CMMC (Cybersecurity Maturity Model Certification) is not just a tick in the compliance box. While it may sound like a topic only relevant for defense contractors, regulated industries, and the MSPs that serve them, if looked at closely, it speaks to a core problem of enterprises - data. Companies don't know where sensitive data lives, who has access to it, how it moves across the business, or whether they can prove the right controls are in place. And this is irrespective of whether the data is CUI, customer records, financial information, healthcare data, intellectual property, or anything else the business cannot afford to lose.
For now, and especially for defense contractors, CMMC is becoming harder to ignore.
Phase 2 of the rollout begins in November 2026, and contractors that handle controlled unclassified information, or CUI, will need to show that the right security controls are in place and working every day. But this does not stop with the main contractor. CMMC requirements can flow down to subcontractors, too. If CUI moves through a supplier’s environment, that supplier may also have to meet the requirements.
That means a machine shop, software vendor, or small service provider could be pulled into CMMC Level 2 even if it never works directly with the Department of Defense.
That is where MSPs and MSSPs need to pay attention. If a provider manages a client’s firewall, supports the CUI environment, handles backups, monitors security tools, or has admin access to systems in scope, it can become part of the assessment boundary. “Our MSP handles that” does not end the audit conversation. It usually starts the next one.
Cloud vendors and technology suppliers face the same issue. If a service stores, processes, or transmits CUI, it may come under scrutiny. Using a cloud service does not remove the customer’s responsibility to prove that the right environment, controls, and documentation are in place.
There are some exemptions, but they are narrow. Temporary access services, staffing agencies, and COTS products may sit outside the scope in some cases. But most organizations that touch CUI should assume they need to understand their exposure. That is where many companies get caught. They assume they are exempt because they “just sell software” or “just do IT support.” CMMC does not work that way. If CUI passes through their environment, they may have responsibilities.
This means any MSP or MSSP that touches a defense contractor’s environment may now have its own tools, processes, vendors, and evidence reviewed as part of the assessment. Customers do not need vague promises about compliance. They need providers that can define the scope, fix gaps, document controls, produce evidence, and keep the work going after the audit.
Contractors are no longer waiting
In a conversation with MSSP Alert,
Jim Ambrosini, CISO and cybersecurity advisor at CompassMSP, said that the urgency is now showing up in customer conversations.
“What we are seeing is, frankly, a little bit of a scramble and a panic,” Ambrosini said. “CMMC was really just the certification of a security standard that companies were supposed to be following for about the last 10 or 15 years, but were not.”
Many contractors had been waiting to see whether CMMC would move again, or whether their prime contractor would force the issue. That posture is becoming harder to sustain.
“Now that the standard is in place, companies are rushing to fulfill the requirement,” Ambrosini said. “It is creating a lot of stress because it involves fixing a lot of technology and process-related debt that has existed in the companies for years.”
The MSP conversation has changed as well.
Patrick Costello, partner account manager at Cynomi, said providers are no longer only asking what CMMC is. They are asking how to deliver readiness work in a repeatable way.
“The conversation has really shifted from understanding the CMMC framework and the controls to, how do we actually operationalize this?” Costello said. “We understand that there is a massive opportunity. We have clients asking us for help. But the organizations making the most progress are standardizing their approach.”
MSPs cannot own compliance alone
One of the biggest misunderstandings is that the MSP or MSSP can make the customer compliant by itself.
Ambrosini said customers often come to their service provider because CMMC includes a large technology component. That does not mean the provider owns the whole program.
“It is not one side or the other,” he said. “Clients go to the MSP thinking they are responsible for making them compliant. It is an operational security framework. The contractor has to comply. They have to drive it.”
Still, the MSP’s work may become part of the assessment. If the provider manages systems or security controls tied to CUI, the assessor can ask the provider to prove how those controls operate.
“There are 110 control practices and 320 assessment objectives,” Ambrosini said. “The relevant ones get looped in to the MSP. They have to be able to show how they meet those controls.”
That can be a shock for providers that are used to managing technology but not defending their processes in front of an assessor.
Ambrosini said a typical assessment can involve the contractor, the service provider, and a C3PAO, the certified third-party assessment organization that performs the CMMC assessment. The assessor may ask for logs, firewall evidence, MFA configuration, vulnerability scanning data, backup proof or documentation showing how a control is being handled.
“The MSP has to have the right person there,” Ambrosini said. “They may have to pull up a firewall console, pull up a vulnerability scanning console, pull up logs and explain the controls in very explicit detail. These audits typically take several days.”
That changes the provider’s role. The MSP is no longer just operating the environment in the background. It may have to show its work.
Scoping CUI is where the real work starts
Both Ambrosini and Costello said scoping is often where customers get stuck first.
Before a contractor can prove controls, it has to understand where CUI enters the business, where it lives, who touches it, and which systems are involved. That boundary determines what comes into scope and what can remain outside it.
“In my opinion, scoping and understanding the CUI data flow is the most important part of the process,” Costello said. “How is that information coming into the organization? Is it being sent as physical mail? Is it coming in as an email? Where does it go? Who has access to it?”
Ambrosini said
CompassMSP changed its own methodology because scoping and architecture became so important.
“Think of CUI like something you need to contain,” he said. “You need to understand where it is so it does not leak out, and you want to control that across everything.”
That data can live in many places: email, file servers, cloud systems, paper files, printers, or machines on the shop floor. Once that boundary is clear, the MSP and customer can build the right controls around it. That may include segmentation, VLANs, firewalls, and access controls to keep the data from spreading into systems that should stay out of scope.
“The MSP and the client have to show this is where it exists, this is how we define the boundary, and this is how we control it from spilling out to where it is not supposed to be,” Ambrosini said.
For MSSPs, this is the point where CMMC stops being just a compliance issue and starts becoming an everyday security operations issue. If a provider cannot show where the data goes, who has access to it, and which systems it touches, it will have a hard time proving the controls are actually working.
The revenue opportunity is in fixing the gaps
CMMC creates pressure, but it also creates a service opportunity for MSPs and MSSPs. Ambrosini said the first opportunity is helping the customer define the boundary. That can become an assessment or architecture engagement. The larger opportunity usually comes after that, when customers need to fix what is not ready.
“We see the bulk of the revenue opportunity coming from project remediation,” he said. “There are controls that have to be put in place. We have seen, on average, at least $50,000 of infrastructure work, and we have seen it go higher.”
That work can include server upgrades, firewall replacements, network segmentation, better backups, encryption updates, and other infrastructure fixes. For contractors running older systems or carrying years of technical debt, the cleanup can quickly turn into a larger project.
Costello said Microsoft environments are a common example. Many contractors use commercial Microsoft environments, but CMMC requirements may push some users or workloads into Microsoft GCC High or Azure Government.
“There is not only more expensive licensing, but also a migration that needs to take place,” Costello said. “There needs to be a tenant configuration for that new Microsoft environment.”
At a previous MSP, Costello said those projects often became $50,000 to $75,000 professional services engagements over several weeks, depending on the amount of data and the complexity of the environment.
The bigger opportunity, though, may be ongoing readiness. Contractors need recurring control reviews, documentation updates, continuous monitoring, audit support and advisory help. That opens the door for vCISO services, compliance-as-a-service and managed readiness offerings.
“Someone has to keep this going,” Ambrosini said. “This is a great opportunity for MSPs to start investing in a virtual chief information security officer or compliance-as-a-service.”
Compliance claims will not be enough
As more contractors look for help, more providers will say they can support CMMC. Ambrosini said customers should test those claims carefully.
“Most MSPs are not built for this because they do not have people who are qualified to do that consulting and compliance,” he said. “It is not an IT thing. It is an operational security framework.”
Customers should ask direct questions before trusting an MSP with CMMC work. Who on the team actually understands CMMC? Has the provider helped other clients through the process? Does it know how the assessment works? And can it clearly explain what the MSP owns versus what the customer still has to handle?
“Who on your team is qualified to help advise me?” Ambrosini said. “That is the biggest thing.”
Costello said customers should also look for a repeatable process, not a provider that plans to learn as it goes.
“A competent provider should be able to say, we know exactly what we are going to be doing for you,” he said. “There should be a process in place, as opposed to, we will figure it out.”
For MSSPs and MSPs, the CMMC opportunity is not around tools. The real work is in scoping the environment, building the right architecture, mapping controls, documenting the work, collecting evidence, and keeping the program running after the assessment.
MSSPs need training, tools, and a repeatable model
For providers that want to build a CMMC practice, Ambrosini said the first step is training.
“The first thing I would say is go get yourself trained in CMMC,” he said. “This is not just reading a quick article.”
He also recommended using a governance and risk platform to manage assessments, scores, evidence, and customer visibility. Without a structured platform, MSPs and MSSPs may struggle to scale the work across multiple clients.
Costello said providers also need to understand the actual federal rule behind the program before they begin selling services around it.
“I have had conversations with service providers where they push back on certain things and ask where this is coming from,” he said. “It is coming from the regulation, 32 CFR Part 170. That is the federal CMMC rule.”
The larger challenge is repeatability. CMMC work cannot look completely different for every customer if a provider wants to scale the practice.
“You do not have a different approach with every single client,” Costello said. “If you did, it is not sustainable. It is not scalable.”
CMMC readiness is really coming down to one thing: can providers prove the security work they say they are doing? Contractors need help figuring out what is in scope, fixing the gaps, pulling the evidence together, and keeping the controls working after the audit is over. MSPs and MSSPs that can handle that will have a clearer role as CMMC pressure moves deeper into the defense supply chain.