The Defense Compliance Report — independent trade publication on CMMC 2.0 and DIB compliance
CMMC Requirements for MSPs: When You’re In Scope, What You Must Prove, and When Certification Isn’t Required
If you run an MSP with even one defense-contractor client, you’ve probably gotten the email: “Our prime says CMMC is coming. Are you compliant?” And you’ve probably found that the honest answer — “it depends” — is not what anyone wants to hear.
Here’s the real answer
The CMMC requirements for MSPs come down to what your own systems touch and what role you play: whether a provider-owned system processes, stores, or transmits Controlled Unclassified Information (CUI); whether it processes, stores, or transmits Security Protection Data (SPD) — logs, configurations, alerts, credentials; and whether you’re acting as a cloud service provider. Most MSPs don’t hold CUI and aren’t cloud providers, which means most MSPs do not automatically need their own CMMC certification. But most are still inside a client’s assessment as a Security Protection Asset — and that carries its own evidence obligations.
We read the rule text ourselves — the CMMC Program final rule at 32 CFR Part 170, effective — and cross-checked it against the DoD’s official scoping guides and its published CMMC FAQ, which has a whole section devoted to these exact MSP questions. Below is the map most of page one won’t give you, because it requires reading the rule rather than the summaries of summaries.
CMMC requirements for MSPs, in one screen
Short answer: An MSP’s obligations depend on what its own systems touch, not on whether it markets itself as “CMMC compliant.” If CUI lands on the MSP’s assets, the MSP is assessed inside the contractor’s assessment; if the MSP is a cloud provider holding CUI, FedRAMP Moderate applies. If the MSP handles only Security Protection Data, its services are assessed as Security Protection Assets. If it touches neither CUI nor SPD on its own systems, it isn’t an External Service Provider.
| If your MSP… | CMMC treatment | Your first move |
|---|---|---|
| Manages a CUI client and your tools hold Security Protection Data — logs, alerts, configs, credentials — but no CUI | You’re a Security Protection Asset inside the client’s assessment; no separate certification required | Produce a shared/customer responsibility matrix and SSP inputs |
| Stores, processes, or transmits CUI on your own systems (and you’re not a cloud provider) | Your in-scope services are assessed inside the client’s assessment; you may pursue your own Level 2 voluntarily | Decide: get certified, or be assessed in every client’s audit |
| Provides a cloud service that holds client CUI (hosted enclave, hosted CUI tenant, cloud storage) | You’re acting as a Cloud Service Provider; FedRAMP Moderate (or equivalent) applies | Verify FedRAMP authorization or equivalency evidence |
| Touches neither CUI nor Security Protection Data on provider-owned systems | You do not meet the CMMC definition of an External Service Provider | Document why you’re out of scope |
| Prepared/remediated the environment and now wants to run the formal assessment | Conflict of interest — a consultant can’t join that client’s Level 2 assessment team for three years | Separate the builder from the assessor |
Find your row before you read further. Are you the SPD-only Security Protection Asset (the most common case), the CUI-on-your-systems case, the cloud-provider case, out of scope, or the conflict-of-interest case? Hold that answer — the rest of this page tells you exactly what it means and what to do.
Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you hire or spend. Do not submit CUI, credentials, or contract-sensitive details.
Find My CMMC Path →
What are the CMMC requirements for MSPs?
Short answer: The CMMC rule does not contain the word “MSP.” It regulates managed service providers through a broader category — External Service Provider (ESP) — defined in 32 CFR § 170.4. Whether and how an MSP is covered turns on two facts: whether it is a Cloud Service Provider (CSP), and whether Controlled Unclassified Information (CUI) or Security Protection Data (SPD) is processed, stored, or transmitted on provider-owned assets.
Here’s the reframe that dissolves most of the confusion. People search “does my MSP need CMMC” as if it’s a credential question — a yes/no badge. It isn’t. It’s a scope-and-evidence question: what do your people, tools, and systems actually touch, and where does that get assessed?
The rule uses precise vocabulary, so we will too:
- FCI (Federal Contract Information)
- Information provided by or generated for the government under a contract, not intended for public release. When a contract requires CMMC Level 1, it applies to the contractor systems that process, store, or transmit FCI — 15 basic safeguarding requirements from FAR 52.204-21, self-assessed annually, all 15 met in full with no exceptions.
- CUI (Controlled Unclassified Information)
- Government information that law or policy requires be safeguarded. When a contract requires CMMC Level 2, it applies to the systems that process, store, or transmit CUI — the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families.
- SPD (Security Protection Data)
- Security-relevant data such as logs, configuration files, vulnerability data, and credentials used to protect the assessed environment. You can be in scope for handling SPD even if you never touch the client’s business CUI.
- ESP (External Service Provider)
- External people, technology, or facilities used for a contractor’s IT or cybersecurity operations, where CUI and/or SPD is processed, stored, or transmitted on the provider’s assets.
- CSP (Cloud Service Provider)
- An external company providing cloud infrastructure, platform, application, or storage services.
Notice the difference between an ESP and a subcontractor. If you furnish the actual contract deliverable, you’re a subcontractor, and CMMC requirements flow down to you under DFARS 252.204-7021 and 32 CFR § 170.23. If you support the contractor’s IT and security, you’re an ESP, scoped under 32 CFR § 170.19. Many MSP relationships become ESP relationships, not subcontractor relationships.
The two questions that decide everything:
- Is the MSP a Cloud Service Provider?
- Does the MSP’s own system process, store, or transmit CUI, SPD, both, or neither?
Do MSPs need their own CMMC certification?
Short answer: Usually not. Under 32 CFR § 170.16(a)(3), a non-cloud ESP that handles CUI has its relevant services “assessed within the scope of the OSA’s assessment against all Level 2 security requirements” — meaning the MSP is evaluated inside the contractor’s assessment rather than holding a separate certificate. An MSP may voluntarily pursue its own CMMC assessment to ease client audits and win business, but the rule does not make it mandatory for a non-cloud ESP.
This is the single most misreported fact on the topic. For a non-cloud ESP that handles CUI, the rule gives the contractor a clean path: document the ESP in the System Security Plan (SSP), the ESP’s service description, and a Customer Responsibility Matrix (CRM), and then assess those ESP services inside the contractor’s assessment. There is no requirement in the rule that such an MSP hold a standalone CMMC certificate. Voluntary certification exists; mandatory certification for a non-cloud ESP does not.
So the honest picture is a spectrum, not a switch:
- You touch no CUI or SPD on your own systems → you’re not even an ESP, and no certification is required.
- You handle only SPD (logs, alerts, configs) → no certification required; you’re a Security Protection Asset assessed inside the client’s scope.
- You hold CUI on your own non-cloud systems → no automatic certificate required either; your services are assessed inside each client’s assessment. But if you serve several DIB clients, voluntary Level 2 certification is often the cleaner, cheaper path — because with your controls already assessed and authorized, you stop having to prove them from scratch in every client’s audit. A certified MSP is also a real differentiator.
- You’re a cloud provider holding CUI → certification isn’t the mechanism at all; FedRAMP is.
Not sure whether your MSP is actually in your assessment scope? Answer five scope questions — CUI, Security Protection Data, cloud ownership, tooling, and assessment type — and get the provider category and evidence list that fits your situation. Do not submit CUI, drawings, credentials, or contract-sensitive details.
Check whether your MSP is in scope →
When is your MSP an External Service Provider (ESP)?
Short answer: An MSP becomes an ESP when it provides external IT or cybersecurity services and CUI or Security Protection Data is processed, stored, or transmitted on the MSP’s own assets. If neither CUI nor SPD ever touches the provider’s assets, the provider does not meet the CMMC definition of an ESP under 32 CFR § 170.19.
The phrase that trips people up is “on the MSP’s own assets.” Admin access alone is not the trigger — data landing on your systems is. But “your systems” is broader than most MSPs assume. Any of these can pull you in:
- Your RMM (remote monitoring and management) platform
- Your SIEM or SOC tooling, EDR console, and the alerts and logs they ingest
- Your backup infrastructure
- Your ticketing/helpdesk system (attachments are the usual culprit)
- Your file-transfer or remote-support tools
- Your admin workstations
- Any cloud-hosted support tools you point at the client’s environment
Here’s the pattern we see cause the most trouble: an MSP swears “no CUI touches us,” then a technician pastes a CUI document into a support ticket, or a nightly backup sweeps up a CUI file share, or the SIEM ingests logs full of Security Protection Data. Now provider-owned systems are handling covered data, and the “we’re out of scope” story collapses on assessment day.
The five-question ESP self-check
Run your relationship through these before you tell a client anything. Answer honestly, then map yourself to a row in the matrix in the next section.
- Does your own system process, store, or transmit CUI?
- Does your own system process, store, or transmit logs, configuration data, alerts, vulnerability data, or other SPD?
- Do you provide security functions for the client’s assessed environment (firewalling, monitoring, identity, patching)?
- Do you own or modify the cloud service, or only administer the client’s own tenant?
- Can you produce a service description and a Customer Responsibility Matrix?
What changes if the MSP handles CUI, Security Protection Data, or neither?
Short answer: CUI, SPD, and neither produce three different outcomes. If the MSP is a cloud provider handling CUI, FedRAMP Moderate applies; if it’s a non-cloud ESP handling CUI, its services are assessed inside the contractor’s assessment. If it handles only SPD, its services are assessed as Security Protection Assets against the specific Level 2 requirements they support. If it handles neither on provider-owned systems, it isn’t an ESP. This split comes directly from 32 CFR § 170.19 Table 4.
The MSP CMMC Scope, Evidence & Exposure Matrix
| Your situation | CMMC classification | Where it’s assessed | Own certification required by the rule? | Evidence to have ready | Best next move |
|---|---|---|---|---|---|
| You store/process/transmit CUI on your own non-cloud systems | Non-CSP ESP handling CUI | Inside the contractor’s assessment; ESP services assessed against all Level 2 requirements | No — assessed in the client’s scope; you may voluntarily certify | SSP inputs, service description, CRM, asset inventory, data-flow map, access-control and storage evidence | Keep if evidence is real; consider your own Level 2 if you serve several DIB clients |
| You run SIEM/EDR/monitoring/logging and hold SPD, but no CUI | ESP handling SPD → Security Protection Asset | In the contractor’s assessment as an SPA, against the Level 2 requirements your services support | No | Log-flow map, retention policy, CRM, tool architecture, privileged-access procedures, assessor-interview commitment | Keep if evidence is strong; add MSSP/GRC support if monitoring exists but documentation is thin |
| You administer the client’s own GCC High / Azure Government / AWS GovCloud tenant | ESP/admin support — not necessarily a CSP | Depends on CUI/SPD and privileged access | No | Tenant-ownership proof, admin-role list, MFA/conditional-access evidence, CRM, SSP inputs | Document the cloud boundary and your admin responsibilities |
| You package and deliver a cloud service that holds client CUI | You may be acting as a CSP | CSP requirements apply if CUI is involved | Certification isn’t the issue — FedRAMP Moderate (or equivalent) is | FedRAMP Marketplace listing or equivalency Body of Evidence, CRM, CSP boundary, subprocessor list | Require a written FedRAMP path before hosting CUI |
| You run RMM / remote support / backup / file transfer connected to a CUI environment | Fact-specific ESP / SPA / CUI-asset exposure | Likely in scope if CUI or SPD lands on your assets | No — even if CUI persists on your non-cloud systems, the rule doesn’t require a standalone MSP certificate; those services are assessed in the client’s scope. If the tool is a cloud offering holding CUI, run the CSP/FedRAMP analysis instead. | RMM data map, ticket-redaction rules, backup encryption, transfer settings, admin logs, CRM | Treat as in scope until a data-flow map proves otherwise |
| You use only client-owned equipment, no provider asset touches CUI/SPD | Usually not an ESP | Usually outside ESP scope | No | Written out-of-scope rationale; proof of no provider-owned storage/tooling | Preserve the evidence of why you’re out |
| Temporary access — pen test, incident response, forensics, vulnerability scan | Usually not an ongoing ESP if no CUI/SPD persists on your assets | Fact-specific | No | SOW, access duration, data-handling and destruction/return rules | Keep it temporary and documented |
| You did the readiness/remediation and now want to assess it | Independence/conflict issue, not a scope issue | Assessment-independence problem | The three-year conflict rule governs | Cyber AB status, engagement dates, conflict disclosure | Separate the firm that builds from the firm that assesses |
Three separate things people constantly blur
Almost every argument about “CMMC for MSPs” mashes three separate things into one. Pull them apart and the fog lifts:
- Track A — Your own certification. Voluntary, or driven by your own DoD contract. Relevant if you hold CUI on non-cloud systems and want to stop being re-assessed in every client’s audit, or if you’re also a DoD subcontractor whose own contract requires a CMMC status. Not automatically mandatory.
- Track B — FedRAMP Moderate (or equivalent). Only relevant if you act as a cloud provider for CUI.
- Track C — Being in scope for your client’s assessment as a Security Protection Asset. This one hits many MSP and MSSP relationships that touch zero business CUI but do process, store, or transmit Security Protection Data — logs, configs, alerts, vulnerability data, credentials — on provider-owned assets. It requires a CRM referenced in the client’s SSP.
You can owe Track C and not Track A or B. That’s the normal case. Getting this straight is worth more than any certificate.
Before you ask any provider for a quote, classify what you’re actually dealing with. Get matched with source-checked provider categories — readiness/MSP/MSSP, CUI enclave, GRC, or the C3PAO path — based on your level, scope, and timeline, not a one-size-fits-all vendor list. Do not submit CUI.
Get matched with source-checked provider options →
When does an MSP need FedRAMP Moderate?
Short answer: An MSP does not need FedRAMP just for providing IT support. FedRAMP becomes the gating requirement when the MSP acts as a Cloud Service Provider whose offering stores, processes, or transmits CUI. Per 32 CFR § 170.16(a)(2) and DFARS 252.204-7012, that cloud offering must be FedRAMP Moderate Authorized or FedRAMP Moderate Equivalent.
Equivalency is not a marketing claim. Under the DoD’s FedRAMP Moderate Equivalency guidance (the December 21, 2023 memo), the cloud offering must be assessed by a FedRAMP-recognized Third-Party Assessment Organization against the full FedRAMP Moderate baseline — roughly 325 controls, about three times CMMC Level 2’s 110 — and backed by a Body of Evidence. A SOC 2 report, an ISO 27001 certificate, or a vendor questionnaire does not satisfy it. For more on this, see our full CMMC cloud service provider requirements guide.
Whether you’re even a CSP is its own question. The rule points to the NIST definition of cloud computing, whose five essential characteristics (NIST SP 800-145) are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Using cloud tools to deliver your service does not make you a CSP. Here’s the line, three ways:
| Your cloud role | Are you a CSP? | FedRAMP evidence needed | What to ask for |
|---|---|---|---|
| You administer the client’s own tenant (they own the GCC High / GovCloud subscription) | Generally no — you’re an ESP administering their environment | None from you; the client’s environment carries its own authorization | Tenant-ownership proof, admin-role list, MFA/conditional-access evidence, CRM |
| You own, package, or modify a cloud offering that holds client CUI | Yes, likely | FedRAMP Moderate authorization or equivalency Body of Evidence | Marketplace listing or 3PAO-validated BoE, CSP boundary, subprocessor list, CRM |
| You only resell licenses | Reselling alone is not CSP status | Depends on who owns/operates the service | Who owns, modifies, and operates the offering — then classify from there |
The practical move, stated plainly. Standing up and continuously maintaining your own FedRAMP-equivalent CUI environment is a major compliance program in its own right — heavy on 3PAO assessment, documentation, and continuous monitoring — not an MSP shortcut. The cleaner route for most MSPs is to keep client CUI inside an already-authorized environment — Microsoft’s GCC High carries a FedRAMP High authorization and GCC a FedRAMP Moderate authorization; verify current status on the FedRAMP Marketplace — and architect your services around it. If that boundary decision is where you’re stuck, that’s exactly what a CUI enclave or GCC High implementation partner exists to solve.
What CMMC actually costs — and why your MSP is already in DoD’s math
Short answer: The DoD’s own cost estimates assume contractors will pay an External Service Provider to help them prepare for and participate in a Level 2 assessment — the analysis breaks out ESP support as its own labor line. For a small entity, DoD estimated a Level 2 self-assessment and affirmations at roughly $37,000 over three years, and a Level 2 C3PAO certification at $101,752 for the initial assessment ($104,670 over three years). Level 1 runs about $6,000.
We went to the source — the CMMC Program rule’s Regulatory Flexibility Analysis filed with the rulemaking. The numbers for a small entity:
| DoD small-entity estimate | Initial assessment + affirmation | Three-year cost |
|---|---|---|
| Level 1 self-assessment | ~$5,977 | Annual self-assessment thereafter |
| Level 2 self-assessment | ~$34,000 | ~$37,000 |
| Level 2 C3PAO certification | $101,752 | $104,670 |
The part that matters for the MSP conversation: DoD’s model prices in labor “for a company (and any ESP support) to prepare for and participate in the assessment,” as a distinct line from in-house IT and management. In plain terms: the government built the cost of your MSP’s involvement into its official estimate of what CMMC costs a contractor. Your role in a client’s assessment isn’t a footnote the DoD forgot. It’s a line item.
Two honest caveats: these are DoD’s estimates, not market quotes — real engagements vary widely by size, scope, and starting maturity. And DoD’s Level 2 figures deliberately exclude the cost of actually implementing the 110 controls, because the government considers that a pre-existing obligation under DFARS 252.204-7012 since 2017. That implementation and remediation work is usually the expensive part: across the market, the C3PAO audit fee itself is commonly only about 20–30% of a contractor’s total cost, with readiness, remediation, and technology the larger share.
Want scoped numbers instead of national averages? Tell us your level, your MSP’s role, your CUI boundary, your cloud environment, and your timeline, and we’ll route you to source-checked provider categories that fit. Do not submit CUI.
Request scoped quotes from matched provider categories →
What to demand from your MSP before an assessment
Short answer: A CMMC-ready MSP should give you documentation, not promises. At minimum, expect a service description, a Customer Responsibility Matrix, SSP inputs, a CUI/SPD data-flow map, a tool and subprocessor list, a privileged-access model, an evidence-export process, and a written commitment to support assessment interviews and artifact requests. 32 CFR § 170.19 requires the ESP relationship, services, SSP reference, and CRM to be documented.
It is still common to find an MSP that has never produced a Shared Responsibility Matrix. If yours hasn’t, you may have to demand one — and if they can’t build it, that tells you something before assessment day does. Use this as your request list, whether you’re the contractor asking or the MSP getting ahead of it:
| Evidence item | Why it matters | Who owns it |
|---|---|---|
| Service description | Defines what the MSP actually does | MSP |
| Customer Responsibility Matrix (CRM) | Splits each NIST SP 800-171 responsibility between you and the MSP | MSP + contractor |
| SSP inputs | Lets the contractor document the MSP relationship in the System Security Plan | MSP + contractor |
| CUI/SPD data-flow map | Shows where covered data actually moves | MSP |
| Asset inventory inputs | Identifies which provider tools are in scope | MSP + contractor |
| Privileged-access model | Shows admin control, least privilege, and MFA | MSP |
| Tool / subprocessor list | Prevents hidden scope expansion from offshore help desks or third-party SOCs | MSP |
| FedRAMP evidence (if a CSP) | Required if a cloud offering handles CUI | CSP/MSP |
| Evidence-retention / export plan | Prevents lock-in and an assessment-day scramble | MSP |
| Assessment-cooperation clause | Ensures the MSP shows up for assessor interviews and artifact requests | MSP |
Two contract terms are worth singling out. Get the assessment-cooperation and CRM-delivery commitments in writing — including update frequency — because a helpful MSP in the sales cycle can become an unreachable one during an audit. And watch the subprocessor question hard: if your MSP outsources help desk, NOC, or engineering to third parties who can reach CUI systems, that exposure can flow into your scope. Offshore or non-U.S.-person access is a special hazard for ITAR/EAR data and needs to be locked down contractually before it becomes an assessment finding.
Which NIST SP 800-171 Rev. 2 controls your MSP usually affects
Short answer: An MSP does not “own CMMC” for the contractor, but it typically influences the controls that decide whether an environment can be assessed cleanly. Within the 110 requirements, the heaviest MSP-touched areas are access control, identification and authentication, audit and accountability, configuration management, incident response, maintenance, risk assessment, system and communications protection, and system and information integrity.
This is the shortlist of families where an MSP’s tooling and procedures make or break the client’s evidence, plus the failure we see derail assessments in each one.
| Control family | Where the MSP shows up | Evidence to request | Common MSP evidence failure |
|---|---|---|---|
| Access Control | Admin roles, least privilege, remote access | Admin role list, access reviews | Stale admin accounts; shared credentials |
| Identification & Authentication | MFA, account lifecycle, privileged identities | MFA policy, provisioning workflow | MFA gaps on privileged/service accounts |
| Audit & Accountability | Logs, SIEM, retention, alerting | Log sources, retention settings, alert workflow | Logs exist but retention period isn’t mapped to the requirement |
| Configuration Management | Baselines, change control, hardening | Baseline configs, change tickets | A baseline exists but no evidence changes follow it |
| Incident Response | Detection, escalation, reporting support | IR playbook, escalation contacts | No documented escalation path to the client |
| Maintenance | Remote maintenance, support tooling | Maintenance logs, tool controls | Remote maintenance sessions aren’t logged or controlled |
| Risk Assessment | Vulnerability scanning and remediation | Scan reports, remediation SLAs | Scans run, but no evidence of remediation timelines |
| System & Communications Protection | Boundary protection, encryption, segmentation | Network diagram, firewall rules | Diagram doesn’t match the real environment |
| System & Information Integrity | EDR, patching, malicious-code protection | EDR reports, patch dashboard | Patch dashboard exists but coverage gaps aren’t tracked |
Keep, supplement, or replace your MSP?
Short answer: Keep the MSP if it can map scope, produce evidence, support your SSP and CRM, control CUI/SPD flows, and cooperate with your assessment. Supplement it if the IT is strong but the documentation, monitoring, or CMMC interpretation is weak. Replace it if it refuses responsibility mapping, mishandles CUI/SPD, guarantees certification, hides its subprocessors, or wants to both prepare and assess the same environment.
Most contractors assume the answer is “fire the MSP and hire a defense specialist.” Sometimes. But often you don’t need a new MSP — you need a different category layered on top. Diagnose before you rip anything out.
| Decision | What you’re seeing | Next step |
|---|---|---|
| Keep | Real CRM, a data-flow map, CMMC-aware operations, willingness to support the assessment | Get the evidence package in writing |
| Supplement | Solid day-to-day IT, but weak documentation, monitoring, or control interpretation | Add an RPO, MSSP, GRC platform, or CUI enclave specialist |
| Replace | No CRM, no CUI/SPD map, commercial cloud holding CUI, no assessor-support commitment | Scope the replacement carefully before rushing to quotes |
You may not need a new MSP — you may need a different provider category. Compare provider categories, and map your level, CUI scope, and timeline to the right one, before you tear out a working relationship. Do not submit CUI.
Compare provider categories →
MSP vs. MSSP vs. RPO vs. GRC platform vs. CUI enclave vs. C3PAO
Short answer: These are different jobs, and hiring the wrong one first is how contractors overspend and still aren’t ready. An MSP runs IT, an MSSP monitors security, an RPO/RP helps you prepare, a GRC platform organizes your evidence, a CUI enclave shrinks your scope, and a C3PAO performs the formal Level 2 certification assessment. Only a C3PAO can conduct the Level 2 certification assessment; Level 3 certification is a government (DIBCAC) assessment.
| Category | What it does | Can it certify you? | When it fits |
|---|---|---|---|
| MSP | IT operations, helpdesk, endpoints, identity, backups | No | You need operational IT control |
| MSSP / MDR | Monitoring, SIEM, SOC, EDR, alerting | No | You lack security operations |
| RPO / RP | Readiness, scoping, SSP/POA&M, control interpretation | No | You need to prepare before assessment |
| GRC platform | Evidence workflows, control mapping, POA&M tracking | No | You need evidence discipline |
| CUI enclave | Shrinks your CUI boundary to a subset of users/systems | No | CUI is limited and you want to reduce scope and cost |
| C3PAO | The formal Level 2 certification assessment | Yes — Level 2 (Level 3 is a DIBCAC assessment) | You are assessment-ready |
One rule the Cyber AB takes seriously, and so should you: under 32 CFR § 170.8(b)(17)(ii)(G) and the CMMC Code of Professional Conduct, an ecosystem member who served as a consultant to prepare an organization for any CMMC assessment cannot participate in that organization’s Level 2 certification assessment for three years. Separate the builder from the assessor, and don’t let a single vendor blur the line. Software alone doesn’t satisfy CMMC either — a GRC tool organizes your evidence; it doesn’t implement your controls or pass your assessment.
When does all of this actually hit?
Short answer: The CMMC Program rule (32 CFR Part 170) took effect . The acquisition rule that puts CMMC into contracts — DFARS 252.204-7021 — took effect , starting a four-phase, three-year rollout. Per the DoD’s CMMC FAQ, the first 12 months focus primarily on self-assessments; beginning , CMMC Level 2 third-party (C3PAO) assessments will be required for applicable contractors.
- Phase 1 is live now ( forward). Contracting officers are inserting Level 1 and Level 2 self-assessment requirements — and they have discretion to require a Level 2 C3PAO certification on select contracts even in Phase 1.
- From : third-party Level 2 certification becomes a condition of award for applicable CUI contracts, and the requirement broadens through the remaining phases as the rollout completes by 2028.
Why that matters for the MSP timeline: a Level 2 certification program commonly runs 12 to 18 months once you count scoping, remediation, documentation, and getting on a C3PAO’s schedule — treat that as a planning range, not a promise, and confirm it against your own scope and required assessment type. There’s no grace period for new bidders — you need the required status at award. If your clients wait for the clause to appear before they fix their MSP relationship, the math doesn’t work. Neither does yours.
What we actually verified
For this page, The Defense Compliance Report Editorial Team verified the following against primary sources, in :
Frequently asked questions about CMMC requirements for MSPs
Do MSPs need CMMC certification?
Not automatically. Under 32 CFR § 170.16(a)(3), a non-cloud MSP that handles CUI has its relevant services assessed inside the contractor’s assessment rather than needing a separate certificate; an MSP may voluntarily pursue its own Level 2 certification. If the MSP is a cloud provider handling CUI, FedRAMP requirements apply instead. An MSP’s own certificate never certifies its customer.
Is an MSP an External Service Provider under CMMC?
An MSP is an ESP when it provides external IT or cybersecurity services and CUI or Security Protection Data is processed, stored, or transmitted on the MSP’s own assets. If neither CUI nor SPD ever touches the provider’s assets, it does not meet the CMMC definition of an ESP under 32 CFR § 170.19.
What is Security Protection Data?
Security Protection Data (SPD) is security-relevant information — such as logs, configuration data, alerts, and credentials — used by tools that protect the CMMC environment. It matters because an MSP or MSSP can be in scope for handling SPD even when it never touches the contractor’s business CUI.
Does an MSP need FedRAMP?
An MSP does not need FedRAMP merely for providing IT support. FedRAMP Moderate authorization or equivalency becomes the requirement when the MSP acts as a Cloud Service Provider whose offering stores, processes, or transmits CUI, per 32 CFR § 170.16(a)(2) and DFARS 252.204-7012. See our full CSP requirements guide.
Can a CMMC-certified MSP certify my company?
No. An MSP’s own assessment or certificate does not certify the customer’s environment. The contractor’s required CMMC status is tied to its own contractor information systems and must be current in the Supplier Performance Risk System (SPRS), with an annual affirmation where required.
What CMMC level does an MSP need?
An MSP acting only as an ESP doesn’t have a CMMC level of its own the way a contract does. The contractor’s required level and the MSP’s CUI/SPD/CSP scenario drive the obligation. A non-cloud MSP handling CUI is assessed against Level 2 requirements inside the client’s assessment; an MSP handling only SPD is assessed against the specific Level 2 requirements its services support. If the MSP is also a DoD subcontractor, its own contract or flow-down can create a separate CMMC requirement.
What’s the difference between an MSP and an MSSP for CMMC?
Both are External Service Providers. An MSP runs general IT; an MSSP (Managed Security Service Provider) runs security operations like a SOC or SIEM. An MSSP operating security tooling for a CUI environment is typically a Security Protection Asset assessed inside the client’s assessment against the Level 2 requirements its services support. For the full ESP matrix, see our CMMC external service provider assessment guide.
Can my MSP also be my C3PAO?
Treat that as a conflict of interest. Under 32 CFR § 170.8(b)(17)(ii)(G) and the CMMC Code of Professional Conduct, an ecosystem member that consulted to prepare an organization for a CMMC assessment cannot participate in that organization’s Level 2 certification assessment for three years. Keep readiness and assessment in separate lanes.
Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
Level 2 is assessed against NIST SP 800-171 Revision 2 — the 110 requirements incorporated into 32 CFR Part 170. Per the DoD’s CMMC FAQ, the Department intends to incorporate Revision 3 through future rulemaking and has issued a class deviation to DFARS 252.204-7012 to keep Revision 2 as the assessment standard in the interim. Contractors may implement Revision 3 using the DoD’s Organization-Defined Parameters, but assessments are still conducted against Revision 2 until that changes.
What’s the safest first step for figuring out CMMC requirements for an MSP?
Map your CUI, SPD, cloud model, tools, and required assessment type before you request quotes. The wrong quote before scope is defined can lock you into an expensive path that doesn’t match your contract requirement. Classify first; hire second. Use our CMMC scoping guide and readiness checklist as starting points.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Do not submit CUI, drawings, credentials, or sensitive contract details.
Find My CMMC Path →
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. See our corrections policy if you spot something that needs updating.
Related from The Defense Compliance Report
- CMMC external service provider assessment (full ESP matrix)
- CMMC cloud service provider requirements: CSP, ESP, and FedRAMP rules
- CMMC Level 2 requirements (110 practices, 14 families)
- CMMC Level 2 cost: DoD estimate vs. real market
- CMMC scoping guide
- The CMMC Final Rule, explained
- NIST SP 800-171A assessment objectives (320 objectives)
- GCC High for CMMC
- CUI enclave providers
- SPRS score and posting guide
- CMMC readiness checklist