Key Takeaways
The CMMC 2.0 final rule is now enforceable: DoD prime contractors and their subcontractors handling Controlled Unclassified Information must certify at Level 2 via a C3PAO third-party assessment before contracts can be awarded. Most defense supply chain SMBs have no in-house security capability and are using the same MSP that manages their desktops and email. MSPs who understand the 110 NIST SP 800-171 controls, can scope a compliant system boundary, and can guide clients through the C3PAO process are positioned to capture a high-value, sticky service line in a market where demand is contractually mandated. This guide covers how to build it.
The CMMC 2.0 rules are now in effect and the DFARS 252.204-7021 clause is appearing in solicitations. CMMC is no longer a future regulation; it is a contract requirement. Any company that handles Controlled Unclassified Information (CUI) under a DoD contract must demonstrate compliance, and for most Level 2 contractors that means a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO).
Most of those companies are small manufacturers, engineering firms, IT integrators, and professional services companies. Most of them have an MSP. Almost none of them have an information security program that could pass a C3PAO assessment today.
That is the market. This is how to serve it.
What CMMC 2.0 Actually Is
CMMC — Cybersecurity Maturity Model Certification — is the DoD’s framework for requiring cybersecurity practice maturity as a condition of contract award and performance. Version 2.0 simplified the original five-level model to three levels and aligned them directly to NIST standards:
Level 1 (Foundational): the 15 basic safeguarding requirements of FAR 52.204-21. Self-assessment only, with an annual affirmation. Required for contracts involving Federal Contract Information (FCI) but not CUI. Around 80,000 companies fall here.
Level 2 (Advanced): 110 practices from NIST SP 800-171. For most contracts, third-party assessment by a C3PAO is required. Some contracts allow self-assessment with senior official affirmation — but DoD has been tightening this. Around 80,000 companies need Level 2.
Level 3 (Expert): the 110 Level 2 requirements plus 24 selected requirements from NIST SP 800-172. Assessed by the government (DIBCAC), with a current Level 2 C3PAO certification as a prerequisite. Reserved for the highest-value, highest-sensitivity programs; a small subset of companies fall here.
If your clients are in the defense industrial base — prime contractors, subcontractors, and sub-tier suppliers handling CUI — Level 2 is where you are building your service.
Who Has to Comply and When
Every DoD contract that involves CUI will require CMMC Level 2 certification once the contract contains the CMMC clause. The DoD started including CMMC clauses in new contracts in 2025 and is accelerating rollout across new awards and renewals.
The practical question is not whether CMMC applies to your client but whether their contract is up for renewal in the next 12-18 months. Any contract with a DoD prime — or any sub flowing CUI down the supply chain — is in scope.
Prime contractors are contractually responsible for ensuring their subcontractors and suppliers handling CUI are also certified. That is the pressure point: primes are actively pushing CMMC requirements down to their supply chains, and suppliers who cannot demonstrate compliance are losing contract eligibility.
The urgency is real. A client who does not have Level 2 certification when their contract comes up for renewal will not be awarded the contract.
The 110 Controls: What Is Actually Required
NIST SP 800-171 Rev 2 organizes the 110 practices across 14 domains (CMMC Level 2 is assessed against Rev 2 even though NIST has since published Rev 3). Understanding where most SMB defense contractors have gaps tells you where to focus first.
Access Control (22 practices) — who can access what, under what conditions, with what enforcement. Least privilege, session management, remote access controls, and mobile device management all live here. This is consistently the highest-gap domain. Most small defense contractors have excessive admin rights, no documented access control policy, and remote access running without enforced MFA.
Awareness and Training (3 practices) — user training on threats, procedures, and responsibilities for handling CUI.
Audit and Accountability (9 practices) — event logging, log review, protection of audit logs, and user accountability. Most SMBs have no centralized logging. Endpoint logs exist in isolation; no SIEM aggregating and alerting.
Configuration Management (9 practices) — baseline configurations, change management, least functionality, and software execution policies. Very few small contractors have documented configuration baselines. Software inventory is typically informal.
Identification and Authentication (11 practices) — unique identification of users and devices, MFA for all network access and for privileged accounts whether local or network (3.5.3), replay-resistant authentication, and password management. MFA that covers only the VPN and admin accounts earns partial credit under the DoD scoring methodology, not full credit.
Incident Response (3 practices) — response capabilities, incident handling, testing.
Maintenance (6 practices) — controlled maintenance, sanitization of maintenance equipment.
Media Protection (9 practices) — protection of media containing CUI, sanitization before disposal.
Personnel Security (2 practices) — screening, personnel actions.
Physical Protection (6 practices) — physical access, environmental controls, visitor management.
Risk Assessment (3 practices) — risk assessments, vulnerability scanning.
Security Assessment (4 practices) — security plan, control effectiveness, plan of action and milestones.
System and Communications Protection (16 practices) — network segmentation, boundary protection, encryption in transit, DNS filtering. Network segmentation is consistently missing. CUI systems sit on the same flat network as general business systems, which expands scope unnecessarily.
System and Information Integrity (7 practices) — malware protection, security alerts, patch management, software integrity.
For most SMBs in the defense supply chain, the highest-gap domains are Access Control, Configuration Management, Audit and Accountability, and System and Communications Protection. A thorough gap assessment against all 110 controls typically reveals 30-60 findings for a 25-100 person defense contractor.
Building the Service Line: Phase Structure
Phase 1: Scoping and Gap Assessment (4-6 weeks)
Before any remediation work, the CUI boundary needs to be defined. Where does the client receive, store, process, or transmit CUI? What systems are in scope? What people have access to those systems?
This is the single most important decision in a CMMC engagement. A larger, poorly-scoped system boundary means more systems to protect, more controls to implement, more complexity in the assessment. A clean, defensible boundary — often achieved through network segmentation that isolates CUI from general business systems — reduces assessment scope and implementation cost significantly. Some clients can shrink a 200-device environment to a 15-device CUI enclave with targeted architecture work.
Once the boundary is defined, run a gap assessment against the 110 practices. Document current state for each practice, identify what is missing, and calculate the client's score under the DoD NIST SP 800-171 Assessment Methodology: start at 110 and subtract 1, 3 or 5 points for each requirement not met, which puts the possible range at -203 to 110. DFARS 252.204-7019 and 252.204-7020 require that score to be posted in the Supplier Performance Risk System (SPRS), where prime contractors use it to evaluate subcontractor posture and where the C3PAO will compare it against what it actually finds. An honest current-state score is the starting point; a score inflated to satisfy a prime, with no implementation behind it, is False Claims Act exposure.
Phase 2: Remediation and SSP Development (60-120 days)
Work through gap findings systematically. Technical gaps — MFA, endpoint protection, log management, network segmentation, patch management — are the highest-risk items and need to go first. Policy gaps — written System Security Plan, incident response plan, configuration management procedures — run parallel.
The System Security Plan is the central compliance artifact. It documents every control: how it is implemented, who owns it, what evidence exists. The SSP is what the C3PAO reviews during the assessment. It needs to be accurate, complete, and defensible. Generic language fails C3PAO review — the SSP must name specific technology, describe specific processes, and identify specific responsible individuals.
The Plan of Action and Milestones (POA&M) documents what is not yet implemented and the timeline for closure. During remediation it tracks outstanding items. By assessment time it should be nearly empty, and the rule leaves little room: a Conditional Level 2 status is only possible if the score is at least 88, every open item is a 1-point requirement (the one exception is 3.13.11, FIPS-validated cryptography, which may stay open at partial credit), and none of 3.1.20, 3.1.22, 3.10.3, 3.10.4 or 3.10.5 is open. Anything outside those limits is a failed assessment, not a POA&M entry.
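As an added example (not code from this page, from GetCybr, or from any DoD tool), the following Python computes the score described in the Phase 1 SPRS paragraph and applies the POA&M limits above. The ten requirement weights are a constructed sample and are labelled as such in the code; the authoritative weights for all 110 requirements come from Annex A of the DoD Assessment Methodology, and the eligibility thresholds follow 32 CFR 170.21 as summarized above. The three scenarios are likewise constructed.

```python
"""
SPRS score and CMMC Level 2 POA&M eligibility check (added example).

Scoring follows the DoD NIST SP 800-171 Assessment Methodology: start at 110
and subtract each unmet requirement's weight (1, 3 or 5), so scores run from
-203 to 110. Partial credit (3 deducted instead of 5) exists for exactly two
requirements: 3.5.3 when MFA covers remote and privileged access but not all
network access, and 3.13.11 when CUI is encrypted but not FIPS-validated.
POA&M eligibility for Conditional Level 2 follows 32 CFR 170.21: score >= 88,
no open item above 1 point except 3.13.11 at partial credit, and none of
3.1.20, 3.1.22, 3.10.3, 3.10.4 or 3.10.5 open.
"""
from __future__ import annotations

MAX_SCORE = 110
MIN_POAM_SCORE = 88  # 0.8 * 110
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
VALID_STATES = {"MET", "NOT_MET", "PARTIAL"}

# Constructed sample: ten of the 110 requirements with illustrative weights.
# A real assessment loads all 110 from Annex A of the Assessment Methodology.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # establish and maintain configuration baselines
    "3.5.3": 5,    # multifactor authentication
    "3.10.3": 1,   # escort and monitor visitors
    "3.13.1": 5,   # monitor and protect communications at system boundaries
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify and correct system flaws in a timely manner
}


def deduction(req: str, state: str, weights: dict[str, int]) -> int:
    """Points lost for one requirement in the given state."""
    if state not in VALID_STATES:
        raise ValueError(f"{req}: unknown state {state!r}")
    if state == "MET":
        return 0
    if state == "PARTIAL":
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req}: partial credit only for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[req]
    return weights[req]


def sprs_score(status: dict[str, str], weights: dict[str, int]) -> int:
    """110 minus the deductions for every requirement that is not fully MET."""
    if set(status) != set(weights):
        raise ValueError("status and weights must cover the same requirements")
    return MAX_SCORE - sum(deduction(r, s, weights) for r, s in status.items())


def poam_eligible(status: dict[str, str], weights: dict[str, int]) -> tuple[bool, list[str]]:
    """(eligible, reasons) for a Conditional Level 2 status under 32 CFR 170.21."""
    reasons: list[str] = []
    score = sprs_score(status, weights)
    if score < MIN_POAM_SCORE:
        reasons.append(f"score {score} is below the {MIN_POAM_SCORE} floor")
    for req, state in sorted(status.items()):
        if state == "MET":
            continue
        points = deduction(req, state, weights)
        if req in NEVER_ON_POAM:
            reasons.append(f"{req} may never be left open on a POA&M")
        elif points > 1 and not (req == "3.13.11" and state == "PARTIAL"):
            # 3.13.11 at partial credit is the only >1-point item allowed to stay open
            reasons.append(f"{req} is open at {points} points; only 1-point items may remain")
    return (not reasons, reasons)


def with_overrides(weights: dict[str, int], overrides: dict[str, str]) -> dict[str, str]:
    """Status map with every requirement MET except the listed overrides."""
    status = {req: "MET" for req in weights}
    status.update(overrides)
    return status


# Constructed scenarios for a small defense contractor.
INTAKE = with_overrides(SAMPLE_WEIGHTS, {
    "3.1.20": "NOT_MET",   # staff sync CUI to personal cloud drives
    "3.3.1": "NOT_MET",    # no centralized logging
    "3.4.1": "NOT_MET",    # no documented baselines
    "3.5.3": "PARTIAL",    # MFA on the VPN and admin accounts only
    "3.13.11": "NOT_MET",  # CUI file server unencrypted
    "3.14.1": "NOT_MET",   # ad hoc patching
})
REMEDIATED = with_overrides(SAMPLE_WEIGHTS, {"3.13.11": "PARTIAL"})  # encrypted, not FIPS-validated
MFA_PARTIAL = with_overrides(SAMPLE_WEIGHTS, {"3.5.3": "PARTIAL"})   # same 3 points, different outcome

if __name__ == "__main__":
    for name, status in (("intake", INTAKE), ("remediated", REMEDIATED), ("mfa-partial", MFA_PARTIAL)):
        ok, why = poam_eligible(status, SAMPLE_WEIGHTS)
        print(f"{name}: score={sprs_score(status, SAMPLE_WEIGHTS)} eligible={ok} {why}")
```

Running it shows the asymmetry that trips up clients: 3.5.3 and 3.13.11 both lose only 3 points at partial credit, so both scenarios score 107, but only the encryption item may remain open on a POA&M. An MFA rollout that stops at the VPN and the admins is a failed assessment, not a conditional pass.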
Phase 3: Assessment Preparation and C3PAO Coordination
For Level 2 contracts requiring third-party assessment, the C3PAO engagement needs to be managed. C3PAO availability is constrained — there were roughly 60-70 authorized C3PAOs as of early 2026, and demand significantly exceeds supply. Clients should plan for 4-6 months lead time to schedule an assessment.
Assessment preparation includes finalizing the SSP, ensuring all evidence is collected and organized, conducting an internal mock assessment to identify last-minute gaps, and briefing the personnel who will interact with assessors on what to expect. Assessors will interview employees, review documentation, and request demonstrations of control implementation. Employees who do not know how to answer assessor questions — or who give inconsistent answers — are a significant risk.
Some MSPs have built direct relationships with specific C3PAOs, which helps with scheduling predictability and creates a referral dynamic. If CMMC is a priority service line for your practice, a C3PAO partnership is worth formalizing.
The assessment itself typically takes 2-5 days. Post-assessment, the C3PAO records the results in the CMMC instance of eMASS, and the resulting status is reflected in SPRS. A Conditional status requires the open POA&M items to be closed and verified by the C3PAO in a closeout assessment within 180 days; if that window lapses, so does the status. A Final status is valid for three years, with an annual affirmation of continuing compliance required in between.
Phase 4: Ongoing Compliance Maintenance (monthly retainer)
CMMC certification is not a one-time event. The SSP must reflect the current state of the environment: when systems change, the SSP changes. A senior official must submit an annual affirmation of continuing compliance in SPRS, and that affirmation is a certification to the government, so it carries the same False Claims Act exposure as the original score. Vulnerabilities need to be tracked and remediated against documented timelines. The incident response plan needs to be tested. Configuration baselines need to be maintained.
The retainer delivers: continuous monitoring, patch management against documented baselines, quarterly SSP reviews, annual security awareness training, vulnerability scan coordination, and incident response plan maintenance. It also provides continuity between three-year assessment cycles — when the next C3PAO assessment comes around, the client’s posture is current, not rebuilt from scratch.
Pricing the Service
CMMC engagements are large compared to standard managed services work. Budget accordingly.
Scoping and gap assessment: $3,000–$6,000 for a 25-100 person company. Multi-site or complex environments run higher.
Remediation and SSP development: $8,000–$25,000+ depending on gap count and technical complexity. Network segmentation projects, SIEM deployment, and identity infrastructure work can each run $5,000–$15,000 on their own.
Assessment preparation: $2,500–$5,000 for mock assessment, evidence organization, and C3PAO coordination support.
Monthly retainer: $1,500–$4,000/month depending on environment size and scope.
Total first-year revenue per client: $25,000–$60,000 in project fees plus the recurring retainer. For MSPs serving the defense supply chain, five clients at this level generate meaningful new revenue, and the retainer provides sticky long-term income that continues through the three-year certification cycle.
What Most MSPs Get Wrong
Starting remediation before scoping. The boundary defines everything. MSPs who jump straight into control implementation without a clean boundary definition create unnecessary work and, in some cases, end up protecting systems that did not need to be in scope at all. Boundary scoping is not administrative — it is the highest-leverage decision in the engagement.
Underestimating the SSP. The System Security Plan is not a compliance template you fill in once and file. It needs to accurately reflect how each control is implemented, with specific technology names, process descriptions, and responsible personnel. Assessors will compare what the SSP says to what they observe and what employees tell them. Gaps between documentation and reality are findings.
Inflating the SPRS score. Some contractors submit SPRS scores that do not reflect actual implementation because they are under pressure from primes to show compliance. This is a False Claims Act liability, not a compliance shortcut. MSPs who advise clients on SPRS scoring need to make this clear.
Ignoring subcontractor flow-down. Your client may be a prime or a tier-one sub, but they also have suppliers. If those suppliers handle CUI on their behalf, your client is responsible for ensuring those suppliers are CMMC compliant. That conversation needs to happen early in the engagement, not after the prime starts asking questions.
Treating certification as a one-time project. Three-year certification cycles create the illusion that the work is done after assessment. In reality, any system change, personnel change, or new technology adoption requires SSP updates. The retainer is not optional — it is how you protect the certification and the client’s contract eligibility.
Why 2026 Is the Turning Point
DoD is including CMMC clauses in contracts at scale. Prime contractors are flowing requirements down to their supply chains. Defense contracts coming up for renewal in 2026 and 2027 will require certification that does not exist yet for most small defense contractors.
The market is large, the urgency is contractually mandated, and most defense-sector SMBs have exactly one IT partner: their MSP. If that MSP cannot guide them through CMMC, they will find someone who can — and that someone will replace the MSP on everything else too.
CMMC compliance is not just a service line. For MSPs serving the defense industrial base, it is a relationship anchor.
GetCybr maps the 110 NIST SP 800-171 practices to specific controls, evidence requirements, and SSP templates per client. MSPs can manage multiple defense contractor clients from one dashboard, track compliance posture and POA&M items, and generate assessment-ready documentation. When the C3PAO assessment arrives, the SSP is current and the evidence is organized.