Do You Need CMMC? A Decision Making Guide for MSPs

This short guide aims to help MSPs assess whether CMMC (Cybersecurity Maturity Model Certification) applies to them or their clients, and what actions to take next.
Other blogs in this series:
- Who to Hire, Who to Train, and Who to Engage: CMMC Consultant Guide for MSPs
- CMMC Certification Process: Step-by-Step Guide for MSPs
Step 1: Do You Support Clients with DoD Contracts?
The first question every MSP should ask: Do your clients have Department of Defense (DoD) contracts?
- No → You’re likely out of scope for CMMC – but continue best practices for data protection.
- Yes → Continue below.
Key Indicators Your Client May Need CMMC
- ☐ They are a DoD contractor or subcontractor
- ☐ Their contracts reference DFARS 252.204-7012
- ☐ They handle, process, or transmit FCI or CUI
- ☐ They’ve been asked to comply with NIST SP 800-171
- ☐ They have expressed interest in bidding on federal contracts
- ☐ They’ve received a flow-down clause requiring cyber compliance
Red Flag = Contract mentions FCI, CUI, DFARS, or NIST.
Step 2: Does Your Client Handle Government Data?
Ask your clients:
- Are they receiving or processing Federal Contract Information (FCI)?
- Are they storing or transmitting Controlled Unclassified Information (CUI)?
- Do their contracts include DFARS 252.204-7012 or references to NIST SP 800-171?
If YES to any → Your clients require CMMC and your services may fall into scope.
Step 3: What Role Does Your MSP Play?
Your level of CMMC responsibility depends on how closely you interact with sensitive government data.
| Role | Risk Level | Consideration |
|---|---|---|
| You manage infrastructure or endpoints that touch CUI | High | You’ll be treated as a Security Protection Asset (SPA) and audited |
| You provide general IT services or monitoring only | Medium | May be out of scope, but still subject to review |
| You resell cloud/SaaS platforms used by CUI holders | Medium | Ensure vendors are FedRAMP or enclave-ready |
| You offer full-stack compliance solutions with multiple defense clients | High | Strong case for becoming CMMC Level 2 certified |
Step 4: What Path Should You Take?
Once you know your exposure, you have three main options:
1. Walk Away
- You don’t want to support government work
- Your clients can be transitioned or referred out
2. Support Clients Ad Hoc
- Create a Customer Responsibility Matrix (CRM)
- Let clients include you in their audits (as SPA)
- Help them build SSP/POA&M, but remain uncertified yourself
3. Build a Dedicated Offer
- Get Level 2 certified
- Launch a compliant CMMC-as-a-Service model with premium pricing
Final Tip
If you’re still unsure CMMC applies to your MSP:
- Check out the ABCs of CMMC bootcamp
- Or speak to a CMMC partner like Prescott to validate your assumptions
Why This Matters for MSPs
CMMC compliance is no longer optional for DoD contractors and, by extension, for the MSPs supporting them. Identifying where you stand now helps you avoid last-minute surprises and positions your business as a trusted, compliant partner in the defense supply chain.
For more on CMMC, download our ebook: CMMC: A Guide to the What, When, Why, and How?
Looking for more blogs on compliance and regulation? Check out the Compliance section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd