MSPs Must Comply with CMMC

Now that new guidance from the DoD makes that clear, will MSPs run and hide, or achieve compliance to earn bigger profits?

On December 3, 2021, the Department of Defense (DoD) released the long-awaited scoping guidance  for CMMC 2.0, the newly announced revision to the original CMMC model. If you have even one defense contractor client that must comply with CMMC at any level, your managed service provider business will be part of their assessment.

You can choose to run and hide from defense contractors, or comply with CMMC and reduce the number of competitors you will face, while establishing very sticky relationships with clients.

What’s in the Guidance

The new guidance, both for end-user self-assessments and independent assessments for certification, lists security tools and vendors (including MSPs and cloud services) within the assessment scope.

The DoD defines External Service Provider (ESP) as “External people, technology, or facilities that the organization uses, including cloud services, co-located data centers, hosting providers, and managed security service providers.”


The DoD also talks about “Security Protection Assets” and provides examples:

Table 2. Security Protection Asset Examples

Asset Type Security Position Asset Examples
People Consultants who provide cybersecurity service

Managed service provider personnel who perform system maintenance 

Enterprise network administrators

Technology Cloud-based security solutions 

Hosted Virtual Private Network (VPN) services

SIEM solutions

Facility Co-located data centers

Security Operations Center (SOCs)

Contractor office buildings


In addition, the contractor is required to: 

  • Document these assets in asset inventory;
  • Document these assets in the SSP; and
  • Provide a network diagram of the asset scope (to include these assets) to facilitate scoping discussions during the pre-assessment. 

What This Means for You

The new guidance means that your MSP business will need to implement a compliance program aligned with the NIST SP 800-171  framework consisting of 110 cybersecurity practices.

It is likely you will need to change the way you implement cybersecurity by:

  • Using government versions of communications and data storage tools.
  • Ensuring your vendors are compliant, including protecting production data and backups with FIPS 140-2 certified encryption.
  • Always having current documentation validating your compliance.

If your clients only process, store, or transmit Federal Contract Information (FCI), you will need to validate your compliance with CMMC 2.0 Level 1. However, if you have even one client that processes, stores, or transmits Controlled Unclassified Information (CUI), you will need to meet the requirements for CMMC 2.0 Level 2, and implement all 110 practices in NIST SP 800-171.

Some defense contractors will have to comply with CMMC 2.0 Level 3, requiring additional protection against advanced persistent threats.

The assessment guides – expected to be released in mid-December – will provide more guidance to help you prepare for your assessment.

The new scoping guidance definitively answers the question about MSPs having to comply with CMMC. Compliance is achievable and can result in bigger profits if you can show you are a trusted authority and have differentiated your company from MSPs who continue to think that cybersecurity and compliance are the same.


Semel Consulting works with Covered Entities, Business Associates, and Subcontractors to properly manage HIPAA compliance.