This article was written by guest contributor Jon DePerro, a compliance expert and military veteran.
If you have managed services clients who have been “kicking the can down the road” when it comes to compliance with the Cybersecurity Maturity Model Certification (CMMC), the end of the road officially arrives on November 10.
That’s when enforcement of CMMC 2.0 standards starts for contractors and subcontractors in the defense industrial base (DIB) supply chain. Tens if not hundreds of thousands of businesses in the defense industrial base will have to meet CMMC requirements. And if your MSP serves any of those businesses, their requirements become your requirements.
Here are three things MSPs need to know:
- There are 300,000 companies in the defense industrial base.
- Only a handful have their Level 2 certification.
- Large primes like Lockheed Martin are requiring their supply chain to meet CMMC Level 2 well in advance of the contract requirements taking effect.
Translation? There is a ton of opportunity for both project work and new monthly recurring revenue.
Follow the Math and the Money
First, it’s important to note that the enforcement date presumes that organizations have already upgraded firewalls and other infrastructure and have put the required security controls in place. If that’s not the case for your defense-related clients, they’ll have no choice but to spend some money and implement your recommendations (finally).
Second, the estimated cost to support a Level 2 certification assessment for a small entity is $96K, according to the Feds. And that does not include the cost of a third-party assessor.
The whole world is spending this much money. Your prospects, the people shopping you, are trying to AVOID spending this.
But bear this in mind: An MSP is going to spend about 200 hours getting clients ready. This is not simply showing up and helping them with some paperwork. The average MSP is spending about one year and $200K building a CMMC offering and training their staff. You cannot charge $5K for this work or be in “I’ll figure it out as I go” mode.
Because of the deadline, your prospects and customers may expect you to drop everything else you’re doing. That’s a business choice you’ll have to make: Do you have the time and resources to do CMMC work?
And remember, that $96K assessment price tag assumes the client has already fixed their technical shortcomings. If they haven’t, it’s a massive uplift. But the opportunity is massive as well.
CMMC assessors will be looking to see if organizations are set up to remain compliant. Only fully managed services will meet that goal. This is not a point-in-time project like other frameworks. You are designing and selling fully managed services for the life of their defense contracts.
CMMC Requires You to Go All-In
CMMC work is lucrative, but there are no shortcuts. You cannot “dabble” at CMMC in the same way that you cannot “dabble” in brain surgery. Both require a specialist. In fact, many CMMC compliance vendors’ entire marketing approach is to tell your customers that their MSP is woefully unprepared to support CMMC. And oftentimes they are right.
The MSPs who are true CMMC practitioners have learned the process. They’ve tightened up their paperwork—employee credentials, background checks, physical security, and media storage. They know how to use MSP tools in a compliant manner. They understand where you need FedRAMP and where you don’t. The best are Level 2 certified. They’ve had an audit done by a CMMC third-party assessment organization and got a perfect score of 110.
Why is this important? Because if you’re an MSP and your customer goes through a CMMC third-party assessment, everything you do to support that customer is part of that assessment, which is why you also need a customer responsibility matrix that breaks down exactly what you do for that customer. Everything must be in scope for the assessment.
There is no easy button for CMMC. There’s no one SKU you can buy and you’re done. I don’t care what salespeople tell you.
If you don’t have the skills internally, you either need to partner up or level up. If you decide to partner, be very judicious about your choice. There are some MSSPs out there looking to steal the entire opportunity.
The Bottom Line: CMMC Is a Business Decision
The November 10 enforcement deadline for CMMC 2.0 marks a pivotal moment for MSPs serving the defense industrial base. With only a fraction of the 300,000 DIB companies certified and the cost and complexity of compliance rising, MSPs face a critical decision: Invest in becoming true CMMC practitioners, partner wisely, or walk away.
The opportunity is enormous—but so is the responsibility. Those who commit fully to the process stand to gain significant revenue and long-term client loyalty. The time for kicking the can is over. It’s time to step up—or step aside.







