
Is My MSP Actually CMMC Compliant?

The Defense Compliance Report Editorial Team, independent CMMC and DIB compliance research
Last reviewed June 2026
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance, explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

In most cases, your MSP cannot be “CMMC compliant” on its own — and treating “don’t worry, we’ve got CMMC covered” as proof is exactly how contractors fail their assessment. Under the CMMC Final Rule (32 CFR Part 170, effective December 16, 2024), your managed service provider becomes an External Service Provider (ESP) only when it processes, stores, or transmits your Controlled Unclassified Information (CUI) — or the data that protects it — on its own systems. When it doesn’t, it may fall entirely outside your CMMC assessment scope. When it does, those services are evaluated as part of your Level 2 assessment.

The right question isn’t “is my MSP CMMC compliant?” It’s: what does my MSP touch, what proof can it produce, and how will those services show up in my assessment scope? Get that right and your incumbent MSP might be fine. Get it wrong and a single missing piece of MSP evidence can sink a Level 2 assessment you’ve spent months preparing for.

Three conditions change the answer: an MSP that voluntarily earned its own Level 2 certification can reduce your burden; an MSP acting as a Cloud Service Provider that stores your CUI must meet FedRAMP Moderate (or equivalent) under DFARS 252.204-7012; and a provider with only temporary access may fall outside ESP treatment entirely, depending on what it stores.


Which of these four is your MSP? (Start here)

Almost every MSP relationship lands in one of four buckets. Find yours, then read the section that matches.

Path 1

Out of scope

Your MSP works only inside your tenant and accounts, and no CUI or security-protection data is stored on the MSP's own systems.

Likely fine — document it and confirm.

Path 2

In-scope ESP, assessed with you

Your MSP's tools or staff process, store, or transmit your CUI or security-protection data (logs, configs, credentials).

Their services are part of your assessment. You need their proof.

Path 3

Cloud / FedRAMP risk

Your MSP stores or transmits your CUI in a cloud service it provides or modifies.

FedRAMP Moderate or equivalency now matters.

Path 4

Already certified or assessed

Your MSP has its own relevant CMMC status or cloud authorization.

Helpful — but only if the scope, level, and assessment type actually match your use.

The right next move is different for each path. So is the right provider category if you decide your MSP can’t get you there.

The right CMMC provider isn’t the same for every contractor. The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Not sure which path you’re on? Run the proof test before you call another vendor — it sorts your MSP into one of these four buckets with a next step for each. Do not enter CUI, drawings, passwords, or contract-sensitive details.


Is my MSP actually CMMC compliant — or just saying the words?

“CMMC compliant MSP” is usually marketing language, not a status. There is no badge an IT provider can wave that transfers compliance to you. CMMC status attaches to assessed systems within a defined scope, not to a company’s general reputation.

Vendors blur three very different things, and the blur is where contractors get hurt:

  1. “We understand CMMC.” Fine. That’s knowledge, not proof.
  2. “We help clients prepare for CMMC.” Useful. That’s a service, not a certification.
  3. “This specific environment holds a current CMMC status.” That’s a claim you can — and must — verify.

Keep three words separate and you’ll never be fooled: compliance is what you do, certification is how it’s proven for a defined scope, and “covered” is what a salesperson says. They are not interchangeable.

The honest limit of this page: we can’t verify your specific MSP from a web page — and neither can anyone else. No article, no tool, no AI can confirm your MSP is assessment-ready without seeing your contract, your data flows, and your MSP’s actual evidence. What we can do is hand you the exact test an assessor’s logic follows, drawn straight from the rule — so you can get a defensible answer in one afternoon.


The MSP CMMC Proof Test: which path is your MSP on?

Your MSP is on one of four paths (out of scope, in-scope ESP, cloud/FedRAMP risk, or already certified), and the right next step depends on what the MSP touches, not what it calls itself. Under 32 CFR § 170.19, the test for whether an MSP enters your assessment is whether CUI or Security Protection Data (log data, configuration data, and similar artifacts) is processed, stored, or transmitted on the provider’s own assets.

MSP CMMC Proof Test

The interactive version of this test sorts your MSP into one of the four paths from a single description of its relationship to your environment; the matrix below covers the same scenarios in full. Based on: 32 CFR § 170.19 (ESP and Security Protection Asset treatment); CMMC Program FAQ v5 (answers E-A3, E-A4, E-A5); DFARS 252.204-7012 (cloud/FedRAMP). Last verified June 2026. This is editorial guidance, not legal or compliance advice.

The full matrix below covers every common scenario. It was built by reading 32 CFR § 170.19, the official CMMC Program FAQ (v5), and DFARS 252.204-7012.

| Your MSP situation | CUI on MSP assets? | SPD on MSP assets? | Cloud/CSP issue? | CMMC treatment | Proof to request | The red flag | Your next move |
|---|---|---|---|---|---|---|---|
| Supports your devices and works entirely inside your tenant/accounts | Usually no | Maybe | Usually no | May fall outside ESP treatment if neither CUI nor SPD sits on MSP assets | Data-flow map, admin-access model, what the RMM/ticketing tool stores | They can't say where your logs, passwords, configs, or tickets actually live | Keep; document access paths, confirm no hidden SPD |
| Uses RMM/PSA/ticketing that stores asset inventory, configs, vulnerabilities, logs, or credentials | Usually no | Yes | Maybe | Services likely assessed as Security Protection Assets within your assessment | RMM/PSA/SIEM data map, CRM, retention/export details | "We don't touch CUI," but tickets hold screenshots, configs, or passwords | Keep only if they support your SSP, CRM, and evidence |
| Stores CUI in tickets, file shares, backups, or helpdesk screenshots | Yes | Yes | Maybe | Non-CSP ESP services are in your assessment scope; cloud handling of CUI triggers FedRAMP analysis | No-CUI-in-tickets policy, CUI data-flow map, storage locations, FedRAMP evidence if cloud | CUI sitting in a commercial SaaS ticketing or backup tool with no FedRAMP support | Stop the CUI flow: segment, replace the tool, or change providers |
| Provides a managed enclave or managed cloud for your CUI | Yes | Yes | Yes (if it's a cloud service) | A CSP handling CUI must meet FedRAMP Moderate or equivalency (DFARS 252.204-7012); the MSP may be the CSP | FedRAMP Marketplace listing or equivalency package, CRM/CIS, service boundary | "GCC High" or "secure cloud" claimed with no boundary, CRM, or FedRAMP evidence | Verify the cloud boundary before any CUI touches it |
| MSSP/SOC ingests logs from your CUI environment, but not CUI itself | Usually no | Yes | Maybe | Per the CMMC FAQ, an MSP/MSSP handling SPD can be an ESP assessed as part of your assessment | SIEM/log data list, retention, access, export support, CRM | The MSSP won't participate in your assessment or share evidence | Keep if evidence-ready; otherwise add or replace |
| Provides temporary access only (pen test, incident response, or staff augmentation) | Depends | Depends | Depends | Not an ESP only if no CUI or SPD is processed, stored, or transmitted on the provider's assets | Report/artifact data map, credential handling, retention, where findings are stored | They keep vuln reports, logs, screenshots, credentials, or forensic artifacts with no scope treatment | Verify artifact flow before treating as out of scope |
| Says it is "CMMC certified" | Maybe | Maybe | Maybe | The MSP's status does not make you compliant; it can reduce effort only if scope/level/type/assets align with yours | Status date, level, assessment type, certificate + CMMC UID, scope summary, C3PAO name | "Our certification covers you," with no scope proof | Verify scope, and still assess your own environment |
| Is an RPO/RP or has CMMC-trained staff | Not by itself | Not by itself | No | A helpful readiness/advisory credential, not proof your environment is compliant | Cyber AB role/status check, scope of services, deliverables, limits | Treating RPO/RP status as if it were certification | Use for readiness, not as assessment proof |
| Refuses CRM/SSP support or assessor participation | Unknown | Unknown | Unknown | Not a rule failure by itself, but practically assessment-dangerous if the MSP is in scope | Contract addendum, evidence-support terms, named assessment contact | "We don't share internal evidence with customers" | Replace, supplement, or reduce scope before assessment |

Primary-source basis: 32 CFR § 170.19 (CMMC scoping; ESP and Security Protection Asset treatment); official CMMC Program FAQ v5 (MSP/MSSP, SPD, and MSP/CSP scenarios); DFARS 252.204-7012 (cloud handling of covered defense information).


Does my MSP need its own CMMC certification?

No — not automatically. The Department’s own CMMC FAQ is explicit: an MSP that stores CUI in a non-cloud system does not require its own CMMC assessment, though it may elect to self-assess or certify; and if it certifies to simplify your assessment, the level and type must be the same or higher than your contract requires and must cover the assets in your scope (CMMC Program FAQ v5, answer E-A3).

This is the single most-botched point on the internet, so read it twice. A lot of currently-ranking content says a CUI-handling MSP must be certified. That was the December 2023 proposed rule. The October 2024 final rule changed it. We cross-checked this against the eCFR text of § 170.19 and the CMMC Program FAQ (v5) in June 2026 — ESP self-certification is voluntary.

| Your MSP’s situation | Is it an ESP? | Own CMMC cert required? | What actually gets assessed | Extra requirement | Source |
|---|---|---|---|---|---|
| Handles your CUI on its own assets, not a CSP | Yes | No (voluntary) | MSP's services assessed inside your Level 2 assessment | CRM + SSP documentation | § 170.19(c)(2); FAQ E-A3 |
| Handles only your SPD (logs, configs, monitoring) | Yes | No | Assessed as a Security Protection Asset | CRM | § 170.19(c)(2); FAQ E-A4 |
| Is a CSP storing/transmitting your CUI | Yes | No cert, but must meet FedRAMP Moderate/equivalency | Cloud service evaluated via FedRAMP + your CRM | FedRAMP (DFARS 7012) | DFARS 252.204-7012; § 170.19 |
| Administers your cloud, but you hold the tenant/license | Not the CSP (FAQ E-A5); ESP only if MSP assets hold CUI/SPD | No | If in scope, assessed in your scope; the underlying cloud carries FedRAMP | Confirm who licenses the tenant | FAQ E-A5 |
| Provides temporary access only (pen test, IR, staff aug) | Only if its assets store your CUI/SPD | No | Out of scope unless CUI/SPD lands on its assets | Verify artifact/report handling | § 170.19 |
| Voluntarily certified at Level 2 (≥ your contract) | Yes | Has one by choice | Reduces your effort; you may inherit applicable controls | Scope/level/type must match yours | FAQ E-A3; § 170.19(c)(2)(ii) |

CMMC Level 2 maps to NIST SP 800-171 Revision 2 (110 requirements across 14 control families). NIST has since published Revision 3, and the Department lets companies optionally implement Rev. 3 using its Organization-Defined Parameters, but CMMC assessments are still conducted against Revision 2 until the Department’s class-deviation memo is withdrawn or superseded (32 CFR § 170.14; CMMC Program FAQ B-A4). If a vendor tells you to chase Rev. 3 “because that’s what CMMC uses now,” that’s not correct as of mid-2026.

One caveat: a prime or subcontract can impose requirements beyond the baseline rule. If a prime tells you “your MSP must be certified,” that may be a contractual demand. Ask for the exact flow-down language and source-check it.


When is my MSP an “External Service Provider” — and what does “in scope” mean?

Your MSP becomes a CMMC scope issue the moment any MSP-owned or MSP-operated system holds your CUI or the data that protects your CUI environment. That’s the test in 32 CFR § 170.19: external people, technology, or facilities used for IT or cybersecurity, where CUI or Security Protection Data is processed, stored, or transmitted on the provider’s assets. “In scope” means those services are evaluated as part of your Level 2 assessment, not the MSP’s.

The MSP systems that most often pull contractors into scope:

  • RMM (remote monitoring and management) platforms
  • PSA / helpdesk ticketing systems
  • SIEM and log aggregation
  • Endpoint management and EDR consoles
  • Backup and disaster-recovery systems
  • Password vaults and privileged-access tools
  • Vulnerability-management scanners
  • Documentation and knowledge-base platforms
  • Remote-access tooling
  • Managed cloud admin consoles

Here’s what catches people off guard. When your assessment happens, the C3PAO uses three methods — examine, interview, and test — and all three reach your MSP. The assessor will examine your MSP’s evidence, interview your MSP’s engineers, and test controls your MSP operates. If a control is assigned to your MSP and the MSP can’t stand behind it on the day, the finding lands on your scorecard. That’s why the rule requires the MSP relationship, services, and responsibilities to be documented in your System Security Plan (SSP) and your Customer Responsibility Matrix (32 CFR § 170.19(c)(2)(ii)).


“But my MSP says they never touch CUI” — why that’s not the end of it

“We never receive CUI” is not enough. Security Protection Data (configuration files, logs, vulnerability results, credentials tied to your in-scope environment) can pull an MSP’s services into your assessment even when no CUI is ever intentionally sent (32 CFR § 170.19; CMMC Program FAQ v5, answer E-A4). The right follow-up to “we don’t touch CUI” is “okay, what do your tools store?”

Security Protection Data hides in ordinary places. Ask specifically about:

  • Firewall and device configurations
  • Endpoint and server logs
  • SIEM events and alerts
  • Vulnerability-scan results
  • RMM asset inventories
  • Network and asset lists
  • Passwords and credential-vault entries
  • Conditional-access and identity settings
  • Screenshots pulled from in-scope systems
  • Helpdesk tickets that reveal CUI-system details

There’s also a quiet trap in the ticketing system. Even if your MSP never “handles CUI,” your own people may paste CUI (a drawing, a screenshot, a contract detail) into a ticket. If that ticketing tool isn’t ready for CUI, you’ve just expanded your scope by accident. Make it an operational rule, in writing: no CUI, drawings, technical data, or sensitive contract artifacts in tickets or chat. Then ask your MSP for a one-page data map showing exactly what their RMM, ticketing, SIEM, backup, documentation, and credential tools store. If they can’t produce that map, that’s your answer about how well they understand CMMC.

The one document that decides it: the Customer Responsibility Matrix

The Customer Responsibility Matrix (CRM) is the artifact that makes or breaks the MSP question. It’s required for in-scope ESP services under 32 CFR § 170.19(c)(2)(ii), and it maps each applicable NIST SP 800-171 Revision 2 security requirement to who’s responsible — the MSP, you, or both. If a control is assigned to your MSP and the MSP can’t produce evidence at assessment time, that control is scored NOT MET in your assessment.

It helps to see this in three layers:

  • Rule-stated: the ESP relationship and services must be documented in your SSP, with a CRM describing the responsibilities of you and the ESP for the services provided (§ 170.19(c)(2)(ii)).
  • Process-stated: under the CMMC Assessment Process, the assessment team checks that the CRM is current, includes the relevant parties, and addresses the in-scope requirements the ESP performs wholly, partially, or jointly.
  • Operationally verified: a CRM that survives the assessment names, for each in-scope requirement, who implements it, who owns the evidence, and who answers for it in an interview.

Know the difference between two documents vendors use loosely. A CRM is one-directional: the ESP authors it to tell you what you must do for their service to support compliance. A Shared Responsibility Matrix (SRM) is bidirectional and collaborative, mapping both parties’ responsibilities. The rule names the CRM specifically because a CMMC assessment evaluates your implementation, not the provider’s internal operations. A glossy SRM full of “vendor maintains compliance” lines won’t survive the examine-interview-test phases.

The CRM isn’t just paperwork for the binder. The CRM needs to be available during pre-assessment planning, and the assessment team uses it to decide who gets interviewed and what evidence to demand. If the C3PAO can’t confirm your ESP documentation and participation up front, the CMMC Assessment Process says they should weigh whether to proceed at all.


Is my MSP a Cloud Service Provider? (When FedRAMP enters the picture)

Sometimes yes, sometimes no — and it changes your obligations. Per the CMMC Program FAQ (v5, answer E-A5), your MSP is not automatically a Cloud Service Provider when you subscribe to and license the cloud tenant yourself. The MSP may be the CSP if it contracts with the underlying cloud provider and modifies the basic service. The distinction matters because a CSP that stores, processes, or transmits your CUI must meet FedRAMP Moderate (or equivalency) under DFARS 252.204-7012.

Three cloud questions decide it:

  1. Who holds the tenant? If you license the Microsoft 365 GCC High or AWS GovCloud tenant, the FedRAMP obligation rides on the underlying cloud. Your MSP administering it is not automatically the CSP.
  2. Does CUI actually land in the MSP’s own service? If the MSP runs a managed enclave or file-sharing platform that holds your CUI, that service needs FedRAMP authorization or an equivalency package.
  3. Can they prove it? Ask for the FedRAMP Marketplace listing or the equivalency documentation and a CRM. “Secure cloud” is a phrase, not evidence.

One myth to kill on the spot: using GCC High does not make you CMMC compliant. A FedRAMP-authorized cloud is necessary, not sufficient. You still implement and document the controls, and your SSP still has to reflect your real configuration. Cloud doesn’t mean covered. See our GCC High and CMMC guide for the full picture.

How to verify a “we’re CMMC certified” claim (and why you can’t just Google it)

You cannot look up an MSP’s CMMC certification online — certified-contractor assessment results are not public. The Cyber AB Marketplace lists the ecosystem — C3PAOs, RPOs, Registered Practitioners, certified assessors — not certified contractors or MSPs. To verify the claim, you have to ask the MSP to show you the proof directly.

Sort every credential claim into one of three tiers:

  • Publicly verifiable. “We’re a C3PAO,” “we’re an RPO,” “our staff are Registered Practitioners / Certified CMMC Assessors.” Confirm these in the Cyber AB Marketplace. If they’re not listed, the claim is empty. (Important: being a C3PAO means they’re authorized to assess others — it is not the same as the MSP itself being certified.)
  • Not publicly verifiable. “We’re CMMC Level 2 certified.” You can’t Google this. Ask for their SPRS CMMC status record and Certificate of CMMC Status. A genuine certificate, per 32 CFR § 170.9, includes: the CAGE code(s) tied to the assessed systems, the C3PAO’s name, an assessment unique identifier, the company name, and the CMMC status date and level. See how to verify CMMC status in SPRS.
  • Meaningless without proof. “We’re CMMC compliant.” Don’t argue; just ask for the CRM and the evidence. The word alone tells you nothing.

What happens to your score if your MSP can’t produce evidence

Any control your MSP owns that lacks evidence at assessment time is scored NOT MET — and depending on which control, that can cost you certification outright. CMMC Level 2 is point-based: you start at 110 and lose points for each unmet requirement. SPRS scores can run as low as −203. You need a score of 88 or higher to qualify for conditional certification, every open item must be a low-value control on a Plan of Action & Milestones (POA&M), and the clock to close those items is 180 days (32 CFR § 170.21, § 170.24).

The failure mode that blindsides contractors isn’t a low score; it’s a good score with the wrong gap in it. Any Level 2 requirement worth more than 1 point generally cannot sit on a POA&M (the lone exception is CUI encryption that’s in place but not yet FIPS-validated), and certain 1-point requirements, including the SSP itself, are barred from POA&M treatment too. So if a 3- or 5-point control (multifactor authentication, access control, audit logging, encryption) is assigned to your MSP in the CRM, and your MSP can’t produce the evidence on assessment day, that’s a NOT MET on a non-deferrable control.

That is not a conditional pass. With a limited pool of authorized C3PAOs (fewer than 100 in mid-2026) and Phase 2 enforcement beginning November 10, 2026, a failed assessment doesn’t just cost money — it sends you to the back of a months-long queue.
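To make the scoring logic above concrete, here is an added worked example (not a tool from this publication or from the Department) that models the rules this section states: start at 110, subtract each unmet requirement's points, require 88 or more for conditional status, allow POA&M deferral only for 1-point items (with the SSP barred and the not-yet-FIPS-validated encryption case as the lone higher-point exception), and close POA&M items within 180 days. The requirement names, CRM ownership and point values in `SAMPLE_CRM` are constructed for illustration; the official point value of each NIST SP 800-171 requirement comes from the DoD Assessment Methodology, not from this script.

```python
"""Model of the CMMC Level 2 scoring and POA&M rules as stated on this page (added example)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_SCORE = 110           # Level 2 scoring starts at 110 points (32 CFR § 170.24)
CONDITIONAL_MIN = 88      # minimum score for conditional certification
POAM_CLOSEOUT_DAYS = 180  # deadline to close POA&M items (32 CFR § 170.21)


@dataclass(frozen=True)
class Requirement:
    name: str                     # descriptive label; constructed sample data below
    points: int                   # 1, 3 or 5 (illustrative values, not the official ones)
    owner: str                    # "contractor", "msp" or "shared", as the CRM assigns it
    evidence_available: bool      # can the owner produce evidence on assessment day?
    poam_barred: bool = False     # 1-point items barred from POA&M treatment (e.g. the SSP)
    fips_exception: bool = False  # CUI encryption in place but not yet FIPS-validated


def is_poam_eligible(req: Requirement) -> bool:
    """A NOT MET requirement can sit on a POA&M only if it is a 1-point item that is not
    barred, or it is the single >1-point exception named on the page (FIPS validation)."""
    if req.poam_barred:
        return False
    return req.points == 1 or req.fips_exception


def score_assessment(reqs):
    """Return (score, status, blockers). status is FINAL, CONDITIONAL or NOT MET;
    blockers lists unmet requirements that cannot be deferred to a POA&M."""
    not_met = [r for r in reqs if not r.evidence_available]
    score = MAX_SCORE - sum(r.points for r in not_met)
    blockers = [r.name for r in not_met if not is_poam_eligible(r)]
    if not not_met:
        status = "FINAL"
    elif blockers or score < CONDITIONAL_MIN:
        status = "NOT MET"          # a non-deferrable gap fails even with a high score
    else:
        status = "CONDITIONAL"
    return score, status, blockers


def msp_exposure(reqs):
    """Names of MSP-owned or shared requirements that could not be deferred if the
    MSP failed to produce evidence: the rows the CRM must pin evidence ownership for."""
    return [r.name for r in reqs
            if r.owner in ("msp", "shared") and not is_poam_eligible(r)]


def poam_deadline(status_date: date) -> date:
    """Date by which every POA&M item must be closed after conditional status."""
    return status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


def with_missing(reqs, *names):
    """Copy of the CRM rows with evidence marked unavailable for the named requirements."""
    return [replace(r, evidence_available=r.evidence_available and r.name not in names)
            for r in reqs]


# Constructed sample CRM rows (hypothetical names, owners and point values).
SAMPLE_CRM = [
    Requirement("System Security Plan maintained", 1, "contractor", True, poam_barred=True),
    Requirement("MFA for privileged access", 5, "msp", True),
    Requirement("Audit log review", 3, "msp", True),
    Requirement("CUI encryption in transit (FIPS-validated)", 3, "msp", True, fips_exception=True),
    Requirement("Media marking", 1, "contractor", True),
    Requirement("Physical access escort", 1, "contractor", True),
]

if __name__ == "__main__":
    print("all evidence present:", score_assessment(SAMPLE_CRM))
    print("MSP cannot evidence MFA:",
          score_assessment(with_missing(SAMPLE_CRM, "MFA for privileged access")))
    print("one 1-point gap:", score_assessment(with_missing(SAMPLE_CRM, "Media marking")))
    print("MSP-owned controls that cannot be deferred:", msp_exposure(SAMPLE_CRM))
    print("POA&M deadline from 2026-06-01:", poam_deadline(date(2026, 6, 1)))
```

Running it shows the point the section makes: a missing 5-point MFA control leaves the score at 105, comfortably above 88, yet the outcome is NOT MET because the gap is non-deferrable, whereas a missing 1-point item at 109 yields conditional status with a 180-day closeout. `msp_exposure` is the list to read against your CRM before assessment day.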


The documents to request before your assessment

A defensible MSP can hand you scope, responsibility, data-flow, evidence, and participation artifacts, not just a sales claim. Request these ten items in writing. If they balk at most of them, that’s a finding in itself.

  1. Service description: what services they provide, which systems they cover, and exactly where the MSP boundary starts and stops.
  2. Customer Responsibility Matrix (CRM): who implements, operates, monitors, and produces evidence for each relevant control.
  3. Data-flow map: whether CUI or Security Protection Data enters any MSP system.
  4. RMM/PSA/ticketing data statement: what those tools store, retain, export, and expose.
  5. Privileged-access model: how admin credentials are created, stored, rotated, monitored, and revoked.
  6. Cloud / FedRAMP evidence (if applicable): FedRAMP Moderate authorization or equivalency for any cloud service handling your CUI.
  7. Evidence-export plan: how they'll support assessment evidence without over-exposing sensitive data.
  8. Incident-support terms: how they support DFARS 252.204-7012 cyber-incident reporting, including the 72-hour reporting obligation and evidence preservation.
  9. Assessment-participation commitment: whether MSP personnel will attend assessment sessions if their services are in scope, and whether that's included or billed extra.
  10. Change-notification and exit terms: how they alert you to tool, cloud, subcontractor, or boundary changes.

Use the CMMC readiness checklist to move from “I think we’re fine” to a documented answer fast.


Red flags that mean your MSP isn’t assessment-defensible

The biggest red flag is not “uncertified MSP.” It’s an MSP that can’t explain what it touches, where sensitive data lives, who owns which responsibilities, and how it will produce evidence during your assessment.

  • "Our CMMC certification covers you." A provider's status never automatically transfers to your environment.
  • No CRM or shared-responsibility model. Without it, your SSP and evidence story are incomplete by definition (32 CFR § 170.19(c)(2)(ii)).
  • CUI in tickets or screenshots. This silently drags helpdesk and ticketing tools into scope.
  • RMM or SIEM stores logs and configs, but they say "we don't touch CUI." Security Protection Data still counts (CMMC FAQ E-A4).
  • Cloud claims with no FedRAMP or equivalency proof. "Secure cloud" ≠ FedRAMP Moderate for CUI (DFARS 252.204-7012).
  • Refusal to participate in your assessment. If they won't stand behind their work, the risk falls entirely on you.
  • They offer to both remediate and assess you. That's a conflict of interest the rule prohibits (see next section).

If your MSP is throwing yellow or red flags, the next step is rarely “fire them and find a new MSP.” It’s figuring out which provider category actually closes the gap — readiness help, evidence software, a compliant enclave, or a formal assessor. Compare the categories before you make an expensive switch.


Can my MSP, RPO, or readiness consultant also be my C3PAO?

No — keep readiness and formal assessment in separate lanes. This is a bright line in the rule: 32 CFR § 170.8(b)(17)(ii)(G), reinforced by the Cyber AB Code of Professional Conduct, prohibits a CMMC ecosystem member from participating in your Level 2 certification assessment if they served as your consultant within the previous three years — regardless of which level the prior consulting prepared you for.

In plain English: a provider can help you prepare, or a C3PAO can assess you, but the same firm can’t prepare you and then independently certify its own work. The reason is obvious once you say it out loud: no assessor can objectively grade homework it helped write.

Why does this belong on a page about your MSP? Because MSPs, RPOs, consultants, and software vendors all cluster around the same buying moment, and it’s easy to accidentally hire one provider in a way that creates a conflict later — forcing a scramble for a new assessor under deadline. Plan the separation early: a readiness partner (often an RPO) for preparation, and a separate authorized C3PAO for the certification assessment. See our RPO vs. C3PAO guide.


Keep, supplement, segment, or replace? A decision table

Keep your MSP if it can document scope, responsibilities, evidence, and data handling. Add or replace when it can’t support your CUI/SPD boundary, your CRM, cloud evidence, assessor participation, or the depth your assessment type demands.

| Your situation | Likely move | Why |
|---|---|---|
| MSP supports IT but doesn't touch CUI or SPD | Keep, document, monitor | Don't change vendors you don't need to |
| MSP handles SPD but can provide CRM + evidence | Keep + document as ESP | The assessment needs proof, not panic |
| MSP handles CUI in tools that aren't ready | Stop CUI flow; segment or replace the tool | Data location can expand your scope |
| MSP manages your cloud CUI boundary | Verify CSP/FedRAMP path first | Cloud gaps become assessment blockers |
| MSP is strong on IT, weak on CMMC evidence | Add an RPO/GRC/readiness layer | Don't force one vendor to be everything |
| MSP refuses scope or evidence participation | Replace or segment before assessment | Hidden scope risk becomes assessment risk |
| MSP is also a subcontractor receiving FCI/CUI | Confirm DFARS 7021 flow-down status | Subcontracted CUI work carries its own CMMC requirement |
| You're already assessment-ready | Engage a C3PAO (preserve COI separation) | Formal assessment ≠ remediation |

Where to go next depends on which row you landed on. If you need readiness, scoping, SSP/POA&M help, or managed compliance, that’s the RPO/MSP/MSSP category. If you need a compliant home for CUI, that’s a managed enclave. If you need to organize evidence and policies, a GRC platform is a supporting layer — not the whole solution. If you’re assessment-ready, that’s a C3PAO. Not sure which one is you?


Copy and paste: the email to send your MSP this week

The fastest real next step isn’t asking “are you CMMC compliant?” — it’s asking for specific evidence. Send this today; the quality of the reply tells you most of what you need to know.

Subject: CMMC scope and evidence request

Hi [name],


We’re documenting our CMMC assessment scope and need to confirm how your services interact with our environment. Please tell us whether any of your systems, tools, staff, subcontractors, cloud services, ticketing platforms, RMM tools, SIEM/logging, backups, password vaults, or documentation platforms process, store, or transmit our CUI or Security Protection Data (for example, logs, configurations, vulnerability data, or credentials tied to our environment).


Please also send: your current service description; your customer/shared responsibility matrix; a short data-flow summary; the list of MSP-operated tools used for our account; your evidence-support and incident-support process; and any FedRAMP Moderate, FedRAMP equivalency, or CMMC status evidence you believe applies.


Please do not include CUI, drawings, passwords, vulnerability details, export-controlled technical data, or sensitive contract details in your reply.


Thanks,
[you]

If the reply is clear, specific, and backed by artifacts — good sign. If it’s vague, defensive, or comes back with “we’ve got you covered,” run the proof test and start comparing categories.



What we actually verified

Verified against primary sources:

  • CMMC Program Rule — 32 CFR Part 170, effective December 16, 2024. (eCFR · Federal Register)
  • ESP / SPD / CSP scoping and the CRM requirement — 32 CFR § 170.19; ESP certification is voluntary (§ 170.19(c)(2)(ii)). (eCFR § 170.19)
  • MSP/MSSP scenarios — official CMMC Program FAQ v5, answers E-A3, E-A4, E-A5. (CMMC Program FAQ v5)
  • Standard in use — CMMC Level 2 uses NIST SP 800-171 Revision 2 (110 requirements, 14 families, 320 assessment objectives); assessments are conducted against Rev. 2 (32 CFR § 170.14; FAQ B-A4). (NIST CSRC)
  • Cloud / FedRAMP for CUI — DFARS 252.204-7012. (Acquisition.gov)
  • Contract clause, flow-down, and phase timing — DFARS 252.204-7021, effective November 10, 2025; Phase 1 runs Nov 10, 2025–Nov 9, 2026; Phase 2 begins Nov 10, 2026 (32 CFR § 170.3(e)). (Acquisition.gov)
  • Scoring and POA&Ms — conditional status requires ≥88; only 1-point items are POA&M-eligible; 180-day closeout (32 CFR § 170.21, § 170.24, § 170.17).
  • Conflict of interest — 32 CFR § 170.8(b)(17)(ii)(G); the three-year consultant-then-assessor prohibition.

What we could not verify: the current status of your specific MSP (no public registry exists); the exact current count of authorized C3PAOs; exact assessment and readiness cost ranges. Editorial conclusions (which provider category fits, and what to verify before hiring) are our judgment. This is educational research, not legal, contractual, or compliance advice. Confirm scope with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.



Frequently asked questions

Does my MSP's CMMC certification make my company compliant?

No. Your company's CMMC status depends on your own assessed environment, scope, controls, and evidence — not on a provider's badge. An MSP's certification can reduce your effort only when its assessed services and assets actually align with your use case (CMMC Program FAQ E-A3).

Does my MSP need to be CMMC certified?

Not automatically. Under the CMMC Final Rule, an MSP acting as an ESP is not required to hold its own certification; it may certify voluntarily. If your MSP handles your CUI, its services are assessed inside your Level 2 assessment instead (32 CFR § 170.19(c)(2)(ii); FAQ E-A3).

What if we only handle FCI, not CUI?

If your contract involves only Federal Contract Information (FCI) and no CUI, you're generally looking at CMMC Level 1 — an annual self-assessment against the 15 safeguarding requirements in FAR 52.204-21, not a Level 2 C3PAO assessment. The MSP proof question still matters operationally, but the Level 2 CUI/SPD, C3PAO, and FedRAMP analysis on this page may not apply unless your data flow or contract changes.

What if my MSP is also a subcontractor or supplier receiving FCI or CUI?

That's different from a pure support relationship. If you issue your MSP a subcontract or other contractual instrument that requires its own systems to process, store, or transmit FCI or CUI, DFARS 252.204-7021 flow-down applies — and the MSP/subcontractor must have the appropriate current CMMC status (Level 1 or Level 2) before award. The ESP scoping rules cover support services; the flow-down rules cover subcontracted work.

What is Security Protection Data?

Security Protection Data is information used to protect your assessed environment — log data, configuration data, vulnerability status, and credentials are common examples. It matters because MSP tools can hold it even when they never receive CUI, which can place those services in your assessment scope (32 CFR § 170.19).

Is my MSP a Cloud Service Provider?

Sometimes. If you license the cloud tenant yourself, your MSP administering it is generally not the CSP; the MSP may be a CSP if it contracts with the cloud provider and modifies the service it offers. A CSP handling your CUI must meet FedRAMP Moderate or equivalency under DFARS 252.204-7012 (CMMC Program FAQ E-A5).

Is GCC High enough for CMMC?

No. Microsoft 365 GCC High can be part of a CUI environment, but it doesn't make you compliant by itself — you still need correct scope, configuration, identity and access controls, policies, evidence, and a responsibility matrix.

How do I verify a company's CMMC certification?

You can't look it up publicly — certified-contractor results aren't published. Ask the provider for their SPRS CMMC status record and Certificate of CMMC Status (which includes the C3PAO name, assessment unique identifier, and CMMC status date and level under 32 CFR § 170.9), at a level and type at or above your contract. Ecosystem roles like C3PAO and RPO are verifiable in the Cyber AB Marketplace.

What if my MSP can't provide evidence during my assessment?

Controls assigned to your MSP that lack evidence are scored NOT MET in your assessment. A NOT MET 3- or 5-point requirement generally cannot be placed on a POA&M, so it blocks Conditional Level 2 status even if your total score stays at or above 88 (32 CFR § 170.21, § 170.24; the rule carries narrow exceptions). If an in-scope MSP won't support evidence, reduce its scope, add a readiness provider, segment CUI, or replace it before your assessment.
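To make the scoring consequence concrete, here is an added Python illustration (not code from this report, the Cyber AB, or DoD) that applies the Level 2 scoring arithmetic of 32 CFR § 170.24 and the POA&M limits of § 170.21 to a constructed set of assessment findings. The requirement IDs are real NIST SP 800-171 identifiers, but the point values and MET/NOT MET results below are sample data; verify each point value against the scoring methodology for your own assessment. Any requirement not listed in a findings list is treated as MET.

```python
"""Level 2 score and Conditional-status check modelled on the CMMC Scoring
Methodology (32 CFR 170.24) and the POA&M limits in 32 CFR 170.21.

Added illustration, not a tool from the article or from DoD. The findings
below are constructed sample data, not a real assessment."""

from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110      # NIST SP 800-171 Rev 2 requirement count
MIN_CONDITIONAL_SCORE = 88    # 170.21(a)(2)(i): score / 110 >= 0.8

# 170.21(a)(2)(iii): these can never sit on a POA&M, even though 1-point.
NEVER_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22",
              "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}

# 170.21(a)(2)(ii): the single >1-point exception, allowed only when
# encryption is employed but not FIPS-validated (3-point deduction).
FIPS_EXCEPTION = "SC.L2-3.13.11"


@dataclass
class Finding:
    req_id: str
    points: int              # 1, 3 or 5 per the scoring methodology
    met: bool
    partial_fips: bool = False   # only meaningful for SC.L2-3.13.11


def score(findings):
    """Start at 110 and deduct each NOT MET requirement's point value."""
    deducted = 0
    for f in findings:
        if f.met:
            continue
        if f.req_id == FIPS_EXCEPTION and f.partial_fips:
            deducted += 3    # encrypted, but not FIPS-validated
        else:
            deducted += f.points
    return TOTAL_REQUIREMENTS - deducted


def conditional_status(findings):
    """Return (eligible, reasons).

    eligible=True means Conditional Level 2 status with a 180-day POA&M is
    possible; otherwise the assessment result is a fail."""
    reasons = []
    s = score(findings)
    if s < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {s} is below {MIN_CONDITIONAL_SCORE}")
    for f in findings:
        if f.met:
            continue
        if f.req_id in NEVER_POAM:
            reasons.append(f"{f.req_id} is never POA&M-eligible")
        elif f.req_id == FIPS_EXCEPTION and f.partial_fips:
            continue         # the one >1-point item allowed on a POA&M
        elif f.points > 1:
            reasons.append(f"{f.req_id} is a {f.points}-point NOT MET")
    return (not reasons, reasons)


# Constructed sample: the MSP runs the SIEM and cannot produce evidence for
# audit logging (5 points) or log review (1 point). Score stays high, but the
# 5-point gap alone rules out Conditional status.
MSP_GAP = [
    Finding("AU.L2-3.3.1", 5, met=False),
    Finding("AU.L2-3.3.3", 1, met=False),
]

# Constructed sample: only a 1-point gap plus non-FIPS encryption. Both may
# go on a POA&M, so Conditional status is possible.
POAM_OK = [
    Finding("AU.L2-3.3.3", 1, met=False),
    Finding("SC.L2-3.13.11", 5, met=False, partial_fips=True),
]

# Constructed sample: a single 1-point gap that 170.21 never allows on a POA&M.
NEVER_POAM_CASE = [Finding("AC.L2-3.1.20", 1, met=False)]


if __name__ == "__main__":
    for name, case in (("MSP_GAP", MSP_GAP), ("POAM_OK", POAM_OK),
                       ("NEVER_POAM_CASE", NEVER_POAM_CASE)):
        ok, why = conditional_status(case)
        print(f"{name}: score={score(case)} conditional={ok} {why}")
```

The point of the first sample is the one practitioners most often miss: a 104 out of 110 is well above the 88 floor, yet a single 5-point NOT MET owned by the MSP still turns the result into a fail rather than a Conditional status.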

Can I outsource CMMC compliance to an MSP?

You can outsource implementation and operations support, but not accountability. Your organization still owns accurate scope, your SSP, your evidence, your annual affirmation, and contract compliance.

Can my C3PAO also help fix issues before assessing me?

No. A CMMC ecosystem member cannot participate in your Level 2 certification assessment if it served as your consultant within the prior three years (32 CFR § 170.8(b)(17)(ii)(G)). Plan for a separate readiness provider and assessor.

My prime says my MSP must be certified — is that true?

Ask for the exact clause or flow-down language. A prime or subcontract can impose requirements beyond the baseline rule, but you shouldn't treat every statement as a universal CMMC requirement without source-checking it.


Make the call with confidence

If you strip every link off this page, the bottom line still holds: your MSP's marketing claim is not your compliance, and you can verify the truth in an afternoon using the rule itself. Find your path in the matrix, send the email, request the ten documents, and run the proof test. If your MSP clears it, you've saved yourself a needless vendor change. If it doesn't, you now know precisely what's missing, and which provider category fixes it.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
⚠ Do not submit CUI, drawings, passwords, vulnerability details, export-controlled technical data, or sensitive contract information.

Find My CMMC Path →

About this report: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. Our discipline is primary-source citation on every claim. Disclosure: We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is educational research, not legal, contractual, or compliance advice; confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. Found an error? See our corrections policy and editorial standards.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.