11 Common CMMC 2.0 Mistakes MSPs Make (And How to Avoid Them)

March 17, 2026
Mike Vipond

CMMC 2.0 is no longer “on the horizon.” It’s here, and it's required for contract eligibility.

For MSPs, this represents both a significant revenue opportunity and a serious responsibility. But there’s still confusion about how MSPs should approach CMMC certification — whether for their clients, for themselves, or both.

That’s why Dan Fox, Co-Founder of ControlMap, hosted a CMMC 2.0 webinar with Kyle Lai, President and CISO of KLC Consulting and an authorized C3PAO assessor responsible for conducting CMMC Level 2 certifications.

Whether leading or supporting, the MSP plays an important role in the CMMC 2.0 certification process. In this article, we explore the top considerations every MSP should understand for CMMC 2.0 certification initiatives — and the most common mistakes to avoid. 

Want to watch the full webinar? Check out the recording.  

11 Common CMMC 2.0 Mistakes Made by MSPs

Let’s dive into the most common mistakes MSPs make during the assessment and certification process:

1. Inadequate Artifacts and Demo Preparation

Many MSPs underestimate the amount of preparation required to provide proof. It’s not enough to say a control exists. You need to demonstrate it with the right screenshots, logs, reports, policies, and live walkthroughs, each mapped to the assessment objective it satisfies. When teams aren't sure what evidence to present, especially during the on-site portion of the assessment, the review can quickly go off track.

“Companies that use the right GRC tools, like ControlMap, are able to organize the information, so when we go into specific controls, we can read the documentation and get to the artifacts a lot easier,” says Kyle. “GRC tools can really help us get more clarity and ask fewer questions.”

2. Existing Practices Don’t Match the Written Processes

The documentation says one thing, but daily operations say another. Maybe logs are reviewed weekly, but the security plan says they should be reviewed daily. Maybe patching timelines differ from what’s written. Assessors will check that what’s happening in real life matches what’s on paper — and if those don’t align, controls can fail, even if your security posture is strong.

“You want to make sure whatever you do matches what you documented,” says Kyle. “If you have an SSP saying vulnerability assessments are done every week, and in reality, you do this every 3 months, there will be a problem.”
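The mismatch Kyle describes is easy to catch before an assessor does, because the SSP states a cadence and the evidence carries dates. The script below is an added example, not code from the webinar or from ControlMap: it takes the cadence each SSP statement claims, the dates on which evidence actually exists, and flags any gap longer than that cadence (plus a small tolerance). The SSP claims, evidence dates, tolerance, and the `CADENCE_DAYS` table are all constructed for the example; the requirement IDs are the CMMC Level 2 identifiers for vulnerability scanning and audit review.

```python
"""Check that the cadence an SSP claims for a recurring activity matches the
evidence actually produced, the way an assessor comparing paper to practice would."""
from datetime import date

# Longest acceptable interval between two pieces of evidence for each cadence word.
# Hypothetical values for this example; align them with how your SSP phrases cadence.
CADENCE_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92}

# Constructed sample: what the SSP says about each recurring activity.
SSP_CLAIMS = {
    "RA.L2-3.11.2 vulnerability scan": "weekly",
    "AU.L2-3.3.1 log review": "daily",
}

# Constructed sample: dates on which evidence (scan report, review sign-off) exists.
EVIDENCE = {
    "RA.L2-3.11.2 vulnerability scan": [
        date(2026, 1, 5), date(2026, 1, 12), date(2026, 3, 2), date(2026, 3, 9)],
    "AU.L2-3.3.1 log review": [date(2026, 3, d) for d in range(2, 10)],
}

# Constructed "today" for the example so the last-record-to-now gap is deterministic.
AS_OF = date(2026, 3, 10)


def check_cadence(claims, evidence, as_of, slack_days=2):
    """Return {activity: finding} for every claim the evidence does not support.

    An empty dict means every documented cadence is backed by evidence.
    """
    findings = {}
    for activity, cadence in claims.items():
        limit = CADENCE_DAYS[cadence] + slack_days
        dates = sorted(evidence.get(activity, []))
        if not dates:
            findings[activity] = "no evidence at all"
            continue
        # Gaps between consecutive records, plus the gap from the last record to today,
        # so an activity that quietly stopped is caught as well as one that was sparse.
        gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
        gaps.append((as_of - dates[-1]).days)
        worst = max(gaps)
        if worst > limit:
            findings[activity] = (f"SSP says {cadence} but evidence shows a {worst}-day gap "
                                  f"(limit {limit} days)")
    return findings


def example_findings():
    """Run the check over the constructed sample; used by the usage line below."""
    return check_cadence(SSP_CLAIMS, EVIDENCE, AS_OF)


if __name__ == "__main__":
    for activity, message in example_findings().items():
        print(f"{activity}: {message}")
```

On the sample data the daily log review passes, while the "weekly" vulnerability scan is flagged with a 49-day gap between the January and March reports, which is exactly the kind of discrepancy that turns a strong control into a NOT MET finding. Feeding the script real export dates from your scanner and SIEM, rather than the constructed lists, makes it a cheap pre-assessment check.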

3. No Mock Assessment Before the Real One

Skipping a practice run is risky. Without a mock assessment led by someone experienced in CMMC, gaps often go unnoticed until it’s too late. A dry run helps catch weak documentation, missing evidence, misclassified POA&Ms, scope confusion, incomplete baselines, and misunderstood requirements before the official review.

“Do a practice test before the actual certification assessment. You don’t want to take the real exam without any practice,” says Kyle. 

4. Outdated Scope, Boundary, and Asset Inventory

Environments change fast — new tools, devices, cloud services, integrations, and internal and external connections. But if the security plan doesn’t reflect what’s actually in use, that’s a problem. 

An accurate inventory and clear system boundaries are foundational. If they’re wrong, everything else starts to wobble. MSPs can avoid this by double-checking that asset inventory and system boundaries are accurate before starting the process. “Scoping is very important,” Kyle adds. “Make sure you have the scope and boundaries defined.” 

5. Poorly Documented (Or Missing) Configuration Baselines

You must define what “secure” looks like for each type of asset. Laptops, servers, and firewalls should each have a documented baseline configuration. Without that, it’s difficult to prove systems are consistently and securely set up for the role they play in the client’s business. 

“If you have the Windows server, Linux server, Linux machines, laptops, Mac, and the firewalls, you need to have the configuration baseline for all these individual systems documented,” says Kyle. 
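Mistakes 4 and 5 above are both inventory problems: the SSP lists assets that no longer exist, misses assets that do, and has no written baseline for some of the asset types that are in scope. The following script is an added example (not ControlMap's or KLC Consulting's code) that reconciles the SSP inventory against a discovery export and reports which in-scope asset types still lack a documented baseline. The hostnames, asset types, and baseline list are constructed; the asset categories are the five used in CMMC Level 2 scoping.

```python
"""Reconcile the asset inventory in the SSP with what discovery actually found,
and confirm every in-scope asset type has a documented configuration baseline."""

# CMMC Level 2 asset categories used in scoping.
CATEGORIES = {"CUI", "Security Protection", "Contractor Risk Managed",
              "Specialized", "Out of Scope"}

# Constructed sample: the inventory as written in the SSP.
SSP_INVENTORY = {
    "fs01":    {"type": "windows-server", "category": "CUI"},
    "fw-edge": {"type": "firewall",       "category": "Security Protection"},
    "lt-0042": {"type": "windows-laptop", "category": "CUI"},
    "cnc-01":  {"type": "cnc-controller", "category": "Specialized"},
    "old-db":  {"type": "linux-server",   "category": "CUI"},  # decommissioned, never removed
}

# Constructed sample: what a discovery scan / RMM export found today.
DISCOVERED = {
    "fs01": "windows-server",
    "fw-edge": "firewall",
    "lt-0042": "windows-laptop",
    "cnc-01": "cnc-controller",
    "mac-07": "macos-laptop",   # new hire's Mac, not in the SSP
    "bkp-nas": "linux-server",  # backup target holding CUI copies, not in the SSP
}

# Constructed sample: asset types for which a written configuration baseline exists.
BASELINES = {"windows-server", "firewall", "windows-laptop"}


def reconcile(ssp, discovered, baselines):
    """Return a report of inventory drift and baseline gaps; empty lists mean clean."""
    report = {"missing_from_ssp": [], "stale_in_ssp": [], "bad_category": [],
              "type_mismatch": [], "no_baseline": []}
    for name, asset_type in discovered.items():
        if name not in ssp:
            report["missing_from_ssp"].append(name)
        elif ssp[name]["type"] != asset_type:
            report["type_mismatch"].append(name)
    for name, record in ssp.items():
        if name not in discovered:
            report["stale_in_ssp"].append(name)
        if record["category"] not in CATEGORIES:
            report["bad_category"].append(name)
    # A baseline is expected for every asset type that is not explicitly out of scope.
    in_scope_types = {r["type"] for r in ssp.values() if r["category"] != "Out of Scope"}
    # Discovered assets missing from the SSP have no category yet, so their types
    # are treated as in scope until someone documents otherwise.
    in_scope_types |= {t for n, t in discovered.items() if n not in ssp}
    report["no_baseline"] = sorted(in_scope_types - baselines)
    return report


def example_report():
    """Run the reconciliation over the constructed sample."""
    return reconcile(SSP_INVENTORY, DISCOVERED, BASELINES)


if __name__ == "__main__":
    for key, items in example_report().items():
        print(f"{key}: {items}")
```

On the sample, the report shows two discovered hosts absent from the SSP, one stale SSP entry, and three asset types (the CNC controller, Linux servers, and macOS laptops) with no baseline, each of which is a question the assessor will ask on day one. The same reconciliation runs against a real RMM or CMDB export once the two dictionaries are replaced with parsed data.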

6. Undocumented Specialized Assets (SA) or Contractor Risk Managed Assets (CRMA)

Some systems aren’t tested directly during a Level 2 review — but they still must be documented. “We are not going to ask you to show us the demo. However, we still look for the documentation,” says Kyle. If specialized equipment or contractor risk managed assets touch sensitive information, they need to be in the security plan and asset inventory. Leaving them out creates unnecessary risk.

7. Confusion Between Operational Plan of Action (OPoA) and Plan of Action & Milestone (POA&M)

There’s a big difference between work that’s fully completed and work that’s still in progress. Items that are fully implemented are treated differently from items that require future remediation.

OPoA is a CMMC-specific term. An OPoA tracks a temporary deficiency in a requirement that is already implemented (for example, a host awaiting a patch on a known schedule), whereas a POA&M tracks a requirement that has not yet been implemented. OPoA items are considered met, while POA&M items are not met, so listing an unimplemented requirement as an OPoA item, or an implemented one as a POA&M item, can result in failed requirements that could have been avoided.

8. Unclear ESP/CSP/MSP Inheritance and Shared Responsibility Documentation

If a cloud or service provider handles part of a requirement, that needs to be clearly documented. Which controls are fully inherited? Which are shared? Which are your responsibility? When ownership isn’t clearly defined, the control will not count. 

For every requirement, the documentation should state whether it is fully inherited from an ESP (External Service Provider), CSP (Cloud Service Provider), or MSP (Managed Service Provider), shared with that provider, or managed entirely in-house. Leaving that undefined creates confusion during the assessment and leads to unmet controls.

9. Missing Evidence From Providers (CSPs, ESPs) or the MSP

You can’t just say a cloud provider or MSP handles something. You need proof to back it up: FedRAMP Moderate (or equivalent) authorization documentation for a CSP that handles CUI, and a Shared Responsibility Matrix (SRM) for an ESP that spells out which requirements it covers. That includes formal security documentation from the providers and clear evidence of the MSP’s own processes, like how firewalls are managed. If the proof isn’t available, the requirement may not count.
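Mistakes 8 and 9 come down to the same document: a shared responsibility matrix in which every requirement names an owner, and every inherited or shared row points at a provider you actually hold documentation for and at a piece of evidence. The validator below is an added example, not code from ControlMap or from the webinar, that runs those checks over a small constructed SRM. The requirement IDs are real CMMC Level 2 identifiers; the provider names, file names, and the `PROVIDER_DOCS` table are constructed for the example.

```python
"""Validate a shared responsibility matrix (SRM): every requirement must have an
owner, and anything inherited from or shared with a provider must point at that
provider's formal documentation and at a piece of evidence."""

# Ownership values an assessor can act on; anything else is ambiguous.
OWNERS = {"customer", "inherited", "shared"}

# Constructed sample SRM rows: requirement -> who owns it, which provider, what proves it.
SRM = [
    {"req": "AC.L2-3.1.1",   "owner": "shared",    "provider": "msp",
     "evidence": "msp-firewall-sop.pdf"},
    {"req": "SC.L2-3.13.11", "owner": "inherited", "provider": "cloud-provider-a",
     "evidence": "fedramp-package-ref"},
    {"req": "AU.L2-3.3.1",   "owner": "inherited", "provider": "cloud-provider-a",
     "evidence": ""},                      # claimed inherited, nothing to show
    {"req": "PE.L2-3.10.1",  "owner": "customer",  "provider": "",
     "evidence": "visitor-log-2026-02.xlsx"},
    {"req": "IA.L2-3.5.3",   "owner": "",          "provider": "",
     "evidence": ""},                      # nobody owns MFA
    {"req": "CM.L2-3.4.1",   "owner": "partial",   "provider": "msp",
     "evidence": "baseline-doc"},          # not a valid owner value
]

# Constructed sample: providers for which formal documentation is actually on file.
PROVIDER_DOCS = {
    "cloud-provider-a": "FedRAMP Moderate authorization package",
    "msp": "signed SRM and operating procedures",
}


def validate_srm(rows, provider_docs):
    """Return {requirement: [problems]} for every row an assessor would not accept."""
    problems = {}
    for row in rows:
        issues = []
        owner = row["owner"]
        if owner not in OWNERS:
            issues.append(f"owner must be one of {sorted(OWNERS)}, got {owner!r}")
        if owner in {"inherited", "shared"}:
            if not row["provider"]:
                issues.append("inherited/shared requirement names no provider")
            elif row["provider"] not in provider_docs:
                issues.append(f"no formal documentation on file for {row['provider']}")
        if not row["evidence"]:
            issues.append("no evidence reference")
        if issues:
            problems[row["req"]] = issues
    return problems


def example_problems():
    """Validate the constructed SRM."""
    return validate_srm(SRM, PROVIDER_DOCS)


if __name__ == "__main__":
    for req, issues in example_problems().items():
        print(req)
        for issue in issues:
            print(f"  - {issue}")
```

Three of the six sample rows fail: the inherited audit requirement with no evidence reference, the MFA requirement with no owner at all, and the baseline requirement marked "partial", a word that tells the assessor nothing about who does what. Running this over the real matrix before the assessment turns "which controls are inherited?" from a live-room scramble into a short list of rows to fix.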

10. Key People Not Available During the Assessment

Assessments move quickly and often require live explanations or demonstrations. If the right people aren’t in the room or on call, questions go unanswered, and delays pile up. Preparation means scheduling the right people, not just collecting documentation: the engineer who manages the firewall, the SSP author, the person who owns logging, and so on.

11. Leaving Custom Software Out of Scope

Custom-built applications are often overlooked, especially if they’re developed in-house. But if they store or transmit sensitive information, including source code that itself qualifies as CUI, they likely need to be included in scope. Missing them can create serious compliance gaps.

Other CMMC 2.0 Certification Considerations

Decide Your Role: Are You Leading or Supporting?

Early in any CMMC engagement, you need to make a strategic decision: Are you acting as the security lead (vCISO)? Or are you strictly providing managed services while another firm owns the security program? Will your MSP support several CMMC clients? Does going for your own CMMC certification make sense? 

“It all depends on what role the MSP wants to take on,” Kyle says. “Some of them do take on the vCISO role, but some of them just want to stay in their lane.” 

This choice affects everything that follows — especially how you design and manage enclaves.

“You need to make a decision on how much you’re going to support and where you’re going to land. Are you going to take a lead role as a vCISO or a support role? Will your team be supporting within the enclave or outside of it? These decisions change your role.”

Dan Fox
Co-Founder, ControlMap

An enclave is a segmented, tightly controlled portion of an environment where Controlled Unclassified Information (CUI) is stored and processed. Instead of spreading compliance across the entire organization, contractors isolate CUI to reduce scope and risk.

“You want to make sure that CUI data always lives within that secure enclave, because it starts to leak out pretty quickly if you don’t section that off,” says Dan.

Clarity on your role prevents scope creep and unexpected compliance exposure. Keep the sensitive data sectioned off and tightly controlled, and be explicit about whether it stays inside the enclave or ever touches MSP systems (like backups or tooling).

Scope Based on the Contract — But Design for the Future

You don’t choose CMMC Level 1 or Level 2. The contract dictates that. But proper scoping goes beyond compliance level. “It’s important for the MSP to understand the contractor’s current business and their future state. You don’t want to design something that’s too restrictive,” says Kyle.

If the company plans acquisitions, expansion, or hiring growth, a tightly constrained environment may require premature reassessment or costly redesign. Build for the current contract, but leave flexibility for what’s next based on your client’s long-term plans.

Keep an Eye on CMMC 2.0 Flow-Down Requirements

Compliance doesn’t stop with the prime contractor. “If the subcontractors do not meet requirements, that means the prime contractors are not meeting their requirements,” says Kyle.

If CUI flows to subcontractors, those subcontractors must meet the required level. If they don’t, the prime contractor is out of compliance — and that can put the entire contract at risk. Prime contractors should vet subcontractors early and only source partners who can meet the right compliance level, so the whole chain stays eligible.

Take the Next Step on Your CMMC Journey 

CMMC 2.0 is a structural shift in how the defense supply chain manages risk, and MSPs are at the center of it. MSPs play a key role in clients' CMMC certification, whether they lead or support. 

With CMMC adoption accelerating at a rapid pace, the path for MSPs is simple:

  • Decide your role early.
  • Scope precisely — and plan for growth.
  • Vet subcontractors carefully.
  • Align documentation with reality.
  • Practice with a mock assessment.

Becoming CMMC-compliant yourself will help you understand the process and requirements, making it easier to then offer it to your clients.

Today, we’re seeing hundreds of ControlMap MSP partners working on new CMMC projects every quarter. This growth is only beginning to meet the needs of the 300,000–500,000+ organizations expected to adopt CMMC in the coming years.

ControlMap provides everything MSPs need to guide clients from readiness to certification. The platform aligns directly with NIST SP 800-171 and CMMC Levels 1 and 2, providing MSPs with a single platform to track every document, score, and milestone on the path to certification.

Ready to take the next step with CMMC 2.0?

Book a ControlMap demo, and we’ll help you get started.
