Key Takeaways
Zero Trust is no longer a vendor buzzword — it's showing up in cyber insurance questionnaires, CMMC 2.0 requirements, and enterprise procurement checklists. MSPs who treat it as a project they help clients complete are leaving recurring revenue on the table. This guide covers how to build a repeatable Zero Trust managed service line: what the NIST 800-207 framework actually demands, how to structure the delivery, which tools matter, and how to price and package it for SMB clients who genuinely need it.
Most SMB networks were built the same way. A firewall at the perimeter, VPN for remote access, flat internal network, and an implicit assumption that everything inside the boundary could be trusted. That model worked well enough when employees sat in offices and applications lived on-premises. It stopped working around 2019 and completely collapsed by 2021.
Your clients probably still run something close to this architecture. And so do most of their competitors. The difference now is that cyber insurers, enterprise procurement teams, and compliance frameworks are starting to ask whether “trust but verify at the perimeter” is still acceptable. The answer, increasingly, is no.
Zero Trust is the replacement model. NIST 800-207 is the authoritative definition. And MSPs who treat Zero Trust as a one-time migration project rather than an ongoing managed service are misreading both the technical requirements and the commercial opportunity.
Here is how to build a Zero Trust managed service line that generates recurring revenue, satisfies compliance requirements, and positions you as the security partner your clients cannot afford to replace.
What NIST 800-207 Actually Requires
Zero Trust gets thrown around in vendor marketing to mean almost anything. Microsoft calls Conditional Access a Zero Trust feature. Palo Alto describes their firewall as Zero Trust-ready. Cloudflare’s landing page uses the phrase seventeen times. This noise makes it harder to explain the concept to clients — and harder to sell a coherent service.
NIST 800-207, published by the National Institute of Standards and Technology, cuts through the noise. It defines Zero Trust as an architecture built on seven tenets:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy based on identity, application, and behaviour.
- The enterprise monitors and measures the integrity and security posture of all assets.
- All resource authentication and authorisation are dynamic and strictly enforced.
- The enterprise collects information about the current state of assets and uses it to improve security posture.
The practical translation: no implicit trust based on network location, continuous verification before every access decision, and comprehensive visibility across every asset and user. That is a significant shift for most SMBs — and a significant amount of ongoing management that they cannot handle themselves.
The Five Pillars MSPs Need to Cover
CISA’s Zero Trust Maturity Model, which builds on NIST 800-207, organises implementation around five pillars. These map neatly to service delivery workstreams.
Identity. Every user and service account must be verified before accessing any resource. This means multi-factor authentication as a baseline, privileged identity management for admin accounts, and conditional access policies that evaluate device health and behaviour before granting access. For most SMB clients, this alone is a 12-month implementation project. The ongoing management — reviewing access policies, onboarding and offboarding users correctly, monitoring for compromised credentials — is the recurring service.
Device. Zero Trust requires that every endpoint accessing resources is known, managed, and assessed for compliance. Unmanaged personal devices should have no path to corporate data. Managed devices should be health-checked before each access session. This means MDM deployment (Intune, Jamf) and endpoint detection and response (EDR) with real-time posture assessment. Again: deployment is a project, ongoing management is the service.
Network. Traditional network segmentation drew lines between VLANs. Zero Trust network segmentation is micro-segmentation — workloads can only communicate with the specific resources they need, nothing else. East-west traffic (internal movement between systems) is the kill zone for ransomware. Micro-segmentation closes it. For SMB clients this typically means software-defined perimeter solutions (Cloudflare Access, Zscaler, Palo Alto Prisma) replacing or supplementing VPNs, plus DNS filtering and encrypted traffic inspection.
Application. Applications should not be accessible from the public internet unless explicitly required. Zero Trust application access means publishing apps through an access proxy that enforces identity verification before any connection is established. Users never access the application directly — they authenticate to the proxy, which validates their identity, device posture, and policy, then establishes a proxied connection. This removes the application from the attack surface entirely.
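The Identity, Device and Application pillars above describe one flow: a request reaches a proxy, the proxy asks a policy engine whether this identity on this device may have this resource for this session, and only a grant opens a connection. The following Python script is an added illustration of that flow written for this guide; it is not code from the original article or from any vendor product, and every user, device, policy and timestamp in it is constructed sample data. It models a NIST 800-207 policy decision point (`evaluate`) and enforcement point (`AccessProxy`) with per-session grants that expire and a default-deny for unknown resources.

```python
"""Added example for this guide: a toy NIST 800-207 policy decision point
(PDP) and access proxy (PEP). Not the article's or any vendor's code; all
sample users, devices, policies and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import uuid


@dataclass(frozen=True)
class Identity:
    user: str
    mfa_verified: bool            # MFA completed for this session
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool                 # enrolled in MDM (e.g. Intune)
    edr_healthy: bool             # EDR agent present, reporting, not passive
    os_patched: bool


@dataclass(frozen=True)
class Policy:
    resource: str
    allowed_roles: frozenset = frozenset()   # empty = any authenticated role
    require_mfa: bool = True
    require_managed_device: bool = True
    require_edr: bool = True
    session_ttl: timedelta = timedelta(minutes=60)


@dataclass
class Decision:
    allowed: bool
    reasons: list
    session_id: Optional[str] = None
    expires_at: Optional[datetime] = None


def evaluate(policy: Policy, identity: Identity, device: DevicePosture,
             now: Optional[datetime] = None) -> Decision:
    """PDP: network location is never an input; only identity, posture and policy are."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if policy.require_mfa and not identity.mfa_verified:
        reasons.append("mfa_not_verified")
    if policy.require_managed_device and not device.managed:
        reasons.append("device_unmanaged")
    if policy.require_edr and not device.edr_healthy:
        reasons.append("edr_unhealthy")
    if not device.os_patched:
        reasons.append("os_unpatched")
    if policy.allowed_roles and not (identity.roles & policy.allowed_roles):
        reasons.append("role_not_permitted")
    if reasons:
        return Decision(False, reasons)
    # Per-session grant: a fresh session id and a short expiry force re-evaluation.
    return Decision(True, ["all_checks_passed"], str(uuid.uuid4()),
                    now + policy.session_ttl)


class AccessProxy:
    """PEP: the application is only ever reached through this proxy."""

    def __init__(self, policies: dict):
        self.policies = policies      # resource name -> Policy
        self.audit_log: list = []     # every decision, feeds the monthly access review

    def connect(self, resource: str, identity: Identity, device: DevicePosture,
                now: Optional[datetime] = None) -> Decision:
        policy = self.policies.get(resource)
        if policy is None:
            decision = Decision(False, ["unknown_resource"])   # default deny
        else:
            decision = evaluate(policy, identity, device, now)
        self.audit_log.append({"resource": resource, "user": identity.user,
                               "device": device.device_id,
                               "allowed": decision.allowed, "reasons": decision.reasons})
        return decision


def session_still_valid(decision: Decision, now: datetime) -> bool:
    """Grants expire; an expired session must go back through the PDP."""
    return decision.allowed and decision.expires_at is not None and now < decision.expires_at


# Constructed sample data (hypothetical resource, users and devices)
T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
PAYROLL = Policy("payroll-app", allowed_roles=frozenset({"finance"}),
                 session_ttl=timedelta(minutes=30))
PROXY = AccessProxy({"payroll-app": PAYROLL})
ALICE = Identity("alice", mfa_verified=True, roles=frozenset({"finance"}))
ALICE_NO_MFA = Identity("alice", mfa_verified=False, roles=frozenset({"finance"}))
MANAGED_LAPTOP = DevicePosture("lt-0042", managed=True, edr_healthy=True, os_patched=True)
PERSONAL_PHONE = DevicePosture("byod-7", managed=False, edr_healthy=False, os_patched=True)

if __name__ == "__main__":
    for ident, dev in [(ALICE, MANAGED_LAPTOP), (ALICE_NO_MFA, MANAGED_LAPTOP),
                       (ALICE, PERSONAL_PHONE)]:
        d = PROXY.connect("payroll-app", ident, dev, now=T0)
        print(ident.user, dev.device_id, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The denial reasons are the useful part operationally: they are what a monthly access review report is built from, and they show a client exactly why an unmanaged phone or a non-MFA login never reached the application. Real products (Conditional Access, Cloudflare Access, ZTNA gateways) add signals such as sign-in risk and location, but the shape of the decision is the same.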
Data. The final pillar is ensuring that data is classified, that classification drives access policy, and that data handling is monitored. For SMB clients this usually starts with Microsoft Purview or similar DLP tooling and focuses on regulated data types: personal data (GDPR, HIPAA), payment card data (PCI DSS), or controlled unclassified information (CMMC).
You do not need to implement all five pillars on day one. The CISA maturity model has three levels — Traditional, Advanced, and Optimal — and most SMB clients are at Traditional across all five pillars when you start. The service is the journey from Traditional toward Optimal, managed on a continuous basis.
Building the Service: Three Tiers
A Zero Trust managed service should have at least two billable tiers, with a clear path to a third.
Tier 1 — Zero Trust Foundations (£1,500–£2,500/month per client)
This is the baseline. Covers Identity and Device pillars. Deliverables:
- MFA deployed across all users and admin accounts
- Conditional access policies configured and monitored
- MDM deployment and device compliance enforcement
- EDR deployed with 24/5 alert monitoring
- Monthly access review report
- Quarterly posture score against CISA maturity model
This tier is accessible to any SMB client and defensible to cyber insurers. It maps directly to the “basic cyber hygiene” requirements in most insurance questionnaires and satisfies the identity and endpoint controls in NIST CSF, SOC 2 CC6, and CMMC Level 1.
Tier 2 — Zero Trust Architecture (£3,000–£5,000/month per client)
Adds Network and Application pillars. Deliverables above, plus:
- SDP/ZTNA solution deployed (VPN replacement or overlay)
- Micro-segmentation implemented for critical workloads
- Application access proxied through Zero Trust gateway
- DNS filtering and secure web gateway
- Privileged access workstation (PAW) policy for admin accounts
- Bi-annual network architecture review
This tier is relevant for clients in regulated industries (HIPAA, PCI, CMMC Level 2), clients who have experienced a breach, or clients with enterprise customers scrutinising their security posture.
Tier 3 — Zero Trust Operations (£5,000–£8,000/month per client)
Adds Data pillar and shifts from implementation to continuous optimisation. Deliverables above, plus:
- Data classification and DLP policy management
- Continuous monitoring of access anomalies
- Monthly Zero Trust maturity report with roadmap
- Incident response retainer (covered separately or bundled)
- Quarterly executive briefing with metrics
This tier is for clients who need to demonstrate Zero Trust maturity to regulators, enterprise buyers, or their own board. The monthly report is your deliverable — it justifies the fee every month and creates a paper trail that’s worth something in a breach investigation or audit.
The Client Onboarding Process
Every Zero Trust engagement starts the same way: a maturity assessment. This is a billable discovery engagement (£1,500–£3,000 as a standalone) that assesses the client’s current state across all five CISA pillars and produces a scored baseline. The output is a 12-month roadmap with clear milestones and a recommended service tier.
The maturity assessment serves three purposes. First, it surfaces the current risk exposure — clients often have no idea that unmanaged personal devices have access to their Microsoft 365 tenant, or that their admin accounts have no MFA. Second, it creates a baseline that lets you demonstrate progress over time. Third, it is the sales conversation. You are not pitching a product. You are presenting a gap analysis and a remediation plan.
When scoping the assessment, ask these questions upfront:
- How many users, devices, and applications are in scope?
- Are there any regulatory compliance requirements (HIPAA, PCI, CMMC, NIST 800-171)?
- What is the existing identity infrastructure (Active Directory, Entra ID, Okta)?
- Are there any third-party contractors or supply chain partners who access internal systems?
- Has the organisation experienced a security incident in the last 24 months?
The answers determine scope, tier recommendation, and urgency. A healthcare MSP client with 80 users, a mix of personal and managed devices, and a HIPAA audit scheduled for Q4 is a Tier 2 conversation. A professional services firm with 30 users, no compliance requirements, and a prior ransomware event is a Tier 1 conversation with a fast path to Tier 2.
Tooling Stack
You do not need to build your own Zero Trust platform. The tooling exists. What you are selling is the expertise to configure, manage, and report on it correctly.
A practical MSP stack for the UK and US markets:
- Identity: Microsoft Entra ID (included in M365 Business Premium), with Conditional Access and Entra ID Protection
- Device: Microsoft Intune (MDM/MAM, included in M365 Business Premium) + CrowdStrike Falcon Go or Microsoft Defender for Business (EDR)
- Network/Application: Cloudflare Zero Trust (competitive pricing, strong SMB story) or Zscaler for Business for larger clients
- Data: Microsoft Purview (included in M365 E3/E5 or available as add-on)
- Monitoring: Sentinel or Defender for Cloud (SIEM/XDR layer)
If your clients are already on Microsoft 365 Business Premium, they have most of the Tier 1 tooling included. The value you add is configuring it correctly — most SMB M365 tenants have Conditional Access disabled, Intune not enrolled, and Defender running in passive mode. You are not selling new licences. You are activating and managing the licences they already own.
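The gaps named above (Conditional Access not enforced, no compliant-device requirement) are the first things a readiness review looks for in an exported policy set. The script below is an added example written for this guide, not code from the original article or from Microsoft; it assumes the policies have been exported in the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`displayName`, `state`, `conditions.users`, `conditions.applications`, `grantControls.builtInControls`) and checks for an enforced MFA policy covering all users, MFA coverage of admin roles, unexplained exclusions, and an enforced compliant-device requirement. The three policies and the role and account identifiers in it are constructed placeholders, not values from a real tenant.

```python
"""Added example for this guide: a gap check over exported Conditional Access
policies. Not the article's or Microsoft's code. Record shape follows the
Graph conditionalAccessPolicy resource; all sample values are constructed."""
import copy

ENFORCED = "enabled"
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed placeholders standing in for real directory role template ids.
ROLE_GLOBAL_ADMIN = "role-id-global-admin-PLACEHOLDER"
ROLE_SECURITY_ADMIN = "role-id-security-admin-PLACEHOLDER"
ADMIN_ROLE_IDS = {ROLE_GLOBAL_ADMIN, ROLE_SECURITY_ADMIN}

SAMPLE_POLICIES = [
    {   # Right idea, but left in report-only mode: nothing is enforced.
        "displayName": "Require MFA for all users",
        "state": REPORT_ONLY,
        "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enforced, but covers only one admin role and excludes an account.
        "displayName": "Require MFA for admins",
        "state": ENFORCED,
        "conditions": {"users": {"includeUsers": [], "includeRoles": [ROLE_GLOBAL_ADMIN],
                                 "excludeUsers": ["break-glass-account-id-PLACEHOLDER"]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Device compliance requirement exists but is switched off.
        "displayName": "Require compliant device",
        "state": "disabled",
        "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [], "excludeUsers": []},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]


def _controls(policy):
    return (policy.get("grantControls") or {}).get("builtInControls", [])


def enforced(policy, control):
    """Enforced (not disabled or report-only), requires `control`, applies to all cloud apps."""
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    return policy.get("state") == ENFORCED and control in _controls(policy) and "All" in apps


def covers_all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def covers_roles(policy, role_ids):
    return set(role_ids) <= set(policy["conditions"]["users"].get("includeRoles", []))


def audit(policies, admin_role_ids):
    """Return a list of human-readable findings; an empty list means no gap found."""
    findings = []
    mfa = [p for p in policies if enforced(p, "mfa")]

    if not any(covers_all_users(p) for p in mfa):
        report_only = [p["displayName"] for p in policies
                       if p.get("state") == REPORT_ONLY and "mfa" in _controls(p)]
        msg = "No enforced Conditional Access policy requires MFA for all users"
        if report_only:
            msg += " (report-only: " + ", ".join(report_only) + ")"
        findings.append(msg)

    if not any(covers_all_users(p) or covers_roles(p, admin_role_ids) for p in mfa):
        findings.append("Admin roles are not all covered by an enforced MFA policy")

    for p in mfa:
        excluded = p["conditions"]["users"].get("excludeUsers", [])
        if excluded:
            findings.append("'%s' excludes %d user(s); confirm these are documented "
                            "break-glass accounts" % (p["displayName"], len(excluded)))

    if not any(enforced(p, "compliantDevice") for p in policies):
        findings.append("No enforced policy requires an Intune-compliant device; "
                        "unmanaged devices can reach tenant data")
    return findings


def with_state(policies, display_name, state):
    """Copy of `policies` with one policy's state changed (used to model a remediation)."""
    updated = copy.deepcopy(policies)
    for p in updated:
        if p["displayName"] == display_name:
            p["state"] = state
    return updated


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICIES, ADMIN_ROLE_IDS):
        print("-", line)
```

Against the constructed sample this reports four gaps; turning the two inactive policies on leaves only the exclusion note, which is the expected state for a tenant with a documented break-glass account. Run against a real export, the finding list is the gap report the article treats as the proposal.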
Compliance Alignment
Zero Trust maps directly to the requirements that are creating demand in your pipeline:
CMMC 2.0 Level 2 (NIST 800-171): Access control (AC), identification and authentication (IA), and system and communications protection (SC) families all align with Zero Trust implementation. Clients in the US Defence Industrial Base who need CMMC Level 2 certification need Zero Trust architecture to satisfy the AC and IA controls. This is a strong upsell conversation if you serve manufacturing, aerospace, or defence supply chain clients.
Cyber Insurance: Lloyd’s, Chubb, and most US cyber insurers now include explicit questions about MFA, privileged access management, network segmentation, and endpoint detection in their application questionnaires. Tier 1 Zero Trust covers the questions that most insurers weight most heavily. Clients who have implemented Tier 1 typically see materially better renewal terms.
SOC 2 Type II: The CC6 (Logical and Physical Access) and CC7 (System Operations) criteria map directly to Identity and Device pillar controls. If you are helping clients pursue SOC 2, Zero Trust Tier 1 is not optional — it is the implementation of the controls the auditor will test.
NIST CSF 2.0: The Protect function, particularly PR.AC (Identity Management and Access Control) and PR.DS (Data Security), aligns with all five Zero Trust pillars. If you are delivering NIST CSF engagements, Zero Trust managed services are the implementation layer.
Pricing and Packaging
The recurring fee structure that works best is per-user-per-month, with a minimum commitment of 20 users. This gives you predictable revenue and scales with client growth.
Example pricing:
- Tier 1: £65–£90 per user per month (20-user minimum = £1,300–£1,800/month)
- Tier 2: £120–£160 per user per month (20-user minimum = £2,400–£3,200/month)
- Tier 3: £200–£250 per user per month (20-user minimum = £4,000–£5,000/month)
Onboarding fee: 1.5–2× first month’s recurring fee. This covers the maturity assessment, initial configuration, documentation, and knowledge transfer.
Adjust for US clients (use USD equivalents). CMMC-driven engagements typically support a 20–30% premium over the standard rates.
The anchor metric in your renewal conversations is the maturity score. If a client started at CISA Traditional Level (score: 1–2 out of 5) across all pillars and is now at Advanced Level (score: 3–4) in Identity and Device, that is a concrete, documented improvement that justifies the contract. No other managed security service gives you that kind of before-and-after evidence.
Getting Started
The fastest path to your first Zero Trust client is the existing one. You almost certainly manage at least one client who is on Microsoft 365, has cyber insurance up for renewal in the next six months, and has never properly configured Conditional Access or Entra ID Protection. Run a free 30-minute Zero Trust readiness review on their tenant — you will find gaps immediately. The gap report is the proposal.
The MSPs who win the next five years of SMB security spend will not be the ones who sell the most point tools. They will be the ones who sell a coherent architecture that clients can describe to their board, their insurer, and their enterprise customers. Zero Trust, implemented against NIST 800-207 and reported against CISA’s maturity model, is that architecture.
The question is not whether your clients need Zero Trust. They already do. The question is whether you are the one delivering it.
Ready to build a vCISO-backed Zero Trust practice? GetCybr gives MSPs the platform, frameworks, and reporting layer to deliver Zero Trust managed services at scale — without hiring a full-time security architect. Book a demo to see how it works.