CMMC Managed Services: What MSPs and MSSPs Handle vs. Your Responsibility
CMMC managed service providers help defense contractors meet compliance requirements. Learn about shared responsibility, enclave hosting, and MSP evaluation.
One of the most common questions we hear from defense contractors is whether they can simply outsource CMMC compliance to a managed service provider. The short answer is that you can outsource many of the technical controls — but you cannot outsource accountability. Understanding where the MSP's responsibility ends and yours begins is the difference between a successful assessment and a costly surprise.
Managed service providers (MSPs) and managed security service providers (MSSPs) have become essential partners for defense contractors pursuing CMMC certification, particularly small businesses that lack the internal IT resources to build and maintain a compliant environment on their own. These providers offer specialized infrastructure, security tooling, and operational expertise that can dramatically reduce the burden of meeting NIST 800-171 controls.
But the relationship between a defense contractor and its MSP in the context of CMMC is more complex than a typical vendor arrangement. The concept of shared responsibility — borrowed from cloud computing but applied with CMMC-specific nuances — governs who is accountable for which controls during a CMMC assessment. This guide covers what CMMC managed services entail, how shared responsibility works, and how to evaluate whether an MSP is truly equipped to support your compliance objectives.
What CMMC Managed Services Look Like
CMMC-focused MSPs and MSSPs typically offer a suite of services designed to address specific NIST 800-171 control families. The scope varies by provider, but the most common offerings fall into several categories.
Enclave Hosting
An enclave is a segmented environment specifically designed and hardened for CUI processing. Rather than securing your entire corporate network to CMMC standards, an enclave approach restricts CUI to a defined boundary, reducing the number of systems and controls that must be assessed.
CMMC enclave providers typically offer:
- Virtual desktop infrastructure (VDI): Users access a secure virtual desktop within the enclave to work with CUI. The CUI never touches the user's local workstation.
- Secure file storage: Encrypted, access-controlled file repositories within the enclave boundary
- Email protection: CUI-capable email environments with encryption, DLP, and retention controls
- Network segmentation: The enclave is logically or physically separated from the contractor's general-purpose network
Enclave hosting is one of the most effective scope reduction strategies available. By concentrating CUI processing in a managed environment, you significantly reduce the number of systems your organization must bring into compliance.
Managed SIEM and Security Operations Center
Security Information and Event Management (SIEM) and Security Operations Center (SOC) services address some of the most resource-intensive NIST 800-171 control families: Audit and Accountability (AU) and Incident Response (IR).
| Service Component | NIST 800-171 Controls Addressed |
|---|---|
| Log collection and aggregation | AU 3.3.1, 3.3.2 |
| Log analysis and correlation | AU 3.3.5, 3.3.6 |
| Alerting and escalation | IR 3.6.1, AU 3.3.4 |
| Incident detection and response | IR 3.6.1, 3.6.2, 3.6.3 |
| Log retention and protection | AU 3.3.8, 3.3.9 |
| Reporting and dashboards | AU 3.3.1, CA 3.12.3 |
A managed SIEM/SOC eliminates the need to build and staff these capabilities internally. For organizations with small IT teams, this can be the difference between meeting audit and accountability requirements and failing them entirely.
Endpoint Detection and Response
Managed endpoint protection services provide:
- Agent deployment and management across all in-scope endpoints
- Continuous monitoring for malware, anomalous behavior, and policy violations
- Automated response actions (quarantine, isolation, remediation)
- Patch management and vulnerability scanning
- Endpoint configuration compliance monitoring
These services address controls in System and Information Integrity (SI), Configuration Management (CM), and Risk Assessment (RA) domains.
Identity and Access Management
Some MSPs offer managed identity services that handle:
- Multi-factor authentication (MFA) deployment and management
- Privileged access management (PAM)
- User lifecycle management (provisioning, role changes, de-provisioning)
- Single sign-on (SSO) integration
- Access reviews and recertification
Identity and access management addresses the Access Control (AC) and Identification and Authentication (IA) control families, which together represent over 25 of the 110 NIST 800-171 controls.
Compliance Monitoring and Reporting
Beyond pure security services, some CMMC MSPs offer ongoing compliance monitoring:
- Continuous assessment of control effectiveness
- Automated evidence collection for assessment readiness
- Policy template maintenance and updates
- SPRS score tracking and reporting
- POA&M management and remediation tracking
The Shared Responsibility Model
The shared responsibility model is the most important concept to understand when engaging a CMMC MSP. It defines, control by control, who is responsible for implementation, operation, and evidence production.
How Shared Responsibility Works
Think of shared responsibility as a matrix with three categories:
- MSP-managed controls: The MSP fully implements, operates, and maintains these controls. The MSP produces evidence for assessors.
- Shared controls: Both the MSP and the contractor have responsibilities. For example, the MSP may provide the MFA platform, but the contractor is responsible for ensuring all users are enrolled and that exceptions are managed.
- Contractor-managed controls: These controls remain entirely the contractor's responsibility regardless of MSP engagement. The MSP has no role.
Here is how this typically breaks down across NIST 800-171 control families:
| Control Family | Typical Responsibility |
|---|---|
| Access Control (AC) | Shared — MSP manages platform, contractor manages users and policies |
| Awareness and Training (AT) | Contractor — MSP cannot train your employees |
| Audit and Accountability (AU) | MSP-managed (if managed SIEM) — contractor reviews outputs |
| Configuration Management (CM) | Shared — MSP manages infrastructure, contractor manages local devices |
| Identification and Authentication (IA) | Shared — MSP manages platform, contractor manages enrollment |
| Incident Response (IR) | Shared — MSP detects and escalates, contractor provides organizational response |
| Maintenance (MA) | Shared — MSP maintains managed systems, contractor maintains local assets |
| Media Protection (MP) | Contractor — physical media remains your responsibility |
| Personnel Security (PS) | Contractor — screening, clearances, and termination are organizational functions |
| Physical Protection (PE) | Contractor — your facilities, your responsibility |
| Risk Assessment (RA) | Shared — MSP provides scanning, contractor performs risk assessment |
| Security Assessment (CA) | Shared — MSP provides monitoring, contractor performs self-assessment |
| System and Communications Protection (SC) | MSP-managed (for enclave) — contractor manages local network |
| System and Information Integrity (SI) | Shared — MSP manages patching and AV for managed systems |
The Customer Responsibility Matrix
A reputable CMMC MSP will provide a Customer Responsibility Matrix (CRM) — also sometimes called a shared responsibility matrix — that maps every NIST 800-171 control to a responsible party. This document should be:
- Granular: Listing each of the 110 controls individually, not just control families
- Specific: Stating exactly what the MSP does and what the contractor must do for each control
- Consistent with the SSP: Your System Security Plan must accurately reflect the shared responsibility model
- Updated regularly: As services change, the CRM must be revised
What we tell clients: if an MSP cannot produce a detailed CRM before you sign a contract, that is a significant red flag. The CRM is the foundation of your assessment preparation — without it, you cannot write an accurate SSP, and without an accurate SSP, you cannot pass an assessment.
Does Your MSP Need to Be CMMC Certified?
This question generates more confusion than almost any other in the CMMC ecosystem. The answer depends on the MSP's role:
If the MSP stores, processes, or transmits CUI: The MSP is a Cloud Service Provider (CSP) or external service provider within your assessment boundary. Their systems must meet the same CMMC requirements as yours. This typically means:
- The MSP must either have its own CMMC certification at the appropriate level, or
- The MSP's relevant systems must be included within your assessment scope (which is often impractical)
If the MSP only manages your systems remotely but never accesses CUI: The MSP may be treated as an external service provider with limited scope. However, if the MSP has privileged access to systems containing CUI — even if they do not directly access the CUI itself — they likely fall within the assessment boundary.
If the MSP provides a FedRAMP-authorized cloud environment: FedRAMP Moderate (or equivalent) authorization satisfies many CMMC cloud service requirements, but it does not eliminate the need to address controls related to your use of that environment.
Verifying MSP Compliance
Before engaging a CMMC MSP, verify their compliance posture:
- Ask for their CMMC certification status: If they claim certification, verify it in the Cyber AB Marketplace
- Review their SSP or security documentation: A credible MSP should be willing to share relevant portions of their security posture documentation
- Check for SOC 2 Type II or equivalent: While not a CMMC substitute, SOC 2 demonstrates a baseline of security maturity
- Ask for FedRAMP authorization status: For cloud-based services, FedRAMP Moderate or High provides significant assurance
- Request references from CMMC-certified clients: An MSP whose clients have successfully passed CMMC assessments is a stronger bet than one with no track record
Evaluating CMMC Managed Service Providers
Not all MSPs claiming CMMC expertise are created equal. The market has attracted providers ranging from deeply experienced defense-sector specialists to general IT providers that added "CMMC" to their marketing. Here is how to separate substance from marketing.
Essential Evaluation Criteria
Control mapping documentation: The MSP should provide a clear mapping of their services to specific NIST 800-171 controls. Vague claims like "we help you meet CMMC requirements" are insufficient. You need to know exactly which controls they address and how.
Defense industrial base experience: CMMC compliance has nuances that general IT providers may not understand — CUI marking and handling, DFARS flow-down requirements, ITAR considerations, and DoD-specific incident reporting obligations. Ask about their experience specifically with defense contractors.
Assessment support: A quality CMMC MSP does not disappear when the C3PAO arrives. They should provide evidence packages for the controls they manage, participate in assessor interviews for their scope, and support your assessment coordinator throughout the process.
Incident response integration: When a security incident occurs in the MSP's environment, how does the response process work? Who notifies whom? How does the MSP's incident response integrate with your IR plan and the 72-hour DoD reporting requirement?
Data sovereignty and handling: Where is your CUI stored? Which MSP personnel can access it? What happens to your data if the relationship ends? These are critical questions that should be answered in the contract, not discovered during an assessment.
Red Flags to Watch For
In our experience advising defense contractors, these are warning signs that an MSP may not be ready for CMMC:
- No Customer Responsibility Matrix: They cannot clearly delineate what they handle versus what you handle
- No CMMC certification or credible path to it: They are selling CMMC compliance services but have not achieved compliance themselves
- Overpromising scope coverage: Claims that they cover "all 110 controls" should be viewed skeptically — controls related to personnel security, physical protection, and governance cannot be outsourced
- No DIB-specific references: They have general IT clients but no defense contractor clients who have successfully passed CMMC assessments
- Unwillingness to participate in assessments: They provide services but do not support the assessment process for controls within their scope
Structuring the MSP Relationship for Assessment Success
Once you have selected an MSP, structuring the relationship correctly is critical for assessment success.
Contractual Considerations
Your MSP agreement should address:
- Explicit CMMC control mapping: Which controls the MSP is responsible for, by control number
- Evidence production obligations: The MSP must produce assessment evidence for their controls on request
- Assessment participation: The MSP must be available to participate in assessor interviews and technical demonstrations
- Incident notification timelines: Aligned with DoD's 72-hour reporting requirement
- Continuous monitoring and reporting: Regular reports on control effectiveness, vulnerability status, and compliance posture
- Data handling and return: Clear provisions for CUI handling during and after the relationship
- Insurance and liability: Who bears liability if the MSP's failure to maintain controls results in a failed assessment or security incident
Integrating MSP Services into Your SSP
Your System Security Plan must accurately describe how each control is implemented, including which controls are handled by the MSP. For each MSP-managed or shared control:
- Describe what the MSP does and how it satisfies the control requirement
- Reference the MSP's CRM as a supporting document
- Describe your organization's responsibilities for shared controls
- Document the interfaces between your environment and the MSP's environment
- Identify the MSP as an external service provider within your system boundary
Assessors will review these descriptions and verify them against both your environment and the MSP's documentation. Inconsistencies between your SSP, the CRM, and actual implementation are findings.
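As an added illustration (not code from this page or from any provider), the check below reconciles an MSP's CRM against the contractor's own SSP before an assessment: it flags controls with an unrecognised responsible party, non-outsourceable families marked MSP-managed, shared controls with no contractor duties, and CRM/SSP mismatches. The CSV column layout and the sample rows are constructed assumptions; the control numbers are real NIST 800-171 identifiers.

```python
"""Reconcile an MSP Customer Responsibility Matrix (CRM) with the
contractor's SSP and report the inconsistencies an assessor would
treat as findings. Rows below are constructed for illustration."""
import csv
import io

# Families this guide says cannot be handed to an MSP outright.
NON_OUTSOURCEABLE = {"AT", "PS", "PE", "MP"}
VALID_PARTIES = {"MSP", "Shared", "Contractor"}

# Constructed CRM excerpt (column layout is an assumption, not a standard).
CRM_CSV = """control,family,party,msp_does,contractor_does
3.1.1,AC,Shared,Operates IdP and enforces MFA,Approves accounts and reviews access
3.2.1,AT,MSP,Delivers annual awareness course,
3.3.1,AU,MSP,Collects and retains logs in SIEM,
3.5.3,IA,Shared,Provides MFA platform,
3.8.1,MP,Contractor,,Locks CUI media in GSA cabinet
3.10.1,PE,Vendor,,Badge access to server room
"""

# Constructed SSP excerpt: the responsible party the contractor's SSP names.
SSP_PARTY = {"3.1.1": "Shared", "3.2.1": "Contractor", "3.3.1": "MSP",
             "3.5.3": "Shared", "3.8.1": "Contractor"}


def check_crm(crm_csv: str, ssp_party: dict) -> list:
    """Return (control, message) findings; an empty list means consistent."""
    findings = []
    for row in csv.DictReader(io.StringIO(crm_csv)):
        cid, fam, party = row["control"], row["family"], row["party"]
        if party not in VALID_PARTIES:
            findings.append((cid, f"unknown responsible party '{party}'"))
        if party == "MSP" and fam in NON_OUTSOURCEABLE:
            findings.append((cid, f"{fam} control cannot be MSP-managed"))
        if party == "Shared" and not row["contractor_does"].strip():
            findings.append((cid, "shared control lacks contractor duties"))
        if party in ("MSP", "Shared") and not row["msp_does"].strip():
            findings.append((cid, "MSP role not described"))
        # Every CRM control must appear in the SSP with the same party.
        if cid not in ssp_party:
            findings.append((cid, "control absent from SSP"))
        elif ssp_party[cid] != party:
            findings.append((cid, f"SSP says {ssp_party[cid]}, CRM says {party}"))
    return findings


if __name__ == "__main__":
    for cid, msg in check_crm(CRM_CSV, SSP_PARTY):
        print(f"{cid}: {msg}")
```

A real CRM would be checked for all 110 controls, and any control missing from the CRM entirely should be treated as contractor-owned until the MSP says otherwise.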
Ongoing Governance
The MSP relationship requires ongoing governance, not just initial setup:
- Regular review meetings: Monthly or quarterly reviews of service performance, security posture, and compliance status
- Change management coordination: Changes to the MSP's environment that affect your compliance posture must be communicated and assessed
- Annual reassessment alignment: Ensure MSP services continue to meet requirements as CMMC standards evolve
- Exit planning: Maintain a documented plan for transitioning away from the MSP if needed, including data migration and control reassignment
Cost Considerations
CMMC managed services represent a significant investment, but they are often more cost-effective than building equivalent capabilities internally. Contact providers for current pricing — costs vary based on scope, user count, and environment complexity.
| Service | Pricing Model |
|---|---|
| CUI enclave hosting | Per-user monthly fee — contact provider for current pricing |
| Managed SIEM/SOC | Monthly subscription — scales with log volume and environment size |
| Managed endpoint protection | Per-device monthly fee — contact provider for current pricing |
| Managed identity and access management | Monthly subscription — contact provider for current pricing |
| Compliance monitoring and reporting | Monthly subscription — contact provider for current pricing |
| Full managed CMMC environment (bundled) | Contact provider for bundled pricing based on your scope |
These costs must be weighed against the alternative: hiring security staff, purchasing and maintaining security tooling, building secure infrastructure, and dedicating internal resources to ongoing compliance operations. For organizations with fewer than 100 employees, managed services almost always represent the more economical path to CMMC certification.
Making the Decision
Engaging a CMMC MSP is not an all-or-nothing decision. Many organizations take a hybrid approach:
- Use enclave hosting for CUI processing while maintaining their general corporate network independently
- Outsource SIEM/SOC operations but manage endpoint protection internally
- Use managed identity services but retain physical security and personnel security internally
The right mix depends on your organization's size, technical capabilities, budget, and the complexity of your CUI environment. Start by identifying which NIST 800-171 control families represent your biggest gaps, then evaluate MSPs that specifically address those areas.
Whatever approach you choose, remember the fundamental principle: you can outsource the work, but you cannot outsource the responsibility. Your organization will be the one on the assessment report, and your senior official will be the one affirming your compliance posture. Make sure you understand every control — whether you implement it yourself or your MSP does.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.