CMMC Certification Process: Step-by-Step Guide for MSPs

This blog gives MSPs a quick step-by-step guide to the full CMMC certification process, from preparing to apply and selecting the right auditor (C3PAO) to timelines and expectations.

Step 1. Determine the Required CMMC Level

  • Level 1: If your clients handle only Federal Contract Information (FCI).
  • Level 2: If your clients handle Controlled Unclassified Information (CUI).

Tip: If unsure, ask clients to share their DoD contract requirements or refer to the DFARS 252.204-7012 clause.

Step 2. Perform a Readiness Self-Assessment

  • Complete a Level 1 or Level 2 readiness checklist.
  • Use a Plan of Action & Milestones (POA&M) to identify and track gaps.

Pro Tip: You can’t certify with an active POA&M — unresolved gaps may delay your approval.

CMMC Readiness Self-Assessment for MSPs

Use this tailored checklist to evaluate your readiness for CMMC Level 1 and Level 2 compliance. Score each item 0 (Not started), 1 (In progress), or 2 (Complete).

Level 1: Foundational Cyber Hygiene

☐ Limit access to authorized users and devices. (Score: ___)

☐ Protect against malware and malicious code. (Score: ___)

☐ Update software and apply security patches. (Score: ___)

☐ Perform regular backups and test recovery processes. (Score: ___)

☐ Limit use of removable media (USBs, etc.). (Score: ___)

☐ Monitor physical access to systems. (Score: ___)

☐ Provide basic cybersecurity awareness training. (Score: ___)

☐ Control external system connections (e.g., remote access). (Score: ___)


Level 2: Intermediate Cyber Hygiene

☐ Maintain documented policies and procedures for all controls. (Score: ___)

☐ Implement access control using least privilege principles. (Score: ___)

☐ Log system events and maintain an audit trail. (Score: ___)

☐ Encrypt CUI at rest and in transit. (Score: ___)

☐ Use multi-factor authentication for all remote access. (Score: ___)

☐ Perform regular vulnerability scans and remediation. (Score: ___)

☐ Conduct security assessments and risk analysis. (Score: ___)

☐ Develop and maintain a System Security Plan (SSP). (Score: ___)

☐ Document a Plan of Action & Milestones (POA&M). (Score: ___)


Scoring Guidance

• 0–15: Limited Readiness – Consider external consultation or start with foundational education.

• 16–25: Partial Readiness – Begin internal gap closure and policy development.

• 26+: Strong Readiness – Proceed with planning or engage a C3PAO for pre-assessment.


Plan of Action & Milestones (POA&M) Starter Template

Use this template to document and track remediation activities for CMMC compliance gaps.

Template columns:

• Control/Requirement
• Deficiency Description
• Planned Remediation Action
• Responsible Party
• Target Completion Date
• Status/Notes


Step 3. Build Required Documentation

  • Create your System Security Plan (SSP).
  • Maintain documented policies and procedures for each control.
  • Log evidence of control implementation (screen captures, logs, training records, vendor policies).

System Security Plan (SSP) Template for MSPs

This generic SSP template is designed to help MSPs document how their environment supports CMMC compliance, particularly Level 2 aligned with NIST 800-171. Where applicable, you can fill in details about the N‑able solutions in use (e.g., N‑central, Cove, EDR).

1. System Identification

System Name: ________________________
System Owner: ________________________
Location(s): __________________________
Boundaries/Enclaves: __________________

2. System Description

Describe the overall architecture. Include key functions, network diagrams, and the role of the MSP.
[Insert visual reference or summary. N‑able N‑central architecture diagrams can be embedded here.]

3. System Environment and Components

List servers, endpoints, backup platforms, and tools in use.
Example:
• N‑able N‑central (remote monitoring and management)
• N‑able Cove (backup)
• Endpoint Detection & Response (EDR) solution
• MFA for admin console access

4. CUI Handling

Describe where Controlled Unclassified Information (CUI) is processed or stored, and how it’s protected.
Include access control methods, data flow diagrams, and segmentation strategy.

5. Control Implementation Summary

For each NIST 800-171 control family, summarize how the MSP addresses it.

6. Points of Contact

• CMMC Compliance Officer
• Technical POC
• Documentation Owner

7. Review and Approval

Prepared By: ____________________
Approved By: ____________________
Date: ___________________________


Note: Include diagrams, screenshots of N‑central alerting configurations, and exportable audit trails in this section for assessments.


Step 4. Register with the Cyber AB

  • Go to the official Cyber AB site: https://cyberab.org
  • Create an account and profile for your organization.
  • Indicate your intent to pursue CMMC certification and desired level.

Step 5. Choose a Certified Third-Party Assessor (C3PAO)

  • Use the Cyber AB Marketplace to find an authorized Certified Third-Party Assessor Organization.
  • Vet based on experience, industry familiarity, and availability.

Step 6. Contract and Schedule Your Assessment

  • Finalize the scope of the audit with your C3PAO (e.g., affected systems, enclave strategy).
  • Allow 60–90 days minimum lead time.
  • Costs vary ($15K–$60K+ depending on scope and level).

Step 7. Undergo the Certification Assessment

  • Conducted onsite or remotely over several days.
  • Assessor will review:
    • Technical controls
    • Written policies
    • Implementation evidence
  • Any nonconformities must be addressed before a certificate is issued.

Step 8. Receive Your Certification Decision

  • Certification is valid for 3 years.
  • Level 2 certifications are posted on the Cyber AB site.
  • C3PAO submits formal report and decision.

Step 9. Maintain Compliance

  • Treat certification as a program, not a project.
  • Schedule annual internal reviews.
  • Update documentation when systems or processes change.

Additional Notes:

  • RPOs (Registered Provider Organizations) can assist with pre-assessment and gap closure but cannot certify you.
  • MDR, RMM, and backup vendors (like N‑able) should be part of your documentation for technical controls.

Final Thoughts for MSPs Pursuing CMMC

Achieving CMMC certification as an MSP may seem daunting, but with the right preparation, checklists, and templates, you can streamline the process. Start with a readiness self-assessment, document your security practices, and engage a trusted C3PAO to guide your certification journey.

For more on CMMC, download our ebook: CMMC: A guide to the What, When, Why, and How?

Looking for more blogs on compliance and regulation? Check out the Compliance section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd


© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.