For many MSPs, the Cybersecurity Maturity Model Certification (CMMC) has hovered for years as something confusing, intimidating, and easy to postpone. That is, until clients suddenly need answers. As the contractor compliance requirements become clearer, Huntress and DEFCERT have stepped in with something MSPs have been asking for: practical, structured guidance that makes the process manageable.
Earlier this month, the two companies unveiled a jointly developed library of living CMMC resources. This collection of documentation, shared responsibility matrices, evidence templates, and step-by-step guides was designed specifically for MSPs supporting defense contractors. The collaboration grew out of years of community conversations, shared frustrations, and a recognition that MSPs will play a central role in helping the Defense Industrial Base meet Level 2 requirements.
Huntress Community Growth Strategist Jeremy Young and DEFCERT CEO Ryan Bonner recently sat down to talk with ChannelPro about how they came together on this toolset. More importantly, they shared why MSPs should see CMMC as a growth opportunity, not something to avoid.

How the Partnership Took Shape
Young and Bonner, who had been friends for years, had often talked about the challenges of CMMC. After years of back-and-forth in the industry, during which MSPs struggled to plan around uncertainty, the final CMMC ruling became effective in December 2024. That clarity allowed the pair to align quickly on a path forward.
Young recalled pitching the idea to leaders at Huntress. “It was a no-brainer. They were like, ‘We should do that.’”
The documentation was inspired by patterns Bonner kept seeing in the SMB and MSP space. “A lot of the documents and resources we ended up building was like me processing my stored trauma of being at an MSP who had these struggles,” he admitted. The pair’s goal was to give MSPs a structure for making good decisions and guiding clients confidently through compliance.
Why MSPs Need a Repeatable Framework for CMMC Compliance
One thing that’s clear is that many MSPs still underestimate the scale of what’s coming. Take, for example, Corporate Information Technology (CorpInfoTech), a cybersecurity-focused MSP that had spent decades helping clients build compliance programs and prepare for audits. But when it was time for the company to go through a formal CMMC assessment firsthand, it was a different experience altogether.

“The assessors didn’t simply run through an IT checklist. The team reviewed procurement workflows, HR onboarding, and the links between risk decisions and implemented controls. Their knowledge of NIST standards and high-assurance environments pushed the process well beyond traditional IT audits,” CorpInfoTech Founder and President Lawrence Cruciana wrote in an article for ChannelPro. “Despite my deep involvement with CMMC since its early days, the experience revealed how unprepared even mature MSPs might be for this level of scrutiny.”
And this is just one example. While public Department of Defense estimates suggest around 80,000 organizations will need a Level 2 CMMC assessment, Young called that estimate “wildly low.” That’s because many contractors never appear in official government databases.
That gap affects MSPs too, since many don’t yet realize they already support clients in the Defense Industrial Base. “This is a ticking time bomb for MSPs who don’t even think they’re going to touch CMMC. Yes, you are. A decision has to be made of, ‘Do I do this or try to hand off this client?’ And it’s going to be the same thing at the client level,” Young insisted.
This also means that the organizations willing to embrace compliance now will differentiate themselves before demand peaks.
Why This Matters for MSPs
- Clarity in CMMC Prep: Documentation and templates help MSPs translate complex requirements into manageable steps.
- Lower Compliance Overhead: Sensitive data mode prevents CUI from entering the platform, reducing the need for costly FedRAMP migrations.
- Faster Assessments: Evidence kits and clear task lists reduce the time MSPs spend supporting third-party CMMC evaluations.
- Stronger Client Retention: Clients who pass Level 2 need stability for three years, making MSP relationships stickier.
- New Revenue Opportunity: Growing demand for CMMC-ready support, even among large enterprises, creates new service avenues.
What the Huntress + DEFCERT CMMC Toolkit Provides
The CMMC resource library created by the two companies gives MSPs documented, repeatable guidance built around Huntress’ sensitive data mode and a wide set of templates. Key components include:
- Editable Shared Responsibility Matrix: Outlines what Huntress handles, what the MSP handles, and what the client must own
- Operations Guide: Lists recurring tasks tied to NIST objectives (weekly, monthly, annually)
- Evidence Kits and Screenshot Instructions: Pre-built templates MSPs can hand directly to assessors
- Configuration and Agreement Templates: Security approvals, interconnection agreements, and baseline configurations
Young said the goal was to turn the step-by-step process into bite-sized chunks, making it easy to follow. “We’re really breaking it down so that when you follow the playbook, you can adopt the documentation and process internally, and then reuse that with your other tools. It makes it less scary.”
Sensitive Data Mode: A Critical Capability
According to Bonner, Huntress’ approach solves one of the biggest cost and complexity problems MSPs face when handling Controlled Unclassified Information (CUI). If a tool can ingest CUI, contractors often must migrate to a FedRAMP-authorized version of that product. This transition brings minimum spends, higher operational overhead, and significant costs for SMBs. “That’s a huge lift, and in a lot of cases, just an insurmountable obstacle for SMBs to absorb,” Bonner said.
Sensitive data mode prevents that data from entering the platform since Huntress never collects CUI in the first place. And this mode doesn’t cost extra. “It’s fantastic to have options that preserve security capability without needing to stack additional compliance requirements that aren’t appropriate for the tool’s intended use case, keeping those costs low,” Bonner noted. “That’s complete stakeholder alignment with what the tool should do and what the consumers of that tool need.”
Tough — But Beneficial — Advice for MSPs
When asked what MSPs should do if they’re uncertain about entering the CMMC market, Bonner was blunt: “Get in or get out. There’s no half measures here.”
Young backed him up. “You’re either pregnant or you’re not pregnant. You can’t be half pregnant.”
They advised MSPs to make a strategic choice:
- If opting in, build processes, referral channels, and internal competency.
- If opting out, prepare a handoff plan so clients aren’t left stranded.
Meanwhile, one of the more surprising trends is that large enterprises are now asking for managed services for new regulated cloud enclaves. Their internal IT teams are not equipped for CMMC-driven environments, Bonner said. “We’re seeing amazing opportunities for MSPs who would never imagine themselves servicing an organization of this size.”
The Bottom Line for MSPs
CMMC isn’t going away, and the organizations that move early will benefit the most. The Huntress and DEFCERT collaboration gives MSPs a structured, affordable way to start. “If you help your client get Level 2 compliance, … you have solved the single biggest threat to their business as a defense contractor,” Young said.
Supporting clients on CMMC assessments also can create a more secure client for MSPs. Once assessed, a contractor is certified for three years unless a material change occurs — like switching MSPs. And that would require the client to pay for and go through yet another CMMC assessment. “Those who choose to go down this path, it’s going to create very sticky, recurring revenue,” Young added.
For MSPs, that’s more than service delivery. It’s strategic partnership and a long-term growth path.
Anjali Fluker is senior channel editor for The ChannelPro Network, where she covers news, trends, and best practices for the MSP community. She specializes in telling the stories that matter to IT providers serving the SMB market. When she’s not reporting on the latest in managed services, she’s connecting with channel pros at industry events across the country.