The CMMC Final Rule Changed the Game—Why You Must Get the Customer Responsibility Matrix Right

This article is written by Mike Semel, a CMMC Certified Assessor who has created CMMC for MSPs, which includes Customer Responsibility Matrix (CRM) training and a template, to help MSPs deliver CMMC Level 2 compliance.

Now that CMMC is live, there is urgency—even panic—flowing from defense contractors to their MSPs and downstream to security tool vendors. Defense contract solicitations are now coming out with the cybersecurity requirements that are assessed under CMMC.

Virtually all defense contractors that store, process, or transmit Controlled Unclassified Information (CUI) will be required to pass an independent CMMC Level 2 certification assessment that will include their MSP.

Many smaller defense contractors that rely on MSPs are being pressured by the prime contractors they support to quickly get CMMC Level 2 certified or they will be removed as a vendor. Millions of dollars are on the line and defense contractors have no choice but to work with an MSP using cloud security tools that are aligned with CMMC.

The CMMC Final Rule completely changed the landscape. Unfortunately, many vendors and MSPs are still operating with advice that was correct in 2023—but flat-out wrong in 2026.

For one, many MSPs supporting CMMC Level 2 clients have a Customer Responsibility Matrix (CRM) that is incomplete and incorrect in how responsibilities are documented. Know this: The CRM is the most important CMMC document you’ll create.

The Final Rule clarified how Security Protection Assets (SPAs) and Security Protection Data (SPD) fit into CMMC Level 2 scoping, documentation, and assessments.

Defense contractors are responsible for meeting all 320 assessment objectives defined in the CMMC Level 2 Assessment Guide. They may outsource tasks to MSPs who use third-party cloud security tools to deliver their services.

What Changed (and Why It Matters to You)

When CMMC was first proposed, MSPs and security tool vendors were told that:

  • Every MSP needs its own CMMC certification assessment to support a Level 2 defense contractor.
  • Every log file and configuration data must be stored in a FedRAMP Moderate or equivalent cloud service—protected at the same level as CUI, the sensitive documents restricted by the Department of War from unauthorized distribution.

Here’s what the Final Rule clarified:

MSPs do NOT need to pay for a $20,000 to $50,000 CMMC assessment to keep a client. Instead, your services will be assessed as part of your client’s assessment. You must provide your client with an accurate and thorough Customer Responsibility Matrix based on the 320 CMMC Level 2 assessment objectives. You must be present at your client’s assessment to answer questions and take ownership of the CMMC practices your client outsources to you. MSPs may voluntarily choose to be assessed for CMMC Level 2 as a competitive advantage and to make client assessments easier.

You also need to provide specific documentation about your security tools.

Under the Final Rule’s CMMC Level 2 Scoping Guide, the cybersecurity systems, services, people, and facilities that protect environments with CUI are now formally categorized as Security Protection Assets.

SPAs generate and/or handle Security Protection Data—things like configurations, log files, vulnerabilities, and admin credentials.

SPAs include, but are not limited to, an MSP’s:

  • RMM tool
  • PSA tool
  • CRM tool
  • Cloud-based security tools
  • Vulnerability scanners
  • Patch management systems
  • SIEMs and MDR/XDR services
  • MSP/MSSP-delivered managed security functions
  • Cybersecurity and system maintenance staff
  • Security Operation Centers (SOC)
  • Office

Security Protection Data no longer requires the same protection as CUI—but it’s now subject to clear documentation and responsibility-sharing requirements.

That means:

  • Your cloud-based cybersecurity services do not need to be FedRAMP if they only handle SPD and no CUI. Warning: Some cloud security services have the ability to upload client files for analysis. You must turn off this feature to avoid the cloud service being classified as a CUI asset, requiring FedRAMP.
  • Your cloud-based cybersecurity vendors need to provide you with a service description and an accurate and thorough Customer Responsibility Matrix aligned with the 320 CMMC Level 2 Assessment Objectives—not just the 110 practices. Some cloud services make it very difficult to get their CRMs. Others, like Kaseya, make theirs easily accessible.

Any services that store, process, or transmit CUI must be FedRAMP Moderate or equivalent. This includes file storage, file transfer, email, backups, email filters, and other cloud services that touch CUI. Not using FedRAMP services for CUI has resulted in defense contractors being penalized under the federal False Claims Act—and the resulting triple payback of government payments, fines, public embarrassment, and watching whistleblowers be rewarded. Contractors can be banned from future contracts for noncompliance.

A CRM is the Most Important CMMC Document You’ll Create

CMMC’s Level 2 Scoping Guide requires a Customer Responsibility Matrix for External Service Providers, including MSPs and the cloud-based services they use. Many MSPs and vendors routinely use Shared Responsibility Matrices (SRM) that assign general responsibilities. The difference between a traditional SRM and a CMMC CRM is that the CMMC matrix must be detailed down to the individual CMMC assessment objectives in the CMMC Level 2 Assessment Guide.

The CMMC Assessment Process guide requires a defense contractor to provide the CRMs to their assessor in order to get their assessment scheduled. Assessors use the CRMs to determine who will be interviewed and provide documented evidence of CMMC implementation during an assessment.

An MSP’s CRM documents each applicable CMMC assessment objective and whether the responsibility to implement the requirement belongs to the client, the MSP, or is shared. A cloud-based security service’s CRM documents the responsibilities for each applicable CMMC assessment objective and whether the requirement is implemented by the cloud service, the MSP, or is shared.

Getting the CRM right isn’t easy.

An MSP showed me their CRM that only listed the 110 main CMMC requirements instead of the 320 CMMC Assessment Objectives.

Another MSP showed me a vendor’s CRM that was just marketing fluff and would not have passed the scrutiny of a CMMC assessor. (I know because I am a CMMC Certified Assessor.)

Why “Close Enough” Will Fail

Many MSP CRMs are incomplete and incorrect in how responsibilities are documented.

Many vendors still treat CRMs as marketing deliverables—multicolumn tables filled with vague statements like “Vendor maintains compliance” or “Customer is responsible for configuration.”

That might have worked before, but under the Final Rule, it won’t survive the interview, test, and examine phases of a formal assessment.

CMMC assessments cost $20,000 to $50,000 and require a perfect score. “Almost compliant” means “noncompliant.”

For MSPs and vendors alike, the CRM is the single most important piece of evidence connecting your service to your client’s compliance story.

An accurate MSP CRM must:

  • Reference every applicable assessment objective (out of the 320 CMMC Level 2 assessment objectives).
  • Clearly separate responsibilities between the Customer (defense contractor) and the MSP.
  • Be backed up with evidence showing how each objective is satisfied—policy, procedure, technology, or manual control (because the MSP’s services are being scrutinized as part of the client’s assessment).
  • Include service-specific detail—hosting model, data boundaries, regions, encryption, monitoring, and access control.

The MSP must provide each cloud-based security tool vendor’s CRM to their client as part of their documentation package. Security tool vendors do not need to participate in the client’s assessment.

If the CRMs are vague, incomplete, or inaccurate, the result is predictable: a defense contractor’s failed or delayed certification—and an angry client.

Who Should Write or Validate an MSP’s CRM?

Writing a CRM that can stand up to an assessment requires two kinds of experience:

  1. CMMC Certification & Assessment Experience
    You need expert guidance from someone who has certified knowledge of the CMMC model, the 320 Assessment Objectives, the Scoping Guide, and how assessors think.
  2. Managed Service Provider Experience
    Only someone who has delivered managed IT and security services understands what MSPs actually do—and what evidence they can realistically produce.

Friendly Warning: Just using a generic CRM or copying a peer group member’s CRM will easily be exposed when you are put on the spot by the client’s assessment team. You don’t want to be the cause of your client’s failed assessment, resulting in them being banned from defense contracts until they pay for and pass another assessment, likely with another MSP.

The New Opportunity

CMMC doesn’t just create risk—it creates opportunity for MSPs and vendors who document correctly.

  • For MSPs: A defensible, assessor-ready CRM and the right documentation from your vendors make you the easiest provider for defense contractors to work with.
  • For Vendors: An assessor-validated CRM turns your compliance documentation into a sales weapon—proof that your partners can trust you with their most regulated clients.

CMMC has raised the bar. Those who can quickly prove compliance win very profitable and very sticky business relationships. Those who guess or dawdle lose.

The choice is clear. And yours to make.

6 Action Steps for MSPs

Here’s what to do next:

1. Review the current CMMC Level 2 Assessment Guide so you understand the 320 Assessment Objectives and the CMMC Assessment Process guide so you understand the assessment process. The best way to understand CMMC and the nuances of the assessment process is to get CMMC certified or take formal CMMC training for MSPs created by a CMMC Certified Assessor.

2. Create a spreadsheet called (MSP Name) CMMC Customer Responsibility Matrix with at least three columns: CMMC Control, (MSP Name) Responsibility, and Customer Responsibility.

3. For each of the 320 Level 2 Assessment Objectives (not the 110 CMMC practices) identify the related roles and responsibilities for you and your client.

4. Don’t just enter a checkmark. Briefly describe the tasks you and your client will perform in the appropriate box. Some rows will only have MSP tasks. Others will have Customer tasks. Some will have tasks in both the MSP and Customer columns.

5. Because your clients and the systems you manage will vary, you should personalize the CRM for each client because their CMMC assessors will use your CRM as their guide.

6. For each item in the CRM’s MSP column, you will be required to participate in your client’s assessment, take ownership of your tasks, provide the appropriate documentation described in the assessment guide, answer questions, and be ready to demonstrate your processes.
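A sanity check you can run over the spreadsheet from steps 2 through 4 once it is exported as CSV: it flags practice-level rows (the 110-practice mistake), cells that hold a bare checkmark instead of a task description, and rows where neither party describes a task. This is an added example, not code from the article or from the CMMC for MSPs template; the `AC.L2-3.1.1[a]` identifier format and the sample rows are assumptions constructed for the demonstration.

```python
"""Lint a CMMC Customer Responsibility Matrix (CRM) exported from the spreadsheet as CSV."""
import csv
import io
import re

# Assumed identifier formats (not from the article): an assessment objective such as
# "AC.L2-3.1.1[a]" versus a practice-level identifier such as "AC.L2-3.1.1".
OBJECTIVE_RE = re.compile(r"^[A-Z]{2}\.L2-3\.\d{1,2}\.\d{1,2}\[[a-z]\]$")
PRACTICE_RE = re.compile(r"^[A-Z]{2}\.L2-3\.\d{1,2}\.\d{1,2}$")
CHECKMARKS = {"x", "✓", "✔", "yes", "y", "n/a"}  # marks that say who, never what
MIN_WORDS = 4  # anything shorter is treated as a checkmark in disguise


def is_task_description(cell):
    """True when the cell describes a task rather than a bare mark such as 'X' or 'Yes'."""
    text = cell.strip()
    return text.lower() not in CHECKMARKS and len(text.split()) >= MIN_WORDS


def lint_crm(csv_text):
    """Return (row_number, problem) findings; an empty list means the CRM passes these checks."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):  # row 1 is the header
        control = (row.get("CMMC Control") or "").strip()
        parties = {"MSP": (row.get("MSP Responsibility") or "").strip(),
                   "Customer": (row.get("Customer Responsibility") or "").strip()}
        if PRACTICE_RE.match(control):
            findings.append((n, f"{control}: practice-level row, list each assessment objective instead"))
        elif not OBJECTIVE_RE.match(control):
            findings.append((n, f"{control!r}: unrecognized control identifier"))
        for party, cell in parties.items():
            if cell and not is_task_description(cell):
                findings.append((n, f"{party} column holds a checkmark ({cell!r}), not a task description"))
        if not any(is_task_description(c) for c in parties.values()):
            findings.append((n, "no task described for either party"))
    return findings


# Constructed sample rows: rows 2 and 3 follow the article's advice, rows 4 and 5 do not.
SAMPLE_CRM = """CMMC Control,MSP Responsibility,Customer Responsibility
AC.L2-3.1.1[a],MSP maintains the authorized user list in the RMM and reviews it quarterly,Customer approves new hires and reports terminations to the MSP within one business day
AC.L2-3.1.1[b],,Customer documents each service account and its business owner
AC.L2-3.1.1[c],X,
AC.L2-3.1.2,MSP configures role-based security groups in Active Directory,Customer decides which roles may reach CUI folders
"""

if __name__ == "__main__":
    for row_number, problem in lint_crm(SAMPLE_CRM):
        print(f"row {row_number}: {problem}")
```

Rows 2 and 3 pass (a row may legitimately have tasks in only one column), row 4 is flagged twice for the bare "X", and row 5 is flagged for being a practice rather than an assessment objective.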

Author:

Mike Semel

Mike Semel, the Complianceologist, is a former MSP and CIO for a hospital and a K-12 school district. He has created CMMC for MSPs and other service delivery toolboxes to help MSPs deliver compliant services without having to learn regulations, add compliance-as-a-service, and help defense contractors implement CMMC compliance. He owns Semel Consulting, a cybersecurity compliance consulting firm that advises MSPs and end user organizations on compliance regulations across multiple industries. Semel is a recognized thought leader in the cybersecurity, compliance, and business continuity planning industries. He is a CMMC Certified Assessor, CMMC Certified Professional, Certified HIPAA Security Professional, Certified Governance Risk Compliance, Certified Business Continuity Professional, and Certified Cyber Resilience Professional. semelconsulting.com
