This article was written by guest contributor Lindsey O’Donnell-Welch, a technical community writer at Huntress.
The Department of Defense (DoD) has officially finalized the Cybersecurity Maturity Model Certification (CMMC), and it’s about to reshape how contractors—and the MSPs that support them—do business. For any managed service provider working with defense contractors, this isn’t just another regulatory update. It’s a wake-up call.
MSPs aren’t just bystanders in this process. Whether you’re storing sensitive government data, supporting secure networks, or simply advising your clients that are DoD contractors or suppliers, your involvement is under the microscope—and your ability to lead clients through this compliance maze could become your next big differentiator.
If you want to remain relevant, competitive, and trusted in the defense supply chain, now’s the time to get ahead. Here’s how to prepare your MSP for what’s coming.
A Long Road to the Present
The DoD first developed CMMC more than five years ago. Since then, the framework has undergone several revisions. The DoD published the final version on October 15, 2024. It has three levels that designate different security measures for defense contractors.
- Level 1: A “foundational” level for contractors handling federal contract data, which encompasses information related to a government contract that’s not intended for public release. This level requires 15 basic safeguarding measures specified in the FAR (Federal Acquisition Regulation) clause (CFR 52.204-21), with annual self-assessments for compliance.
- Level 2: An “advanced” level for contractors that handle controlled unclassified information (CUI), which is government data that’s not classified but still must be protected. This level requires 110 security measures that align with NIST SP 800-171 and third-party assessments every three years (or self-assessments every three years in select cases).
- Level 3: An “expert” level that will only apply to about one percent of contractors that handle particularly sensitive CUI and support the most critical government programs and technology. These firms must comply with 134 requirements based on NIST SP 800-171 and 800-172, and undergo a government-led assessment every three years.
What MSPs Need to Do
According to CMMC, MSPs are classified as “external service providers.” As a result, if you handle CUI or security protection data for your customers in the defense supply chain, your services fall within the scope of your customers’ CMMC assessments. With that in mind, you need to take three steps:
1. Look at how third-party relationships shape CMMC compliance.
As an MSP supporting companies in the defense industrial base (DIB), you need to have a solid understanding of the scope of your customers’ CUI data and how (or if) it fits into CMMC. A key challenge here is the involvement of third parties, such as cloud service providers, which adds complexity. The framework introduces specific nuances depending on who handles, processes, or stores CUI data and how these responsibilities are reflected in contracts and licenses. You need to stay well-versed in the broader shared responsibility model to effectively guide your customers through CMMC compliance.
2. Break down the certification vs. assessments question.
If your MSP business works with CUI—but doesn’t directly store, process, or transmit it—you aren’t required to obtain CMMC certification. However, you still need to participate in your clients’ CMMC assessments each time they occur.
If you only have one or two customers in the DIB, participating in their assessments wouldn’t be too heavy of a lift. However, if you’re juggling multiple DoD contractor clients, you may want to consider getting your own certification. Another thing to consider is that while gaining CMMC certification may be a time- and resource-consuming process, MSPs that can say they’re CMMC certified will have a competitive edge.
3. Develop a plan of action to deliver CMMC compliance services.
Regardless of whether your MSP pursues certification or participates in client assessments, make sure to delegate CMMC compliance services to a specific person or team. That group can lead the charge on creating a plan of action and setting milestones, collecting documentation, and more.
If your MSP decides to pursue CMMC certification, you will need to look at the specific requirements outlined within the level you’re pursuing and conduct a gap analysis. Then you’ll need to develop a plan for meeting each security control mandate. For example, if your MSP business is looking into Level 2 compliance, you will need to understand how to implement NIST SP 800-171 controls and undergo an assessment.
Meanwhile, participating in clients’ assessments means your MSP must showcase your security processes and capabilities as supporting evidence for customers seeking CMMC compliance. If you choose this option, come prepared with documentation and be ready to explain how your services support CMMC-related security controls.
CMMC Readiness Is the New MSP Credibility Test
As the CMMC compliance clock ticks down, one thing is clear: MSPs that wait will be left behind. Those that act now—by clarifying their role in client assessments, tightening internal security practices, or even pursuing their own certification—will become invaluable strategic partners in a highly regulated and high-stakes environment.
The path to CMMC compliance is complex, but for forward-thinking MSPs, it’s also paved with opportunity. Get proactive, get prepared, and position yourself not just as a vendor—but as a trusted compliance guide and cybersecurity leader.