CMMC Field Guide for MSPs

CMMC compliance, made operational — the MSP's tactical playbook

A tactical playbook for managed service providers guiding defense contractors through contract clauses and levels, the NIST SP 800-171 R2 control families, and the assessment journey — scoping, SSP, SPRS, C3PAO, and costs — with a step-by-step ControlMap workflow.

Program Basics

CMMC at a glance — and why it lands on the MSP's desk

The Cybersecurity Maturity Model Certification is the U.S. Department of Defense's program for verifying that the ~220,000 companies in the defense industrial base actually implement the safeguards their contracts already require. The CMMC program rule (32 CFR Part 170) is in effect, and the contract clause (DFARS 252.204-7021) began appearing in solicitations in late 2025 under a phased rollout. No certification, no contract — and for the MSPs serving these contractors, the client's assessment scope very often includes you.

The Three Levels — This Guide Covers the Two That Matter to SMB Contractors

Level 1 · Foundational · 15 practices

The basic safeguarding practices of FAR 52.204-21, protecting FCI. Validated by an annual self-assessment entered in SPRS with an executive affirmation.

Level 2 · Advanced · 110 requirements

All of NIST SP 800-171 R2, protecting CUI. Most contracts require a triennial C3PAO certification assessment; a smaller set permit self-assessment. Annual affirmations either way.

Level 3 · Expert · 110 + 24 requirements

Adds NIST SP 800-172 requirements for the highest-priority programs; assessed by the government (DIBCAC). Rare in the SMB space — out of scope for this guide.

The Phased Rollout

Why the clock is already running

  1. From Nov 2025: L1 and L2 self-assessments required in new contracts as the clause appears.
  2. About one year later: L2 C3PAO certification requirements begin appearing in applicable solicitations.
  3. About two years later: L3 requirements phase in; L2 certification expectations broaden.
  4. Full rollout: CMMC requirements in all applicable DoD solicitations and contracts.

A typical L2 journey — remediation, documentation, and the C3PAO queue — runs 12–18 months. Clients waiting for the clause to appear in their renewal are already late.

Two kinds of data decide the level

FCI — Federal Contract Information

Information provided by or generated for the government under contract that isn't intended for public release — pricing, schedules, performance data, routine emails about the work. Handling FCI triggers Level 1.

CUI — Controlled Unclassified Information

Sensitive but unclassified information requiring safeguarding per law or policy — technical drawings, specifications, export-controlled data (ITAR/EAR), certain program details. Marked or identified by the government. Handling CUI triggers Level 2.

Find the data first: the level, the assessment scope, and the price of the entire program all follow from whether CUI flows.

01 · Contract Language

Levels and contract language — obligations arrive inside the contract

CMMC obligations don't come from a law you look up — they arrive inside the contract, through a small set of FAR and DFARS clauses that flow down from primes to every subcontractor. Reading the clause set tells you which level applies, what must be in SPRS before award, and what your client has already promised without realizing it.

The Clause Set — Find These in the Client's Contracts and Subcontracts

FAR 52.204-21

The 15 basic safeguarding requirements for FCI in nearly every federal contract — the substance of Level 1. If the client touches FCI, this already applies.

DFARS 252.204-7012

The original DoD clause: implement all of NIST 800-171, report cyber incidents to DoD within 72 hours, preserve images 90 days, use FedRAMP Moderate(-equivalent) clouds for covered data. In force since 2017 — CMMC verifies it.

DFARS 252.204-7019 / -7020

Require a current NIST 800-171 self-assessment score posted in SPRS — no score, no award — and grant DoD access to verify assessments at higher confidence levels.

DFARS 252.204-7021

The CMMC clause: the contractor must hold the CMMC status specified in the solicitation — at award and for the life of the contract — and flow the requirement down to subs handling FCI/CUI.

Read the flow-downs, not just the prime award. Most SMB clients are subcontractors who inherit these clauses from a prime's purchase order. Pull every active PO and teaming agreement, search for "252.204" and "52.204-21," and ask the prime in writing whether CUI will flow. Primes are now auditing their supply chains — an unprepared sub is the first one cut from the bid.

The Level Decision

Which level does this client need? Run the flow

Step 1 — What data flows?

No federal work at all? CMMC N/A.

DoD work with FCI only — no CUI identified in contracts or flow-downs? Level 1. Typical for commercial-item suppliers, logistics, and services at arm's length from technical data.

CUI is stored, processed, or transmitted — or the prime says it will be? Level 2.

Step 2 — Level 2: self or C3PAO?

Solicitation specifies Level 2 (Self) — limited to less sensitive CUI programs? Annual self-assessment + affirmation.

Solicitation specifies Level 2 (C3PAO) — the common case? Triennial third-party certification.

Bidding multiple programs or unsure what primes will demand? Plan for C3PAO certification.

Step 3 — Confirm in writing

Ask the prime or contracting officer to identify the CUI and the required CMMC status per contract.

Record the answer with the contract file — it defines the assessment scope and the SSP boundary.

Re-check at every new award, option year, and teaming agreement — levels follow the data, and the data changes.

Side by Side

The three compliance paths — what each status entails

The flow above picks the path; these cards are the spec sheet for each one.

Level 1 — Foundational

The 15 basic safeguarding practices of FAR 52.204-21, protecting FCI.

Included

  • 15 practices — all must be met; no POA&Ms permitted
  • Annual self-assessment
  • Compliance result + annual executive affirmation in SPRS

Best for

FCI-only contracts — commercial-item suppliers, logistics, and services at arm's length from technical data.

Typical MSP role

Bundle into the standard security stack

Level 2 — Self-Assessment

All 110 requirements of NIST SP 800-171 R2, protecting CUI — where the solicitation permits self-assessment.

Included

  • 110 requirements, protecting CUI (and FCI in the same boundary)
  • Triennial self-assessment + annual affirmations
  • Scored result (−203 to 110) and assessment record in SPRS
  • POA&Ms only for limited lower-weight items — minimum score 88, closed within 180 days

Best for

The minority of less sensitive CUI programs where the solicitation specifies Level 2 (Self).

Typical MSP role

Full program, minus the third-party assessment

Level 2 — C3PAO Certified

The same 110 requirements, verified by a third party — the common case and the safe planning assumption.

Included

  • Triennial C3PAO certification assessment against all 320 objectives
  • Annual affirmations in SPRS; certification valid three years
  • Conditional status available at ≥88 with an eligible POA&M, closed within 180 days

Best for

CUI programs generally — the default plan when bidding multiple programs or unsure what primes will demand.

Typical MSP role

Scoping, enclave design, control operation, evidence, assessment support

Level 1 is not a parking spot — it's the floor. For any client whose primes handle technical data, treat L1 as a milestone on the road to L2: the 15 practices are a strict subset of the 110, so nothing is wasted by starting now and building toward the full SSP.

The Operating Model

Shared responsibility — the MSP is inside the assessment scope

In CMMC language your MSP is an External Service Provider (ESP). If your people or tools store, process, or transmit CUI — or provide security protection for the systems that do — you are inside the client's assessment scope: the assessor will look at your controls, your staff, and your tooling. The split must be written down in a Shared Responsibility Matrix (SRM), control by control.

MSP × defense contractor — who runs what

MSP / ESP operates

  • Identity, MFA & access administration
  • Endpoint & network security
  • Patching & configuration management
  • Logging, SIEM & monitoring
  • Backup & media protection
  • Incident detection & response
  • Its own ESP obligations

Shared

  • Scoping the boundary
  • SSP authorship
  • Policies & procedures
  • Security training
  • POA&M remediation
  • Evidence & audits
  • Responsibility matrix

Client owns

  • Contract & flow-down review
  • CUI identification & marking
  • Personnel & physical security
  • SPRS submissions & affirmations
  • Hiring the C3PAO
  • Final risk acceptance
  • Signing the SSP & POA&M

Decide your CUI posture

An ESP that doesn't handle CUI isn't required to hold its own certification — but if your RMM, backup, or help desk touches CUI systems, you'll be examined within every client assessment. Many MSPs choose to align their own stack to 800-171 once and reuse it across clients.

Write the SRM early

For each of the 110 requirements: who implements, who operates, who documents, where the evidence lives — you, the client, or a cloud provider (whose customer responsibility matrix feeds yours). Assessors ask for the SRM by name.

Mind the cloud rule

Under DFARS 252.204-7012, clouds holding covered defense information must meet FedRAMP Moderate or equivalent — which is why CUI workloads gravitate to Microsoft 365 GCC/GCC High and similar. Verify before migrating anything.

CMMC is evidence-first: the assessor scores what is implemented and documented on assessment day — not intentions, not roadmaps. The client can delegate the work, never the accountability: affirmations are signed by a senior client official under risk of False Claims Act liability, so never let one rest on controls your evidence can't back.

02 · NIST SP 800-171 R2

The 110 controls — fourteen families, every one assessed

The purpose: protect the confidentiality of CUI in nonfederal systems. The 110 security requirements are organized into 14 families, and Level 2 assesses every one of them — each scored MET or NOT MET, with most requirements breaking into multiple assessment objectives that must all be satisfied. CMMC currently assesses against 800-171 Revision 2; Revision 3 adoption will come via rulemaking — build to R2, track R3.

The Program by the Numbers

14

control families in 800-171 R2

110

security requirements, each MET or NOT MET

320

assessment objectives in 800-171A

110 → −203

the SPRS score range, top to bottom

How the DoD Assessment Methodology Scores It

Start at 110

A perfect implementation scores 110. Every NOT MET requirement subtracts its weight.

−5 · the foundations

High-weight items like MFA, FIPS-validated encryption gaps, and access control basics cost 5 points each — and most are not POA&M-eligible.

−3 / −1 · the rest

Mid- and low-weight gaps subtract 3 or 1. Only limited lower-weight items may sit on a POA&M at certification.

88 = conditional floor

A C3PAO can grant Conditional Level 2 at ≥88 with an eligible POA&M — which must be closed and verified within 180 days or the status lapses.
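The scoring rules above, and the Conditional Level 2 terms from the Level 2 cards earlier in this guide, are easy to get wrong in a spreadsheet, so here is an added worked example (not part of the guide and not ControlMap code) that applies them: start at 110, subtract each NOT MET requirement's weight, floor at −203, and grant Conditional status only when the score is at least 88 and every open item is POA&M-eligible, with the 180-day close-out date computed from the assessment date. The sample requirement list is constructed: 3.5.3 (MFA) is the 5-point example the guide names, every other id is a placeholder, and the per-item `poam_eligible` flag is an assumption standing in for the official eligibility list in 32 CFR Part 170. Requirements missing from the list are treated as MET, so the calculator works on a partial gap list as well as a full one.

```python
"""SPRS score and Level 2 status calculator (added example, not from the guide).

Models the DoD Assessment Methodology as the guide summarizes it: start at 110,
subtract each NOT MET requirement's weight (5, 3 or 1), never below -203;
Conditional Level 2 needs a score of at least 88 with only POA&M-eligible items
open, and the POA&M must close within 180 days of the assessment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Tuple, Union

TOP_SCORE = 110
FLOOR_SCORE = -203
CONDITIONAL_FLOOR = 88
POAM_CLOSEOUT_DAYS = 180


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    weight: int          # 5, 3 or 1 under the DoD methodology
    poam_eligible: bool  # constructed flag; the official list lives in 32 CFR Part 170


@dataclass(frozen=True)
class Level2Result:
    score: int
    status: str
    open_items: Tuple[str, ...]    # NOT MET requirement ids
    poam_deadline: Optional[date]  # set only for Conditional Level 2


# Constructed sample. 3.5.3 (MFA) is the 5-point example the guide itself names;
# every other id is a placeholder so no weight is attributed to a real
# requirement number the guide does not state.
SAMPLE_REQUIREMENTS = (
    Requirement("3.5.3", "Multifactor authentication", 5, False),
    Requirement("REQ-FIPS", "FIPS-validated cryptography (placeholder id)", 5, False),
    Requirement("REQ-3A", "Mid-weight item (placeholder)", 3, True),
    Requirement("REQ-3B", "Mid-weight item (placeholder)", 3, True),
    Requirement("REQ-3C", "Mid-weight item (placeholder)", 3, True),
    Requirement("REQ-3D", "Mid-weight item (placeholder)", 3, True),
    Requirement("REQ-3E", "Mid-weight item (placeholder)", 3, True),
    Requirement("REQ-1A", "Low-weight item (placeholder)", 1, True),
    Requirement("REQ-1B", "Low-weight item (placeholder)", 1, True),
)


def sprs_score(requirements: Iterable[Requirement], not_met_ids: Iterable[str]) -> int:
    """110 minus the weight of every NOT MET requirement, floored at -203.
    Requirements absent from the list are treated as MET."""
    reqs = tuple(requirements)
    not_met = set(not_met_ids)
    unknown = not_met - {r.req_id for r in reqs}
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    deduction = sum(r.weight for r in reqs if r.req_id in not_met)
    return max(FLOOR_SCORE, TOP_SCORE - deduction)


def assess_level2(requirements: Iterable[Requirement], not_met_ids: Iterable[str],
                  assessment_date: Union[date, str]) -> Level2Result:
    """Classify the outcome as Final, Conditional (with its 180-day close-out
    date) or not certified. A score of 88 or more is not enough on its own:
    one open item that is not POA&M-eligible blocks Conditional status."""
    if isinstance(assessment_date, str):
        assessment_date = date.fromisoformat(assessment_date)
    reqs = tuple(requirements)
    not_met = set(not_met_ids)
    score = sprs_score(reqs, not_met)
    open_items = tuple(r for r in reqs if r.req_id in not_met)
    open_ids = tuple(r.req_id for r in open_items)
    if not open_items:
        return Level2Result(score, "Final Level 2", (), None)
    if score >= CONDITIONAL_FLOOR and all(r.poam_eligible for r in open_items):
        deadline = assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)
        return Level2Result(score, "Conditional Level 2", open_ids, deadline)
    return Level2Result(score, "Not certified (remediate and return)", open_ids, None)


if __name__ == "__main__":
    day = "2026-01-15"  # constructed assessment date
    scenarios = ((), ("REQ-3A", "REQ-1A", "REQ-1B"), ("3.5.3", "REQ-3A", "REQ-1A"))
    for gaps in scenarios:
        res = assess_level2(SAMPLE_REQUIREMENTS, gaps, day)
        print(f"NOT MET {str(list(gaps)):<35} score {res.score:>4}  "
              f"{res.status}  deadline {res.poam_deadline}")
```

The third scenario is the one worth showing a client: three open items still leave the score at 101, comfortably above 88, yet the open MFA requirement is not POA&M-eligible, so the outcome is not Conditional status but "remediate and return". That is why the guide says to attack the 5-point items first.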

Effort lives in surprising places. Technology is rarely the long pole. The killers are FIPS-validated cryptography (the module must hold a CMVP certificate — "uses AES" isn't enough), documented procedures for all 14 families, and evidence habits. The family table below rates each one's real-world lift for a typical SMB defense contractor.

AC Through SI

The 14 families — coverage, translation, and effort

AC · Access Control (22 requirements)
  Covers: The biggest family: authorized users and devices only, least privilege, separation of duties, session controls, remote-access encryption and control, wireless and mobile restrictions, CUI flow control, portable-storage limits, public-content review.
  MSP translation: Identity platform + conditional access, RBAC matrix, VPN/ZTNA, MDM, DLP-style flow rules.
  Effort: Heavy

AT · Awareness & Training (3 requirements)
  Covers: Role-based security training, insider-threat awareness, and records that everyone with CUI access completed it.
  MSP translation: Awareness platform campaigns with completion exports.
  Effort: Light

AU · Audit & Accountability (9 requirements)
  Covers: System audit logs that trace actions to individuals — protected from tampering, time-synchronized, reviewed, alarmed on failure, and retained to support investigations.
  MSP translation: SIEM/log management with retention, alerting, and a documented review cadence.
  Effort: Heavy

CM · Configuration Management (9 requirements)
  Covers: Baseline configurations and inventories, change control, security-impact analysis, least functionality (disable what's unused), software allow/deny policies, user-installed software restrictions.
  MSP translation: Golden images, hardening baselines in RMM, change tickets, application control.
  Effort: Moderate

IA · Identification & Authentication (11 requirements)
  Covers: Unique identification of users and devices, MFA for privileged and network access, replay-resistant authentication, password rules, obscured feedback, cryptographically protected credentials.
  MSP translation: MFA everywhere, password manager, device identity — the 5-point SPRS items live here.
  Effort: Heavy

IR · Incident Response (3 requirements)
  Covers: An operational incident-handling capability — detect, analyze, contain, recover — with tracking, reporting, and testing. Pairs with the DFARS 7012 72-hour DoD reporting duty.
  MSP translation: IR plan naming DIBNet reporting, runbooks, annual tabletop with minutes.
  Effort: Moderate

MA · Maintenance (6 requirements)
  Covers: Controlled system maintenance: sanitize equipment leaving the site, check media for malware, MFA for nonlocal maintenance sessions, supervise maintenance personnel without authorization.
  MSP translation: Documented maintenance procedures in the RMM workflow; vendor escort rules.
  Effort: Light

MP · Media Protection (9 requirements)
  Covers: Protect and control CUI on paper and digital media: marking, restricted access, encrypted transport, sanitization before disposal or reuse, removable-media controls, backup media protection.
  MSP translation: Encrypted USB policy or port lockdown, media destruction certificates, encrypted backups.
  Effort: Moderate

PS · Personnel Security (2 requirements)
  Covers: Screen individuals before CUI access; protect systems during terminations and transfers — revoke access, recover assets.
  MSP translation: Hiring and offboarding checklists tied to identity deprovisioning.
  Effort: Light

PE · Physical Protection (6 requirements)
  Covers: Limit physical access to systems and the operating environment: escorts and visitor logs, physical access devices, safeguarding CUI at alternate work sites.
  MSP translation: Badge and lock procedures, visitor log, home-office rules — mostly client-operated.
  Effort: Light

RA · Risk Assessment (3 requirements)
  Covers: Periodic risk assessments; vulnerability scanning on a schedule and when new flaws are identified; remediation per risk.
  MSP translation: Vulnerability management platform with scan cadence and remediation SLAs.
  Effort: Moderate

CA · Security Assessment (4 requirements)
  Covers: Periodic control assessments, POA&Ms for deficiencies, continuous monitoring, and the System Security Plan itself — the documentation engine of the whole program.
  MSP translation: Annual self-assessment cycle, living SSP and POA&M — the GRC platform's home turf.
  Effort: Moderate

SC · System & Comms Protection (16 requirements)
  Covers: Boundary defense, network segmentation and DMZs, deny-by-default, FIPS-validated cryptography for CUI, session protections, VoIP controls, split-tunneling bans, encrypted CUI at rest.
  MSP translation: Firewall architecture, enclave segmentation, FIPS-mode endpoints, TLS policy — the other 5-point hotspot.
  Effort: Heavy

SI · System & Info Integrity (7 requirements)
  Covers: Timely flaw remediation, malicious-code protection at entry and exit points, security-alert monitoring and response, file and email scanning.
  MSP translation: Patch SLAs, EDR/MDR, email security, advisory monitoring (CISA alerts).
  Effort: Moderate

The assessor's lens: every requirement is judged against its 800-171A objectives — for "3.1.1 limit access to authorized users," that means showing who is authorized, how the list is maintained, and proof the system enforces it. Write the SSP at that level of specificity and the assessment becomes a guided tour instead of an interrogation.

Who Does What

Control-family responsibility split

Typical allocation across the control families for an MSP-supported defense contractor — capture the real split per client, control by control, in the SRM.

Areas in the illustrative chart (its MSP-leads / Shared / Client-leads bars are not reproduced in this text):

  • Identity, access & MFA: AC, IA
  • Network boundary, crypto & enclave: SC
  • Logging, patching, malware, scanning: AU, SI, RA, CM
  • SSP, POA&M & assessment program: CA
  • Training & incident response: AT, IR
  • People, premises & paper: PS, PE, MP-physical
  • CUI identification, SPRS & affirmations

Illustrative split for a typical SMB engagement — the SRM records the real allocation, control by control.

03 · The Certification Path

The assessment journey — from clause to certified status

Get from "we have contracts mentioning CUI" to a CMMC status in SPRS that survives scrutiny. The path: scope the boundary, build the document pack, score honestly, remediate — then the C3PAO certification assessment for Level 2. Plan 12–18 months end to end; C3PAO calendars book out months ahead.

End to End

The Level 2 certification path

  1. Scope: CUI inventory, boundary, asset categories, enclave design.
  2. Gap assess: Score all 110 per the DoD methodology; build the POA&M.
  3. Remediate: Close gaps, write the SSP and procedures, post the score in SPRS.
  4. Readiness: Mock assessment, evidence dry run, fix the misses.
  5. C3PAO assessment: Evidence review, interviews, demos; results into eMASS and SPRS.
  6. Maintain: Close any POA&M within 180 days; affirm annually; recertify in three years.

What to Expect

Inside the C3PAO assessment

How it runs

A CMMC Third-Party Assessment Organization — accredited by the Cyber AB — fields a certified team that examines artifacts, interviews the people who run each control (your technicians included), and tests and observes systems against all 320 objectives over roughly one to two weeks. Findings go through quality review and into DoD's eMASS system, feeding the client's CMMC status in SPRS.

The outcomes

Final Level 2 — all 110 MET. Conditional Level 2 — score ≥88 with only POA&M-eligible items open; close-out assessment within 180 days or the status lapses. Below that: remediate and return. Certification is valid three years with annual affirmations.

Book early, brief your staff

Book the C3PAO before remediation finishes — lead times run months. And brief your own engineers: assessors will interview the MSP staff who operate the controls, and "ask the client" is a failing answer.

Boundary & Paperwork

Scoping sets the price — documents make it assessable

The Level 2 scoping guidance sorts every asset into five categories, and everything that touches CUI — or protects it, or could touch it — gets assessed. The art of affordable CMMC is moving assets down the list before the assessment. Then the document pack: what must exist before anyone assesses anything.

Scope Is a Sorting Exercise

The five asset categories

CUI assets
  Definition: Store, process, or transmit CUI — file servers, engineering workstations, email handling drawings, ERP with technical data.
  Assessment treatment: Fully assessed against all applicable requirements.

Security protection assets
  Definition: Provide security functions to the CUI environment — your SIEM, identity platform, EDR console, firewall, the MSP's tooling.
  Assessment treatment: Assessed for the security functions they provide — this is how the MSP enters scope.

Contractor risk managed assets
  Definition: Could access CUI but are policy-prevented from doing so — documented and enforced.
  Assessment treatment: Documented in the SSP; reviewed, and assessable if the policy looks shaky.

Specialized assets
  Definition: IoT/OT, GFE, test equipment, CNC machines that can't meet every control.
  Assessment treatment: Documented in the SSP and managed by risk-based policies; not assessed against every requirement.

Out-of-scope assets
  Definition: Cannot access CUI — physically or logically separated.
  Assessment treatment: Not assessed. The goal: make most of the network this.

The enclave play — shrink the boundary, shrink the bill. Instead of certifying the whole company, concentrate CUI into a controlled environment: a segmented network zone, a virtual-desktop setup, or a dedicated cloud tenant (Microsoft 365 GCC High is the common landing zone for ITAR-touching CUI under the DFARS 7012 cloud rule). Only the enclave and its security-protection assets face the full 110; the rest of the business stays out of scope. For a 30-person machine shop, that's routinely the difference between a five-figure and a six-figure program.

Week One Work

Scoping deliverables

CUI data inventory and flows, network diagrams showing the boundary, asset inventory tagged by the five categories, and the ESP/cloud listing with their responsibility matrices. These open every assessment — and ControlMap stores them as the workspace's foundation documents.

Scope killers to hunt early

CUI in personal OneDrives and email threads, engineers working drawings on home PCs, flat networks where the CNC shop floor sits beside accounting, and commercial SaaS holding technical data without FedRAMP-Moderate footing. Find them in week one, not in front of the assessor.

Assessors Ask for These First

The document pack

SSP (System Security Plan)
  What it is and why it matters: The master document: system boundary, environment, CUI flows, and how each of the 110 requirements is implemented or inherited from an ESP or cloud. Required by 800-171 itself (3.12.4) — no SSP, no assessment. Expect 80–150+ pages for a real environment.
  Owner / cadence: Shared authorship; client signs · living document, reviewed annually

POA&M (Plan of Action & Milestones)
  What it is and why it matters: The honest gap ledger: each unmet requirement, the remediation plan, owner, and date. At certification, only limited lower-weight items may remain open — and they close within 180 days.
  Owner / cadence: Shared · updated continuously

SPRS score & affirmation
  What it is and why it matters: The DoD-methodology self-assessment score (−203 to 110) posted to the Supplier Performance Risk System — checked before award under DFARS 7019. Annual executive affirmations of continued compliance live here too.
  Owner / cadence: Client submits · current within 3 years; affirmed annually

SRM (Shared Responsibility Matrix)
  What it is and why it matters: Control-by-control allocation across client, MSP/ESP, and cloud providers — who implements, operates, and evidences each requirement. Built from each provider's customer responsibility matrix (CRM).
  Owner / cadence: MSP drafts, all parties sign · reviewed annually

Scoping pack
  What it is and why it matters: CUI inventory and data flows, network and boundary diagrams, asset inventory by category, ESP and cloud listing.
  Owner / cadence: Shared · refreshed on change

Policies & procedures
  What it is and why it matters: Written policy plus operating procedures covering all 14 families — assessors verify the documents and that practice matches them.
  Owner / cadence: Shared · annual review & attestation

Incident response plan
  What it is and why it matters: Names the DFARS 7012 duties: report to DoD via DIBNet within 72 hours (requires a DoD-approved medium-assurance certificate — get it before the incident), preserve images and logs 90 days.
  Owner / cadence: Shared · tested annually

Evidence library
  What it is and why it matters: Screenshots, configs, exports, training records, scan and review artifacts mapped to the 320 objectives — collected continuously, not the week before.
  Owner / cadence: MSP-heavy · continuous

The SSP test

Hand the SSP to an outsider: can they tell exactly which systems hold CUI, who administers them, and how requirement 3.5.3 (MFA) is implemented and proven? If any answer is "it's in someone's head," the document isn't done. Assessment prep is 60% writing, 40% configuring.

Accuracy is a legal matter

SPRS scores and affirmations are certifications to the U.S. government — inflated scores have already produced False Claims Act settlements. The MSP's job is to make the honest score high, never to make the high score dishonest.

Budget Conversations

What it costs — setting honest client expectations

The figures below blend DoD's rulemaking estimates with observed market ranges for SMB contractors (roughly 10–100 staff), in USD. Actuals swing widely with scope, starting posture, and cloud choices — use these to frame budget conversations, then price from the gap assessment.

Planning Anchors

Cost elements and what drives them

Level 1 program (annual)
  Planning range: $3K – $15K / yr
  What drives it: The 15 practices ride on a standard MSP security stack; cost is mostly the annual self-assessment, SPRS entry, and affirmation support.

L2 gap assessment & scoping
  Planning range: $10K – $35K
  What drives it: Environment size, number of sites, whether CUI flows are already understood.

L2 remediation & build
  Planning range: $40K – $250K+
  What drives it: The big variable: enclave vs whole-company scope, GCC High migration, FIPS-capable hardware refresh, MFA/SIEM/EDR gaps, documentation debt.

Cloud & licensing uplift
  Planning range: $25 – $60 / user / mo
  What drives it: GCC High–class licensing typically runs well above commercial tiers; enclave and VDI designs confine the premium to CUI-touching users.

C3PAO certification assessment
  Planning range: $40K – $120K+ / cycle
  What drives it: Scope size, objectives count, team-days, travel, and any 180-day POA&M close-out assessment. DoD's own small-entity estimate for the L2 cycle sits near the low end.

L2 self-assessment path (where permitted)
  Planning range: $15K – $40K / cycle
  What drives it: Same 110 requirements and documentation — only the third-party fee disappears.

Ongoing managed compliance
  Planning range: $2.5K – $10K / mo
  What drives it: Control operation, evidence collection, monitoring, annual affirmations, POA&M upkeep — the MSP's recurring service.

Cost levers that work

Enclave the CUI instead of certifying the company. Confine premium licensing to CUI users. Inherit controls from FedRAMP clouds and document the inheritance. Reuse your MSP's assessed shared-services stack across many clients. Start the SSP early so remediation and writing run in parallel.

Frame it as revenue protection

The comparison isn't "compliance vs nothing" — it's the program cost vs the defense revenue that disappears without it. A contractor with $3M of DoD-linked work weighing a ~$150K two-year journey is buying contract eligibility, prime-supply-chain standing, and a marketable differentiator competitors lack.

Budget honesty

Never quote certification as a line item — quote the journey: assess → remediate → document → certify → maintain. Clients who hear only the C3PAO fee feel ambushed by remediation; clients who see the full arc fund it in phases.

Timing is a cost too. C3PAO capacity is the bottleneck of the entire ecosystem. A client who starts when the clause appears in their renewal pays rush pricing, slips bid deadlines, or both. The cheapest CMMC program is the one that started eighteen months early.

ControlMap by ScalePad

From clause panic to a C3PAO-ready program — in one platform

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Everything the assessment journey demands — scoping documents, the 110 mapped requirements, the SSP narrative, the POA&M, SPRS scoring, policies with attestations, and the evidence library behind all 320 objectives — lives in one workspace per client, ready to hand a C3PAO.

The Five-Step ControlMap Workflow for CMMC

  1. Onboard & adopt the framework: Create a dedicated client workspace and load CMMC Level 1 or the full NIST 800-171 set for Level 2. Anchor it with the scoping pack — CUI inventory, data flows, boundary diagrams, asset categories — and record the contract clauses that triggered the level, so the "why" travels with the evidence.
  2. Run the gap assessment & track SPRS: Assess all 110 requirements with built-in questionnaires, mark each MET or NOT MET, and let the deficiencies populate the POA&M with owners and dates. Score the result per the DoD methodology so the client's SPRS submission is grounded in documented answers — and watch the number climb as remediation lands.
  3. Implement with in-tool guidance, split via the SRM: Each control card explains the requirement, what "implemented" looks like, and what evidence satisfies it. Assign every control to your engineers, client staff, or an inherited cloud provider — building the shared responsibility matrix as you go instead of reconstructing it for the assessor later.
  4. Build the SSP & policies from templates: Draft the policy set for all 14 families from the template library, tailor it to the environment, version-control approvals, and push to staff for electronic acknowledgment. Control narratives and responsibility data roll up into the SSP documentation the C3PAO reads first.
  5. Collect evidence continuously: Attach evidence to every control — MFA configs, log-review records, training exports, scan reports — automating what integrations with the Microsoft/Google clouds and your MSP stack allow. Recurring tasks keep artifacts fresh across the 3-year cycle, the 180-day POA&M clock, and each annual affirmation.

Package it as a service

Productize the journey: Scope & Assess (CUI flows, gap, SPRS baseline) → Remediate & Document (enclave build, SSP, policies) → Manage & Certify (monthly compliance-as-a-service through the C3PAO and the 3-year cycle). CMMC's recurring nature makes it the stickiest MRR in the catalog.

Make the QBR land

Show the owner the SPRS score trend, the shrinking POA&M, the affirmation calendar, and the certification countdown. "Your DoD revenue is protected, and here's the score that proves it" is the easiest security story a defense contractor will ever fund.

Keep it alive

Scope drifts: new contracts, new CUI types, a hire working from home, a SaaS tool adopted by engineering. Make "any new contracts or data flows?" a standing QBR question — and re-run the level decision whenever the answer is yes.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each part of the journey lives in ControlMap and the artifacts you'll bank along the way; a realistic first-90-days arc for a Level 2 client — months one to three of a 12–18 month journey — and the ten-point quick-start checklist to put it all in motion.

ControlMap in Action

Mapping ControlMap to the CMMC journey

Levels & contracts
  Do this in ControlMap: Record each contract's clauses and CMMC status requirement; run Level 1's 15 practices as an annual recurring assessment; stage Level 2 clients on the full 800-171 framework with cross-mapping toward CIS/NIST CSF reuse.
  Artifacts you'll bank: Contract-to-level register · annual L1 self-assessment records · affirmation reminders and history

The 110 controls
  Do this in ControlMap: Assign all 14 families with owners across MSP, client, and inherited providers; track MET/NOT MET per requirement; schedule the recurring cadence — log reviews, scans, access reviews, training, IR tabletop.
  Artifacts you'll bank: Control status history · SRM allocations · review sign-offs · training and tabletop records

Assessment journey
  Do this in ControlMap: Store the scoping pack as foundation documents; maintain the living POA&M with the 180-day clock; export the SSP narrative and evidence bundle for readiness reviews and the C3PAO; track the 3-year recertification calendar.
  Artifacts you'll bank: Scoping pack · SSP & POA&M exports · SPRS scoring worksheet · assessor-ready evidence library

Your own MSP
  Do this in ControlMap: Stand up a workspace for your own stack as an ESP — align your RMM, SIEM, identity, and backup tooling to 800-171 once, document it, and inherit that posture into every client SRM instead of re-proving it client by client.
  Artifacts you'll bank: Your ESP control documentation · reusable inheritance statements · proof for primes' supply-chain reviews and cyber insurance

Months 1–3 of a 12–18 Month Journey

A realistic first-90-days arc per Level 2 client

  1. W1–2 · Confirm & stand up: Contracts reviewed and level confirmed with primes · SRM in the MSA · workspace created.
  2. W3–6 · Scope & baseline: CUI flows mapped · enclave strategy chosen · gap assessment and baseline SPRS score complete.
  3. W7–10 · Fund & fix: Remediation roadmap priced and funded · 5-point gaps (MFA, FIPS, boundary) in flight · SSP drafting begins.
  4. W11–13 · Operationalize: Policies launched with attestations · evidence flowing · C3PAO shortlist contacted · updated score in SPRS.

Take Action

Your 10-point CMMC quick-start checklist

  1. Pull the contracts: Pull every contract, PO, and flow-down; search for 52.204-21 and 252.204-7012/-7019/-7020/-7021, and confirm CUI in writing with the primes.
  2. Set the target level: L1 for FCI-only clients; L2 with C3PAO certification as the default plan wherever CUI flows.
  3. Design the enclave: Map CUI flows and asset categories, then design the enclave — shrink the boundary before pricing anything.
  4. Run the gap assessment: Run the 110-requirement gap assessment in ControlMap and compute the honest DoD-methodology score.
  5. Attack the 5-point items first: MFA, FIPS-validated crypto, and boundary defense move the score fastest — put them in flight before anything else.
  6. Build the document pack: SSP, POA&M, SRM, scoping diagrams, and policies — built alongside the technical work, not after it.
  7. Post to SPRS: Post the score and affirmations in SPRS and calendar the annual renewals — missing one breaks award eligibility.
  8. Prepare for DFARS 7012 incidents now: DIBNet access, the DoD-approved reporting certificate, and a tested 72-hour runbook — in place before the incident.
  9. Engage the C3PAO early: Book the slot, run a readiness review, and brief every MSP engineer who'll be interviewed.
  10. Schedule the maintenance cadence: 180-day POA&M clocks, annual affirmations, and the 3-year recertification — recurring in ControlMap.

This guide is provided for general educational purposes and reflects the CMMC program (32 CFR Part 170), DFARS clauses, and NIST SP 800-171 R2 as commonly understood at time of publication. It is not legal or assessment advice; phase timing, self-assessment eligibility, POA&M rules, and cost estimates vary by solicitation and environment — confirm specifics against current DoD CIO program documentation, the contract, and qualified counsel or a Registered Practitioner Organization / C3PAO.

ControlMap by ScalePad

Turn CMMC into your next managed service

See how MSPs run multi-client CMMC programs — scoping, the 110 controls, SSPs, POA&Ms, and assessor-ready evidence — in ControlMap.