and you’ll either pay twice or fail an assessment.

A few honest pairings. If you have no internal IT and you handle CUI, you likely need a CMMC-capable MSP plus readiness help. If you have IT but no monitoring, you need an MSSP or MDR provider with real CMMC evidence support, again paired with readiness. If your operations are solid but your paperwork is thin, you mostly need an RPO. And when your environment is genuinely ready, you engage a C3PAO — and only then.

Cyber AB Ecosystem Snapshot — last checked May 27, 2026

The constraint here is not just assessor supply — it’s also contractor readiness, and the part you can control right now is your scope, your evidence, and your provider relationships. Industry reporting has described C3PAO calendars booking out well into and beyond 2026, so the contractors who get organized early are the ones who hold the early assessment slots.

The honest part: an MSP can’t take your compliance off your shoulders

A managed service provider — no matter how good — cannot own your CMMC responsibility. You remain the accountable party for your assessment scope, the accuracy of your System Security Plan (SSP), your annual affirmation in the Supplier Performance Risk System (SPRS), and your CMMC status. A provider can operate controls, collect evidence, and carry most of the technical weight. It cannot sign your affirmation or make your scoping decisions for you.

If you were hoping to write a check and make CMMC someone else’s problem, that’s the bad news. Now the good news, because this actually works in your favor. Once you accept that the responsibility stays with you, the decision gets simpler, not harder. You’re no longer shopping for a savior. You’re shopping for a provider that makes you defensible — one that documents its role, produces a Customer Responsibility Matrix, and shows up cooperatively when the C3PAO asks questions. The right MSP is the one whose evidence you could hand an assessor without flinching. The wrong one is the one that says “don’t worry, we’ve got it” and can’t produce a single artifact when you ask.

What a CMMC-ready MSP must give you before you sign

A CMMC-ready provider gives you more than uptime promises and reassuring security language. At minimum, it should produce a service description, a Customer Responsibility Matrix (CRM), inputs to your System Security Plan, a data-flow explanation, an evidence-support process, and contract terms that back up your DFARS and CMMC obligations.32 CFR Part 170 specifically requires that an ESP’s use be documented in your SSP and described in the provider’s service description and CRM (§ 170.19) — so a provider that can’t produce a CRM literally cannot be documented the way the rule expects.

The Customer Responsibility Matrix is the centerpiece. A real CRM maps responsibility for the applicable NIST SP 800-171 Revision 2 requirements — all 110 of them, organized into 14 control families— to one of three owners: the provider, you, or shared with the split spelled out. It is not optional, and it is not a one-page marketing handout. When a C3PAO assesses an environment that includes your MSP, the CRM is one of the first artifacts it examines to see who is responsible for what.

The evidence package a serious provider should be able to hand you:

• A written service description and a complete CRM mapped to the requirements they touch
• SSP inputs for the responsibilities they own, written to match what they actually do
• Asset inventory inputs and a data-flow / network diagram showing where CUI and Security Protection Data go
• The admin-access model — who has privileged access, and how it’s controlled
• How RMM, ticketing, file transfer, and backup handle data (and whether file transfer can be disabled)
• Log-retention and monitoring details, and the incident-response support process
• Vulnerability and patch management workflow
• A written commitment to cooperate with your C3PAO assessment, including interviews
• Disclosure of sub-processors and tooling that touch your environment
• For any cloud they provide, FedRAMP authorization or equivalency evidence

On the contract side, your agreement should require CRM delivery and updates, assessment cooperation, evidence retention, incident notification, defined data locations and cloud boundaries, restrictions on where CUI and Security Protection Data can go, sub-processor disclosure, and transition support if you part ways. It should notcontain a guarantee of certification — and you should be wary of any provider that offers one. Remember the flow-down obligation too: under DFARS 252.204-7021 and 32 CFR § 170.23, you must flow the appropriate CMMC requirements down to subcontractors and suppliers that will process, store, or transmit FCI or CUI (commercial off-the-shelf items are excepted).

Keep, supplement, or replace your current MSP?

Keep your provider if it can explain your CMMC scope, produce a CRM, support your SSP and evidence, and cooperate with the assessment. Supplement it if it’s operationally strong but weak on CMMC documentation, security monitoring, or readiness experience. Replace it if it refuses to map responsibilities, can’t control where CUI and Security Protection Data go, confuses the CMMC levels, or wants to both prepare and assess you.

The question we hear most: what if my MSP says they’re “not pursuing CMMC”?Don’t panic, and don’t assume they must be certified — most don’t have to be. First classify the relationship using the matrix above. Then send them this, in writing: “Please provide your current CMMC support position, a service description, a Customer Responsibility Matrix for the services you provide to our CUI environment, and a list of any provider-managed tools that process, store, or transmit CUI or Security Protection Data.”If they engage and can support the evidence, you may be fine. If they go quiet or refuse the basics, your problem was never their certification status — it’s that they can’t support your assessment, and that’s a replace signal.

What do CMMC managed service providers cost?

There’s no fixed price, and you should treat any universal number with suspicion — cost is a scoped quote, not a sticker. The one official anchor is the DoD’s modeled estimate, published in the Federal Register, that a Level 2 third-party (C3PAO) assessment-and-affirmation cycle runs $104,670 for a small entity over three years (roughly $105,000–$118,000 across entity sizes). Everything else — managed services, readiness, enclaves — is market-observed and varies widely by your scope, your starting maturity, and your environment. We label the official figure and the market ranges separately on purpose, because conflating them is how people build bad budgets.

What the market actually charges

Publicly reported industry ranges, not our own dataset — treat as directional and get scoped quotes.

• Gap / readiness assessment: ~$3,500–$20,000+
• Documentation (SSP, policies, POA&M): ~$3,000–$60,000
• Remediation / implementation: ~$10,000–$250,000+ (often several times the assessment fee)
• C3PAO assessment fee: ~$30,000–$75,000 for many small businesses
• Managed services + tooling (EDR, SIEM, backups, monitoring): commonly ~$20,000–$80,000/year
• A first Level 2 cycle, all-in: frequently ~$75,000–$300,000+, driven mostly by starting maturity

Sources we read

• 32 CFR Part 170— CMMC Program (eCFR): definitions (§170.4), Level 2 assessment (§170.17), scoping (§170.19), C3PAOs and conflict of interest (§170.9 and Subpart C), applicability and phases (§170.3), flow-down (§170.23). Last verified May 27, 2026.
• Federal Register, October 15, 2024— CMMC Program final rule (effective December 16, 2024), including the Regulatory Impact Analysis cost estimates.
• DoD CMMC Frequently Asked Questions, Section E (External Service Providers)— DoD CIO CMMC resources, dodcio.defense.gov/CMMC.
• DoD CIO memorandum, FedRAMP Moderate Equivalency for CSP Cloud Service Offerings, December 21, 2023— 100% FedRAMP Moderate baseline, 3PAO-assessed Body of Evidence, zero assessment POA&Ms permitted.
• DFARS 252.204-7021 (CMMC clause), 252.204-7012 (safeguarding / cloud), 252.204-7019 (NIST 800-171 DoD Assessment notice), and 252.204-7020 (NIST 800-171 DoD Assessment methodology and SPRS posting) — Acquisition.gov.
• NIST SP 800-171 Revision 2(110 requirements, 14 families) and NIST SP 800-171A — NIST CSRC. CMMC Level 2 currently incorporates Rev. 2.
• CMMC Level 2 Scoping Guide— DoD CIO, dodcio.defense.gov/CMMC.
• Cyber AB— Ecosystem Roles, Town Hall reporting (ecosystem counts, March 2026), and the Marketplace. cyberab.org.

Frequently asked questions

Sources: 32 CFR Part 170 (eCFR); CMMC Program final rule, Federal Register Oct 15, 2024; DoD CMMC FAQ Section E; DoD CIO FedRAMP Moderate Equivalency memo, Dec 21, 2023; DFARS 252.204-7012, 252.204-7021; NIST SP 800-171 Rev. 2 (NIST CSRC); Cyber AB Marketplace (March 2026 Town Hall figures).

Byline: The Defense Compliance Report Editorial Team. Last verified: May 27, 2026.