Business Strategy
Channel Insights
Stay Connected
Acer America
Acer America Corp. is a computer manufacturer of business and consumer PCs, notebooks, ultrabooks, projectors, servers, and storage products.


333 West San Carlos Street
San Jose, California 95110
United States


ChannelPro Network Awards

hello 2
hello 3


December 6, 2021 |

MSPs Must Comply with CMMC

Now that new guidance from the DoD makes that clear, will MSPs run and hide, or achieve compliance to earn bigger profits?

On December 3, 2021, the Department of Defense (DoD) released the long-awaited scoping guidance for CMMC 2.0, the newly announced revision to the original CMMC model. If you have even one defense contractor client that must comply with CMMC at any level, your managed service provider business will be part of their assessment.

You can choose to run and hide from defense contractors, or comply with CMMC and reduce the number of competitors you will face, while establishing very sticky relationships with clients.

What’s in the Guidance

The new guidance, both for end-user self-assessments and independent assessments for certification, lists security tools and vendors (including MSPs and cloud services) within the assessment scope.

The DoD defines External Service Provider (ESP) as “External people, technology, or facilities that the organization uses, including cloud services, co-located data centers, hosting providers, and managed security service providers.”

The DoD also talks about “Security Protection Assets” and provides examples:

What This Means for You

The new guidance means that your MSP business will need to implement a compliance program aligned with the NIST SP 800-171 framework consisting of 110 cybersecurity practices.

It is likely you will need to change the way you implement cybersecurity by:

  • Using government versions of communications and data storage tools.
  • Ensuring your vendors are compliant, including protecting production data and backups with FIPS 140-2 certified encryption.
  • Always having current documentation validating your compliance.

If your clients only process, store, or transmit Federal Contract Information (FCI), you will need to validate your compliance with CMMC 2.0 Level 1. However, if you have even one client that processes, stores, or transmits Controlled Unclassified Information (CUI), you will need to meet the requirements for CMMC 2.0 Level 2, and implement all 110 practices in NIST SP 800-171.

Some defense contractors will have to comply with CMMC 2.0 Level 3, requiring additional protection against advanced persistent threats.

The assessment guides – expected to be released in mid-December – will provide more guidance to help you prepare for your assessment.

The new scoping guidance definitively answers the question about MSPs having to comply with CMMC. Compliance is achievable and can result in bigger profits if you can show you are a trusted authority and have differentiated your company from MSPs who continue to think that cybersecurity and compliance are the same.

MIKE SEMEL is a former MSP and founder of Semel Consulting, which provides advisory services to MSPs and end users for compliance, cybersecurity, and business continuity planning. He worked with CompTIA to develop its Security Trustmark Plus, and with RapidFire Tools to create Compliance Manager GRC.

Editor’s Choice

What MSPs Need to Know About the Risks of Relying on Collaboration Tools for Data Backup

April 4, 2024 | Todd Thorsen

It’s important to understand your clients’ technology needs and risk tolerance to ensure you recommend and implement the proper tools and technology.

3 Questions with Ingram Micro’s Sanjib Sahoo on Integrating AI into Managed Services

March 25, 2024 |

Ingram Micro’s EVP and chief digital officer shares some insights on how MSPs can effectively integrate artificial intelligence into their business operations.

Hard Work Pays Off: One Chicagoland MSP’s Story

March 21, 2024 |

The story of a technologist turned business owner that successfully switched from break-fix to managed services.

Related MSP Spotlights, News

Growing the MSP

Explore ChannelPro


Reach Our Audience