The Defense Compliance Report | CMMC 2.0 & the Defense Industrial Base

The Defense Compliance Report — independent trade publication on CMMC 2.0 and DIB compliance

By The Defense Compliance Report Editorial Team · Last reviewed: · Last verified:

CMMC Requirements for MSPs: When You’re In Scope, What You Must Prove, and When Certification Isn’t Required

If you run an MSP with even one defense-contractor client, you’ve probably gotten the email: “Our prime says CMMC is coming. Are you compliant?” And you’ve probably found that the honest answer, “it depends,” is not what anyone wants to hear.

Here’s the real answer

The CMMC requirements for MSPs come down to what your own systems touch and what role you play: whether a provider-owned system processes, stores, or transmits Controlled Unclassified Information (CUI); whether it processes, stores, or transmits Security Protection Data (SPD), meaning logs, configurations, alerts, and credentials; and whether you’re acting as a cloud service provider. Most MSPs don’t hold CUI and aren’t cloud providers, which means most MSPs do not automatically need their own CMMC certification. But most are still inside a client’s assessment as a Security Protection Asset, and that carries its own evidence obligations.

We read the rule text ourselves — the CMMC Program final rule at 32 CFR Part 170, effective — and cross-checked it against the DoD’s official scoping guides and its published CMMC FAQ, which has a whole section devoted to these exact MSP questions. Below is the map most of page one won’t give you, because it requires reading the rule rather than the summaries of summaries.

Who this page is for: MSPs, MSSPs, and IT providers with DoD-adjacent clients — and defense contractors trying to figure out whether their current MSP is an asset or a liability in an upcoming assessment.

The one qualifier that governs everything below: the contract clause sets a contractor’s required CMMC level; the MSP’s actual data flows and services determine whether the MSP is in that assessment.

CMMC requirements for MSPs, in one screen

Short answer: An MSP’s obligations depend on what its own systems touch, not on whether it markets itself as “CMMC compliant.” If CUI lands on the MSP’s assets, the MSP is assessed inside the contractor’s assessment; if the MSP is a cloud provider holding CUI, FedRAMP Moderate applies. If the MSP handles only Security Protection Data, its services are assessed as Security Protection Assets. If it touches neither CUI nor SPD on its own systems, it isn’t an External Service Provider.

CMMC MSP quick-reference: five scenarios (source: 32 CFR § 170.19 Table 4 and 32 CFR § 170.16(a)(2)–(a)(3))

| If your MSP… | CMMC treatment | Your first move |
|---|---|---|
| Manages a CUI client and your tools hold Security Protection Data (logs, alerts, configs, credentials) but no CUI | You’re a Security Protection Asset inside the client’s assessment; no separate certification required | Produce a shared/customer responsibility matrix and SSP inputs |
| Stores, processes, or transmits CUI on your own systems (and you’re not a cloud provider) | Your in-scope services are assessed inside the client’s assessment; you may pursue your own Level 2 voluntarily | Decide: get certified, or be assessed in every client’s audit |
| Provides a cloud service that holds client CUI (hosted enclave, hosted CUI tenant, cloud storage) | You’re acting as a Cloud Service Provider; FedRAMP Moderate (or equivalent) applies | Verify FedRAMP authorization or equivalency evidence |
| Touches neither CUI nor Security Protection Data on provider-owned systems | You do not meet the CMMC definition of an External Service Provider | Document why you’re out of scope |
| Prepared/remediated the environment and now wants to run the formal assessment | Conflict of interest: a consultant can’t join that client’s Level 2 assessment team for three years | Separate the builder from the assessor |

Sources: 32 CFR § 170.19 Table 4 and 32 CFR § 170.16(a)(2)–(a)(3). Assembled into MSP operational scenarios by The Defense Compliance Report. Verified: .

Find your row before you read further. Are you the SPD-only Security Protection Asset (the most common case), the CUI-on-your-systems case, the cloud-provider case, out of scope, or the conflict-of-interest case? Hold that answer; the rest of this page tells you exactly what it means and what to do.

The right CMMC provider isn’t the same for every contractor. The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you hire or spend. Do not submit CUI, credentials, or contract-sensitive details.

Find My CMMC Path →

What are the CMMC requirements for MSPs?

Short answer: The CMMC rule does not contain the word “MSP.” It regulates managed service providers through a broader category — External Service Provider (ESP) — defined in 32 CFR § 170.4. Whether and how an MSP is covered turns on two facts: whether it is a Cloud Service Provider (CSP), and whether Controlled Unclassified Information (CUI) or Security Protection Data (SPD) is processed, stored, or transmitted on provider-owned assets.

Here’s the reframe that dissolves most of the confusion. People search “does my MSP need CMMC” as if it’s a credential question — a yes/no badge. It isn’t. It’s a scope-and-evidence question: what do your people, tools, and systems actually touch, and where does that get assessed?

The rule uses precise vocabulary, so we will too:

FCI (Federal Contract Information)
Information provided by or generated for the government under a contract, not intended for public release. When a contract requires CMMC Level 1, it applies to the contractor systems that process, store, or transmit FCI — 15 basic safeguarding requirements from FAR 52.204-21, self-assessed annually, all 15 met in full with no exceptions.
CUI (Controlled Unclassified Information)
Government information that law or policy requires be safeguarded. When a contract requires CMMC Level 2, it applies to the systems that process, store, or transmit CUI — the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families.
SPD (Security Protection Data)
Security-relevant data such as logs, configuration files, vulnerability data, and credentials used to protect the assessed environment. You can be in scope for handling SPD even if you never touch the client’s business CUI.
ESP (External Service Provider)
External people, technology, or facilities used for a contractor’s IT or cybersecurity operations, where CUI and/or SPD is processed, stored, or transmitted on the provider’s assets.
CSP (Cloud Service Provider)
An external company providing cloud infrastructure, platform, application, or storage services.

Notice the difference between an ESP and a subcontractor. If you furnish the actual contract deliverable, you’re a subcontractor, and CMMC requirements flow down to you under DFARS 252.204-7021 and 32 CFR § 170.23. If you support the contractor’s IT and security, you’re an ESP, scoped under 32 CFR § 170.19. Many MSP relationships become ESP relationships, not subcontractor relationships.

The two questions that decide everything:

  1. Is the MSP a Cloud Service Provider?
  2. Does the MSP’s own system process, store, or transmit CUI, SPD, both, or neither?

Every scenario below is just those two answers combined.

Do MSPs need their own CMMC certification?

Short answer: Usually not. Under 32 CFR § 170.16(a)(3), a non-cloud ESP that handles CUI has its relevant services “assessed within the scope of the OSA’s assessment against all Level 2 security requirements” — meaning the MSP is evaluated inside the contractor’s assessment rather than holding a separate certificate. An MSP may voluntarily pursue its own CMMC assessment to ease client audits and win business, but the rule does not make it mandatory for a non-cloud ESP.

This is the single most misreported fact on the topic. For a non-cloud ESP that handles CUI, the rule gives the contractor a clean path: document the ESP in the System Security Plan (SSP), the ESP’s service description, and a Customer Responsibility Matrix (CRM), and then assess those ESP services inside the contractor’s assessment. There is no requirement in the rule that such an MSP hold a standalone CMMC certificate. Voluntary certification exists; mandatory certification for a non-cloud ESP does not.

So the honest picture is a spectrum, not a switch:

  • You touch no CUI or SPD on your own systems → you’re not even an ESP, and no certification is required.
  • You handle only SPD (logs, alerts, configs) → no certification required; you’re a Security Protection Asset assessed inside the client’s scope.
  • You hold CUI on your own non-cloud systems → no automatic certificate required either; your services are assessed inside each client’s assessment. But if you serve several DIB clients, voluntary Level 2 certification is often the cleaner, cheaper path, because once your controls have already been assessed and certified you stop having to prove them from scratch in every client’s audit. A certified MSP is also a real differentiator.
  • You’re a cloud provider holding CUI → certification isn’t the mechanism at all; FedRAMP is.

Not sure whether your MSP is actually in your assessment scope? Answer five scope questions (CUI, Security Protection Data, cloud ownership, tooling, and assessment type) and get the provider category and evidence list that fits your situation. Do not submit CUI, drawings, credentials, or contract-sensitive details.

Check whether your MSP is in scope →

When is your MSP an External Service Provider (ESP)?

Short answer: An MSP becomes an ESP when it provides external IT or cybersecurity services and CUI or Security Protection Data is processed, stored, or transmitted on the MSP’s own assets. If neither CUI nor SPD ever touches the provider’s assets, the provider does not meet the CMMC definition of an ESP under 32 CFR § 170.19.

The phrase that trips people up is “on the MSP’s own assets.” Admin access alone is not the trigger; data landing on your systems is. But “your systems” is broader than most MSPs assume. Any of these can pull you in:

  • Your RMM (remote monitoring and management) platform
  • Your SIEM or SOC tooling, EDR console, and the alerts and logs they ingest
  • Your backup infrastructure
  • Your ticketing/helpdesk system (attachments are the usual culprit)
  • Your file-transfer or remote-support tools
  • Your admin workstations
  • Any cloud-hosted support tools you point at the client’s environment

Here’s the pattern we see cause the most trouble: an MSP swears “no CUI touches us,” then a technician pastes a CUI document into a support ticket, or a nightly backup sweeps up a CUI file share, or the SIEM ingests logs full of Security Protection Data. Now provider-owned systems are handling covered data, and the “we’re out of scope” story collapses on assessment day.

The five-question ESP self-check

Run your relationship through these before you tell a client anything. Answer honestly, then map yourself to a row in the matrix in the next section.

  1. Does your own system process, store, or transmit CUI?
  2. Does your own system process, store, or transmit logs, configuration data, alerts, vulnerability data, or other SPD?
  3. Do you provide security functions for the client’s assessed environment (firewalling, monitoring, identity, patching)?
  4. Do you own or modify the cloud service, or only administer the client’s own tenant?
  5. Can you produce a service description and a Customer Responsibility Matrix?

How to read your answers: If you answered yes to 1 or 2, you meet the ESP data trigger and you’re in scope. If you answered yes to 3, check whether your security tools actually process, store, or transmit SPD. Question 4 decides whether you’re also a CSP. Question 5 is the readiness gut-check: if you can’t produce a CRM, you are not ready, no matter what your marketing says.

What changes if the MSP handles CUI, Security Protection Data, or neither?

Short answer: CUI, SPD, and neither produce three different outcomes. If the MSP is a cloud provider handling CUI, FedRAMP Moderate applies; if it’s a non-cloud ESP handling CUI, its services are assessed inside the contractor’s assessment. If it handles only SPD, its services are assessed as Security Protection Assets against the specific Level 2 requirements they support. If it handles neither on provider-owned systems, it isn’t an ESP. This split comes directly from 32 CFR § 170.19 Table 4.

The MSP CMMC Scope, Evidence & Exposure Matrix

MSP CMMC scope, evidence & exposure matrix (source: 32 CFR § 170.19 Table 4; 32 CFR § 170.16(a)(2)–(a)(3); CMMC FAQ v5)

| Your situation | CMMC classification | Where it’s assessed | Own certification required by the rule? | Evidence to have ready | Best next move |
|---|---|---|---|---|---|
| You store/process/transmit CUI on your own non-cloud systems | Non-CSP ESP handling CUI | Inside the contractor’s assessment; ESP services assessed against all Level 2 requirements | No: assessed in the client’s scope; you may voluntarily certify | SSP inputs, service description, CRM, asset inventory, data-flow map, access-control and storage evidence | Keep if evidence is real; consider your own Level 2 if you serve several DIB clients |
| You run SIEM/EDR/monitoring/logging and hold SPD, but no CUI | ESP handling SPD → Security Protection Asset | In the contractor’s assessment as an SPA, against the Level 2 requirements your services support | No | Log-flow map, retention policy, CRM, tool architecture, privileged-access procedures, assessor-interview commitment | Keep if evidence is strong; add MSSP/GRC support if monitoring exists but documentation is thin |
| You administer the client’s own GCC High / Azure Government / AWS GovCloud tenant | ESP/admin support, not necessarily a CSP | Depends on CUI/SPD and privileged access | No | Tenant-ownership proof, admin-role list, MFA/conditional-access evidence, CRM, SSP inputs | Document the cloud boundary and your admin responsibilities |
| You package and deliver a cloud service that holds client CUI | You may be acting as a CSP | CSP requirements apply if CUI is involved | Certification isn’t the issue; FedRAMP Moderate (or equivalent) is | FedRAMP Marketplace listing or equivalency Body of Evidence, CRM, CSP boundary, subprocessor list | Require a written FedRAMP path before hosting CUI |
| You run RMM / remote support / backup / file transfer connected to a CUI environment | Fact-specific ESP / SPA / CUI-asset exposure | Likely in scope if CUI or SPD lands on your assets | No: even if CUI persists on your non-cloud systems, the rule doesn’t require a standalone MSP certificate; those services are assessed in the client’s scope. If the tool is a cloud offering holding CUI, run the CSP/FedRAMP analysis instead. | RMM data map, ticket-redaction rules, backup encryption, transfer settings, admin logs, CRM | Treat as in scope until a data-flow map proves otherwise |
| You use only client-owned equipment; no provider asset touches CUI/SPD | Usually not an ESP | Usually outside ESP scope | No | Written out-of-scope rationale; proof of no provider-owned storage/tooling | Preserve the evidence of why you’re out |
| Temporary access (pen test, incident response, forensics, vulnerability scan) | Usually not an ongoing ESP if no CUI/SPD persists on your assets | Fact-specific | No | SOW, access duration, data-handling and destruction/return rules | Keep it temporary and documented |
| You did the readiness/remediation and now want to assess it | Independence/conflict issue, not a scope issue | Assessment-independence problem | The three-year conflict rule governs | Cyber AB status, engagement dates, conflict disclosure | Separate the firm that builds from the firm that assesses |

Source: 32 CFR § 170.19; 32 CFR § 170.16(a)(2)–(a)(3); CMMC FAQ v5; DoD FedRAMP Moderate Equivalency guidance. Assembled by The Defense Compliance Report editorial team. Last verified: .

Three separate things people constantly blur

Almost every argument about “CMMC for MSPs” mashes three separate things into one. Pull them apart and the fog lifts:

  • Track A — Your own certification. Voluntary, or driven by your own DoD contract. Relevant if you hold CUI on non-cloud systems and want to stop being re-assessed in every client’s audit, or if you’re also a DoD subcontractor whose own contract requires a CMMC status. Not automatically mandatory.
  • Track B — FedRAMP Moderate (or equivalent). Only relevant if you act as a cloud provider for CUI.
  • Track C — Being in scope for your client’s assessment as a Security Protection Asset. This one hits many MSP and MSSP relationships that touch zero business CUI but do process, store, or transmit Security Protection Data — logs, configs, alerts, vulnerability data, credentials — on provider-owned assets. It requires a CRM referenced in the client’s SSP.

You can owe Track C and not Track A or B. That’s the normal case. Getting this straight is worth more than any certificate.

Before you ask any provider for a quote, classify what you’re actually dealing with. Get matched with source-checked provider categories (readiness/MSP/MSSP, CUI enclave, GRC, or the C3PAO path) based on your level, scope, and timeline, not a one-size-fits-all vendor list. Do not submit CUI.

Get matched with source-checked provider options →

Disclosure: The Defense Compliance Report is an independent trade publication. We may receive compensation for qualified introductions or partner referrals when disclosed. Compensation does not control our regulatory analysis.

When does an MSP need FedRAMP Moderate?

Short answer: An MSP does not need FedRAMP just for providing IT support. FedRAMP becomes the gating requirement when the MSP acts as a Cloud Service Provider whose offering stores, processes, or transmits CUI. Per 32 CFR § 170.16(a)(2) and DFARS 252.204-7012, that cloud offering must be FedRAMP Moderate Authorized or FedRAMP Moderate Equivalent.

Equivalency is not a marketing claim. Under the DoD’s FedRAMP Moderate Equivalency guidance (the December 21, 2023 memo), the cloud offering must be assessed by a FedRAMP-recognized Third-Party Assessment Organization (3PAO) against the full FedRAMP Moderate baseline (roughly 325 controls, about three times CMMC Level 2’s 110) and backed by a Body of Evidence. A SOC 2 report, an ISO 27001 certificate, or a vendor questionnaire does not satisfy it. For more on this, see our full CMMC cloud service provider requirements guide.

Whether you’re even a CSP is its own question. The rule points to the NIST definition of cloud computing (NIST SP 800-145), whose five essential characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. Using cloud tools to deliver your service does not make you a CSP. Here’s the line, three ways:

MSP cloud role: are you a CSP? (source: 32 CFR § 170.16(a)(2); DFARS 252.204-7012; CMMC FAQ v5 (E-Q5))

| Your cloud role | Are you a CSP? | FedRAMP evidence needed | What to ask for |
|---|---|---|---|
| You administer the client’s own tenant (they own the GCC High / GovCloud subscription) | Generally no; you’re an ESP administering their environment | None from you; the client’s environment carries its own authorization | Tenant-ownership proof, admin-role list, MFA/conditional-access evidence, CRM |
| You own, package, or modify a cloud offering that holds client CUI | Yes, likely | FedRAMP Moderate authorization or equivalency Body of Evidence | Marketplace listing or 3PAO-validated BoE, CSP boundary, subprocessor list, CRM |
| You only resell licenses | Reselling alone is not CSP status | Depends on who owns/operates the service | Who owns, modifies, and operates the offering; then classify from there |

Sources: 32 CFR § 170.16(a)(2); DoD FedRAMP Moderate Equivalency guidance; CMMC FAQ, External Service Providers section.

The practical move, stated plainly. Standing up and continuously maintaining your own FedRAMP-equivalent CUI environment is a major compliance program in its own right — heavy on 3PAO assessment, documentation, and continuous monitoring — not an MSP shortcut. The cleaner route for most MSPs is to keep client CUI inside an already-authorized environment — Microsoft’s GCC High carries a FedRAMP High authorization and GCC a FedRAMP Moderate authorization; verify current status on the FedRAMP Marketplace — and architect your services around it. If that boundary decision is where you’re stuck, that’s exactly what a CUI enclave or GCC High implementation partner exists to solve.

What CMMC actually costs — and why your MSP is already in DoD’s math

Short answer: The DoD’s own cost estimates assume contractors will pay an External Service Provider to help them prepare for and participate in a Level 2 assessment — the analysis breaks out ESP support as its own labor line. For a small entity, DoD estimated a Level 2 self-assessment and affirmations at roughly $37,000 over three years, and a Level 2 C3PAO certification at $101,752 for the initial assessment ($104,670 over three years). Level 1 runs about $6,000.

We went to the source — the CMMC Program rule’s Regulatory Flexibility Analysis filed with the rulemaking. The numbers for a small entity:

DoD small-entity CMMC cost estimates (source: CMMC Regulatory Flexibility Analysis, filed with 32 CFR Part 170)

| DoD small-entity estimate | Initial assessment + affirmation | Three-year cost |
|---|---|---|
| Level 1 self-assessment | ~$5,977 | Annual self-assessment thereafter (~$5,977 per year) |
| Level 2 self-assessment | ~$34,000 | ~$37,000 |
| Level 2 C3PAO certification | $101,752 | $104,670 |

Source: DoD Regulatory Flexibility Analysis, filed with the CMMC Program rule. See also our full CMMC Level 2 cost breakdown for market vs. DoD estimate comparison.

The part that matters for the MSP conversation: DoD’s model prices in labor “for a company (and any ESP support) to prepare for and participate in the assessment,” as a distinct line from in-house IT and management. In plain terms: the government built the cost of your MSP’s involvement into its official estimate of what CMMC costs a contractor.Your role in a client’s assessment isn’t a footnote the DoD forgot. It’s a line item.

Two honest caveats: these are DoD’s estimates, not market quotes; real engagements vary widely by size, scope, and starting maturity. And DoD’s Level 2 figures deliberately exclude the cost of actually implementing the 110 controls, because the government considers that a pre-existing obligation under DFARS 252.204-7012 since 2017. That implementation and remediation work is usually the expensive part: across the market, the C3PAO audit fee itself is commonly only about 20–30% of a contractor’s total cost, with readiness, remediation, and technology the larger share.

Want scoped numbers instead of national averages? Tell us your level, your MSP’s role, your CUI boundary, your cloud environment, and your timeline, and we’ll route you to source-checked provider categories that fit. Do not submit CUI.

Request scoped quotes from matched provider categories →

What to demand from your MSP before an assessment

Short answer: A CMMC-ready MSP should give you documentation, not promises. At minimum, expect a service description, a Customer Responsibility Matrix, SSP inputs, a CUI/SPD data-flow map, a tool and subprocessor list, a privileged-access model, an evidence-export process, and a written commitment to support assessment interviews and artifact requests. 32 CFR § 170.19 requires the ESP relationship, services, SSP reference, and CRM to be documented.

It is still common to find an MSP that has never produced a shared responsibility matrix (the CRM). If yours hasn’t, you may have to demand one, and if they can’t build it, that tells you something before assessment day does. Use this as your request list, whether you’re the contractor asking or the MSP getting ahead of it:

MSP evidence-request checklist for CMMC readiness

| Evidence item | Why it matters | Who owns it |
|---|---|---|
| Service description | Defines what the MSP actually does | MSP |
| Customer Responsibility Matrix (CRM) | Splits each NIST SP 800-171 responsibility between you and the MSP | MSP + contractor |
| SSP inputs | Lets the contractor document the MSP relationship in the System Security Plan | MSP + contractor |
| CUI/SPD data-flow map | Shows where covered data actually moves | MSP |
| Asset inventory inputs | Identifies which provider tools are in scope | MSP + contractor |
| Privileged-access model | Shows admin control, least privilege, and MFA | MSP |
| Tool / subprocessor list | Prevents hidden scope expansion from offshore help desks or third-party SOCs | MSP |
| FedRAMP evidence (if a CSP) | Required if a cloud offering handles CUI | CSP/MSP |
| Evidence-retention / export plan | Prevents lock-in and an assessment-day scramble | MSP |
| Assessment-cooperation clause | Ensures the MSP shows up for assessor interviews and artifact requests | MSP |

Two contract terms are worth singling out. Get the assessment-cooperation and CRM-delivery commitments in writing — including update frequency — because a helpful MSP in the sales cycle can become an unreachable one during an audit. And watch the subprocessor question hard: if your MSP outsources help desk, NOC, or engineering to third parties who can reach CUI systems, that exposure can flow into your scope. Offshore or non-U.S.-person access is a special hazard for ITAR/EAR data and needs to be locked down contractually before it becomes an assessment finding.

Which NIST SP 800-171 Rev. 2 controls your MSP usually affects

Short answer: An MSP does not “own CMMC” for the contractor, but it typically influences the controls that decide whether an environment can be assessed cleanly. Within the 110 requirements, the heaviest MSP-touched areas are access control, identification and authentication, audit and accountability, configuration management, incident response, maintenance, risk assessment, system and communications protection, and system and information integrity.

This is the shortlist of families where an MSP’s tooling and procedures make or break the client’s evidence, plus the failure we see derail assessments in each one.

NIST SP 800-171 Rev. 2 control families: where MSP evidence makes or breaks assessment readiness

| Control family | Where the MSP shows up | Evidence to request | Common MSP evidence failure |
|---|---|---|---|
| Access Control | Admin roles, least privilege, remote access | Admin role list, access reviews | Stale admin accounts; shared credentials |
| Identification & Authentication | MFA, account lifecycle, privileged identities | MFA policy, provisioning workflow | MFA gaps on privileged/service accounts |
| Audit & Accountability | Logs, SIEM, retention, alerting | Log sources, retention settings, alert workflow | Logs exist but retention period isn’t mapped to the requirement |
| Configuration Management | Baselines, change control, hardening | Baseline configs, change tickets | A baseline exists but no evidence changes follow it |
| Incident Response | Detection, escalation, reporting support | IR playbook, escalation contacts | No documented escalation path to the client |
| Maintenance | Remote maintenance, support tooling | Maintenance logs, tool controls | Remote maintenance sessions aren’t logged or controlled |
| Risk Assessment | Vulnerability scanning and remediation | Scan reports, remediation SLAs | Scans run, but no evidence of remediation timelines |
| System & Communications Protection | Boundary protection, encryption, segmentation | Network diagram, firewall rules | Diagram doesn’t match the real environment |
| System & Information Integrity | EDR, patching, malicious-code protection | EDR reports, patch dashboard | Patch dashboard exists but coverage gaps aren’t tracked |

If your MSP can produce clean evidence across these families, you’re in good shape. If they go quiet when you ask for a patch dashboard or an access-review log, you’ve found your gap. See our NIST SP 800-171A assessment objectives guide for the full 320 objective-level breakdown.

Keep, supplement, or replace your MSP?

Short answer: Keep the MSP if it can map scope, produce evidence, support your SSP and CRM, control CUI/SPD flows, and cooperate with your assessment. Supplement it if the IT is strong but the documentation, monitoring, or CMMC interpretation is weak. Replace it if it refuses responsibility mapping, mishandles CUI/SPD, guarantees certification, hides its subprocessors, or wants to both prepare and assess the same environment.

Most contractors assume the answer is “fire the MSP and hire a defense specialist.” Sometimes. But often you don’t need a new MSP — you need a different category layered on top. Diagnose before you rip anything out.

Keep, supplement, or replace your MSP: decision table

| Decision | What you’re seeing | Next step |
|---|---|---|
| Keep | Real CRM, a data-flow map, CMMC-aware operations, willingness to support the assessment | Get the evidence package in writing |
| Supplement | Solid day-to-day IT, but weak documentation, monitoring, or control interpretation | Add an RPO, MSSP, GRC platform, or CUI enclave specialist |
| Replace | No CRM, no CUI/SPD map, commercial cloud holding CUI, no assessor-support commitment | Scope the replacement carefully before rushing to quotes |

The trap to avoid: replacing a competent generalist MSP with an expensive specialist when all you actually needed was a readiness firm to write the SSP and a matrix. Match the category to the gap.

You may not need a new MSP — you may need a different provider category. Compare provider categories, and map your level, CUI scope, and timeline to the right one, before you tear out a working relationship. Do not submit CUI.

Compare provider categories →

MSP vs. MSSP vs. RPO vs. GRC platform vs. CUI enclave vs. C3PAO

Short answer: These are different jobs, and hiring the wrong one first is how contractors overspend and still aren’t ready. An MSP runs IT, an MSSP monitors security, an RPO/RP helps you prepare, a GRC platform organizes your evidence, a CUI enclave shrinks your scope, and a C3PAO performs the formal Level 2 certification assessment. Only a C3PAO can conduct the Level 2 certification assessment; Level 3 certification is a government (DIBCAC) assessment.

CMMC provider category comparison: roles, certification authority, and fit

| Category | What it does | Can it certify you? | When it fits |
|---|---|---|---|
| MSP | IT operations, helpdesk, endpoints, identity, backups | No | You need operational IT control |
| MSSP / MDR | Monitoring, SIEM, SOC, EDR, alerting | No | You lack security operations |
| RPO / RP | Readiness, scoping, SSP/POA&M, control interpretation | No | You need to prepare before assessment |
| GRC platform | Evidence workflows, control mapping, POA&M tracking | No | You need evidence discipline |
| CUI enclave | Shrinks your CUI boundary to a subset of users/systems | No | CUI is limited and you want to reduce scope and cost |
| C3PAO | The formal Level 2 certification assessment | Yes, Level 2 (Level 3 is a DIBCAC assessment) | You are assessment-ready |

One rule the Cyber AB takes seriously, and so should you: under 32 CFR § 170.8(b)(17)(ii)(G) and the CMMC Code of Professional Conduct, an ecosystem member who served as a consultant to prepare an organization for any CMMC assessment cannot participate in that organization’s Level 2 certification assessment for three years. Separate the builder from the assessor, and don’t let a single vendor blur the line. Software alone doesn’t satisfy CMMC either — a GRC tool organizes your evidence; it doesn’t implement your controls or pass your assessment.

When does all of this actually hit?

Short answer: The CMMC Program rule (32 CFR Part 170) took effect . The acquisition rule that puts CMMC into contracts — DFARS 252.204-7021 — took effect , starting a four-phase, three-year rollout. Per the DoD’s CMMC FAQ, the first 12 months focus primarily on self-assessments; beginning , CMMC Level 2 third-party (C3PAO) assessments will be required for applicable contractors.

  • Phase 1 is live now ( forward). Contracting officers are inserting Level 1 and Level 2 self-assessment requirements — and they have discretion to require a Level 2 C3PAO certification on select contracts even in Phase 1.
  • From : third-party Level 2 certification becomes a condition of award for applicable CUI contracts, and the requirement broadens through the remaining phases as the rollout completes by 2028.

Why that matters for the MSP timeline: a Level 2 certification program commonly runs 12 to 18 months once you count scoping, remediation, documentation, and getting on a C3PAO’s schedule — treat that as a planning range, not a promise, and confirm it against your own scope and required assessment type. There’s no grace period for new bidders — you need the required status at award. If your clients wait for the clause to appear before they fix their MSP relationship, the math doesn’t work. Neither does yours.

What we actually verified

For this page, The Defense Compliance Report Editorial Team verified the following against primary sources, in :

  • The ESP scoping logic: 32 CFR § 170.19, Table 4, checked on eCFR, and that the rule regulates MSPs through the term “ESP,” not “MSP” (32 CFR § 170.4).
  • The certification question: under 32 CFR § 170.16(a)(3), a non-CSP ESP handling CUI has its services assessed within the contractor’s assessment, not via a mandatory standalone certificate; corroborated by the DoD CMMC FAQ, External Service Providers section.
  • The CSP/FedRAMP requirement: 32 CFR § 170.16(a)(2) and DFARS 252.204-7012 on acquisition.gov, plus the DoD FedRAMP Moderate Equivalency guidance.
  • The cost figures — DoD’s Regulatory Flexibility Analysis: small-entity Level 2 C3PAO at $101,752 initial / $104,670 over three years, Level 1 at $5,977, and the explicit “(and any ESP support)” labor line.
  • The timeline — DFARS 252.204-7021 effective ; the phase schedule tied to 32 CFR § 170.3(e); Level 2 third-party assessments required for applicable contractors beginning .
  • The conflict-of-interest rule — the three-year prohibition in 32 CFR § 170.8(b)(17)(ii)(G) and CoPC v2.0.
  • NIST SP 800-171 Revision 2 as the assessed Level 2 standard, held in place by a DoD class deviation to DFARS 252.204-7012 pending future rulemaking to incorporate Revision 3.

What we did not verify, and won’t assert: we did not independently confirm the internal ESP-labor sub-totals within DoD’s cost tables — sources that cite specific figures describe them as inferred and disagree with one another — so we’ve stated only the confirmed totals. We do not rank or endorse named MSPs on this page. Last verified: .

Frequently asked questions about CMMC requirements for MSPs

Do MSPs need CMMC certification?

Not automatically. Under 32 CFR § 170.16(a)(3), a non-cloud MSP that handles CUI has its relevant services assessed inside the contractor’s assessment rather than needing a separate certificate; an MSP may voluntarily pursue its own Level 2 certification. If the MSP is a cloud provider handling CUI, FedRAMP requirements apply instead. An MSP’s own certificate never certifies its customer.

Is an MSP an External Service Provider under CMMC?

An MSP is an ESP when it provides external IT or cybersecurity services and CUI or Security Protection Data is processed, stored, or transmitted on the MSP’s own assets. If neither CUI nor SPD ever touches the provider’s assets, it does not meet the ESP definition in 32 CFR § 170.4 as applied by the scoping rules in 32 CFR § 170.19, and it falls outside the client’s assessment.

What is Security Protection Data?

Security Protection Data (SPD) is security-relevant information — such as logs, configuration data, alerts, and credentials — used by tools that protect the CMMC environment. It matters because an MSP or MSSP can be in scope for handling SPD even when it never touches the contractor’s business CUI.

Does an MSP need FedRAMP?

An MSP does not need FedRAMP merely for providing IT support. FedRAMP Moderate authorization or equivalency becomes the requirement when the MSP acts as a Cloud Service Provider whose offering stores, processes, or transmits CUI, per 32 CFR § 170.16(a)(2) and DFARS 252.204-7012. See our full CSP requirements guide.

Can a CMMC-certified MSP certify my company?

No. An MSP’s own assessment or certificate does not certify the customer’s environment. The contractor’s required CMMC status is tied to its own contractor information systems and must be current in the Supplier Performance Risk System (SPRS), with an annual affirmation where required.

What CMMC level does an MSP need?

An MSP acting only as an ESP doesn’t carry a CMMC level of its own the way a contractor with a contract clause does. The contractor’s required level and the MSP’s CUI/SPD/CSP scenario drive the obligation. A non-cloud MSP handling CUI is assessed against Level 2 requirements inside the client’s assessment; an MSP handling only SPD is assessed against the specific Level 2 requirements its services support. If the MSP is also a DoD subcontractor, its own contract or flow-down can create a separate CMMC requirement.

What’s the difference between an MSP and an MSSP for CMMC?

Both are External Service Providers. An MSP runs general IT; an MSSP (Managed Security Service Provider) runs security operations like a SOC or SIEM. An MSSP operating security tooling for a CUI environment is typically a Security Protection Asset assessed inside the client’s assessment against the Level 2 requirements its services support. For the full ESP matrix, see our CMMC external service provider assessment guide.

Can my MSP also be my C3PAO?

Treat that as a conflict of interest. Under 32 CFR § 170.8(b)(17)(ii)(G) and the CMMC Code of Professional Conduct, an ecosystem member that consulted to prepare an organization for a CMMC assessment cannot participate in that organization’s Level 2 certification assessment for three years. Keep readiness and assessment in separate lanes.

Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?

Level 2 is assessed against NIST SP 800-171 Revision 2 — the 110 requirements incorporated into 32 CFR Part 170. Per the DoD’s CMMC FAQ, the Department intends to incorporate Revision 3 through future rulemaking and has issued a class deviation to DFARS 252.204-7012 to keep Revision 2 as the assessment standard in the interim. Contractors may implement Revision 3 using the DoD’s Organization-Defined Parameters, but assessments are still conducted against Revision 2 until that changes.

What’s the safest first step for figuring out CMMC requirements for an MSP?

Map your CUI, SPD, cloud model, tools, and required assessment type before you request quotes. The wrong quote before scope is defined can lock you into an expensive path that doesn’t match your contract requirement. Classify first; hire second. Use our CMMC scoping guide and readiness checklist as starting points.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Do not submit CUI, drawings, credentials, or sensitive contract details.

Compliance note: This article is educational research, not legal, contractual, or compliance advice. Your CMMC level and scope are set by your contract clause and how CUI actually flows through your environment — not by a checklist. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act. Provider-matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. See our corrections policy if you spot something that needs updating.