Last updated: April 2026
Affiliate Disclosure: We may earn a commission when you purchase through our links. This does not affect our editorial independence.
Quick Answer
- The Cybersecurity Maturity Model Certification (CMMC) is a three-tier model, with Level 1 applying to about 140,000 Defense Industrial Base (DIB) companies Technical Application of CMMC Requirements.
- If a Managed Service Provider (MSP) stores, processes, or transmits Controlled Unclassified Information (CUI) on its own systems, it requires its own CMMC Level 2 certification When MSPs Need CMMC Compliance.
- Failing to meet CMMC standards can lead to contract loss for clients and suspension from defense work for MSPs and their clients CMMC Requirements for MSPs.
- CMMC Level 2 applies to approximately 75,000 DIB companies, ensuring they protect Controlled Unclassified Information (CUI) Technical Application of CMMC Requirements.
Managed Service Providers (MSPs) working with the U.S. Department of Defense (DoD) supply chain must understand and comply with the Cybersecurity Maturity Model Certification (CMMC). This framework enforces strict cybersecurity standards for protecting sensitive government data, particularly Controlled Unclassified Information (CUI). MSPs are directly affected because they often manage IT systems, networks, and cloud services for defense contractors, giving them privileged access to environments that may contain CUI. The DoD created CMMC to ensure that every contractor and subcontractor touching DoD data meets these security requirements, evolving from NIST SP 800-171 requirements to add third-party verification and prevent data leakage and intellectual property theft CMMC Requirements for MSPs. For example, CMMC Level 1 applies to about 140,000 DIB companies, while Level 2 applies to about 75,000 DIB companies Technical Application of CMMC Requirements. This means if an MSP interacts with a defense contractor's data or systems, it likely falls under CMMC scope.
What is CMMC and Why Does it Matter for MSPs?
CMMC, or the Cybersecurity Maturity Model Certification, is a program established by the U.S. Department of Defense to enforce strict cybersecurity standards across the Defense Industrial Base (DIB). Its primary goal is to protect Controlled Unclassified Information (CUI) within the defense supply chain, which has become increasingly critical. Every contractor and subcontractor that handles DoD data must now demonstrate they meet these security requirements CMMC Requirements for MSPs. This is not just a suggestion; it's a mandatory program designed to prevent data leakage and intellectual property theft.
For MSPs, CMMC is directly relevant because they manage the networks, systems, and cloud services for their clients, including defense contractors. This work often grants MSPs privileged access to contractor environments that may contain CUI. Because of this access, MSPs are required to meet the same security standards as their defense contractor clients. The program ensures that contractors, and by extension their service providers, actually implement the security controls they claim to have in place. CMMC evolved from the NIST SP 800-171 requirements, adding a crucial layer of third-party verification to enhance security.
Enforcing Cybersecurity Standards Across the DIB
The U.S. Department of Defense created CMMC to protect sensitive government data throughout its supply chain. This means every company, from prime contractors to subcontractors, that touches DoD data must prove they meet specific security requirements. The program aims to create a unified standard for cybersecurity across the entire Defense Industrial Base (DIB). This unified approach is essential because the defense supply chain depends on every link maintaining strong cybersecurity. If one link is weak, the entire chain is at risk.
CMMC's Impact on MSP Operations
MSPs are critical links in this chain. If an MSP administers IT systems, cybersecurity tools, hosting, networks, or cloud workloads for DoD contractors, it falls under CMMC scope. This is true even if the MSP doesn't directly handle the data itself. If an MSP stores CUI data on its infrastructure, transmits sensitive information between systems, processes contractor data that includes CUI, or has privileged access to client systems containing CUI, they are in scope. This means MSPs must align their cybersecurity practices with CMMC standards. The good news is that MSPs can turn CMMC compliance into a profitable service model by offering cybersecurity solutions and ongoing compliance support to their defense contractor clients. By doing so, they become trusted partners in the defense ecosystem CMMC Requirements for MSPs.
The Evolution from NIST SP 800-171
CMMC did not appear out of nowhere. It evolved directly from the NIST SP 800-171 requirements. NIST SP 800-171 provided a set of security controls for protecting CUI in non-federal systems and organizations. However, the DoD recognized a need for greater assurance that these controls were actually being implemented. CMMC adds third-party verification to the mix, meaning an independent assessor verifies compliance. This ensures that the security controls are not just documented but are actively in place and effective. This shift is designed to stop data leakage and intellectual property theft more effectively. The CMMC framework includes three tiers of increasing requirements, with CMMC Level 1 validating full compliance with existing regulations and applying to approximately 140,000 DIB companies. CMMC Level 2 also validates full compliance with existing regulations and applies to approximately 75,000 DIB companies Technical Application of CMMC Requirements. Understanding CMMC compliance for IT providers is no longer optional; it's a business requirement for any MSP serving the defense sector.
When Do MSPs Need Their Own CMMC Level 2 Certification?
MSPs need their own CMMC Level 2 certification if they are directly involved in storing, processing, or transmitting Controlled Unclassified Information (CUI) on their own systems for a defense contractor client. This is a critical distinction that many MSPs and Managed Security Service Providers (MSSPs) previously misunderstood. The policy shift, clarified by Matt Travis, CEO of the Cyber AB, means that if an External Service Provider (ESP) is not merely administering someone else’s systems but actively handling CUI on its own infrastructure, a separate Level 2 certification is required When MSPs Need CMMC Compliance.
This requirement extends beyond direct data handling. Even if an MSP has privileged access to client systems that contain CUI, it falls within the compliance boundary. This means the MSP must meet the same stringent security standards as the defense contractor it serves. This also applies to the use of certain tools and platforms. If an MSP manages a Remote Monitoring and Management (RMM) tool that collects data from a client’s CUI environment, or if it acts as an administrator for platforms like Microsoft GCC High or PreVeil and its access includes client emails or documents containing CUI, then it must pursue its own CMMC Level 2 certification.
Storing, Processing, or Transmitting CUI on Your Systems
The primary trigger for an MSP to need its own CMMC Level 2 certification is when it stores, processes, or transmits CUI on its own systems. This isn't about simply having access to a client's CUI environment; it's about the MSP's infrastructure becoming a repository or conduit for that sensitive information. If an MSP's servers, cloud storage, or other IT assets hold CUI data, then those systems must be compliant with CMMC Level 2 requirements. This means the MSP cannot rely solely on the client's certification. Instead, the MSP must undergo its own independent CMMC Level 2 assessment. Failure to do so would mean the MSP would effectively be assessed alongside each customer's assessment, leading to redundant and costly evaluations. "If an ESP (that is not a Cloud Service Provider) is storing, processing, or transmitting CUI on their own systems—not just administering someone else’s systems—then they require their own Level 2 CMMC certification," said Matt Travis, CEO of the Cyber AB When MSPs Need CMMC Compliance.
Privileged Access and Its Implications
Beyond direct data handling, privileged access to client systems containing CUI also places an MSP within the CMMC compliance boundary. Privileged access means the MSP has administrative control or deep access to the client’s IT environment, even if the CUI itself resides on the client's systems. This level of access grants the MSP the ability to potentially view, modify, or impact the security of CUI. Therefore, the MSP's own internal systems and processes used to manage this access must be CMMC compliant. This ensures that the MSP itself does not become a vulnerability point in the defense contractor's cybersecurity posture. MSPs manage networks, systems, and cloud services for their clients, and they often have this kind of privileged access to contractor environments that may contain CUI CMMC Requirements for MSPs. This makes their own compliance essential.
Specific Tools and Platforms Requiring Certification
Certain tools and platforms commonly used by MSPs can also trigger the need for CMMC Level 2 certification. For example, if an MSP manages a Remote Monitoring and Management (RMM) tool that actively collects data from a client’s CUI environment, the RMM tool and the MSP's use of it fall under CMMC scope. The data collected by the RMM tool, even if it's operational data, could be considered CUI or could provide access to CUI. Similarly, if an MSP acts as an administrator for platforms like Microsoft GCC High or PreVeil, and their administrative access includes client emails or documents containing CUI, then that MSP requires its own CMMC Level 2 certification. These platforms are designed to handle sensitive data, and the administrators of these systems are directly responsible for ensuring the security of that data. This policy marks an important shift for the industry, meaning many MSPs and MSSPs now face the dual challenge of pursuing their own compliance journey while continuing to advise their clients on theirs When MSPs Need CMMC Compliance.
What are the Consequences of CMMC Non-Compliance for MSPs?
Failing to meet CMMC standards creates serious problems for Managed Service Providers (MSPs) and their defense contractor clients. The implications extend beyond just losing potential business; they can severely impact an MSP's reputation and ability to operate within the defense sector. Non-compliance essentially marks an MSP as a security risk, which can have cascading negative effects throughout the defense supply chain.
When a defense contractor is undergoing a CMMC assessment, they must document every vendor who has access to their Controlled Unclassified Information (CUI) systems. If an MSP is identified as non-compliant, it immediately becomes a red flag. This can jeopardize the client's ability to win or retain DoD contracts. The U.S. Department of Defense (DoD) takes cybersecurity very seriously, and any weak link in the supply chain can lead to severe penalties. MSPs are critical links, and their non-compliance can have far-reaching business consequences.
Loss of Contracts for Clients and MSPs
One of the most immediate and impactful consequences of CMMC non-compliance is the loss of contracts. Defense contractors cannot win DoD contracts if their service providers, including MSPs, are not compliant. This means that an MSP's failure to meet CMMC standards can directly result in their clients losing lucrative defense work. When clients lose contracts, the MSP also loses business, as their services are no longer needed for those projects. This creates a ripple effect, jeopardizing the financial stability of both the contractor and the MSP. The "CMMC Status of Level 1, Level 2, or Level 3" is a condition of contract award when included in contracts that process, store, or transmit Federal Contract Information (FCI) or CUI Technical Application of CMMC Requirements. Prime contractors flow these requirements down to subcontractors based on the data shared, making MSP compliance crucial for the entire chain.
Mandatory Vendor Reporting and Red Flags
During CMMC assessments, defense contractors are required to provide detailed documentation of all vendors, including MSPs, who have access to systems containing CUI. This mandatory vendor reporting means that non-compliant MSPs cannot hide. They are explicitly identified as part of the client's compliance assessment. If an MSP is found to be non-compliant, it acts as a significant red flag during the assessment process. This can lead to delays, additional scrutiny, and potentially a failed assessment for the client. The DoD's focus on third-party verification, which CMMC evolved from NIST SP 800-171 requirements to include, ensures that security controls are actually implemented, and this includes the security posture of service providers CMMC Requirements for MSPs.
Suspension from Defense Work
Beyond contract loss, the DoD has the authority to suspend or even bar MSPs from working with defense contractors altogether. This is a severe consequence that can effectively end an MSP's ability to serve the defense sector. If an MSP is deemed a security risk due to its non-compliance, the DoD can take direct action to protect its supply chain. This measure underscores how critical cybersecurity is for national security. Such a suspension would not only impact current contracts but also prevent the MSP from pursuing future opportunities within the defense industrial base. The defense supply chain depends on every link maintaining strong cybersecurity, and MSPs are critical links in that chain CMMC Requirements for MSPs.
Reputational Damage in the Defense Community
The defense community is a close-knit network where reputation is paramount. Word spreads fast, and non-compliance quickly marks an MSP as a security risk. This reputational damage can be difficult, if not impossible, to overcome. A tarnished reputation can lead to a loss of trust from existing clients, make it challenging to attract new defense contractor clients, and even impact business in other sectors where data security is a high priority. In an environment where data security and privacy regulations are increasingly crucial to end users, a strong security posture is a competitive differentiator Why you should have SOC 2 compliance as an MSP. Non-compliance with CMMC can have the opposite effect, severely hindering an MSP's growth and standing in the market.
How Does CMMC Impact External Service Providers (ESPs) and Managed Security Service Providers (MSSPs)?
CMMC significantly impacts External Service Providers (ESPs), which is a broad category that includes both Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs). These providers are essential to the operations of defense contractors, often managing the very IT systems and security functions that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Because of their privileged access and responsibility for critical IT infrastructure, ESPs must adhere to CMMC requirements to ensure the overall cybersecurity of the Defense Industrial Base (DIB).
The U.S. Department of Defense's CMMC program mandates strict cybersecurity standards for any service provider working with defense contractors who handle sensitive government data. This directly includes MSPs and MSSPs. If an ESP administers IT systems, cybersecurity tools, hosting, networks, or cloud workloads for DoD contractors, they are in CMMC scope. This means they are expected to meet the same security standards as their defense contractor clients, ensuring that every link in the defense supply chain maintains robust cybersecurity CMMC Requirements for MSPs.
Defining External Service Providers (ESPs) in CMMC
In the context of CMMC, External Service Providers (ESPs) encompass a range of organizations that provide IT-related services to defense contractors. This includes both Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs), as well as Cloud Service Providers (CSPs). The key factor that brings an ESP into CMMC scope is their interaction with or access to Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on behalf of a client. If an ESP stores, transmits, or processes CUI data on its infrastructure, or has privileged access to client systems containing CUI, it falls under CMMC requirements. This broad definition ensures that all entities involved in the handling of sensitive DoD data are held to appropriate security standards Technical Application of CMMC Requirements.
The Role of MSPs in the CMMC Ecosystem
MSPs play a crucial role in the CMMC ecosystem by managing the day-to-day IT operations for defense contractors. This includes everything from network management and system maintenance to help desk support. While their primary focus is on IT management to support business operations, their access to client systems often means they interact with or could potentially access FCI and CUI. Therefore, MSPs must ensure their internal systems and processes are compliant with CMMC standards. This allows them to effectively support their defense contractor clients' compliance efforts without becoming a vulnerability. By achieving CMMC compliance themselves, MSPs can become trusted partners, offering cybersecurity solutions aligned with CMMC standards and providing ongoing compliance support CMMC Requirements for MSPs. Finding the right MSP for CMMC compliance is one of the most important steps for defense contractors supporting the Department of Defense Find A Managed Service Provider (MSP) For CMMC Compliance. Healthcare practices looking for MSPs that already specialize in HIPAA-regulated environments can compare top providers in our Top MSPs by Vertical: Healthcare, Legal, Manufacturing [2026] roundup.
The Role of MSSPs in CMMC Compliance
MSSPs, on the other hand, specialize in providing IT security services. Their focus is on proactively protecting businesses by adding technology, processes, and expertise specifically for cybersecurity. This includes services like scanning networks for threats, remediating vulnerabilities, security monitoring, and incident response. For defense contractors, MSSPs are invaluable in helping them meet the stringent security requirements of CMMC. MSSPs often manage security tools and systems that directly protect CUI. Therefore, like MSPs, MSSPs must also ensure their own operations and systems are CMMC compliant, especially if they store, process, or transmit CUI on their own infrastructure or have privileged access to client CUI environments. The distinction is that an MSSP provides IT security for your business, proactively protecting it and remediating vulnerabilities, while an MSP focuses on general IT management Find A Managed Service Provider (MSP) For CMMC Compliance. Both are critical links in the defense supply chain, and their compliance is essential for the overall cybersecurity of the DIB.
How Does CMMC Relate to Other Compliance Standards Like SOC 2?
CMMC is a specialized compliance framework tailored by the U.S. Department of Defense (DoD) for its supply chain, focusing specifically on the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). While CMMC is mandatory for any entity working with the DoD, other compliance standards, such as System and Organization Controls 2 (SOC 2), address broader data security and privacy concerns that are relevant across various industries. Although distinct, both CMMC and SOC 2 emphasize robust data protection and can complement each other in an MSP's overall security posture.
CMMC is a three-tier model, with increasing requirements at each level to assess and protect sensitive data. CMMC Levels 1 and 2 validate full compliance with existing regulations, primarily NIST SP 800-171, while Level 3 adds and validates additional security requirements for select DoD programs, focusing on increased protection against advanced persistent threats Technical Application of CMMC Requirements. In contrast, SOC 2 is an attestation report that evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, or privacy. It proves a business can protect sensitive customer data, making it a competitive differentiator across many sectors.
CMMC's Specific Focus on DoD Data
CMMC's primary objective is to safeguard the DoD's sensitive information throughout its supply chain. This includes Federal Contract Information (FCI), which is information not intended for public release, and Controlled Unclassified Information (CUI), which is government-created or owned information requiring safeguarding or dissemination controls. The framework defines three levels of certification, each with a progressively more stringent set of security requirements. CMMC Level 1, for example, requires compliance with 15 security requirements and involves an annual self-assessment. CMMC Level 2, applicable to approximately 75,000 DIB companies, involves 110 security requirements aligned with DFARS 252.204-7012 and NIST SP 800-171 R2 Technical Application of CMMC Requirements. This specificity ensures that the unique security needs of defense contractors are met, preventing data leakage and intellectual property theft within the DIB.
SOC 2: A Broader Data Security Standard
SOC 2, developed by the American Institute of Certified Public Accountants (AICPA), is a voluntary compliance standard for service organizations. It specifies how organizations should manage customer data based on five "Trust Services Criteria": security, availability, processing integrity, confidentiality, and privacy SOC 2® - SOC for Service Organizations: Trust Services Criteria. Unlike CMMC, which is mandated for DoD contractors, SOC 2 is often pursued by MSPs and other service providers to demonstrate their commitment to data security to a wider range of clients. It has become a competitive differentiator and a deciding factor in winning enterprise deals, especially in industries such as SaaS, fintech, and healthcare, where data security is highly valued How to get SOC 2 compliance: A guide for MSPs supporting client audits. While CMMC focuses on government data, SOC 2 addresses the broader need for protecting sensitive customer data across various private sector applications, especially in an era when the cloud and countless applications host confidential data Why you should have SOC 2 compliance as an MSP.
Complementary Compliance Strategies
Although CMMC and SOC 2 serve different purposes and target different audiences, they are not mutually exclusive. An MSP serving defense contractors might pursue CMMC certification to secure DoD contracts, while simultaneously obtaining SOC 2 attestation to demonstrate its robust security posture to commercial clients in other industries. Achieving SOC 2 compliance can lay a strong foundation for CMMC, as many of the underlying security controls and practices, such as access control, incident response, and security monitoring, overlap. For example, both frameworks require strong internal controls and evidence of their effectiveness. By implementing comprehensive security measures that satisfy SOC 2, an MSP may find itself better prepared to meet many of the CMMC requirements, particularly at Level 1 and Level 2. This dual approach allows MSPs to expand their market reach while maintaining high standards of data protection across all client segments.
What are the Different CMMC Levels and Their Requirements?
The Cybersecurity Maturity Model Certification (CMMC) is structured as a three-tier model, with each level representing an increasing set of cybersecurity requirements designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). These levels are not optional; they are conditions of contract award when included in contracts that involve processing, storing, or transmitting FCI or CUI. The tiered approach ensures that organizations implement appropriate security measures based on the sensitivity of the information they handle and the level of cyber threat they face.
CMMC Levels 1 and 2 validate full compliance with existing regulations, primarily focusing on established cybersecurity practices. CMMC Level 3, however, goes further by adding and validating additional security requirements for select DoD programs, specifically designed to increase protection against advanced persistent threats. This progression ensures a layered defense, enhancing the overall security posture of the Defense Industrial Base (DIB). Each level specifies the number of security requirements, the applicability to DIB companies, and the type of assessment required to achieve certification Technical Application of CMMC Requirements.
CMMC Level 1: Foundational Safeguards
CMMC Level 1 focuses on the protection of Federal Contract Information (FCI). This level applies to approximately 140,000 DIB companies that handle FCI but do not process, store, or transmit CUI. The security requirements at Level 1 are basic cyber hygiene practices, encompassing 15 security requirements. These foundational safeguards are essential for any organization handling government information. The assessment type for CMMC Level 1 is a self-assessment, which must be conducted annually. This means that organizations are responsible for evaluating their own compliance with the 15 requirements and attesting to their adherence. While it is a self-assessment, the DoD expects these self-assessments to be accurate and verifiable, forming the baseline for cybersecurity in the defense supply chain Technical Application of CMMC Requirements.
CMMC Level 2: Protecting Controlled Unclassified Information (CUI)
CMMC Level 2 is designed for the protection of Controlled Unclassified Information (CUI) and applies to approximately 75,000 DIB companies. This level is significantly more robust than Level 1, requiring compliance with 110 security requirements. These requirements align directly with DFARS 252.204-7012 and NIST SP 800-171 R2, which are established standards for protecting CUI in non-federal systems. The assessment type for CMMC Level 2 can be either a self-assessment or an assessment conducted by a CMMC Third-Party Organization (C3PAO), as specified in the contract. The choice between a self-assessment and a C3PAO assessment depends on the specific contract requirements and the criticality of the CUI involved. An annual assessment is required for Level 2, ensuring ongoing compliance and continuous improvement of security practices. This level is particularly relevant for MSPs who store, process, or transmit CUI on their own systems or have privileged access to client systems containing CUI, as it often necessitates their own independent CMMC Level 2 certification When MSPs Need CMMC Compliance.
CMMC Level 3: Advanced Persistent Threat Protection
CMMC Level 3 represents the highest tier of the model, focusing on increased protection against Advanced Persistent Threats (APTs). This level adds and validates additional security requirements beyond those found in Level 2, specifically for select DoD programs that handle highly sensitive CUI. While the exact number of additional security requirements is not specified in the provided research, the intent is to implement a more sophisticated and proactive cybersecurity posture. The assessment for Level 3 would likely involve a rigorous C3PAO assessment, given the criticality of the data and the advanced threats it aims to counter. This level is for organizations that require the most robust cybersecurity defenses due to the nature of the CUI they handle and the strategic importance of the DoD programs they support. The CMMC program as a whole ensures that contractors actually implement the security controls they claim to have in place, evolving from NIST SP 800-171 requirements to add third-party verification CMMC Requirements for MSPs.
Frequently Asked Questions
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. It is a three-tier model created by the U.S. Department of Defense to enforce strict cybersecurity standards across the Defense Industrial Base (DIB). Its purpose is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) throughout the defense supply chain. CMMC evolved from NIST SP 800-171 requirements, adding third-party verification to stop data leakage and intellectual property theft CMMC Requirements for MSPs.
Do all MSPs need to be CMMC compliant?
Not all MSPs need to be CMMC compliant, but many do. An MSP is in CMMC scope if it administers IT systems, cybersecurity tools, hosting, networks, or cloud workloads for DoD contractors, especially if it handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If an MSP stores, processes, or transmits CUI on its own systems, or has privileged access to client systems containing CUI, it requires its own CMMC Level 2 certification When MSPs Need CMMC Compliance.
What happens if an MSP is not CMMC compliant?
If an MSP is not CMMC compliant, it can lead to severe consequences. Their clients may lose DoD contracts, as non-compliant service providers become a red flag during CMMC assessments. The DoD can also suspend or bar non-compliant MSPs from working with defense contractors. Additionally, non-compliance can cause significant reputational damage within the defense community, marking the MSP as a security risk CMMC Requirements for MSPs.
What is the difference between an MSP and an MSSP in the context of CMMC?
An MSP (Managed Service Provider) focuses on general IT management to support day-to-day business operations for clients, including defense contractors. An MSSP (Managed Security Service Provider) specializes in IT security, providing technology, processes, and services to proactively protect businesses, such as scanning networks for threats and remediating vulnerabilities. Both MSPs and MSSPs are considered External Service Providers (ESPs) under CMMC and must comply with the framework if they handle or have access to CUI Find A Managed Service Provider (MSP) For CMMC Compliance.
How does CMMC Level 2 assessment work for MSPs?
For MSPs, a CMMC Level 2 assessment is required if they store, process, or transmit CUI on their own systems or have privileged access to client CUI environments. This level requires compliance with 110 security requirements, aligning with NIST SP 800-171 R2. The assessment can be a self-assessment or conducted by a CMMC Third-Party Organization (C3PAO), as specified in the contract, and must be performed annually Technical Application of CMMC Requirements.
Sources
- https://www.smpl-c.com/blog/cmmc-requirements-for-msps-complete-compliance-guide
- https://www.preveil.com/blog/when-does-your-msp-need-to-be-cmmc-compliant/
- https://dodcio.defense.gov/Portals/0/Documents/CMMC/TechImplementationCMMC-Rqrmnts.pdf
- https://www.summit7.us/blog/step-5-find-a-msp-for-cmmc
- https://www.pax8.com/blog/soc-2-compliance/
- https://www.connectwise.com/blog/how-to-get-soc-2-compliance
- https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
Related Reading
- CMMC 2.0 Compliance for MSPs
- SOC as a Service for MSPs Compared
- GDPR Compliance for US MSPs
- MSP HIPAA Compliance for Healthcare Clients
- MSP for Healthcare: HIPAA Compliance and IT Management
— The MSP Directory Team