Until recently, many MSPs and MSSPs believed they were off the hook for CMMC compliance, even when their defense contractor customers were handling Controlled Unclassified Information (CUI). That changed during May's Cyber AB Town Hall, when Matt Travis, CEO of the Cyber AB, clarified exactly when External Service Providers (ESPs) must pursue their own CMMC certification.

Mr. Travis stated that if an ESP that is not a Cloud Service Provider is storing, processing, or transmitting CUI on its own systems, not just administering someone else's systems, then it requires its own CMMC Level 2 certification.

This policy marks an important shift for the industry. Many MSPs and MSSPs now face a dual challenge: pursuing their own compliance journey while continuing to advise their clients on theirs.

This blog breaks down the key scenarios in which an ESP does or does not need their own CMMC Level 2 certification—and what that means for your business.

When MSP/MSSPs Do Need to Pursue CMMC Level 2

If your organization stores, processes, or transmits CUI on your own systems, you must undergo a CMMC Level 2 assessment independently of your clients. Without your own certification, your systems will instead be assessed as part of each customer's assessment, which effectively means going through a second assessment every time one of your customers is assessed.

Examples:

  • You manage a remote monitoring and management (RMM) tool that collects data from your client’s CUI environment.
  • You are an administrator of Microsoft GCC High or PreVeil, and your access includes client emails or documents containing CUI.
  • You host a VDI environment on your own infrastructure for defense contractors that handle CUI.
  • You operate backup or file sync services that store customer CUI on your infrastructure.

When MSP/MSSPs are Assessed with the Client

If you don't store, process, or transmit CUI, but you do manage Security Protection Assets (SPAs), such as a SIEM, managed firewalls, or endpoint detection and response tools, you do not need your own certification. However, your services will be included in your client's CMMC assessment boundary.

In this case:

  • Your practices will be evaluated as part of the client’s CMMC Level 2 assessment.
  • Your documentation and procedures may be reviewed by the assessor, but you’re not separately certified.

This is an important nuance: you are in scope for the client's assessment, but you are not required to hold your own certification.

When MSP/MSSPs are Out of Scope Entirely

If your systems never touch CUI or Security Protection Assets, you are not considered an ESP for CMMC purposes, and you are not in scope for any assessment.

Examples:

  • You provide on-site desktop support, replacing hardware or troubleshooting a user's device, but no data flows through your infrastructure.
  • Your support is hands-on, but it does not involve storing, processing, or analyzing sensitive data.

This type of support does not require certification, and your involvement would not be included in the client’s CMMC boundary.

Why It Matters

Matt Travis' clarification underscores a growing truth: you can no longer assume you're off the hook just because you're not the primary defense contractor. As an MSP/MSSP, your infrastructure decisions, and how your systems interact with your clients' environments, will determine whether you are required to become certified.

To protect your business and avoid surprises during a client's assessment, you must:

  • Understand your role in your customers' compliance ecosystem.
  • Separate your systems from client systems that contain CUI, wherever possible.
  • Document your practices and be transparent with clients about what data you do and do not touch.

How PreVeil Separates MSP Systems

PreVeil's Approval Groups technology provides a distinctive security and compliance feature for defense organizations and the MSPs that assist them in their compliance journey. Approval Groups use a cryptographic technique that prevents Global Admin access to customer data and ensures MSP administrators cannot read customer data from the MSP's own systems.

With this feature, MSP admins are cryptographically prevented from accessing customer data, whether accidentally or intentionally. And if the MSP does not store, process, or transmit CUI on its own systems, it does not require its own CMMC Level 2 certification, although its services may still be reviewed within the client's assessment boundary if it manages Security Protection Assets, as described above.

The Approval Groups feature is available by default in all PreVeil Admin licenses; however, it must be configured correctly for the separation to hold and for the compliance benefit to apply.


Conclusion

The message is clear: CMMC compliance is no longer just for defense contractors. MSPs and MSSPs are now part of the security equation, and of the CMMC enforcement framework.

Understanding whether you need to pursue certification is essential for maintaining client trust, avoiding disruption, and securing future business in the defense sector.

Need help? Book time with PreVeil's partner compliance team.