Does My MSP Need to Be CMMC Compliant?

If your MSP handles CUI or security protection data, they're in your CMMC assessment scope. Learn when your MSP qualifies as an ESP, what that means for your certification, and how to structure the relationship for assessment success.

Deep Fathom

The short answer: it depends on what they touch.

If your managed service provider processes, stores, or transmits CUI or Security Protection Data on your behalf, they are an External Service Provider under CMMC. Their environment becomes part of your assessment scope. Their security practices directly affect your certification outcome.

This isn’t a theoretical concern. It’s one of the most common sources of assessment findings for defense contractors who use outsourced IT services.

When Your MSP Is an ESP

The CMMC program defines an External Service Provider as an organization that processes, stores, or transmits CUI or Security Protection Data (SPD) for the contractor. The key word is “or.” Your MSP doesn’t need to touch CUI directly to be in scope. If they manage security tools that generate or process SPD, they qualify.

Your MSP is likely an ESP if they:

  • Manage systems where CUI is stored, processed, or transmitted
  • Administer your email system if CUI flows through email
  • Run your SIEM, firewall, or endpoint protection (these generate Security Protection Data)
  • Manage your backup solution if backups contain CUI
  • Have remote access to systems within your CUI boundary through RMM or remote desktop tools
  • Administer identity and access management systems for CUI environments

In multiple recent readiness reviews we’ve conducted, the contractor’s RMM tool was the ESP trigger nobody had considered. The MSP’s remote monitoring agent sat on every in-scope endpoint, processing security telemetry continuously — making the MSP an ESP regardless of whether they ever touched CUI directly.

Your MSP may not be an ESP if they:

  • Provide services exclusively to systems outside your CUI boundary
  • Have no access to CUI or SPD in any form
  • Operate in a completely separate network segment with no connectivity to in-scope systems

The distinction matters because an ESP’s environment, tools, and operational practices become assessable as part of your CMMC scope. If your MSP manages your firewall but their own administrative access isn’t secured with MFA, that’s a potential finding on your assessment, not theirs.

Your MSP Usually Doesn’t Need a Separate CMMC Certificate (But Their Practices Are in Scope)

This is a common misconception. Your MSP usually does not need a separate standalone CMMC certificate solely because it supports your environment. Some ESPs may separately pursue voluntary assessments as a market differentiator, but that’s their business decision, not your compliance requirement.

What does matter: if your MSP is an in-scope ESP, their services, evidence, and control responsibilities become part of your assessment scope. The CMMC assessment evaluates your environment, including the portions operated by your ESP. The assessor doesn’t separately certify the MSP. They assess whether the controls the MSP is responsible for are implemented and evidenced as part of your compliance package.

What this means in practice:

  • Your MSP’s configurations must support the NIST 800-171 controls documented in your SSP
  • Your MSP must be able to produce evidence for the controls they own
  • Your MSP’s practices (access management, logging, incident response, patching) must be consistent with what your documentation describes
  • Your MSP’s staff may be interviewed by the assessor about the controls and procedures they manage on your behalf

The Customer Responsibility Matrix

The mechanism for making this work is documented control ownership. For each security requirement where your MSP plays a role, you need clear documentation of who owns the control, who implements it, and who produces the evidence.

Document how security responsibilities are divided between your organization and each in-scope provider. A customer responsibility matrix is required by the CMMC scoping guidance for all in-scope ESPs. The document should specify:

  • Which NIST 800-171 requirements the MSP is fully responsible for
  • Which requirements are shared between the MSP and the contractor
  • Which requirements the contractor owns independently
  • For shared requirements, the specific division of responsibility
  • How the MSP’s compliance with their assigned controls is verified and monitored

Assessors will ask for this documentation. If it doesn’t exist, or if it’s vague about who owns what, the assessor has to determine accountability during the assessment. That process surfaces gaps.

Need help defining control ownership between you and your MSP? Start with a free readiness check to map which controls fall in your scope and which fall in theirs.

Cloud Service Provider Requirements

If your MSP hosts your CUI environment in a cloud service, or if they provision cloud services on your behalf, additional requirements apply.

Cloud service providers that process, store, or transmit CUI must meet FedRAMP Moderate authorization or FedRAMP Moderate equivalency. This is a requirement of DFARS 252.204-7012, validated as part of your CMMC assessment.

If your MSP delivers services through a cloud platform, determine whether the service is being provided as an ESP using a third-party CSP, or whether the provider itself is acting as a CSP for the in-scope service. The distinction matters because CSPs that process, store, or transmit CUI must meet FedRAMP Moderate authorization or equivalency requirements, while ESPs that use a compliant CSP’s infrastructure have a different compliance profile.

Verify that the specific cloud environment meets the FedRAMP requirement. “We use Azure” is not sufficient. Azure Commercial, Azure Government, and Azure Government (GCC High) have different authorization levels. The environment where CUI resides must meet the applicable standard.

If a CSP claims FedRAMP Moderate equivalency rather than formal authorization, require a defensible body of evidence showing the offering has been assessed against the FedRAMP Moderate baseline in line with DoD policy. There is no public registry of equivalent offerings, so the OSA must evaluate the CSP’s evidence directly — and your assessor will review it during your assessment. Self-declared equivalency without third-party assessment does not satisfy the requirement.

Questions to Ask Your MSP

Before your CMMC assessment, have a direct conversation with your MSP about their role in your compliance program.

Scope questions:

  • Do you process, store, or transmit any of our CUI or Security Protection Data?
  • Which of your systems and tools interact with our CUI boundary?
  • What remote access methods do your staff use to connect to our in-scope systems?
  • Are your RMM, ticketing, and administrative tools within or connected to our assessment scope?

Compliance questions:

  • Are you prepared to document your security practices for the controls you manage on our behalf?
  • Can you produce evidence (configurations, logs, access records) for assessor review?
  • Do your administrative practices (MFA, access management, logging) meet the NIST 800-171 requirements applicable to the services you provide?
  • Is the cloud environment where our data resides FedRAMP Moderate authorized or equivalently assessed?

Documentation questions:

  • Do you have a customer responsibility matrix or equivalent document that defines control ownership?
  • Are you willing to participate in the assessment process, including potential interviews with our C3PAO?
  • What happens to our data and access if we change providers?

If your MSP can’t answer these questions clearly, that’s a signal. An MSP that doesn’t understand CMMC, can’t document their security practices, or can’t produce evidence for the controls they manage creates risk for your assessment. The time to discover this is before your C3PAO engagement, not during it.

What to Do If Your MSP Isn’t Ready

If your current MSP doesn’t understand CMMC, can’t support the controls they’re responsible for, or can’t produce documentation for your assessment, you have three options.

Option 1: Help them get ready. Share the requirements. Walk them through what the assessment will evaluate. Give them time to prepare. This works if the MSP is willing and capable, but lacks CMMC-specific knowledge. Many strong IT providers simply haven’t been exposed to the CMMC framework yet.

Option 2: Supplement with an RPO. Bring in a Registered Practitioner Organization to bridge the compliance advisory gap. The RPO helps define the customer responsibility matrix, guides the MSP on what evidence to produce, and ensures the documentation meets assessment standards. The MSP continues managing IT. The RPO manages the compliance layer.

We see Option 2 most frequently among mid-tier contractors. The MSP stays for IT operations, an RPO bridges the compliance gap, and the CRM defines who owns what. It works when the MSP is willing but uninformed — which describes most of the market right now.

Option 3: Change MSPs. If the MSP can’t or won’t support your CMMC program, and the cost of bringing them along exceeds the cost of switching, find a provider that already understands the defense compliance environment. MSPs that hold RPO designation or that specialize in serving the defense industrial base are increasingly common.

Switching MSPs mid-compliance-program is disruptive. The customer responsibility matrix, evidence, and SSP all reference the provider’s environment. Changing providers means rebuilding those references. Start evaluating your MSP’s readiness early so you have time to make this decision without schedule pressure.

The Bottom Line

Your MSP’s compliance posture is your compliance posture, at least for the controls they manage. The CMMC assessment doesn’t draw a line at your organizational boundary. It follows the CUI and SPD to wherever they’re processed, stored, or transmitted, including your MSP’s environment.

Get the customer responsibility matrix in place. Verify your MSP can support the controls they’re assigned. Confirm cloud environments meet FedRAMP requirements. And do all of this before you engage your C3PAO, not after.

Deep Fathom gives contractors and their MSPs a shared system of record for managing compliance. Controls, evidence, and documentation live in one environment with role-based access, so both parties work from the same truth and the assessor sees a clean, organized package.

Check your readiness or talk to our team.
