
Why I Chose the CMMC Certified Assessor Path: A CEO’s Lessons for MSPs Ready to Go Deeper

The MSP Success Thought Leaders Program invites leaders in the small business IT/MSP industry to share their insights and advice with MSP Success readers. This article was written by guest contributor Matt Katzer, founder and CEO of KAMIND Cloud Solutions Advisors, a full-service IT and cybersecurity firm and Microsoft Tier 1 Cloud Partner based in Lake Oswego, Oregon.

CMMC is forcing MSPs to make a choice. For those supporting clients in or near the Defense Industrial Base (DIB), surface-level familiarity is no longer enough. But the question many MSP leaders now face is how deeply they are willing (or able) to engage. There’s an old saying: “How you do anything is how you do everything.” This applies to the Cybersecurity Maturity Model Certification (CMMC) path. You need to be “all in.”

Similar to business strategy, CMMC is a progressive journey. Pursuing deeper CMMC knowledge is not a marketing exercise or a quick certification grab. It requires a clear-eyed understanding of responsibility boundaries, assessment rigor, documentation expectations, and the operational discipline needed to support CMMC Level 2 clients. MSPs considering this path need to know what they’re signing up for: increased accountability, higher client expectations, and a long-term commitment to compliance culture—not just security tooling.

For MSPs willing to make that investment, the upside is significant. Deep CMMC expertise positions you as a trusted advisor rather than a commodity vendor, unlocks higher-value engagements, and creates defensibility in a crowded market. But it also demands intention—investing the time and effort toward the right credentialing for your MSP business.

That inflection point is what led me, as a CEO, to pursue the path to becoming a CMMC Certified Assessor. What started as a desire to better serve our clients became a strategic decision that transformed our business. This is the story of why we chose to go deeper—and what MSPs should consider before embarking on the same journey.

The Back Story

KAMIND’s journey started as an MSP. We distinguished ourselves early on as a cloud-based Microsoft vendor providing licenses and services. We forged a strong partnership with Microsoft by actively participating in planning committees and contributing to product development, including security enhancements for Business Standard and various compliance features not typically included with standard offerings. The objective of these initiatives was to reduce the total cost of ownership for our clients.

In 2019, KAMIND reaffirmed its commitment to Microsoft licenses as its core platform, and we realigned our MSP focus toward cybersecurity, specifically by adhering to NIST SP 800-171. We launched two specialized solutions: Guard, which addresses CMMC Level 1 requirements and serves the Office 365 commercial market; and Fortress, tailored for defense contractors using Microsoft Azure Government in pursuit of CMMC Level 2 compliance. We also introduced a partner program to help other MSPs grow. Because we use Microsoft security tools exclusively, all of our solutions are developed in accordance with CMMC guidelines.

This strategic shift is well aligned with evolving regulatory frameworks, as the IT industry undergoes increased regulation, particularly regarding CMMC services for defense contracts. Furthermore, these regulatory requirements are beginning to impact commercial enterprises, evidenced by both Microsoft and Google now mandating enhanced cybersecurity controls for their partners.

Our Stepwise Path: RP, RO, CCP, and CCA

The evolution to a CMMC compliance-focused MSSP wasn’t a solitary decision. Early in the process, I reached out to my partner Barbara, whose deep understanding of business strategy has shaped countless company milestones. Together, we examined the requirements outlined by the Cybersecurity Maturity Model Certification Accreditation Body (Cyber AB), which provides independent oversight and credentialing for organizations in the defense supply chain. It operates as an independent, non-governmental entity responsible for overseeing all training and accreditation activities related to CMMC under a contract with the Department of War (DoW).

My first step was to become a CMMC Registered Practitioner (RP). This is an entry-level designation that demonstrates an individual’s foundational knowledge of the CMMC framework, its terminology, and processes.

The RP credential is for professionals who support organizations in preparing for CMMC assessments, whether through advisory services or internal readiness work. The RP is extremely important because it teaches you the terminology used in the Defense Industrial Base. Using the correct terminology from the RP ensures clear communication and acceptance within this market. Cost for the RP registration and training is $600, with an annual renewal of $500.

Our second step was to become an RPO (Registered Provider Organization) with RPs on staff to consult on CMMC readiness projects. RPO registration costs $6,000 with an annual renewal of $5,000.

Building on this, our team pursued the CMMC Certified Professional (CCP) certification. The CCP is the first step in the CMMC Assessor track. It certifies that an individual has in-depth understanding of the CMMC model, assessment process, and requirements. CCPs are eligible to serve as assessment team members and provide consultancy around CMMC implementation.

In order to sit for the CCP exam, you must complete accredited CMMC training delivered by a licensed training provider. The training covers topics such as the structure of CMMC, scoping, evidence collection, and assessment methodology. Once you pass the CCP exam, the DoW performs a Tier 3 background investigation. The investigation takes about 9–12 months and is conducted by the Defense Counterintelligence and Security Agency (DCSA). Exams and training typically cost about $3,000.

Finally, we worked toward becoming a CMMC Certified Assessor (CCA), the highest individual credential currently available. CCAs are authorized to lead formal CMMC assessments for organizations seeking certification, especially at Level 2 (Advanced) for the DIB. The process of becoming a CCA involves CCP certification, further specialized training, passing the CCA exam, and gaining practical team experience under the mentorship of experienced assessors. The Cyber AB reviews all credentials and ensures that candidates meet rigorous standards before granting CCA status.

After passing the CCA exam, you must also hold an additional cybersecurity credential, such as the CISSP from ISC2 or the CISM from ISACA, and have documented work experience in cybersecurity. These are required to earn the CCA badge. Finally, you will need to participate in an assessment with a CMMC Third Party Assessor Organization (C3PAO) to gain practical experience. As I said earlier, this is both a personal and a business commitment.

Looking back at our journey, this takes about two years of work, and the cost for CCA certification and training runs around $24,000. Maintenance of the CMMC RP, RPO, CCP, CCA and the necessary ISACA membership is about $7,000/year.

Why Certification Matters

Our expertise in the Microsoft Security Stack and deep familiarity with cloud environments—from Microsoft 365/Azure Commercial to Azure Government—form the backbone of our assessment capabilities. But it is the discipline of CMMC training and certification that has truly set us apart. By following Cyber AB’s accredited pathways, we demonstrate not only technical mastery but also a commitment to compliance, integrity, and continuous improvement.

The importance of certification goes far beyond personal achievement—it directly influences how organizations perceive and engage with teams like ours. Specifically, holding the CCP and CCA credentials builds a strong foundation of trust for companies navigating the CMMC Level 2 certification process. Having certified professionals and assessors on our team means organizations can rely on proven expertise and validated methodologies, ensuring the path to compliance is clear, efficient, and credible.

For defense contractors and others in the supply chain, the presence of CCPs and CCAs is a definitive signal of reliability and readiness. These certifications verify deep knowledge of the CMMC framework and assessment protocols, giving clients assurance that their sensitive data and processes will be evaluated with rigor and care. As a result, our team can guide clients through every step of the Level 2 journey, reducing uncertainty and providing the confidence needed to meet demanding regulatory requirements.

Ultimately, the CCP and CCA designations serve as a badge of quality—reinforcing our integrity and enabling us to foster lasting partnerships based on mutual trust and shared commitment to cybersecurity excellence.

How Certification Impacts Our Business

The benefits have been remarkable for us. Certification has positioned us as trusted advisors, opening doors to new contracts and partnerships across sensitive sectors, notably defense. Our clients recognize the value of working with a team whose qualifications are validated by independent, industry-leading bodies. Internally, the training has elevated our standards, improved our documentation, and fostered a culture of ongoing learning.

In every review and every engagement, our CMMC credentials communicate reliability and excellence. Barbara’s thoughtful guidance and our shared vision for leadership have transformed our standing in cybersecurity assessment. Looking ahead, we remain committed to the journey—ensuring our clients’ trust and contributing to a safer, more secure digital future.

The 8-Step CMMC Certification Checklist

If your MSP is interested in going through the certification process, we recommend following this simple 8-step checklist below.

  1. Review CMMC requirements and determine the appropriate level for your organization.
  2. Engage with a trusted partner or team member with cybersecurity expertise.
  3. Become a CMMC Registered Practitioner (RP) to build foundational knowledge.
  4. Pursue CMMC Certified Professional (CCP) certification for in-depth understanding.
  5. Complete specialized training and gain team experience in CMMC assessments.
  6. Pass the CMMC Certified Assessor (CCA) exam and meet all credentialing requirements.
  7. Ensure ongoing compliance by following Cyber AB’s guidance and best practices.
  8. Maintain certifications and stay updated with regulatory changes and continuous learning.

By systematically reviewing requirements, engaging qualified experts, and completing the RP, CCP, and CCA credentialing pathway, your team can be confident in their readiness for CMMC Level 2 assessment for your own organization as well as your clients’. Continuous compliance and learning ensure you keep pace with evolving standards and maintain a resilient cybersecurity posture.

For more on CMMC, see The CMMC Final Rule Changed the Game—Why You Must Get the Customer Responsibility Matrix Right


Author:

Matt Katzer

Matt Katzer is founder and CEO of KAMIND Cloud Solutions Advisors, a full-service cybersecurity firm and Microsoft Tier 1 Gold Partner, based in Lake Oswego, Oregon. He is extremely active in local business communities and holds a BSEE from the University of Michigan and an Executive MBA from the University of Oregon. Matt is also a CMMC Certified Professional (CCP).
