
The MSP decision that decides your CMMC outcome.

Most defense contractors hand CMMC to their MSP and assume it's handled. Here are the eight stages of the journey, the three ways to structure the work, and the reason the wrong setup ends in a failed assessment you pay for twice.

$30–75K: what a third-party assessment costs before you fix a single thing
88 / 110: the minimum score to pass, even conditionally
$4.6M: one small contractor's settlement, partly over a vendor's gap

By Deepak Pal Singh · May 30, 2026 · 21 min read · 23 sources cited


Five takeaways before you read
  1. The MSP decision is the expensive one. Get it wrong and you pay for the assessment twice, plus a year you don't have.
  2. Your MSP is in your assessment scope whether or not they're certified. Their weak controls become your findings.
  3. "We handle CMMC" is not a credential. Ask for a named person's credential, a government-cloud answer, and a responsibility matrix.
  4. Choose your model on purpose. MSP-led, specialist-led-then-handover, or specialist-stays — all work; drift doesn't.
  5. The signature is always yours. No vendor can take the annual affirmation, or its exposure, off your desk.

A prime asks for your CMMC status. Or a solicitation comes back marked non-responsive. Or your IT person says the word for the first time and looks worried. However it lands on your desk, the first instinct is almost always the same: ask the MSP if they can handle it.

The MSP says yes. They usually do. A statement of work gets signed, a number gets agreed, and the problem feels solved. For a lot of defense contractors, that single moment — that one yes — is where the most expensive mistake in their whole CMMC journey gets made. Not because the MSP is dishonest. Because the question was never one an ordinary IT provider could answer.

This is the conversation that should happen before that yes. We’ve covered the decision to stay in defense work at all elsewhere; this picks up after you’ve decided to stay. No jargon, no fear-selling — just the map of what you’re actually deciding, what it costs to get it wrong, and the handful of questions that protect you.

Why this is the expensive decision

The first real decision in CMMC is whether to stay in defense work at all. The second is who leads the compliance work. And the second one quietly costs more contractors more money than any other, because of one feature of how CMMC works: you can fail it.

Here’s the shape of it. The third-party assessment itself runs roughly $30,000 to $75,000 before anyone has fixed a single thing. [5] If you fail, you pay again — a focused reassessment runs $10,000 to $30,000, on top of whatever it costs to fix what they found. [6] Then comes the part that hurts most: the wait. You re-prepare, you get back in your assessor’s queue, and the calendar keeps moving toward November 10, 2026, when third-party certification becomes mandatory for the contracts that require it. [3] A failed assessment is not a do-over next month. It can cost you most of a year — a year in which your prime is deciding whether to keep waiting on you, or move the work to a sub who is already certified. (If you’re still weighing whether that math even works for your contract mix, that’s the cost-and-recovery question.)

The MSP doesn't pay for the failed assessment. You do.

The MSP doesn’t lose the contract. You do.

That asymmetry is the whole reason this decision deserves an hour of your attention before you sign anything. The work can be done well by your MSP, by a specialist, or by the two of them together. What you cannot afford is to drift into one of those arrangements by accident, assuming someone has it, and finding out otherwise on assessment day.

The eight stages, start to certified

Most owners don’t struggle with the individual requirements — there are guides for those. What’s missing is the shape of the journey: what happens, in what order, and which calls are yours versus your team’s. This is the map. Hold these eight stages in your head and you can have a straight conversation with any vendor who walks through your door.

The journey: eight stages, and at each one the decision that's yours

Eight stages from "we just heard about CMMC" to a certificate you can defend.

  1. Read your contracts for the DFARS clauses (252.204-7012 and -7021). If you handle Federal Contract Information only, you may be Level 1. If you touch Controlled Unclassified Information, you're Level 2, which is where most contractors land.
     Your call: confirm which contracts actually trigger this. The wrong level burns the budget in both directions.
  2. Find every system, person, and process that touches CUI. This is the single biggest cost lever in the project. Wrap the whole company in scope and you over-pay; miss something and you fail. Many contractors carve out an enclave that holds CUI and nothing else.
     Your call: whole company, or a carved-out enclave? This one decision moves the price more than any other.
  3. Measure your current state against all 110 NIST SP 800-171 controls and calculate your SPRS score. This is what a Gap Assessment produces: an honest read on how far you are from the line.
     Your call: pick someone credible, and not the firm that will later assess you. That conflict isn't allowed. [2]
  4. Decide what gets fixed and where it lives. The big one is the platform for your CUI (GCC High, Azure Government, AWS GovCloud), plus how identity, encryption, and logging are built.
     Your call: sign off on the design and the budget. This is where the real money gets committed.
  5. Implement the missing controls: multi-factor authentication, conditional access, encryption, monitoring, backups, all configured inside your environment, not just bought. This is the heart of CMMC implementation.
     Your call: approve the purchases and name the internal owners. Tools without owners fail at assessment.
  6. Produce the System Security Plan, the Plan of Action and Milestones, your policies, and the evidence that proves the controls actually run. This is the most time-consuming stage, and the one contractors most underestimate.
     Your call: name your Affirming Official, usually the CEO or CFO. That's the person who signs. That's you.
  7. A mock run, an evidence walkthrough, then the official assessment by a certified third party. Book early; assessors schedule months out. [12]
     Your call: sign the affirmation. Your personal legal exposure starts the moment you do.
  8. Certification isn't a trophy on a shelf. You affirm every year, keep collecting evidence, and get reassessed every three years, which is the whole point of continuous compliance.
     Your call: keep the specialist on retainer, or hand the keys to a trained MSP? That's the decision below.

Where your MSP actually sits in all this

Here’s the part almost nobody explains clearly, and it’s the heart of the matter.

When the final CMMC rule was published, it dropped the requirement that your MSP hold its own certification. [9] A lot of owners heard that and relaxed. That was the wrong thing to relax about. The rule didn’t take your MSP out of the picture. It pulled your MSP into yours.

The moment your MSP manages your systems, its tools start collecting your logs, your configuration data, your patch status, the records of who logged in and when. The rule has a name for that: Security Protection Data. And any provider that handles your CUI or that Security Protection Data sits inside your assessment boundary — certified or not. [10] So when the assessor evaluates you, they’re also evaluating the slice of controls your MSP runs. If that slice is weak, those aren’t the MSP’s findings. They’re yours.

A control like…                       | Who often owns it | Whose finding if it fails
Multi-factor authentication on email  | Shared            | Yours
Centralized logging & monitoring      | MSP-run           | Yours
The cloud platform’s base controls    | Inherited         | Yours to prove
Your written access policy            | You               | Yours

This is why the rule also requires a Customer Responsibility Matrix — a document stating, control by control, exactly what the provider does and what you do. It’s not optional, and the assessor reads it first. [10] If your MSP can’t produce one, you don’t have a CMMC partner; you have an IT vendor with a CMMC page on its website. (Our free Shared Responsibility Matrix maps all 110 requirements to who’s responsible across each platform — the honest starting point for your own.)

The narrow exceptions

A provider that genuinely never touches your CUI or that protection data isn’t pulled into scope. The rule carves out a few cases — truly temporary access, staffing-only arrangements, and commercial off-the-shelf products. [11] But if your MSP runs monitoring tools on your machines, assume they’re in scope until someone proves otherwise.

Why most MSPs can’t lead this — even when they say they can

Let’s be fair about this. Your MSP may be excellent at what they do. Keeping your email up, your laptops patched, your network running — that’s real skill, and most of them earn their fee. CMMC is simply a different trade. It’s a credentialed compliance specialty, and the gap between “good at IT” and “can carry you through a CMMC assessment” is wider than it looks. Two things tell you which side of that gap a provider is on.

The environment

Commercial Microsoft 365 — the version most businesses already run — does not meet the Defense Department’s requirement for CUI on its own, and Microsoft says so plainly. [13] Most CUI work belongs in GCC High, a separate government cloud that, among other things, requires administrators who are U.S. persons with background checks. [13] That detail quietly disqualifies a lot of capable commercial MSPs. An MSP that talks about GCC High as “basically the same as the 365 you already have” has told you, in one sentence, that they haven’t done this before.

The credentials

The CMMC ecosystem has specific, verifiable credentials — Registered Practitioner, Certified CMMC Professional, Certified CMMC Assessor. As of early 2026 there were only around 760 certified assessors and just under 1,500 certified professionals across the entire country. [4] The pool of providers who genuinely hold these is small. Most MSPs don’t. That’s not an insult; it’s arithmetic.

Red flags when an MSP says "we've got your CMMC handled"
  • They can’t name a specific Cyber AB credential held by a named person who’ll work on your account.
  • They treat GCC High as interchangeable with commercial Microsoft 365.
  • They promise “we handle all 110 controls for you” with no written split of who owns what.
  • They can’t produce a Customer Responsibility Matrix.
  • They have no completed Level 2 client to point to.
  • Their price is roughly half the market — the tell that they’re scoping IT work, not compliance work.

None of this means fire your MSP. Plenty of MSPs are exactly the right partner for the day-to-day, and a good one is worth keeping for years. It means stop assuming the CMMC question and the IT question have the same answer.

The three ways to set this up

Once you accept that “who leads” is a real decision, there are only three workable answers. None is wrong. The wrong move is choosing one by default.

Model A · MSP leads everything
How it works: your MSP runs the whole thing, start to finish.
The catch: only safe if they clear the bar above, meaning real credentials, GCC High experience, their own house in order, and a signed responsibility matrix.
Fits when your MSP is genuinely a CMMC specialist, not an IT shop that added the word.

Model B (most common) · Specialist leads, then hands over
How it works: a specialist runs the implementation; your MSP keeps day-to-day IT. At the end, the specialist trains your MSP and hands over the keys.
The catch: needs a clean handover and a documented responsibility split.
Fits when you want senior expertise for the hard part and a lower-cost partner for the long run.

Model C · Specialist leads and stays
How it works: the specialist runs the build and stays on retainer for the annual cycle. Your MSP keeps the general IT.
The catch: an ongoing cost — but the cheapest insurance against a lapsed control on next year's signature.
Fits when you'd rather a senior name stand behind the work you're signing for, every year.

The honest deciding question: when the affirmation comes due each year, whose work do you want standing behind your signature? There’s no universally right answer — only the one you chose on purpose versus the one that happened to you.

What this looks like when it goes wrong

This isn’t hypothetical anymore, and it isn’t only happening to household names. The Justice Department has spent the last few years using the False Claims Act — the government’s fraud statute — against contractors who certified cybersecurity they hadn’t delivered. You don’t need a breach for it to apply; a false certification is enough. [14]

March 2025 · $4.6M · MORSECORP
A small contractor, brought down partly by a vendor's gap — and reported by its own security lead.

MORSE is a small Massachusetts defense contractor. It agreed to pay $4.6 million to resolve allegations it claimed cybersecurity compliance it didn't have on Army and Air Force work, where the government alleged its real SPRS score was negative 142 against the positive number it had reported. [15] Part of what it acknowledged: its third-party email provider hadn't met the required federal security baseline — a vendor's gap, landing on the contractor. [16] The case was started by MORSE's own Head of Security, who collected $851,000. [8]

Lesson · the thing that fails you can belong to a vendor

MORSE is the one to remember — small, and a provider’s shortfall became its problem. It’s not alone. A partial ledger of recent cybersecurity settlements:

Contractor                                 | When     | Amount
Health Net Federal Services / Centene [17] | Feb 2025 | $11.25M
Illumina [18]                              | Jul 2025 | $9.8M
Aerojet Rocketdyne [19]                    | Jul 2022 | $9.0M
Raytheon / Nightwing [18]                  | May 2025 | $8.4M
MORSECORP [8]                              | Mar 2025 | $4.6M
Penn State [17]                            | Oct 2024 | $1.25M

And in December 2025 it moved past money: a former manager at a Virginia contractor was criminally indicted over misrepresenting the security of a cloud platform used by the Army. [21] The exposure now reaches individuals, not just balance sheets — which is exactly why who signs your affirmation matters.

What “passing” actually requires — and why it never really ends

Two things owners consistently get wrong about the finish line.

You can’t buy your way to a conditional pass with a long to-do list

Scoring starts at 110 and you lose points for each control you haven’t met — 1, 3, or 5 points depending on how important it is. [22] To pass even conditionally, you need at least 88 out of 110. [7] And you can only defer the cheap stuff: only 1-point controls can go on a Plan of Action and Milestones. The heavyweight 3- and 5-point controls — the ones like multi-factor authentication — must be fully in place on assessment day. [23] Miss one of those and the score doesn’t matter; you don’t pass. (The full mechanics live in our SPRS score guide.)

If you do squeak in conditionally, the clock starts: 180 days to close every open item and pass a closeout check, or the conditional status expires and you’re back in line. [7]
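To make the scoring rules above concrete, here is an added Python example (not from the article, the DoD, or any official scoring tool) that applies them to a set of unmet controls: it deducts the points, checks the 88 threshold, and treats any unmet 3- or 5-point control as a failure regardless of score. The control names and point values in it are a constructed sample; the real weight of each requirement comes from the DoD Assessment Methodology, and the 110-control table it builds only mirrors the scale, not the official distribution.

```python
"""SPRS scoring and pass/conditional/fail logic as the article describes it.

Rules taken from the text: the score starts at 110; each unmet control
deducts 1, 3 or 5 points and the total may go negative; a conditional pass
needs at least 88; only 1-point controls may be deferred to a POA&M, so any
unmet 3- or 5-point control is a failure regardless of the score; a
conditional pass must close its POA&M within 180 days.
"""
from dataclasses import dataclass, field

START_SCORE = 110
CONDITIONAL_MINIMUM = 88
POAM_CLOSEOUT_DAYS = 180

# Constructed sample weights for illustration only. The official point value
# of each NIST SP 800-171 requirement is in the DoD Assessment Methodology;
# the article only says MFA sits among the 3- and 5-point controls, so 5 is
# an assumption here.
SAMPLE_WEIGHTS = {
    "multi-factor authentication": 5,
    "centralized logging and monitoring": 3,
    "written access policy": 1,
    "media marking": 1,
    "session lock": 1,
}


def constructed_weight_table() -> dict[str, int]:
    """A constructed 110-control table (40 five-point, 20 three-point,
    50 one-point). The real counts per weight differ; this only shows the
    scale on which a score can go negative, as MORSE's alleged -142 did."""
    table = {}
    for i in range(110):
        weight = 5 if i < 40 else 3 if i < 60 else 1
        table[f"control-{i + 1:03d}"] = weight
    return table


@dataclass
class Verdict:
    score: int
    outcome: str                      # "pass", "conditional" or "fail"
    poam_items: list = field(default_factory=list)   # deferrable 1-point gaps
    blocking: list = field(default_factory=list)     # 3/5-point gaps, no deferral


def score_assessment(weights: dict[str, int], unmet: set[str]) -> Verdict:
    """Compute the SPRS score for the unmet controls and decide the outcome."""
    unknown = unmet - set(weights)
    if unknown:
        raise ValueError(f"no weight known for: {sorted(unknown)}")
    score = START_SCORE - sum(weights[c] for c in unmet)
    blocking = sorted(c for c in unmet if weights[c] > 1)
    poam_items = sorted(c for c in unmet if weights[c] == 1)
    if blocking or score < CONDITIONAL_MINIMUM:
        outcome = "fail"
    elif poam_items:
        outcome = "conditional"       # POAM_CLOSEOUT_DAYS clock starts now
    else:
        outcome = "pass"
    return Verdict(score, outcome, poam_items, blocking)


if __name__ == "__main__":
    for gaps in ({"written access policy", "session lock"},
                 {"multi-factor authentication"}):
        v = score_assessment(SAMPLE_WEIGHTS, gaps)
        print(v.score, v.outcome, v.poam_items, v.blocking)
    everything = constructed_weight_table()
    print(score_assessment(everything, set(everything)).score)
```

Two 1-point gaps give 108 and a conditional pass; one unmet MFA control gives 105 and a failure, because no score rescues a 5-point gap.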

It’s not “certify once every three years”

You sign an affirmation every year attesting that your controls are still in place. [14] Evidence collection is continuous; the documentation has to stay current. The quiet trap: a contractor who passes once and then coasts often finds their posture has decayed by the next reassessment — and every decayed control is fresh exposure on the next signature. The signature that is, remember, yours.

An MSP can run your controls. It cannot sign your affirmation.

That line is always yours.

Work it out for yourself, before you spend a dollar

You don’t need to hire anyone to get oriented. Start with the scorecard — the fastest way to find out whether the “we’ve got it handled” you heard from your MSP holds up. Nothing you enter leaves your browser.

The MSP Readiness Scorecard

Answer for the provider you're thinking of trusting with CMMC. Honest answers only; this is for you, not them. Nothing is saved or sent.

  • Can they name a specific Cyber AB credential (RP, CCP, or CCA) held by a named person who'll work on your account? Not "our team is certified in security." A name and a credential.
  • Do they run your CUI in a government cloud (GCC High / Azure Gov / AWS GovCloud), not commercial Microsoft 365? Commercial 365 alone does not meet the requirement.
  • Will they hand you a written Customer Responsibility Matrix, stating who owns which control? The assessor asks for this first.
  • Can they point to a contractor they've actually taken through a Level 2 assessment? Completed, not "in progress since last year."
  • Is their own environment held to CMMC standards too? If they touch your data, their gaps become yours.
  • Is their price in line with the market, not suspiciously cheap? Half-price compliance is usually IT work wearing a compliance label.

A starting point, not a certification of anyone. It reflects the rules and failure patterns in this article.

Free tools, built to use without us

Everything you need to get oriented, at no cost. Plenty of contractors get a long way on these before they ever call anyone.

  • Shared Responsibility Matrix (free tool): all 110 requirements mapped to who's responsible across GCC High, Azure, AWS, and GCP. The starting point for your own CRM.
  • Readiness Assessor (free tool): answer a short set of questions and get a candid read on how far you are from Level 2, before you spend anything.
  • The 110 controls, in plain English (free reference): every NIST 800-171 requirement explained for non-engineers: what it means, how it's checked, where companies trip.
  • Who actually pays for CMMC? (free read): the full budget picture, covering implementation, assessment, and recovery, with the math by contractor tier.
Do this week

Three moves that cost nothing and de-risk the decision

  1. Run the scorecard above on your current MSP. If it lands on "proceed with caution" or worse, you've found the conversation to have before the next invoice.
  2. Ask your MSP for a Customer Responsibility Matrix in writing. Start from the free Shared Responsibility Matrix.
  3. Confirm where your CUI actually lives today. Commercial 365, GCC High, or you're not sure? "Not sure" is itself the finding. (See the free read on how to identify your CUI.)
Sources

Citations and references.

  1. Level 2 covers Controlled Unclassified Information and the 110 NIST SP 800-171 controls. 32 CFR Part 170; CMMC program guidance, 2025–2026.
  2. A firm that prepares a client cannot also conduct that client's official assessment. Cyber AB / MyCMMC, 2026.
  3. The DFARS rule (48 CFR) took effect November 10, 2025; mandatory third-party assessment for Level 2 follows November 10, 2026. A-LIGN; Government Enforcement Report, 2025–2026.
  4. March 2026 Cyber AB Town Hall: ~103 authorized C3PAOs, ~759 certified assessors; February 2026 figures put Certified CMMC Professionals near 1,494. Roughly 1% of 80,000+ organizations certified. CMMC.com Town Hall recaps; Secureframe, 2026.
  5. Third-party (C3PAO) assessment fees commonly run $30,000–$75,000. IBSS; Workstreet, 2026.
  6. A focused reassessment after a failure commonly runs $10,000–$30,000, plus remediation. IBSS; Ancitus cost analysis, 2026.
  7. Conditional Level 2 requires a minimum score of 88 of 110 (80%); open items close within 180 days or conditional status expires. DISA SPRS guidance; Secureframe; Pivot Point Security, 2025–2026.
  8. U.S. Department of Justice, "Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million…," March 2025; whistleblower share $851,000. justice.gov.
  9. The final rule does not require ESPs such as MSPs to obtain their own CMMC certification, reversing the proposed rule. A-LIGN; NeoSystems; Tevora, 2025–2026.
  10. An ESP that processes, stores, or transmits CUI or Security Protection Data is assessed within the client's scope; the relationship and responsibilities must be documented (32 CFR §170.19). eCFR; Pivot Point Security, 2026.
  11. Narrow exceptions for providers that never handle CUI or protection data — temporary access, staffing-only, and commercial off-the-shelf products. Ignyte; Tevora, 2026.
  12. C3PAO scheduling commonly runs months out; many booked well into 2026 as Phase 2 approached. ISI Defense; StratifyIT, 2026.
  13. Commercial Microsoft 365 does not, on its own, satisfy DFARS 252.204-7012 for CUI; GCC High runs on dedicated U.S. infrastructure with U.S.-person administrators. Petronella; Secureframe; Summit 7, 2026.
  14. Liability under the False Claims Act can arise from a false cybersecurity certification even absent any breach; the annual affirmation is signed by a named official (32 CFR §170.22). Security Info Watch; Holland & Knight, 2026.
  15. The government alleged MORSE's actual score was negative 142 against a reported positive score. Holland & Knight, January 2026.
  16. Among the acknowledged facts: MORSE's third-party SaaS email host had not met the FedRAMP Moderate baseline. Alston & Bird, 2025.
  17. Health Net / Centene settled for $11,253,400 (Feb 2025); Penn State for $1.25M (Oct 2024). ConsensusDocs; Alston & Bird, 2025.
  18. Illumina, $9.8M (Jul 2025); Raytheon / Nightwing, $8.4M (May 2025). The Employment Law Group cyber-fraud compilation, Jan 2026.
  19. Aerojet Rocketdyne, $9.0M (2022), an early Civil Cyber-Fraud Initiative case. The Employment Law Group, 2026.
  20. In December 2025 a defense supply-chain subcontractor (precision machining) settled allegations of failing DFARS 252.204-7012 cybersecurity for technical drawings; the case began with a former quality manager. Mayer Brown, March 2026.
  21. A former manager at a Virginia contractor was criminally indicted in December 2025 over misrepresenting cloud-platform security used by the Army. 2025–2026 reporting.
  22. SPRS scoring starts at 110 and deducts 1, 3, or 5 points per unmet control; scores can go negative. Exostar; Elevate; MACPA, 2025–2026.
  23. Only 1-point controls may be placed on a POA&M; 3- and 5-point controls (and certain specified controls) must be met at assessment. Exostar (32 CFR §170.21); Pivot Point Security, 2026.