This is a very sensitive topic for an extraordinary number of Managed Service Providers (MSPs) and Managed Security Services Providers (MSSPs) who cannot get NIST 800-171 / CMMC right. The common issue is motivational: many MSPs/MSSPs view CMMC as a “client problem” and fundamentally misunderstand that NIST 800-171 / CMMC is an MSP/MSSP problem that cannot be ignored and isn’t going away.
MSPs and MSSPs sit at the intersection of the Security, Compliance & Resilience (SCR) model for every client they serve. They are not bystanders to their clients' compliance obligations. They are participants, often the primary participants.
When an MSP manages a client's IT infrastructure, that MSP holds the "keys to the kingdom," meaning administrative access to systems, networks, and data that are directly in scope for NIST 800-171 and CMMC. This makes the MSP a critical component of the client's security posture and an obligated party under DFARS contract requirements.
The SCF provides MSPs and MSSPs with the tools to manage this responsibility properly: a Shared Responsibility Matrix (SRM) structure aligned to CMMC Assessment Objectives, SCF control mappings that satisfy both the MSP's own compliance obligations and those of their clients, and the Security, Compliance & Resilience Management System (SCRMS) implementation structure to operationalize it all.
MSPs/MSSPs must demonstrate that their own operations meet NIST 800-171 and CMMC requirements, not just their clients'. Administrative access, RMM tools, and shared infrastructure all expand scope.
The DFARS clause creates contractual compliance obligations. The False Claims Act creates legal liability. The SCF's NIST SP 800-171 and CMMC mappings provide the control evidence structure that a CMMC assessor will examine.
MSPs/MSSPs are responsible for the resilience of client operations. Incident response, Disaster Recovery (DR), and Business Continuity (BC) obligations flow through managed service agreements. The SCRMS provides the operational structure to document, assign, and test resilience responsibilities.
One Framework. Every Client.
Rather than building separate compliance programs for each client's CMMC obligations, MSPs/MSSPs that implement the SCF establish a single, rationalized baseline that satisfies NIST 800-171, CMMC Level 2, and DFARS requirements. The Shared Responsibility Matrix structure flows directly from SCF control assignments.
The following information is specifically tailored for MSPs/MSSPs.
Your client took US taxpayer money to produce products and/or services as part of a prime or sub-contract. They contractually obligated themselves to meet certain cybersecurity compliance obligations (e.g., DFARS clauses). It might not be a pleasant discussion, but your client has to accept these are legal requirements with real repercussions. Their discomfort with the compliance burden does not dissolve the obligation.
You took money from your client to get them compliant with NIST SP 800-171 & CMMC. That creates an obligation to provide competent services and guidance for their IT and cybersecurity compliance needs. If you don’t like supporting DFARS/FAR contract requirements, the solution is simple: don’t take on clients with those obligations. If you do take them on, you must deliver.
The False Claims Act (FCA) can affect both you and your client. If your client doesn’t want to meet requirements as part of a government contract, they are potentially running afoul of the FCA. As an MSP/MSSP, if your products and/or services “caused the submission of the false claim,” then you are potentially running afoul of the FCA as well.
Civil FCA liability can include triple damages plus per-claim penalties. Criminal FCA violations carry prison time. If an MSP/MSSP knowingly provided non-compliant services that allowed a client to falsely certify CMMC compliance, the MSP/MSSP may share in that liability.
Think through this section from the perspective of: “How am I, as an MSP/MSSP, going to successfully support my client during pre-certification activities, during the assessment itself, and in the ongoing care and feeding of their controls to keep them compliant?”
When the time comes for the third-party CMMC assessment, as an MSP/MSSP you will be a central figure in that assessment. This means you need to be a subject matter expert on your client’s business practices and how the technology supports them. If you shrug your shoulders and don’t know, there is a good chance you and your client have improperly scoped the environment.
This should be self-evident, but just read the material. If you won't educate yourself on the requirements, you are not providing the services your clients are paying for. You must read NIST SP 800-171 (the core requirements), NIST SP 800-171A (the assessment criteria), and the CMMC Assessment Guide (what assessors will actually evaluate). The SCF provides a rationalized, pre-mapped control set that eliminates the need to independently decode each requirement.
NIST 800-171 and CMMC are not the same as HIPAA, SOX, or GLBA. CMMC is fundamentally about where CUI lives, flows, and is protected, not about checking broad organizational security boxes. To get a solid handle on scoping and the data-centric approach, read the Unified Scoping Guide (USG). Understanding scope is the prerequisite to everything else.
NIST 800-171 / CMMC is different from other compliance requirements. The "normal" tools in your MSP toolkit may not work, not because they are technically insecure, but because they will not be compliant (e.g., encryption requirements, FIPS-validated cryptography, scope creep from RMM tools). Your RMM is likely in scope for CMMC, which pulls your entire RMM infrastructure and usage practices into scope for your clients.
You are NOT immune to NIST 800-171 & CMMC. You have the “keys to the kingdom” for your clients’ data, systems, and network infrastructure, which means your services are in scope. You need well-documented policies, standards, and procedures (evidence of due diligence) and the ability to demonstrate how security is operationalized daily (evidence of due care). If you cannot pass a CMMC 2.0 Level 2 assessment yourself, it is highly unlikely your clients can either.
Document roles and responsibilities contractually, specifically what your organization is obligated to perform for NIST 800-171 / CMMC-related activities. If the obligations are not written down, you are exposed to irate clients claiming you were responsible for things you believe are their job. Include SLA definitions for CMMC-related activities.
Every one of the several hundred control objectives that make up CMMC Level 2 requirements must be assigned to either the client or your organization, down to the Assessment Objective (AO) level. This should be documented as a contract addendum, formally agreed to by both parties. The SCF's control structure, with its pre-mapped CMMC Assessment Objective assignments, provides the foundation for building this matrix efficiently and accurately.
The SCF's Security, Compliance & Resilience Management System (SCRMS) provides the implementation structure for shared responsibility documentation. Combined with the SCF's CMMC control mappings, MSPs/MSSPs can create client-specific responsibility matrices grounded in the actual assessment criteria.