CMMC Compliance Guide for MSPs: What You Need to Know in 2025

Your MSP doesn't have to hold a defense contract itself to be a worthwhile target for cyber criminals. If you sit anywhere in the Department of Defense supply chain, even several tiers down, you're at risk.

The Cybersecurity Maturity Model Certification (CMMC) framework was designed to protect the vast supply chain of the Department of Defense (DOD). In the very near future, CMMC will be a contractual obligation for businesses working with the DOD. That includes subcontractors several tiers removed from prime contracts — which could very well mean your MSP is obligated to comply.

In this article, we discuss how CMMC may impact your MSP, and how to get ahead of it.

Why CMMC and Why Now? A Guide for MSPs

The Defense Industrial Base (DIB) refers to the thousands of businesses and organizations that provide defense-related goods and services to the DOD. The DOD and DIB rely on information systems to carry out their operations, and those systems hold extremely sensitive information: the kind that, if compromised, undermines the technical advantages and innovations of the US and threatens national security, public safety, and economic prosperity.

In an effort to create a unified front against these cyber threats, the DOD created the CMMC program. The final program rule (32 CFR Part 170) was published on Oct. 15, 2024, and took effect on Dec. 16, 2024. The program will be phased in over three years, but CMMC requirements are expected to appear in contracts as early as mid-2025.

How Does CMMC Impact Your MSP Business?

Over 220,000 companies in the DIB process, store, or transmit controlled unclassified information (CUI) or Federal Contract Information (FCI). CMMC concerns DIB contractors that handle this type of information, as well as their suppliers.

Tiers

The CMMC program has three tiers of cybersecurity compliance. A contractor's required tier depends on the sensitivity of information they handle:

  1. Level 1 contractors handle only Federal Contract Information (FCI). They self-assess against the basic safeguarding requirements of FAR 52.204-21 and affirm compliance annually.
  2. Level 2 contractors handle CUI and must meet the 110 security requirements of NIST SP 800-171. Depending on the contract, Level 2 is either self-assessed or assessed by a CMMC Third-Party Assessment Organization (C3PAO); contracts involving CUI will generally require the C3PAO assessment.
  3. Level 3 contractors handle the most sensitive CUI. They must first hold a Level 2 (C3PAO) certification, add selected NIST SP 800-172 requirements, and are assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Requirements

The CMMC program is based on the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 and 800-172 controls: Levels 1 and 2 draw on NIST SP 800-171, and Level 3 adds a subset of NIST SP 800-172. When the program is fully implemented, the DOD will include CMMC requirements in its contracts, and bidders must have the necessary certification level to be eligible for award.

How CMMC Flows Down to Subcontractors and MSPs

Cyber threats aren’t limited to the big defense contractors. The small entities that make up the lower levels of the defense supply chain are also targets. That’s why the CMMC program emphasizes subcontractors, and this will inevitably impact some MSPs.

While prime contractors must hold the appropriate CMMC certification level to bid on a defense contract, they must also flow the requirement down to every subcontractor involved in delivering the product or service. Each subcontractor must meet the CMMC level appropriate to the information it will handle: Level 1 if it receives only FCI, Level 2 if it receives CUI. Subcontractors will be required to demonstrate their adherence, either through their own certification or by being assessed.

CMMC Certification vs Assessment: Making the Right Choice

An MSP that processes, stores, or transmits CUI on a client's behalf, or that provides security services to the client's CUI environment, is within the scope of that client's CMMC assessment. The final rule does not force such an MSP to hold its own certification, but an MSP that is not certified must participate in the Level 2 or Level 3 assessment of every client that uses it. (Cloud service providers that store or process CUI are treated differently: they must meet FedRAMP Moderate or an equivalent standard.)

If your MSP never touches CUI or the systems that protect it, you may fall outside CMMC's scope entirely. If you do touch them, you face a choice: either obtain a CMMC certification at or above your clients' level, so that their assessors can rely on it, or participate in each client's third-party assessment individually.

CMMC Shared Responsibility Matrix Requirements

Defense contractors outsourcing their CMMC compliance to an MSP have their fair share of responsibility for fulfilling CMMC controls. The division of responsibility between your MSP and your client is laid out in a Shared Responsibility Matrix, which:

  • should be reflected in your contract
  • should make clear who is responsible for what
  • should be laid out at a granular level

A Shared Responsibility Matrix is so important that your client must provide one to their assessor. During your own assessment, this document acts as evidence of which capabilities you provide for your client and which you do not.

CMMC Third-Party Assessment Requirements for Outsourcing

If your MSP is required to undergo a CMMC assessment and you outsource services, systems, or personnel to another third party, they may need to participate in assessments if they're not CMMC certified. This extends further: if your suppliers outsource to other parties, those organizations may also need to participate in assessments, creating a chain of compliance requirements.

Getting started with CMMC

While full CMMC implementation will take time, contractors' ability to bid on contracts will eventually depend on their assessment and certification status. To avoid losing contracts, some prime contractors are already requiring their subcontractors to meet CMMC requirements.

There are two things to keep in mind at this point.

  1. First, it takes many months to achieve CMMC certification. If you’re required to get certified, or you’re planning on doing so in order to avoid constant assessments, we recommend you get the process started immediately.
  2. Second, and perhaps even more importantly for your bottom line, getting certified or participating in assessments requires an organizational pivot. It’s time to begin preparing your systems, restructuring pricing, and rewriting contracts to reflect this level of responsibility and oversight.

Compliance Scorecard for CMMC Compliance

Compliance Scorecard can help your MSP take the hassle out of getting certified and staying compliant. CMMC is as complex as it is necessary. Compliance Scorecard is a comprehensive compliance platform purpose-built for MSPs that can help you navigate those complexities and maintain CMMC readiness. Here’s how.

Policy packs

Our CMMC policy pack is a pre-built library of essential policies and procedures specifically tailored to meet CMMC/NIST SP 800-171 requirements. This toolkit saves MSPs countless hours developing critical documents from scratch and allows you to focus on implementing and integrating the necessary controls.

Auditing and reporting

Compliance Scorecard’s auditing tools streamline the certification and/or assessment processes by automating evidence collection, facilitating risk assessments, and generating detailed compliance reports. This not only saves valuable time and resources, but also provides a clear picture of CMMC posture, allowing you to identify and address any gaps before an audit.

Ongoing compliance

CMMC Level 2 certification is valid for three years but requires annual affirmation from a senior official. Compliance Scorecard makes it easy to maintain compliance with automated reminders for policy updates, simplified evidence management, and updates when the framework changes. This ongoing support empowers MSPs to proactively address evolving threats and ensure their security posture remains aligned with CMMC requirements.

Reproducible results

Once your MSP has navigated the CMMC compliance journey with Compliance Scorecard, replicating the process for your clients is simple. The platform's pre-built templates are easily adapted to each client's specific needs, saving you from reinventing the wheel, and ensuring consistency that reduces the risk of errors. Compliance Scorecard essentially empowers you to become a CMMC compliance champion for your entire client base.

Learn More About Compliance Scorecard CMMC Capabilities

Whether you handle CUI directly or provide services that touch a client's CUI environment, you fall under the scope of CMMC. Maintaining your current contracts may require either full certification or participation in the assessment process. MSPs have decisions to make, prices to restructure, contracts to rewrite, and months of work to get up to speed with CMMC obligations.

Sounds like a headache? Let us alleviate the pressure. Compliance Scorecard has all the tools and resources your MSP needs to start the process, whichever way you decide to go. Contact us to learn more about our CMMC capabilities and professional services.
