Your Compliance Affects Your Clients' Compliance
If you manage a defense contractor's IT environment, you're not a third party to their CMMC assessment. You're in scope. Your personnel, your tools, your cloud platforms, your remote access methods — all of it is part of the CUI environment you're managing for them. If you don't meet CMMC Level 2, your clients can't meet it either as long as they use your services.
This is the unique challenge for MSPs and IT consultants serving the defense sector. You're not just a vendor — you're an extension of your client's IT team, with privileged access to systems that process controlled data. An assessor from a C3PAO will look at your remote access tools, your technician credentials, your documentation, and your own security posture as part of their client's assessment.
If you have administrative access to a defense contractor's systems — whether you're on site, remote, or managing from a cloud platform — you are part of their CUI environment. You must meet the same CMMC Level 2 requirements as your client. There is no "MSP exception."
The Unique Position IT Service Providers Occupy
Most defense supply chain companies have CUI in their own industry domain — drawings for manufacturers, technical orders for MRO shops, blueprints for construction firms. IT service providers are different: they may hold CUI from multiple clients across multiple industries, all within a single management platform.
An MSP managing 10 defense contractor clients may be touching engineering drawings, maintenance records, shipping data, and test results simultaneously — all flowing through shared tools like RMM (Remote Monitoring and Management) platforms, PSA (Professional Services Automation) systems, and documentation portals. That aggregation creates an extreme concentration of risk that assessors take very seriously.
The RMM Problem
Most MSPs use an RMM platform like ConnectWise Automate, Datto RMM, or NinjaRMM to manage client endpoints. If that RMM platform is used to manage endpoints in a CUI environment, the RMM itself is in scope. Is your RMM vendor FedRAMP-authorized? Do you have separate instances for defense and commercial clients? How are your technician credentials managed and monitored? These are questions you need to answer before an assessor asks them.
The Documentation Portal Problem
MSPs typically document client environments in a shared portal — IT Glue, Hudu, Confluence. If those portals contain network diagrams, credentials, or configuration details for defense contractor environments, they contain CUI. Are those portals in a compliant environment?
What You Actually Need for CMMC as an MSP
To serve CMMC-compliant defense contractor clients, you need your own management environment to meet CMMC Level 2 requirements. That means:
- A compliant cloud platform — Microsoft 365 GCC High or equivalent for email and productivity; Azure Government or AWS GovCloud for infrastructure services you provide to clients
- Compliant RMM — Either a separate RMM instance for defense clients, or an RMM platform with demonstrated CMMC compliance (very few currently qualify)
- MFA on everything — Every technician account, every client portal, every cloud console. No exceptions. Phishing-resistant MFA (FIDO2) is the gold standard.
- Privileged access management — Credentials for client environments need to be managed through a PAM solution, not stored in shared spreadsheets or browser autofill
- Your own System Security Plan (SSP) — A System Security Plan that documents your management environment and identifies your own CUI boundary (your client data and the credentials you hold for client environments)
- Incident response plan that covers client incidents — If you detect a breach in a client environment through your RMM, you need documented procedures for how you handle it, including the DFARS 252.204-7012 72-hour reporting requirement
Building a CMMC-Compliant MSP Service Stack
Most MSPs need to build a parallel service stack for defense clients — separate from their commercial delivery environment. Here's what that looks like:
- M365 GCC High tenant — Your defense clients' email, SharePoint, and Teams environments need to be on GCC High, not commercial M365. Your own management accounts that access these environments need to be GCC High too.
- Azure Government or GovCloud infrastructure — Any servers, virtual machines, or cloud services you host for defense clients need to be in a FedRAMP-authorized government cloud environment.
- Separate RMM instance with CMMC-compliant configuration — Ideally on a government cloud. At minimum, documented access controls, MFA, and complete separation from your commercial client data.
- SIEM and log aggregation — You need centralized logging for all your defense client environments, with 90-day hot storage minimum and anomaly detection.
- Documented change management for client environments — Every change you make to a client's systems needs to be authorized, documented, and tied back to a change request. This is both good MSP practice and a CMMC requirement.
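The MFA, SIEM and change-management items above are requirements an assessor will expect to see enforced, not just written down. The following is an added example (not code from this page's author or from any RMM vendor) of the kind of detection logic a SIEM rule or a nightly review script would run over your defense RMM instance's audit log: it flags technician sessions on defense-client endpoints that lack phishing-resistant MFA, changes that are not tied to an approved change request for that client and window, and any commercial-client endpoint appearing in the defense instance at all (a separation failure). The log format, field names, client names and ticket IDs are all constructed for the example; real RMM and PSA exports will need their own parser.

```python
"""Review constructed RMM audit events against MFA, change-ticket and client-separation rules."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample audit log (not real vendor output). Pipe-delimited:
# timestamp|technician|client|endpoint|action|mfa=<method>[|ticket=<change id>]
SAMPLE_RMM_LOG = """\
2024-03-04T09:02:11Z|tech.alice|acme-defense|SRV-FILE01|session_start|mfa=fido2
2024-03-04T09:05:40Z|tech.alice|acme-defense|SRV-FILE01|script_run|mfa=fido2|ticket=CHG-1042
2024-03-04T13:12:03Z|tech.bob|acme-defense|WS-ENG07|session_start|mfa=none
2024-03-04T13:13:30Z|tech.bob|acme-defense|WS-ENG07|config_change|mfa=none
2024-03-04T22:41:00Z|tech.alice|beta-defense|SRV-DB02|config_change|mfa=fido2|ticket=CHG-1042
2024-03-05T10:00:00Z|tech.carol|retail-commercial|WS-POS3|session_start|mfa=totp
"""

# Constructed PSA change tickets: id -> (client, approved window start, window end), UTC.
SAMPLE_TICKETS = {
    "CHG-1042": ("acme-defense",
                 datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
                 datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)),
}

DEFENSE_CLIENTS = {"acme-defense", "beta-defense"}   # clients in the CUI boundary
CHANGE_ACTIONS = {"script_run", "config_change"}       # actions that must map to a ticket
PHISHING_RESISTANT = {"fido2", "piv"}                  # MFA methods accepted for CUI access


@dataclass
class Event:
    ts: datetime
    tech: str
    client: str
    endpoint: str
    action: str
    mfa: str
    ticket: Optional[str]


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tech, client, endpoint, action, *kv = line.split("|")
        attrs = dict(item.split("=", 1) for item in kv)
        events.append(Event(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            tech=tech, client=client, endpoint=endpoint, action=action,
            mfa=attrs.get("mfa", "none"), ticket=attrs.get("ticket")))
    return events


def review(events: list, tickets: dict, defense_clients: set) -> list:
    """Return (timestamp, technician, finding) tuples for every rule violation."""
    findings = []
    for e in events:
        # Rule 1: the defense RMM instance must contain only defense clients.
        if e.client not in defense_clients:
            findings.append((e.ts, e.tech, "commercial client present in defense RMM instance"))
            continue
        # Rule 2: every session touching CUI endpoints uses phishing-resistant MFA.
        if e.mfa not in PHISHING_RESISTANT:
            findings.append((e.ts, e.tech, f"access without phishing-resistant MFA (mfa={e.mfa})"))
        # Rule 3: every change maps to an approved ticket for that client and window.
        if e.action in CHANGE_ACTIONS:
            ticket = tickets.get(e.ticket) if e.ticket else None
            if ticket is None:
                findings.append((e.ts, e.tech, "change with no approved change request"))
            else:
                client, start, end = ticket
                if client != e.client or not (start <= e.ts <= end):
                    findings.append((e.ts, e.tech,
                                     f"change cites {e.ticket} but outside its client or window"))
    return findings


if __name__ == "__main__":
    for ts, tech, finding in review(parse_events(SAMPLE_RMM_LOG), SAMPLE_TICKETS, DEFENSE_CLIENTS):
        print(f"{ts.isoformat()} {tech}: {finding}")
```

Run against the constructed log, the review produces five findings: two for the technician working without MFA, one for that technician's unticketed configuration change, one for a change that cites another client's ticket outside its approved window, and one for the commercial endpoint that should not be in the defense instance. In production the same three rules would be expressed as SIEM correlation searches over the RMM and PSA feeds, which is also how you demonstrate the 90-day retention and the change-authorization trail to an assessor.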
What CMMC Costs for IT Service Providers
| Cost Component | Typical Range | Notes |
|---|---|---|
| Gap assessment (your own environment) | $8,000–$20,000 | MSP environments are complex — expect thorough assessment |
| GCC High tenant setup and migration | $10,000–$30,000 | For your management environment; client migrations billed separately |
| Compliant RMM reconfiguration/migration | $8,000–$25,000 | Major platform change if current RMM isn't compliant |
| PAM solution deployment | $5,000–$15,000 | CyberArk, BeyondTrust, or similar for privileged access |
| SIEM deployment and configuration | $8,000–$20,000 | Sentinel, Splunk, or Devo for defense client log aggregation |
| Documentation and SSP | $10,000–$20,000 | MSP environments are complex to document |
| C3PAO assessment | $25,000–$60,000 | Your own assessment, not your clients' |
| Total first-year estimate | $74,000–$190,000 | Shared across your defense client base |
The Business Opportunity for CMMC-Ready MSPs
Here's the other side of this: there are thousands of small defense contractors who desperately need a trusted IT partner who already understands CMMC. Most can't hire a CISO or build a compliant infrastructure internally — they need an MSP to do it for them.
An MSP that has its own CMMC certification (or is actively pursuing it), that has a GCC High delivery stack, that has experienced technicians who know NIST 800-171, and that can credibly tell a defense contractor "we'll manage your compliant environment" — that firm has a massive competitive advantage.
The defense MSP market is dramatically undersupplied right now. The investment to build a compliant service stack is real, but it's also a moat. Once you've done it and your competitors haven't, you can charge premium rates for a service that defense contractors can't find anywhere else. The Registered Practitioner Organization (RPO) designation from the Cyber AB is the starting point — it opens doors to the defense contracting community and signals that your firm takes CMMC seriously.
Our free readiness check asks about your technical environment and gives you a prioritized action list for becoming CMMC-ready.
Frequently Asked Questions
Almost certainly yes. If you manage, monitor, or have administrative access to a defense contractor's systems — their network, servers, endpoints, email, or anything that processes CUI — your access and your infrastructure are part of their CUI environment. That means you need to meet the same CMMC Level 2 requirements they do. This isn't optional. An MSP with privileged access to a defense contractor's environment is one of the highest-risk third parties in that contractor's CMMC scope.
Being an RPO means your firm is authorized to provide CMMC consulting and advisory services. It's a business credential for firms that help defense contractors with CMMC compliance. Getting CMMC certified as an MSP means your own IT environment meets the CMMC Level 2 requirements — which you need if you manage CUI systems for clients. These are different things. You might be an RPO that also serves as a managed service provider. If you do both, you need both.
Not for systems that process CUI. If you're using standard Microsoft 365 (not GCC High), standard Azure (not Azure Government), or standard AWS (not GovCloud) to deliver services to your CMMC client, and those services touch CUI, you're not compliant. The cloud environments used to process CUI must be FedRAMP-authorized at the appropriate impact level. This often requires MSPs to stand up a separate compliant environment for their defense contractor clients.
A CMMC-compliant MSP delivery environment includes: Microsoft 365 GCC High or equivalent FedRAMP High-authorized email and productivity platform; Azure Government or GovCloud infrastructure for hosted services; endpoint management via Intune with FIPS-compliant encryption; MFA enforced on all accounts; EDR deployed to all managed endpoints; SIEM/log aggregation with 90-day log retention; documented incident response procedures; and a formal System Security Plan (SSP) for your management environment. This is a real engineering project, not just checking boxes.
Significant. Only a small fraction of MSPs currently have the technical capability to serve CMMC-compliant defense contractors. The thousands of small defense contractors who need CMMC are looking for IT partners who already understand the requirements. An MSP that has gone through CMMC compliance for its own environment and can clearly articulate how its service stack meets NIST 800-171 has a major competitive advantage in the defense market. The investment is real — but so is the differentiation.
Understand your CMMC position before your clients ask.
Our free readiness check helps IT service providers identify their own compliance gaps and the business opportunity in getting ahead of the market.