CMMC Field Guide for MSPs
A tactical playbook for managed service providers guiding defense contractors through contract clauses and levels, the NIST SP 800-171 R2 control families, and the assessment journey — scoping, SSP, SPRS, C3PAO, and costs — with a step-by-step ControlMap workflow.
Program Basics
The Cybersecurity Maturity Model Certification is the U.S. Department of Defense's program for verifying that the ~220,000 companies in the defense industrial base actually implement the safeguards their contracts already require. The CMMC program rule (32 CFR Part 170) is in effect, and the contract clause (DFARS 252.204-7021) began appearing in solicitations in late 2025 under a phased rollout. No certification, no contract — and for the MSPs serving these contractors, the client's assessment scope very often includes you.
The Three Levels — This Guide Covers the Two That Matter to SMB Contractors
Level 1 (Foundational, 15 practices): The basic safeguarding practices of FAR 52.204-21, protecting FCI. Validated by an annual self-assessment entered in SPRS with an executive affirmation.
Level 2 (110 requirements): All of NIST SP 800-171 R2, protecting CUI. Most contracts require a triennial C3PAO certification assessment; a smaller set permits self-assessment. Annual affirmations either way.
Level 3: Adds NIST SP 800-172 requirements for the highest-priority programs; assessed by the government (DIBCAC). Rare in the SMB space and out of scope for this guide.
The Phased Rollout
Phase 1: L1 and L2 self-assessments required in new contracts as the clause appears.
Phase 2: L2 C3PAO certification requirements begin appearing in applicable solicitations.
Phase 3: L3 requirements phase in; L2 certification expectations broaden.
Phase 4: CMMC requirements in all applicable DoD solicitations and contracts.
A typical L2 journey — remediation, documentation, and the C3PAO queue — runs 12–18 months. Clients waiting for the clause to appear in their renewal are already late.
Two kinds of data decide the level
FCI (Federal Contract Information): Information provided by or generated for the government under contract that isn't intended for public release: pricing, schedules, performance data, routine emails about the work. Handling FCI triggers Level 1.
CUI (Controlled Unclassified Information): Sensitive but unclassified information requiring safeguarding per law or policy: technical drawings, specifications, export-controlled data (ITAR/EAR), certain program details. Marked or identified by the government. Handling CUI triggers Level 2.
Find the data first: the level, the assessment scope, and the price of the entire program all follow from whether CUI flows.
01 · Contract Language
CMMC obligations don't come from a law you look up — they arrive inside the contract, through a small set of FAR and DFARS clauses that flow down from primes to every subcontractor. Reading the clause set tells you which level applies, what must be in SPRS before award, and what your client has already promised without realizing it.
The Clause Set — Find These in the Client's Contracts and Subcontracts
FAR 52.204-21: The 15 basic safeguarding requirements for FCI in nearly every federal contract, the substance of Level 1. If the client touches FCI, this already applies.
DFARS 252.204-7012: The original DoD clause: implement all of NIST 800-171, report cyber incidents to DoD within 72 hours, preserve images 90 days, use FedRAMP Moderate(-equivalent) clouds for covered data. In force since 2017; CMMC verifies it.
DFARS 252.204-7019 / -7020: Require a current NIST 800-171 self-assessment score posted in SPRS (no score, no award) and grant DoD access to verify assessments at higher confidence levels.
DFARS 252.204-7021: The CMMC clause: the contractor must hold the CMMC status specified in the solicitation, at award and for the life of the contract, and flow the requirement down to subs handling FCI/CUI.
Read the flow-downs, not just the prime award. Most SMB clients are subcontractors who inherit these clauses from a prime's purchase order. Pull every active PO and teaming agreement, search for "252.204" and "52.204-21," and ask the prime in writing whether CUI will flow. Primes are now auditing their supply chains — an unprepared sub is the first one cut from the bid.
The Level Decision
No federal work at all? CMMC N/A.
DoD work with FCI only — no CUI identified in contracts or flow-downs? Level 1. Typical for commercial-item suppliers, logistics, and services at arm's length from technical data.
CUI is stored, processed, or transmitted — or the prime says it will be? Level 2.
Solicitation specifies Level 2 (Self) — limited to less sensitive CUI programs? Annual self-assessment + affirmation.
Solicitation specifies Level 2 (C3PAO) — the common case? Triennial third-party certification.
Bidding multiple programs or unsure what primes will demand? Plan for C3PAO certification.
Ask the prime or contracting officer to identify the CUI and the required CMMC status per contract.
Record the answer with the contract file — it defines the assessment scope and the SSP boundary.
Re-check at every new award, option year, and teaming agreement — levels follow the data, and the data changes.
Side by Side
The flow above picks the path; these cards are the spec sheet for each one.
| Path | Included | Best for | Typical MSP role |
|---|---|---|---|
| Level 1 | The 15 basic safeguarding practices of FAR 52.204-21, protecting FCI. | FCI-only contracts: commercial-item suppliers, logistics, and services at arm's length from technical data. | Bundle into the standard security stack |
| Level 2 (Self) | All 110 requirements of NIST SP 800-171 R2, protecting CUI, where the solicitation permits self-assessment. | The minority of less sensitive CUI programs where the solicitation specifies Level 2 (Self). | Full program, minus the third-party assessment |
| Level 2 (C3PAO) | The same 110 requirements, verified by a third party: the common case and the safe planning assumption. | CUI programs generally; the default plan when bidding multiple programs or unsure what primes will demand. | Scoping, enclave design, control operation, evidence, assessment support |
Level 1 is not a parking spot — it's the floor. For any client whose primes handle technical data, treat L1 as a milestone on the road to L2: the 15 practices are a strict subset of the 110, so nothing is wasted by starting now and building toward the full SSP.
02 · NIST SP 800-171 R2
The purpose: protect the confidentiality of CUI in nonfederal systems. The 110 security requirements are organized into 14 families, and Level 2 assesses every one of them — each scored MET or NOT MET, with most requirements breaking into multiple assessment objectives that must all be satisfied. CMMC currently assesses against 800-171 Revision 2; Revision 3 adoption will come via rulemaking — build to R2, track R3.
The Program by the Numbers
14 control families in 800-171 R2
110 security requirements, each MET or NOT MET
320 assessment objectives in 800-171A
110 to −203: the SPRS score range, top to bottom
How the DoD Assessment Methodology Scores It
A perfect implementation scores 110. Every NOT MET requirement subtracts its weight.
High-weight items like MFA, FIPS-validated encryption gaps, and access control basics cost 5 points each — and most are not POA&M-eligible.
Mid- and low-weight gaps subtract 3 or 1. Only limited lower-weight items may sit on a POA&M at certification.
A C3PAO can grant Conditional Level 2 at ≥88 with an eligible POA&M — which must be closed and verified within 180 days or the status lapses.
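The scoring rules above in working code: 110 minus the weight of every NOT MET requirement, Conditional Level 2 only at 88 or above with nothing but POA&M-eligible items open, and a remediation ordering that puts the 5-point, non-eligible gaps first. This is an added example, not ControlMap's or DoD's own tooling. The requirement table is a constructed sample of eight requirements, not the full methodology; its weights and POA&M-eligibility flags are assumptions to confirm against the current DoD Assessment Methodology and 32 CFR Part 170 before relying on them.

```python
"""SPRS score and CMMC Level 2 outcome calculator (added example, not project code).

Applies the rules the guide summarizes: start at 110, subtract the weight
(5, 3 or 1) of every NOT MET requirement, and grant Conditional Level 2 only
when the score is at least 88 and every open item is POA&M-eligible.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110          # every requirement MET
CONDITIONAL_THRESHOLD = 88   # minimum score for Conditional Level 2
MINIMUM_SCORE = -203         # floor of the methodology's range, used as a sanity check


@dataclass(frozen=True)
class Requirement:
    ident: str           # NIST SP 800-171 R2 requirement number
    title: str
    weight: int          # 5, 3 or 1 under the DoD Assessment Methodology
    poam_eligible: bool  # may remain open at certification (assumed: 1-point items only)


# Constructed sample covering the items the guide calls out. Weights and eligibility
# flags are illustrative assumptions; confirm them against the current methodology.
SAMPLE_REQUIREMENTS = {
    r.ident: r
    for r in [
        Requirement("3.1.1", "Limit system access to authorized users", 5, False),
        Requirement("3.1.5", "Employ least privilege", 3, False),
        Requirement("3.3.1", "Create and retain audit logs", 5, False),
        Requirement("3.5.3", "Multifactor authentication", 5, False),
        Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, False),
        Requirement("3.6.3", "Test the incident response capability", 1, True),
        Requirement("3.8.4", "Mark media with CUI markings", 1, True),
        Requirement("3.10.4", "Maintain physical access audit logs", 1, True),
    ]
}


def sprs_score(not_met, requirements=SAMPLE_REQUIREMENTS):
    """Return the DoD-methodology score: 110 minus the weight of each NOT MET item."""
    unknown = set(not_met) - set(requirements)
    if unknown:
        raise ValueError(f"unknown requirement ids: {sorted(unknown)}")
    score = PERFECT_SCORE - sum(requirements[i].weight for i in set(not_met))
    if score < MINIMUM_SCORE:
        raise ValueError("score below the methodology's floor; check the weights")
    return score


def level2_outcome(not_met, requirements=SAMPLE_REQUIREMENTS):
    """Classify a C3PAO result as (status, score, items the client must still address).

    Final Level 2: nothing open. Conditional Level 2: score >= 88 and every open
    item POA&M-eligible (the 180-day close-out clock starts). Otherwise: remediate
    and return; the third element lists the items that blocked certification.
    """
    open_items = sorted(set(not_met))
    score = sprs_score(open_items, requirements)
    if not open_items:
        return "Final Level 2", score, []
    blockers = [i for i in open_items if not requirements[i].poam_eligible]
    if score >= CONDITIONAL_THRESHOLD and not blockers:
        return "Conditional Level 2", score, open_items
    return "Not certified", score, blockers or open_items


def remediation_order(not_met, requirements=SAMPLE_REQUIREMENTS):
    """Order open items so non-eligible, high-weight gaps (MFA, FIPS, access control) come first."""
    return sorted(
        set(not_met),
        key=lambda i: (requirements[i].poam_eligible, -requirements[i].weight, i),
    )


if __name__ == "__main__":
    gaps = ["3.5.3", "3.8.4", "3.10.4"]        # constructed gap list
    print(level2_outcome(gaps))                 # ('Not certified', 103, ['3.5.3'])
    print(remediation_order(gaps))              # ['3.5.3', '3.10.4', '3.8.4']
```

Note that a score comfortably above 88 still fails certification when a single non-eligible item such as MFA is open; the threshold and the eligibility rule are separate gates, which is why the guide treats the 5-point items as the first remediation priority.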
Effort lives in surprising places. Technology is rarely the long pole. The killers are FIPS-validated cryptography (the module must hold a CMVP certificate — "uses AES" isn't enough), documented procedures for all 14 families, and evidence habits. The family table below rates each one's real-world lift for a typical SMB defense contractor.
AC Through SI
| Family | What it covers in practice | MSP translation | Effort |
|---|---|---|---|
| AC · Access Control (22 requirements) | The biggest family: authorized users and devices only, least privilege, separation of duties, session controls, remote-access encryption and control, wireless and mobile restrictions, CUI flow control, portable-storage limits, public-content review. | Identity platform + conditional access, RBAC matrix, VPN/ZTNA, MDM, DLP-style flow rules. | Heavy |
| AT · Awareness & Training (3 requirements) | Role-based security training, insider-threat awareness, and records that everyone with CUI access completed it. | Awareness platform campaigns with completion exports. | Light |
| AU · Audit & Accountability (9 requirements) | System audit logs that trace actions to individuals — protected from tampering, time-synchronized, reviewed, alarmed on failure, and retained to support investigations. | SIEM/log management with retention, alerting, and a documented review cadence. | Heavy |
| CM · Configuration Management (9 requirements) | Baseline configurations and inventories, change control, security-impact analysis, least functionality (disable what's unused), software allow/deny policies, user-installed software restrictions. | Golden images, hardening baselines in RMM, change tickets, application control. | Moderate |
| IA · Identification & Authentication (11 requirements) | Unique identification of users and devices, MFA for privileged and network access, replay-resistant authentication, password rules, obscured feedback, cryptographically protected credentials. | MFA everywhere, password manager, device identity — the 5-point SPRS items live here. | Heavy |
| IR · Incident Response (3 requirements) | An operational incident-handling capability — detect, analyze, contain, recover — with tracking, reporting, and testing. Pairs with the DFARS 7012 72-hour DoD reporting duty. | IR plan naming DIBNet reporting, runbooks, annual tabletop with minutes. | Moderate |
| MA · Maintenance (6 requirements) | Controlled system maintenance: sanitize equipment leaving the site, check media for malware, MFA for nonlocal maintenance sessions, supervise maintenance personnel without authorization. | Documented maintenance procedures in the RMM workflow; vendor escort rules. | Light |
| MP · Media Protection (9 requirements) | Protect and control CUI on paper and digital media: marking, restricted access, encrypted transport, sanitization before disposal or reuse, removable-media controls, backup media protection. | Encrypted USB policy or port lockdown, media destruction certificates, encrypted backups. | Moderate |
| PS · Personnel Security (2 requirements) | Screen individuals before CUI access; protect systems during terminations and transfers — revoke access, recover assets. | Hiring and offboarding checklists tied to identity deprovisioning. | Light |
| PE · Physical Protection (6 requirements) | Limit physical access to systems and the operating environment: escorts and visitor logs, physical access devices, safeguarding CUI at alternate work sites. | Badge and lock procedures, visitor log, home-office rules — mostly client-operated. | Light |
| RA · Risk Assessment (3 requirements) | Periodic risk assessments; vulnerability scanning on a schedule and when new flaws are identified; remediation per risk. | Vulnerability management platform with scan cadence and remediation SLAs. | Moderate |
| CA · Security Assessment (4 requirements) | Periodic control assessments, POA&Ms for deficiencies, continuous monitoring, and the System Security Plan itself — the documentation engine of the whole program. | Annual self-assessment cycle, living SSP and POA&M — the GRC platform's home turf. | Moderate |
| SC · System & Comms Protection (16 requirements) | Boundary defense, network segmentation and DMZs, deny-by-default, FIPS-validated cryptography for CUI, session protections, VoIP controls, split-tunneling bans, encrypted CUI at rest. | Firewall architecture, enclave segmentation, FIPS-mode endpoints, TLS policy — the other 5-point hotspot. | Heavy |
| SI · System & Info Integrity (7 requirements) | Timely flaw remediation, malicious-code protection at entry and exit points, security-alert monitoring and response, file and email scanning. | Patch SLAs, EDR/MDR, email security, advisory monitoring (CISA alerts). | Moderate |
The assessor's lens: every requirement is judged against its 800-171A objectives — for "3.1.1 limit access to authorized users," that means showing who is authorized, how the list is maintained, and proof the system enforces it. Write the SSP at that level of specificity and the assessment becomes a guided tour instead of an interrogation.
Who Does What
Typical allocation across the control families for an MSP-supported defense contractor — capture the real split per client, control by control, in the SRM.
03 · The Certification Path
Get from "we have contracts mentioning CUI" to a CMMC status in SPRS that survives scrutiny. The path: scope the boundary, build the document pack, score honestly, remediate — then the C3PAO certification assessment for Level 2. Plan 12–18 months end to end; C3PAO calendars book out months ahead.
End to End
1. CUI inventory, boundary, asset categories, enclave design.
2. Score all 110 per the DoD methodology; build the POA&M.
3. Close gaps, write the SSP and procedures, post the score in SPRS.
4. Mock assessment, evidence dry run, fix the misses.
5. Evidence review, interviews, demos; results into eMASS and SPRS.
6. Close any POA&M within 180 days; affirm annually; recertify in three years.
What to Expect
A CMMC Third-Party Assessment Organization — accredited by the Cyber AB — fields a certified team that examines artifacts, interviews the people who run each control (your technicians included), and tests and observes systems against all 320 objectives over roughly one to two weeks. Findings go through quality review and into DoD's eMASS system, feeding the client's CMMC status in SPRS.
Final Level 2 — all 110 MET. Conditional Level 2 — score ≥88 with only POA&M-eligible items open; close-out assessment within 180 days or the status lapses. Below that: remediate and return. Certification is valid three years with annual affirmations.
Book the C3PAO before remediation finishes — lead times run months. And brief your own engineers: assessors will interview the MSP staff who operate the controls, and "ask the client" is a failing answer.
Boundary & Paperwork
The Level 2 scoping guidance sorts every asset into five categories, and everything that touches CUI — or protects it, or could touch it — gets assessed. The art of affordable CMMC is moving assets down the list before the assessment. Then the document pack: what must exist before anyone assesses anything.
Scope Is a Sorting Exercise
| Asset category | Definition | Assessment treatment |
|---|---|---|
| CUI assets | Store, process, or transmit CUI — file servers, engineering workstations, email handling drawings, ERP with technical data. | Fully assessed against all applicable requirements. |
| Security protection assets | Provide security functions to the CUI environment — your SIEM, identity platform, EDR console, firewall, the MSP's tooling. | Assessed for the security functions they provide — this is how the MSP enters scope. |
| Contractor risk managed assets | Could access CUI but are policy-prevented from doing so — documented and enforced. | Documented in the SSP; reviewed, and assessable if the policy looks shaky. |
| Specialized assets | IoT/OT, GFE, test equipment, CNC machines that can't meet every control. | Documented in the SSP and managed by risk-based policies; not assessed against every requirement. |
| Out-of-scope assets | Cannot access CUI — physically or logically separated. | Not assessed. The goal: make most of the network this. |
The enclave play — shrink the boundary, shrink the bill. Instead of certifying the whole company, concentrate CUI into a controlled environment: a segmented network zone, a virtual-desktop setup, or a dedicated cloud tenant (Microsoft 365 GCC High is the common landing zone for ITAR-touching CUI under the DFARS 7012 cloud rule). Only the enclave and its security-protection assets face the full 110; the rest of the business stays out of scope. For a 30-person machine shop, that's routinely the difference between a five-figure and a six-figure program.
Week One Work
CUI data inventory and flows, network diagrams showing the boundary, asset inventory tagged by the five categories, and the ESP/cloud listing with their responsibility matrices. These open every assessment — and ControlMap stores them as the workspace's foundation documents.
CUI in personal OneDrives and email threads, engineers working drawings on home PCs, flat networks where the CNC shop floor sits beside accounting, and commercial SaaS holding technical data without FedRAMP-Moderate footing. Find them in week one, not in front of the assessor.
Assessors Ask for These First
| Document | What it is and why it matters | Owner / cadence |
|---|---|---|
| SSP (System Security Plan) | The master document: system boundary, environment, CUI flows, and how each of the 110 requirements is implemented or inherited from an ESP or cloud. Required by 800-171 itself (3.12.4) — no SSP, no assessment. Expect 80–150+ pages for a real environment. | Shared authorship; client signs · living document, reviewed annually |
| POA&M (Plan of Action & Milestones) | The honest gap ledger: each unmet requirement, the remediation plan, owner, and date. At certification, only limited lower-weight items may remain open — and they close within 180 days. | Shared · updated continuously |
| SPRS score & affirmation | The DoD-methodology self-assessment score (−203 to 110) posted to the Supplier Performance Risk System — checked before award under DFARS 7019. Annual executive affirmations of continued compliance live here too. | Client submits · current within 3 years; affirmed annually |
| SRM (Shared Responsibility Matrix) | Control-by-control allocation across client, MSP/ESP, and cloud providers — who implements, operates, and evidences each requirement. Built from each provider's customer responsibility matrix (CRM). | MSP drafts, all parties sign · reviewed annually |
| Scoping pack | CUI inventory and data flows, network and boundary diagrams, asset inventory by category, ESP and cloud listing. | Shared · refreshed on change |
| Policies & procedures | Written policy plus operating procedures covering all 14 families — assessors verify the documents and that practice matches them. | Shared · annual review & attestation |
| Incident response plan | Names the DFARS 7012 duties: report to DoD via DIBNet within 72 hours (requires a DoD-approved medium-assurance certificate — get it before the incident), preserve images and logs 90 days. | Shared · tested annually |
| Evidence library | Screenshots, configs, exports, training records, scan and review artifacts mapped to the 320 objectives — collected continuously, not the week before. | MSP-heavy · continuous |
Hand the SSP to an outsider: can they tell exactly which systems hold CUI, who administers them, and how requirement 3.5.3 (MFA) is implemented and proven? If any answer is "it's in someone's head," the document isn't done. Assessment prep is 60% writing, 40% configuring.
SPRS scores and affirmations are certifications to the U.S. government — inflated scores have already produced False Claims Act settlements. The MSP's job is to make the honest score high, never to make the high score dishonest.
Budget Conversations
The figures below blend DoD's rulemaking estimates with observed market ranges for SMB contractors (roughly 10–100 staff), in USD. Actuals swing widely with scope, starting posture, and cloud choices — use these to frame budget conversations, then price from the gap assessment.
Planning Anchors
| Cost element | Planning range | What drives it |
|---|---|---|
| Level 1 program (annual) | $3K – $15K / yr | The 15 practices ride on a standard MSP security stack; cost is mostly the annual self-assessment, SPRS entry, and affirmation support. |
| L2 gap assessment & scoping | $10K – $35K | Environment size, number of sites, whether CUI flows are already understood. |
| L2 remediation & build | $40K – $250K+ | The big variable: enclave vs whole-company scope, GCC High migration, FIPS-capable hardware refresh, MFA/SIEM/EDR gaps, documentation debt. |
| Cloud & licensing uplift | $25 – $60 / user / mo | GCC High–class licensing typically runs well above commercial tiers; enclave and VDI designs confine the premium to CUI-touching users. |
| C3PAO certification assessment | $40K – $120K+ / cycle | Scope size, objectives count, team-days, travel, and any 180-day POA&M close-out assessment. DoD's own small-entity estimate for the L2 cycle sits near the low end. |
| L2 self-assessment path (where permitted) | $15K – $40K / cycle | Same 110 requirements and documentation — only the third-party fee disappears. |
| Ongoing managed compliance | $2.5K – $10K / mo | Control operation, evidence collection, monitoring, annual affirmations, POA&M upkeep — the MSP's recurring service. |
Enclave the CUI instead of certifying the company. Confine premium licensing to CUI users. Inherit controls from FedRAMP clouds and document the inheritance. Reuse your MSP's assessed shared-services stack across many clients. Start the SSP early so remediation and writing run in parallel.
The comparison isn't "compliance vs nothing" — it's the program cost vs the defense revenue that disappears without it. A contractor with $3M of DoD-linked work weighing a ~$150K two-year journey is buying contract eligibility, prime-supply-chain standing, and a marketable differentiator competitors lack.
Never quote certification as a line item — quote the journey: assess → remediate → document → certify → maintain. Clients who hear only the C3PAO fee feel ambushed by remediation; clients who see the full arc fund it in phases.
Timing is a cost too. C3PAO capacity is the bottleneck of the entire ecosystem. A client who starts when the clause appears in their renewal pays rush pricing, slips bid deadlines, or both. The cheapest CMMC program is the one that started eighteen months early.
ControlMap by ScalePad
ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Everything the assessment journey demands — scoping documents, the 110 mapped requirements, the SSP narrative, the POA&M, SPRS scoring, policies with attestations, and the evidence library behind all 320 objectives — lives in one workspace per client, ready to hand a C3PAO.
The Five-Step ControlMap Workflow for CMMC
1. Create a dedicated client workspace and load CMMC Level 1 or the full NIST 800-171 set for Level 2. Anchor it with the scoping pack — CUI inventory, data flows, boundary diagrams, asset categories — and record the contract clauses that triggered the level, so the "why" travels with the evidence.
2. Assess all 110 requirements with built-in questionnaires, mark each MET or NOT MET, and let the deficiencies populate the POA&M with owners and dates. Score the result per the DoD methodology so the client's SPRS submission is grounded in documented answers — and watch the number climb as remediation lands.
3. Each control card explains the requirement, what "implemented" looks like, and what evidence satisfies it. Assign every control to your engineers, client staff, or an inherited cloud provider — building the shared responsibility matrix as you go instead of reconstructing it for the assessor later.
4. Draft the policy set for all 14 families from the template library, tailor it to the environment, version-control approvals, and push to staff for electronic acknowledgment. Control narratives and responsibility data roll up into the SSP documentation the C3PAO reads first.
5. Attach evidence to every control — MFA configs, log-review records, training exports, scan reports — automating what integrations with the Microsoft/Google clouds and your MSP stack allow. Recurring tasks keep artifacts fresh across the 3-year cycle, the 180-day POA&M clock, and each annual affirmation.
Productize the journey: Scope & Assess (CUI flows, gap, SPRS baseline) → Remediate & Document (enclave build, SSP, policies) → Manage & Certify (monthly compliance-as-a-service through the C3PAO and the 3-year cycle). CMMC's recurring nature makes it the stickiest MRR in the catalog.
Show the owner the SPRS score trend, the shrinking POA&M, the affirmation calendar, and the certification countdown. "Your DoD revenue is protected, and here's the score that proves it" is the easiest security story a defense contractor will ever fund.
Scope drifts: new contracts, new CUI types, a hire working from home, a SaaS tool adopted by engineering. Make "any new contracts or data flows?" a standing QBR question — and re-run the level decision whenever the answer is yes.
Take Action
Where each part of the journey lives in ControlMap and the artifacts you'll bank along the way; a realistic first-90-days arc for a Level 2 client — months one to three of a 12–18 month journey — and the ten-point quick-start checklist to put it all in motion.
ControlMap in Action
| Area | Do this in ControlMap | Artifacts you'll bank |
|---|---|---|
| Levels & contracts | Record each contract's clauses and CMMC status requirement; run Level 1's 15 practices as an annual recurring assessment; stage Level 2 clients on the full 800-171 framework with cross-mapping toward CIS/NIST CSF reuse. | Contract-to-level register · annual L1 self-assessment records · affirmation reminders and history |
| The 110 controls | Assign all 14 families with owners across MSP, client, and inherited providers; track MET/NOT MET per requirement; schedule the recurring cadence — log reviews, scans, access reviews, training, IR tabletop. | Control status history · SRM allocations · review sign-offs · training and tabletop records |
| Assessment journey | Store the scoping pack as foundation documents; maintain the living POA&M with the 180-day clock; export the SSP narrative and evidence bundle for readiness reviews and the C3PAO; track the 3-year recertification calendar. | Scoping pack · SSP & POA&M exports · SPRS scoring worksheet · assessor-ready evidence library |
| Your own MSP | Stand up a workspace for your own stack as an ESP — align your RMM, SIEM, identity, and backup tooling to 800-171 once, document it, and inherit that posture into every client SRM instead of re-proving it client by client. | Your ESP control documentation · reusable inheritance statements · proof for primes' supply-chain reviews and cyber insurance |
Months 1–3 of a 12–18 Month Journey
Contracts reviewed and level confirmed with primes · SRM in the MSA · workspace created.
CUI flows mapped · enclave strategy chosen · gap assessment and baseline SPRS score complete.
Remediation roadmap priced and funded · 5-point gaps (MFA, FIPS, boundary) in flight · SSP drafting begins.
Policies launched with attestations · evidence flowing · C3PAO shortlist contacted · updated score in SPRS.
The Ten-Point Quick-Start Checklist
1. Pull every contract, PO, and flow-down; search for 52.204-21 and 252.204-7012/-7019/-7020/-7021, and confirm CUI in writing with the primes.
2. L1 for FCI-only clients; L2 with C3PAO certification as the default plan wherever CUI flows.
3. Map CUI flows and asset categories, then design the enclave — shrink the boundary before pricing anything.
4. Run the 110-requirement gap assessment in ControlMap and compute the honest DoD-methodology score.
5. MFA, FIPS-validated crypto, and boundary defense move the score fastest — put them in flight before anything else.
6. SSP, POA&M, SRM, scoping diagrams, and policies — built alongside the technical work, not after it.
7. Post the score and affirmations in SPRS and calendar the annual renewals — missing one breaks award eligibility.
8. DIBNet access, the DoD-approved reporting certificate, and a tested 72-hour runbook — in place before the incident.
9. Book the slot, run a readiness review, and brief every MSP engineer who'll be interviewed.
10. 180-day POA&M clocks, annual affirmations, and the 3-year recertification — recurring in ControlMap.
This guide is provided for general educational purposes and reflects the CMMC program (32 CFR Part 170), DFARS clauses, and NIST SP 800-171 R2 as commonly understood at time of publication. It is not legal or assessment advice; phase timing, self-assessment eligibility, POA&M rules, and cost estimates vary by solicitation and environment — confirm specifics against current DoD CIO program documentation, the contract, and qualified counsel or a Registered Practitioner Organization / C3PAO.