
CMMC 2.0 FAQ for MSPs: Everything You Need to Know

As cybersecurity threats escalate, the U.S. Department of Defense is raising the bar for contractors and their partners with CMMC 2.0. This updated compliance framework is designed to better safeguard sensitive government data. For Managed Service Providers (MSPs), understanding where they fit in is essential.

Whether you’re working directly with the DoD or supporting clients who are, this FAQ breaks down what MSPs need to know to stay compliant, competitive, and contract-ready.

What is CMMC 2.0?

CMMC 2.0 (Cybersecurity Maturity Model Certification) is a cybersecurity framework from the U.S. Department of Defense (DoD) designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). It updates and simplifies the original CMMC 1.0 by aligning more closely with existing standards like NIST 800-171.

Why Does CMMC Matter?

With cyberattacks on the rise—particularly from nation-state actors—the DoD has made cybersecurity a contract condition. Whether you’re working directly with the DoD or supporting someone who is, CMMC compliance could soon be your ticket to staying in the game.

Who needs to comply with CMMC?

Any organization that:

  • Works directly with the DoD,
  • Handles FCI or CUI,
  • Or supports clients (like contractors or subcontractors) who do.

This includes Managed Service Providers (MSPs) that provide IT or security services to those clients—even if the MSPs themselves don’t process CUI directly.

When does CMMC become mandatory?

CMMC will begin appearing in DoD contracts in late 2025, starting with high-priority engagements. By 2028, full enforcement is expected across all relevant DoD contracts.

What are the three levels of CMMC 2.0?

Level 1: Foundational
  • What’s covered: Basic cyber hygiene, i.e. the safeguarding requirements of FAR 52.204-21; protects FCI.
  • Who it’s for: Contractors that handle FCI only.
  • What’s required: Annual self-assessment, plus an annual affirmation of continued compliance.

Level 2: Advanced
  • What’s covered: The 110 security requirements of NIST SP 800-171 Rev. 2; protects CUI.
  • Who it’s for: Organizations that store, process or transmit CUI.
  • What’s required: A self-assessment or a C3PAO certification assessment (the contract says which) every three years, plus an annual affirmation.

Level 3: Expert
  • What’s covered: Level 2 plus a subset of the enhanced requirements in NIST SP 800-172; for high-security contracts.
  • Who it’s for: Critical national security work.
  • What’s required: A government-led assessment by DCMA’s DIBCAC every three years, with a Level 2 C3PAO certification as a prerequisite.


How does CMMC relate to NIST 800-171?

CMMC Level 2 is built directly on the 110 security requirements of NIST SP 800-171 Rev. 2, the same requirements behind DFARS 252.204-7012 and the SPRS self-assessment score many contractors already post. If you are already implementing NIST SP 800-171, you are well ahead of the game: the controls do not change, but a certification assessment verifies, with evidence, what a self-assessment only asserts, so an accurate System Security Plan and per-requirement evidence become the critical work products.

What About MSPs? Do We Need to Be Certified?

It depends on your role:

  • If you support client systems that process or protect CUI → you are an External Service Provider (ESP) inside the client’s assessment scope. The tools and services you use to protect their CUI environment (RMM, EDR, SIEM, backup, identity and patching platforms) are assessed as Security Protection Assets (SPAs), and your own practices (who can reach the client’s systems, how that access is authenticated and logged, where security data is stored) are examined as part of the client’s assessment even if you hold no certificate of your own. If your service stores, processes or transmits CUI from the cloud, it must meet the FedRAMP Moderate baseline or equivalent.
  • If you want to scale across clients or streamline their audits → consider becoming a Registered Practitioner Organization (RPO), or pursue your own voluntary Level 2 certification, which clients’ assessors can then lean on instead of re-examining your environment in every engagement.

What is an RPO or C3PAO and why are they important?

  • RPO = Registered Practitioner Organization: Can guide others to compliance but cannot certify.
  • C3PAO = Certified Third Party Assessor Organization: Authorized to perform official CMMC assessments.

RPOs and C3PAOs are the two kinds of organizations MSPs will deal with most in the CMMC ecosystem. An RPO is registered with the Cyber AB to support organizations seeking CMMC certification through advisory services, readiness (gap) assessments, and implementation guidance. RPOs do not conduct certification assessments, but they help MSPs and their clients get prepared. A C3PAO is accredited by the Cyber AB to perform official CMMC Level 2 certification assessments and issue the resulting CMMC Status; Level 3 assessments are performed by the DoD’s DIBCAC, not by a C3PAO. Conflict-of-interest rules prevent a C3PAO from assessing an organization it advised, so plan on two separate relationships.

These roles matter because CMMC compliance is not just a technical checklist: it is a process that calls for tailored expertise, validated assessment methodology, and a working knowledge of the NIST and DoD frameworks. Partnering with an RPO, and preparing early to engage a C3PAO, means you are not navigating the process alone and markedly improves the odds of an efficient, successful certification.

Can I learn more or get help?

Yes. Start here:

Glossary of CMMC Terms for MSPs

  • CMMC (Cybersecurity Maturity Model Certification): The DoD’s compliance framework for contractors and subcontractors that handle FCI or CUI.
  • CUI (Controlled Unclassified Information): Sensitive but unclassified government data that must be protected under CMMC Level 2 (or Level 3 for the most critical programs).
  • FCI (Federal Contract Information): Basic contract data not intended for public release; requires Level 1 protection.
  • NIST SP 800-171: The security standard for protecting CUI in non-federal systems; its 110 requirements are the core of CMMC Level 2.
  • NIST SP 800-172: Enhanced protection requirements against advanced threats; a subset is added on top of Level 2 for CMMC Level 3.
  • DFARS (Defense Federal Acquisition Regulation Supplement): Contains the security clauses MSPs must understand, including 252.204-7012 (safeguarding covered defense information and 72-hour cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 DoD assessments and SPRS posting), and 252.204-7021 (CMMC requirements).
  • SPRS score (Supplier Performance Risk System): The self-assessed NIST SP 800-171 score, ranging from -203 to 110 under the DoD Assessment Methodology, that contractors post in SPRS.
  • SSP (System Security Plan): Documents the assessment boundary and how each security requirement is met; it is the first thing an assessor reads.
  • POA&M (Plan of Action & Milestones): Tracks how and when open gaps will be closed. Under CMMC 2.0 only limited, lower-weighted requirements may remain on a POA&M, and they must be closed within 180 days for a conditional status to become final.
  • RP / RPA (Registered Practitioner / Registered Practitioner Advanced): Individuals registered with the Cyber AB who can help organizations prepare for CMMC.
  • RPO (Registered Practitioner Organization): An MSP or advisory firm registered with the Cyber AB to support CMMC readiness; cannot perform certification assessments.
  • C3PAO (Certified Third-Party Assessor Organization): Accredited by the Cyber AB to perform official CMMC Level 2 certification assessments.
  • OSC (Organization Seeking Certification): Any entity undergoing a certification assessment of a given information system to achieve and maintain a CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC). Every OSC is also an OSA.
  • OSA (Organization Seeking Assessment): Any organization seeking an assessment to achieve and maintain any CMMC Status, including Level 1 and Level 2 self-assessments.
  • SPA (Security Protection Asset): Systems and services, such as MSP tooling (RMM, EDR, SIEM, backup), that provide security functions for the CUI environment; in assessment scope even if they never store CUI.
  • Enclave: A segmented, secured environment that isolates CMMC-scoped systems from the rest of the network, shrinking the assessment boundary and the evidence you must produce.
  • FedRAMP (Federal Risk and Authorization Management Program): The government cloud security standard; under DFARS 252.204-7012, cloud services that store, process or transmit CUI must meet the FedRAMP Moderate baseline or equivalent.


For more on CMMC download our ebook: CMMC: A guide to the What, When, Why, and How?

Looking for more blogs on compliance and regulation? Check out the Compliance section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on LinkedIn: thesecuritypope / Twitch: cybersec_nerd 


© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only, and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability for the accuracy, completeness, or usefulness of the information contained herein.

N-ABLE, N-CENTRAL, and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered marks, or marks pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.