MSPs are already in CMMC conversations, whether they realize it or not. There can be a lack of clarity on “What’s next?” and “How did we get here?”
As a consultant, November 2025 was my catalyst. Prospects appeared asking about CMMC. I knew enough to advise from a general perspective, but not specifically on what, why and how CMMC came to be. So, I enrolled in CCP (Certified CMMC Professional) training; I completed that in December.
I passed the CCP exam in February and attended well-timed CUI-Con the following week in Orlando, FL. From there, I went straight into CCA (Certified CMMC Assessor) training and passed the CCA exam in March. Now, I’m in the Tier 3 waiting period. This is the comprehensive background check that will make both CCP and CCA official.
Core Knowledge
Three things stood out as key themes in the two CMMC credential training courses:
- It’s all about the scoping. Where is the FCI (Federal Contract Information)? Where is the CUI (Controlled Unclassified Information)? Organizations must decide whether to manage them together or separately, and they need guidance. Scoping CUI, which necessitates CMMC Level 2, as tightly as possible saves both money and pain.
- The CMMC program must document, in writing, what is actually true of the environment. This includes policies, procedures, plans (where appropriate) and the System Security Plan (SSP). Network diagrams and data flow diagrams must each be in their place.
- Coordination is key. If controls and operations aren’t coordinated for an organization, the assessment team will uncover that. Sadness will ensue. CMMC is a comprehensive program, and organizations will need help ensuring that.
Part 1: MSPs and Scope
Are your customers asking about CMMC? If they are, do you know where you are in scope as the MSP? Are you intentional in helping your customers manage that?
CUI is like Cotton-Eyed Joe. Where does it come from? Where does it go? Do you see it, or manage assets that wrangle and tango with it? Research Security Protection Assets. You likely support those, especially for customers whose scope is broad.
If you’re still CMMC-intrigued, read on.

Part 2: Scope Doesn’t Announce Itself
CUI can live in nonobvious places, such as backups, email and administrative access to where it’s stored. Routine support can quietly be part of what’s in the compliance boundary for CMMC for a customer. Surprise! You didn’t choose the obvious let’s-be-in-scope path, but you’re there by default unless operations change.
CMMC requires the compliance boundary to be visible and forces operations to follow it.
- In scope: Lock down and enforce the 110 CMMC Level 2 controls and their 320 assessment objectives.
- Out of scope: Carry on with regular best-practice cybersecurity as you’ve defined it and live it.
Make an intentional decision about how to manage the MSP activities that the CMMC program will consider in scope. If you’re not fully prepared to support customers who require CMMC (and that includes pricing scenarios for that support), help them find an MSP that is.
Expand Your CMMC Knowledge
If CMMC is in your plan, you don’t have to immediately embrace formal training like I did. Here are some options:
- The U.S. government sponsors CUI training for free.
- Several podcasts cover the topic extensively.
- Join the CUI Institute. As a member of the nonprofit organization, you can ask questions every other Friday in an open forum. Additionally, the membership gives you access to three other training courses recorded by its members. There’s a CUI Discord server to join, too.
After you explore these areas, make the CCP decision. Official training is required to sit the CCP exam, which is the first step toward gaining the CCP credential.
As of April 1, ISACA administers the exam process and tracks training. Maintaining a CMMC credential does require continuing professional education credits (CPEs). At CUI-Con, one session recommended to OSCs (Organizations Seeking Certification) that CCP training for CMMC-immersed staff members is a good idea. It’s also a great idea for MSPs who are working in the space.
Find a training provider whose courses fit your schedule and learning methods.
CMMC and Your MSP’s Decree
So what will it be? CMMC, or wait and see while you build some expertise. Then align your scope with policies, procedures, plans and SSPs.
Please.
Heather Noggle is owner of Codistac. The company offers services to software and cybersecurity companies, as well as other technology service providers.