Looking for the latest information security and privacy insights from EXTEND? Follow us on LinkedIn.
CMMC 2.0: Navigating the New Landscape for MSPs and MSSPs

CMMC 2.0: Navigating the New Landscape for MSPs and MSSPs

The proposed Cybersecurity Maturity Model Certification (CMMC) initiated by the U.S. Department of Defense (DoD) presents both challenges and exciting opportunities for Managed IT Service Providers (MSPs) and Managed Security Service Providers (MSSPs).

CMMC is a required assessment and certification program for organizations that serve as contractors and subcontractors to the DoD. It is designed to validate that these organizations meet the information security requirements set out in their government contracts, namely compliance with NIST SP 800-171.

In CMMC 2.0, both Cloud Service Providers (CSPs) and External Service Providers (ESPs) that transmit, access, or store DoD-controlled unclassified information fall within its scope. As a result, MSPs and MSSPs must meet the same CMMC compliance level as their DoD Contractor and Subcontractor clients.

A Quick History of the Cybersecurity Maturity Model Certification

The DoD published an interim cybersecurity rule to the existing Defense Federal Acquisition Requirements Supplement (DFARS) in September 2020. Implementation of this rule outlined the initial vision for the program: CMMC 1.0. That rule became effective in November 2020 and established a phase-in schedule over a five-year period.

After performing an internal review of the interim rule and hundreds of related public comments, in March 2021, the DoD, along with cybersecurity and federal acquisition leaders, set out to refine the original policies and program. The Department released a redesigned CMMC 2.0 in November 2021 with a focus on five primary goals:

  1. Safeguard sensitive information to enable and protect the warfighter,
  2. Enforce the Defense Industrial Base (DIB) cybersecurity standards to meet evolving threats,
  3. Ensure accountability while minimizing barriers to compliance with DoD requirements,
  4. Perpetuate a collaborative culture of cybersecurity and cyber resilience, and
  5. Maintain public trust through high professional and ethical standards.

The proposed rule was published in the Federal Register on December 26, 2023. The Defense Department accepted public comments through February 26, 2024. The DoD is expected to publish the final rule and fully implement the program later this year.

While navigating CMMC compliance requirements can be complex, it also opens doors to significantly expand your client base and service offerings.

Let’s delve into the critical points MSPs and MSSPs should know.

CMMC 2.0 Requirements for MSPs & MSSPs

In the proposed rule, if any MSP/MSSP clients are subject to CMMC and they access, store, or transmit CUI from MSP systems, the managed service provider is subject to the same requirements.

  • Aligned with Levels: Like its predecessor, CMMC 2.0 aligns your compliance level with your clients. This means achieving the same level of certification (Level 1, 2, or 3) as your clients who are working with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
  • Shared Responsibility Matrix: A “Shared Responsibility Matrix” will be mandatory, outlining your and your client’s specific security responsibilities regarding CUI protection.
  • Subcontracting: As a subcontractor to a CMMC-obligated entity, you will also be subject to the same compliance requirements.
  • Rigorous Assessments: For Levels 2 and 3, independent assessments by Certified Third-Party Assessment Organizations (C3PAOs) will verify your compliance.

Compliance Challenges for MSPs & MSSPs

Planning to meet CMMC requirements for your organization or in support of your clients’ efforts requires significant knowledge, discipline, and qualified resources. Here are a few challenges to consider as you develop your strategy.

  • Internal Compliance: Achieving and maintaining certification requires significant investment in security controls, processes, and training.
  • Client Onboarding & Support: Assessing client needs, mapping compliance requirements to their IT infrastructure, and implementing changes can be complex and time-consuming.
  • Cost & Resource Management: The financial and personnel resources required for compliance can be substantial.
  • Talent Acquisition: Finding qualified personnel with CMMC 2.0 expertise can be challenging.
  • C3PAO Assessment: Scheduling your certification audit is challenging due to the limited number of C3PAO-certified assessors. Plan ahead to beat the crowd.
  • Continual Monitoring & Maintenance: Maintaining compliance requires ongoing monitoring, adjustments, and documentation.

Overcoming CMMC Compliance Challenges

Understanding requirements for your CMMC level, planning ahead, and engaging qualified experts in the process can help you overcome and avoid implementation challenges. For instance, below are five strategies you can leverage to support timely and effective compliance.

  • Start Early: Begin preparing now, even before the final rule is published. Conduct gap assessments to identify areas for improvement.
  • Invest in Training & Resources: Train your staff on the Cybersecurity Maturity Model and invest in necessary security tools and technologies.
  • Partner with CMMC Consultants: Seek guidance from experts, such as EXTEND Resources information security team led by a CMMC Registered Practitioner, to navigate your compliance journey efficiently and support your clients’ security programs.
  • Develop Client Onboarding Strategies: Create standardized processes for assessing client needs and implementing controls effectively.
  • Communicate Clearly: Maintain transparent communication with clients throughout the compliance process.


Discover helpful ways to work with a CMMC Registered Practitioner. Check out the blog: The Ultimate Guide to CMMC Compliance with a Registered Practitioner


Opportunities for MSPs & MSSPs

While becoming CMMC compliant requires effort and investment, your organization reaps the rewards of having enhanced, demonstrable protection against cyber threats and attacks. Certification brings additional rewards.

  • Expanded Client Portfolio: CMMC 2.0 opens doors to a vast pool of potential clients, including DoD contractors and subcontractors across diverse industries.
  • Enhanced Value Proposition: By offering compliance support to DoD contractors and subcontractors, you can differentiate yourself and command premium rates.
  • Recurring Revenue Streams: Compliance with the DoD mandate requires ongoing monitoring and maintenance, creating recurring revenue streams.
  • Building Stronger Client Relationships: Supporting clients through compliance and certification can foster trust and loyalty.


Looking for tips you can share with clients facing CMMC certification? Read our recent blog post: 10 Steps You Can Take Today to Conquer the CMMC: Tips for Defense Contractors and Sub-Contractors.


Partnering with Experts

EXTEND Resources is your trusted partner for navigating CMMC 2.0 compliance. EXTEND is an ISO 27001-certified organization for information security management. Through our partnership programs for MSPs and MSSPs, we offer:

  • Cybersecurity Consulting: Expert guidance from a CMMC Registered Practitioner on achieving and maintaining compliance with the latest requirements.
  • Client Onboarding & Support: Streamlined processes for assessing client needs and implementing controls, plus providing ongoing monitoring, maintenance, and incident response to foster sustained compliance.
  • Security Tool Implementation & Management: Expertise in deploying and managing compliant security tools.
  • Training & Awareness Programs: Comprehensive training for your staff and your clients on Cybersecurity Maturity Model Certification.
  • C3PAO Assessment Support: Coordinate with a Certified Third-Party Assessor Organization (C3PAO) to schedule your assessment and provide audit support throughout the process.


CTA: Learn more about EXTEND’s Information Security Services, including CMMC Readiness. 


By partnering with EXTEND Resources, you can efficiently meet compliance requirements, expand your business opportunities, and become a trusted advisor to your clients in this evolving security landscape. Contact us today to learn more and discuss your specific needs.

Remember: This certification is a challenge and a strategic opportunity for MSPs and MSSPs to solidify their position as trusted partners in the DoD ecosystem and unlock significant growth potential. Be proactive, embrace the change, and let EXTEND Resources guide you on your journey to CMMC 2.0 success.


Scroll to Top
Skip to content

By continuing to use the site, you agree to the use of cookies. Learn More

We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.