CMMC 2.0 FAQ for MSPs: Everything You Need to Know
As cybersecurity threats escalate, the U.S. Department of Defense is raising the bar for contractors and their partners with CMMC 2.0. This updated compliance framework is designed to better safeguard sensitive government data. For Managed Service Providers (MSPs), understanding where they fit in is essential.
Whether you’re working directly with the DoD or supporting clients who are, this FAQ breaks down what MSPs need to know to stay compliant, competitive, and contract-ready.
What is CMMC 2.0?
CMMC 2.0 (Cybersecurity Maturity Model Certification) is a cybersecurity framework from the U.S. Department of Defense (DoD) designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). It updates and simplifies the original CMMC 1.0 by aligning more closely with existing standards like NIST 800-171.
Why Does CMMC Matter?
With cyberattacks on the rise—particularly from nation-state actors—the DoD has made cybersecurity a contract condition. Whether you’re working directly with the DoD or supporting someone who is, CMMC compliance could soon be your ticket to staying in the game.
Who needs to comply with CMMC?
Any organization that:
- Works directly with the DoD,
- Handles FCI or CUI,
- Or supports clients (like contractors or subcontractors) who do.
This includes Managed Service Providers (MSPs) that provide IT or security services to those clients—even if the MSPs themselves don’t process CUI directly.
When does CMMC become mandatory?
CMMC will begin appearing in DoD contracts in late 2025, starting with high-priority engagements. By 2028, full enforcement is expected across all relevant DoD contracts.
What are the three levels of CMMC 2.0?
| Level | What’s Covered | Who It’s For | What’s Required |
|---|---|---|---|
| 1: Foundational | Basic cyber hygiene; self-assessment only; protects FCI. | Contractors handling FCI only | Annual self-assessment |
| 2: Advanced | Aligns with NIST SP 800-171; protects CUI; requires third-party or self-assessment. | Organizations protecting CUI | Third-party or self-assessment every 3 years |
| 3: Expert | Includes NIST 800-172 controls; for high-security contracts; requires government-led assessments. | Critical national security work | Government-led assessment |
How does CMMC relate to NIST 800-171?
CMMC Level 2 is directly based on the 110 controls from NIST SP 800-171. If you’re already working toward NIST 800-171, you’re ahead of the game.
What About MSPs? Do We Need to Be Certified?
It depends on your role:
- If you support client systems that touch CUI → You’ll be in their audit scope as a “Security Protection Asset” (SPA).
- If you want to scale across clients or streamline audits → Consider becoming a Registered Practitioner Organization (RPO) or pursuing your own Level 2 certification.
What is an RPO or C3PAO and why are they important?
- RPO = Registered Practitioner Organization: Can guide others to compliance but cannot certify.
- C3PAO = Certified Third Party Assessor Organization: Authorized to perform official CMMC assessments.
Registered Practitioner Organizations (RPOs) and Certified Third-Party Assessor Organizations (C3PAOs) are key players in the CMMC ecosystem. An RPO is authorized by the Cyber AB to support organizations seeking CMMC certification by offering advisory services, readiness assessments, and implementation guidance. While they don’t conduct audits, they help MSPs and their clients get prepared. A C3PAO, on the other hand, is formally accredited to perform official CMMC assessments and issue certification decisions. These roles are essential because CMMC compliance is not just a technical checklist—it’s a strategic process that requires tailored expertise, validated methodologies, and a deep understanding of NIST and DoD frameworks. Partnering with an RPO or preparing to engage a C3PAO ensures you’re not navigating this journey alone—and dramatically increases the likelihood of a successful, efficient certification outcome.
Can I learn more or get help?
Yes. Start here:
Glossary of CMMC Terms for MSPs
| Term | What It Means | What It Means to MSPs |
|---|---|---|
| CMMC | Cybersecurity Maturity Model Certification | Compliance framework for DoD-related work |
| CUI | Controlled Unclassified Information | Sensitive data that must be protected under CMMC Level 2 |
| FCI | Federal Contract Information | Basic contract data; requires Level 1 protection |
| NIST 800-171 | Security standard for protecting CUI | Core of CMMC Level 2 requirements |
| NIST 800-172 | Advanced protection practices | Required for CMMC Level 3 certification |
| DFARS | Defense Federal Acquisition Regulation Supplement | Includes security clauses (7012, 7019, etc.) MSPs must understand |
| SPRS Score | Supplier Performance Risk System score | Indicates self-assessed NIST 800-171 compliance |
| SSP | System Security Plan | Documents how systems meet security requirements |
| POA&M | Plan of Action & Milestones | Tracks how and when gaps in security will be resolved |
| RP / RPA | Registered Practitioner / Registered Practitioner Advanced | Certified individuals who can help prepare for CMMC |
| RPO | Registered Practitioner Organization | An MSP or advisory firm certified to support CMMC readiness |
| C3PAO | Certified Third Party Assessor Organization | Official auditors for CMMC Level 2 |
| OSC | Organization Seeking Certification | Any entity seeking to undergo a certification assessment for a given information system for the purposes of achieving and maintaining the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC). An OSC is also an OSA. |
| OSA | Organization Seeking Assessment | Organizations seeking to undergo an assessment to achieve and maintain “any CMMC Status.” |
| SPA | Security Protection Asset | Systems/services like MSP tools that support CUI protection |
| Enclave | Segmented, secure environment | May be needed to separate CMMC-scoped systems from others |
| FedRAMP | Government cloud security standard | Applies if you’re hosting or handling CUI in the cloud |
For more on CMMC, download our ebook: CMMC: A guide to the What, When, Why, and How?
Looking for more blogs on compliance and regulation? Check out the Compliance section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on LinkedIn: thesecuritypope / Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.