CMMC 2.0 requirements create new expectations for Department of Defense (DoD, now styled the Department of War, DoW) contractors and their partners worldwide, impacting more than 300,000 businesses.
Start, scale, and conquer compliance with ControlMap by turning complex frameworks into repeatable workflows so you can support CMMC confidently across every client.
ControlMap helps you manage readiness, run assessments against NIST 800-171A, and produce audit-ready deliverables aligned with NIST 800-171, including an SPRS score report, an SSP builder, a RACI (responsibility matrix) and more. The platform is trusted by hundreds of MSPs supporting thousands of clients as they prepare for CMMC 2.0 certification.



ControlMap includes CMMC Level 1 and Level 2 frameworks mapped to NIST 800-171r2 and 800-171A. You can launch readiness assessments and manage every requirement without manual mapping or third-party templates.


ScalePad is audited annually against SOC 2 and ISO 27001. ControlMap has mapped those audited controls to the FedRAMP Moderate baseline as an equivalency assessment to show how they align with federal security controls. Contractors that place CUI in any cloud service under DFARS 252.204-7012 should still ask the provider for its equivalency body of evidence, which DoD's December 2023 memo expects to be assessed by a FedRAMP-recognized 3PAO.



Dan Fox
Co-Founder, ControlMap
An MSP comes into scope when its people, processes, or systems can access, store, process, or transmit a customer's CUI, or can directly affect the security of CUI systems (for example, administrative access into the enclave or customer tenant). The MSP does not need to hold a certification at the same CMMC level: under the CMMC final rule, an external service provider that handles CUI but is not a cloud service provider has its services assessed as part of the customer's assessment, while a cloud service provider handling CUI must meet FedRAMP Moderate or equivalent. There are nevertheless strategic advantages to certification, outlined below, and the more direct the MSP's access and control, the stronger the expectation that it meets equivalent requirements.
There are strategic advantages to an MSP (or ESP, External Service Provider) being CMMC certified. A certified MSP brings proven audit readiness and faster implementation, because the customer can leverage the MSP's existing compliance and technology stack. It also brings an established Shared Responsibility Matrix that defines who manages each of the 320 assessment objectives in NIST 800-171A, which lets the customer delegate objectives to, or inherit them from, the certified MSP. Finally, its documentation (SSP, policies and so on) is already aligned with CMMC objectives, among other benefits.
CMMC itself certifies organizations that handle CUI, not tools or individuals. However, organizations that advertise consulting or readiness services are expected to demonstrate substantive understanding of NIST 800‑171 and CMMC 2.0. RPOs and C3PAOs must be listed in the Cyber AB marketplace. MSPs/MSSPs supporting Level 2 environments should be prepared to show how their own practices align to NIST 800‑171, even if they are not formally certified yet.
As outlined above, there are strategic advantages to an MSP being CMMC certified such as: proven audit readiness and an established Shared Responsibility Matrix that allows inheritance and defines management of CMMC objectives.
Anything that can touch or administer CUI systems may come into scope: RMM tools, PSA, ticketing, SIEM, and backup solutions. Common strategies to limit scope include: creating separate tenants or tool instances for CMMC customers known as an “enclave”, restricting which technicians have access to the enclave, using just‑in‑time privileged access, and avoiding installing RMM agents inside the enclave when not needed. A clear shared responsibility matrix (SRM) is essential to document what the MSP does and does not do.
An enclave is appropriate when only part of the environment needs to handle CUI, or when you want to sharply limit scope for CMMC. Cloud‑based enclaves (e.g., GCC/GCC High or compliant IaaS) are often faster to deploy and easier to standardize. On‑prem enclaves may be preferred for manufacturing equipment, legacy systems, or special connectivity needs. The choice usually comes down to latency, integrations, regulatory expectations, and your internal skills.
CMMC 2.0 is based on NIST 800-171, which is technology-agnostic. Microsoft 365 Commercial can therefore meet CMMC requirements if it is configured properly, the organization can demonstrate compliance with every applicable control, and the contracts permit it. Note that DFARS 252.204-7012 requires any cloud service that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline or equivalent and to support the clause's incident reporting and forensic obligations, so the tenant's authorization status and the provider's contractual commitments matter as much as its configuration.
However, the decision to use Commercial vs. GCC vs. GCC High is rarely just technical—it is primarily driven by contractual obligations and data sensitivity. For instance, GCC High may be required by certain contracts, primes, or government agencies, especially where ITAR, export controls, or higher assurance around data residency apply.
ControlMap follows a similar approach: ControlMap Commercial USA regions are hosted in AWS US East/West, whose FedRAMP Moderate authorization is acceptable for most use cases, whereas AWS GovCloud (US) is FedRAMP High authorized and is necessary for ITAR or other specific compliance requirements.
Ultimately, the contract language and the customer’s risk posture determine whether GCC/GCC High is mandated or simply a recommendation.
Third‑party providers that can access CUI or security‑relevant data must support appropriate controls: strong authentication, secure development practices, logging, and data residency consistent with contract requirements. FedRAMP Moderate/High is not always mandatory, but it’s a strong signal of maturity for SaaS used with CUI. If tools are not FedRAMP‑authorized, organizations should evaluate where data is stored, what data is retained, how access is controlled, and whether the tool can be logically isolated from CUI.
Focus on segmenting backup infrastructure for CUI workloads. Use dedicated backup repositories or tenants for CMMC customers, and ensure encryption, access control, and logging meet NIST 800‑171 expectations. Avoid sending CUI backups into shared MSP platforms where other clients’ data resides, or where many technicians have broad access. Options include in‑enclave backup appliances, GCC/GCC High‑aligned storage, or specialized providers with clear contractual assurances and technical isolation.
Organizations typically start with scoping, gap analysis, and a NIST 800‑171 self‑assessment to generate an SPRS score. Next comes remediation: policies, technical controls, documentation, and evidence collection. Many then use an RPO or consultant for a readiness review before scheduling a C3PAO assessment. Costs vary widely by size and complexity, but you should plan for both one‑time remediation costs and ongoing effort to maintain controls, not just the price of the formal audit.
C3PAO assessors such as Kyle Lai of KLC Consulting suggest planning for up to 12 months of CMMC implementation. Planning resources such as KLC Consulting's Resource Tools are available.
Start from contracts, flow‑down clauses, and government or prime guidance to identify what is explicitly marked as CUI. Then analyze where that information flows: CAD files, g‑code, modified drawings, ERP systems, email, and physical printouts. Derived data can still be CUI if it reveals or is generated from CUI content. Work with the customer’s contracts and legal teams as needed, and document your scoping rationale so assessors can see how you reached those conclusions.
SOC 2 and ISO 27001 are broader, risk-based frameworks, often tailored to an organization's chosen scope and controls. CMMC 2.0 Level 2 is tightly mapped to NIST 800-171, with a defined set of 110 requirements and 320 assessment objectives that must be met, and there is little room to "compensate" with different controls. Nothing is labeled optional, but the CMMC final rule does allow a limited Plan of Action and Milestones (POA&M) at Level 2: the assessment score must be at least 88 of 110, only lower-weighted requirements (with a few named exclusions) may be left open, and the open items must be closed and verified within 180 days or the conditional certification lapses.
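The self-assessment score mentioned in the readiness steps above and the POA&M limits just described, worked through as an added example that is not ControlMap's code. It uses a constructed subset of the DoD Assessment Methodology weight table (Annex A) and applies the Level 2 POA&M limits from the CMMC final rule (32 CFR 170.21) as understood here: a minimum score of 88, no 3- or 5-point items left open except 3.13.11 with partial credit, and five excluded one-point items. The requirement ids and the weights shown for them, the partial-credit cases and the thresholds come from the public DoD documents; the function names and the sample gaps are assumptions made for the example.

```python
"""Score a NIST SP 800-171 Rev 2 self-assessment the way SPRS expects.

Added example, not ControlMap code. Starts at 110, subtracts each
unimplemented requirement's weight (5, 3 or 1), applies the two partial-credit
cases (3.5.3 MFA, 3.13.11 FIPS crypto) and the -203 floor, then checks whether
the remaining gaps could be carried on a CMMC Level 2 POA&M under 32 CFR 170.21.
"""

MAX_SCORE = 110
MIN_SCORE = -203          # 110 minus the 313 points of all scored weights
POAM_MIN_SCORE = 88       # 80% of 110: threshold for Conditional Level 2

# Constructed SUBSET of the DoD Assessment Methodology Annex A weights
# (requirement id -> points). Believed accurate for the rows shown; the real
# table covers all 110 requirements and must be used for a reportable score.
WEIGHTS = {
    "3.1.1": 5,    # Limit system access to authorized users
    "3.1.2": 5,    # Limit access to permitted transactions and functions
    "3.1.3": 1,    # Control the flow of CUI
    "3.1.20": 1,   # Verify and control connections to external systems
    "3.3.1": 5,    # Create and retain audit logs
    "3.5.3": 5,    # Multifactor authentication
    "3.10.3": 1,   # Escort visitors and monitor visitor activity
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # Identify, report and correct flaws in a timely manner
}
# Partial credit: MFA deployed for remote/privileged users but not general
# users, and encryption in use but not FIPS validated, each deduct 3 not 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# One-point requirements the final rule still forbids on a Level 2 POA&M.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def sprs_score(not_met, partial=frozenset(), has_ssp=True):
    """Return the assessment score for the given gaps.

    not_met: ids of requirements not implemented at all.
    partial:  ids (from PARTIAL_DEDUCTION) implemented with partial credit.
    has_ssp:  3.12.4 (System Security Plan) carries no weight, but without an
              SSP the methodology says no assessment can be conducted.
    """
    if not has_ssp:
        raise ValueError("3.12.4 not met: no SSP, score cannot be computed")
    unknown = (set(not_met) | set(partial)) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    bad_partial = set(partial) - set(PARTIAL_DEDUCTION)
    if bad_partial:
        raise ValueError(f"no partial credit exists for: {sorted(bad_partial)}")
    if set(not_met) & set(partial):
        raise ValueError("a requirement cannot be both not met and partial")
    deduction = sum(WEIGHTS[r] for r in not_met)
    deduction += sum(PARTIAL_DEDUCTION[r] for r in partial)
    return max(MAX_SCORE - deduction, MIN_SCORE)


def poam_review(not_met, partial=frozenset()):
    """Return (eligible, reasons) for Conditional Level 2 status.

    Rules applied (32 CFR 170.21, as understood here): score >= 88; no open
    requirement weighted 3 or 5, except 3.13.11 with partial credit; none of
    the five excluded one-point requirements left open.
    """
    reasons = []
    total = sprs_score(not_met, partial)
    if total < POAM_MIN_SCORE:
        reasons.append(f"score {total} is below {POAM_MIN_SCORE}")
    for r in sorted(not_met):
        if WEIGHTS[r] > 1:
            reasons.append(f"{r} is worth {WEIGHTS[r]} points and cannot be on a POA&M")
        elif r in NEVER_POAM:
            reasons.append(f"{r} is excluded from POA&Ms even though it is 1 point")
    for r in sorted(partial):
        if r != "3.13.11":
            reasons.append(f"partial credit on {r} cannot be carried on a POA&M")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Sample gaps, constructed for the example: CUI flow control not
    # implemented, encryption in place but not FIPS validated.
    gaps = {"3.1.3"}
    fips_partial = {"3.13.11"}
    print(sprs_score(gaps, fips_partial))   # 106
    print(poam_review(gaps, fips_partial))  # (True, [])
```

The two functions are deliberately separate: the score is what gets posted to SPRS and stands on its own, while POA&M eligibility is a policy decision layered on top of it. Swapping the constructed subset for the full Annex A table turns this into a usable scoring aid; keep the special cases, because a spreadsheet that simply subtracts 5 for every gap will under-report partial MFA and non-validated crypto by 2 points each.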
CMMC 2.0 is about continuous practice, not a one‑time project. Organizations must maintain policies, review logs, manage vulnerabilities, test incident response, update system security plans, track changes, and reassess risks regularly. Cyber hygiene tasks such as account reviews, patching, backup testing, and vendor management must be routinized. Documented evidence of these recurring activities is critical so that, at any point, you can demonstrate you are still operating at the assessed maturity level.
Define clear service tiers and reference architectures. For CMMC customers, use hardened baselines (e.g., secure configurations, stricter MFA, logging) and, where feasible, separate tenants or tool instances. For non‑CMMC clients, you can apply a subset of the same controls, but with more flexibility. Align your internal processes - ticketing, change management, onboarding - so technicians follow consistent playbooks, with specific additional steps when working in regulated environments.
Anchor conversations in mission outcomes: contracts at risk, supply‑chain expectations, and potential revenue loss if they cannot meet CMMC requirements. Ask which contracts mention DFARS, CMMC, or NIST 800‑171, what data they exchange with prime contractors, and what audits they’ve faced. Then frame recommendations as a prioritized roadmap rather than an all‑or‑nothing purchase. Emphasize risk reduction, contract eligibility, and predictable budgeting over pure technology features.
A GRC platform centralizes requirements, controls, assets, and evidence so you can trace each CMMC practice to specific policies, systems, and proof. It helps manage scoping decisions, track POA&Ms, assign ownership, and maintain a living System Security Plan. For audits, a well‑organized GRC makes it easier to answer assessor questions, show how controls are implemented, and quickly pull current evidence instead of hunting through file shares and email threads. It provides the MSP and the client with a shared workspace to collaborate and define responsibility.
No. If a client only handles FCI, they are not required to achieve CMMC Level 2. They fall under CMMC Level 1 and complete an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, with the result and a senior official's affirmation recorded in SPRS. Review contract clauses (e.g., DFARS 252.204-7012) to confirm whether CUI is in scope, because CUI would drive a Level 2 requirement.