Independent, AI-assisted research · Affiliate disclosure
Uptime
guide

MSP Liability Insurance Guide

April 12, 2026 · 15 min read

Last updated: April 2026

Affiliate Disclosure: We may earn a commission when you purchase through our links. This does not affect our editorial independence.

Quick Answer

  • CMMC is a 3-tier model to assess and protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data.
  • Approximately 140,000 DIB companies handle FCI and require CMMC Level 1, which involves 15 security requirements and an annual self-assessment.
  • Around 75,000 DIB companies handle CUI and require CMMC Level 2, which mandates 110 security requirements based on DFARS 252.204-7012 and NIST SP 800-171 R2, with assessment types specified in the contract.
  • SOC 2 compliance is a competitive differentiator for MSPs, proving their ability to protect sensitive customer data and often deciding factors in winning enterprise deals, especially in industries like SaaS, fintech, and healthcare.

Managed Service Providers (MSPs) face increasing pressure to meet stringent cybersecurity standards, especially when working with the U.S. Department of Defense (DoD) supply chain or handling sensitive customer data. The Cybersecurity Maturity Model Certification (CMMC) and Service Organization Control 2 (SOC 2) attestation are two critical compliance frameworks. CMMC, a 3-tier model, enforces cybersecurity standards across the Defense Industrial Base (DIB) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This means MSPs who manage IT systems or handle data for DoD contractors must often meet the same security requirements as their clients. For example, around 140,000 DIB companies handling FCI require CMMC Level 1, which includes 15 security requirements and an annual self-assessment. Simultaneously, SOC 2 compliance is vital for MSPs across all sectors, demonstrating robust data security practices that build trust and secure new business opportunities. Navigating these requirements is not just about avoiding penalties; it is about establishing credibility and expanding service offerings.

What is CMMC and Why Does it Matter for MSPs?

CMMC, or the Cybersecurity Maturity Model Certification, is a program developed by the U.S. Department of Defense to strengthen cybersecurity across its vast Defense Industrial Base (DIB). This framework ensures that contractors and subcontractors who handle sensitive government data, specifically Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), meet strict security standards. For MSPs, CMMC is critical because many manage networks, systems, and cloud services for defense contractors. This often gives them privileged access to environments that contain CUI, making them directly subject to CMMC requirements.

The Purpose of CMMC

The primary goal of CMMC is to stop data leakage and intellectual property theft within the defense supply chain. It evolved from earlier NIST SP 800-171 requirements by adding a layer of third-party verification. This verification ensures that contractors actually implement the security controls they claim to have in place, rather than just having policies on paper. The DoD requires every contractor and subcontractor touching DoD data to prove they meet these security requirements.

MSPs and CMMC Scope

MSPs are critical links in the defense supply chain. If an MSP administers IT systems, cybersecurity tools, hosting, networks, or cloud workloads for DoD contractors, they are considered CMMC-applicable. This is true even if they do not directly handle the data but have privileged access to client systems containing CUI. The program ensures that the entire chain maintains strong cybersecurity, making MSPs an essential part of the compliance ecosystem. CMMC requirements for MSPs are not optional for those serving the defense sector.

CMMC's Tiered Structure

CMMC is structured as a 3-tier model, with increasing requirements at each level to assess and protect FCI and CUI data. CMMC Levels 1 and 2 validate full compliance with existing regulations, while CMMC Level 3 adds and validates additional security requirements for select DoD programs. Level 3 aims to increase protection against advanced persistent threats. The "CMMC Status of Level 1, Level 2, or Level 3" can be a condition of contract award when included in contracts that process, store, or transmit FCI or CUI. Primes flow these requirements down to subcontractors based on the data shared.

Aligning with Standards

CMMC currently aligns to several key NIST Special Publications. These include NIST SP 800-171 R2, NIST SP 800-171A Jun2018, NIST SP 800-172 Feb2021, and NIST SP 800-172A Mar2022. This alignment ensures that the CMMC framework is built upon widely recognized and robust cybersecurity guidelines. The goal is a unified and enforceable set of standards across the DIB.

When Do MSPs Need to Be CMMC Compliant Themselves?

An MSP's need for CMMC compliance depends on the specific services it provides and how it handles client data. Generally, if an MSP interacts with Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on behalf of a DoD contractor, it falls under CMMC scope. This means understanding when MSPs need CMMC compliance is crucial for business continuity and client relationships.

Direct Handling of CUI

A key trigger for an MSP's own CMMC Level 2 certification is the direct handling of CUI on its internal systems. Matt Travis, CEO of the Cyber AB, clarified this policy shift. He stated, "If an ESP (that is not a Cloud Service Provider) is storing, processing, or transmitting CUI on their own systems—not just administering someone else’s systems—then they require their own Level 2 CMMC certification." This marks an important change for many MSPs who previously thought they were exempt. If an MSP fails to get its own independent assessment, it will be assessed alongside each customer, effectively requiring multiple assessments.

Scenarios Requiring CMMC Level 2

Several scenarios put an MSP directly in scope for its own CMMC Level 2 certification:

  • Storing CUI data: If the MSP's infrastructure holds CUI data.
  • Transmitting sensitive information: If the MSP's systems are used to send sensitive information between client systems.
  • Processing contractor data: If the MSP processes any client data that includes CUI.
  • Privileged access: Even without directly storing or processing CUI, having privileged access to client systems containing CUI places the MSP within the compliance boundary.
  • RMM Tools: Managing a remote monitoring and management (RMM) tool that collects data from a client’s CUI environment requires the MSP to be compliant.
  • Administrator Access: Being an administrator of platforms like Microsoft GCC High or PreVeil, where access includes client emails or documents containing CUI, also brings the MSP into scope.

General IT Support vs. CUI Handling

The distinction lies in whether the MSP’s systems touch CUI. If an MSP only provides general IT support that does not involve storing, processing, or transmitting CUI on its own infrastructure, and does not have privileged access to CUI, it might not need its own CMMC certification. However, any interaction with CUI or systems containing it, even through privileged access, triggers compliance obligations. This is a critical point for MSPs serving the defense sector.

Impact on Business

This policy shift means many MSPs and MSSPs now face a dual challenge. They must pursue their own CMMC compliance journey while continuing to advise their clients on theirs. Understanding When MSPs need CMMC compliance is essential for avoiding penalties and maintaining business relationships with defense contractors. Failing to comply can lead to significant business losses and reputational damage.

What Are the Consequences of CMMC Non-Compliance for MSPs?

Failing to meet CMMC standards can lead to severe repercussions for Managed Service Providers, impacting their business, their clients' contracts, and their standing in the defense community. The U.S. Department of Defense created CMMC to ensure every link in the defense supply chain maintains strong cybersecurity. Non-compliance by an MSP weakens this chain, making it a critical business risk.

Loss of Contracts and Business Opportunities

One of the most immediate consequences is the loss of contracts. If an MSP is not CMMC compliant, its defense contractor clients cannot win or maintain DoD contracts that require CMMC certification. This means the MSP loses business, and so do its clients. The DoD can even suspend or bar MSPs from working with defense contractors altogether. This directly impacts revenue and future growth opportunities within the lucrative defense sector.

Mandatory Vendor Reporting and Red Flags

During CMMC assessments, defense contractors must document every vendor who has access to their CUI (Controlled Unclassified Information) systems. If an MSP is found to be non-compliant, it immediately becomes a red flag for the contractor and the DoD assessors. This can complicate the client's assessment process and potentially jeopardize their contract status. Non-compliant MSPs are seen as security risks, which can lead to clients seeking alternative, compliant service providers.

Reputational Damage

Reputation is paramount in the defense community. Word spreads quickly when a service provider is deemed a security risk due to non-compliance. This reputational damage can extend beyond the defense sector, affecting an MSP's ability to attract clients in other sensitive industries. A reputation for lax security or non-compliance can be difficult to overcome, leading to long-term business challenges.

Legal and Financial Implications

While not explicitly detailed as fines in the provided research, failure to protect CUI can have significant legal and financial implications. DFARS 252.204-7012 already requires NIST SP 800-171 R2 compliance for CUI handling, and CMMC builds upon this. Non-compliance could expose MSPs to liability if a data breach occurs due to their negligence or failure to implement required controls. The costs associated with data breaches, including investigations, remediation, and potential legal fees, can be substantial.

Business Requirement, Not Optional

For any MSP serving the defense sector, understanding CMMC compliance for IT providers is no longer optional. It is a fundamental business requirement. The defense supply chain depends on every entity, including MSPs, maintaining robust cybersecurity. This means investing in compliance is not just about avoiding penalties but also about becoming a trusted and indispensable partner in the defense ecosystem.

How Do CMMC Levels Work for Defense Contractors and MSPs?

The Cybersecurity Maturity Model Certification (CMMC) operates on a tiered system, with three distinct levels that dictate the stringency of cybersecurity requirements. These levels are designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) for the U.S. Department of Defense (DoD) supply chain. Both defense contractors and their Managed Service Providers (MSPs) must understand these levels to ensure compliance and maintain eligibility for DoD contracts.

CMMC Level 1: Foundational Safeguards

CMMC Level 1 focuses on the protection of Federal Contract Information (FCI). This level involves 15 security requirements, which are foundational cybersecurity practices. Approximately 140,000 DIB companies handle FCI and fall under this level. The assessment type for CMMC Level 1 is a self-assessment, which must be performed annually. This means contractors and their MSPs, if applicable, are responsible for verifying their own adherence to these basic cybersecurity measures.

CMMC Level 2: Protecting Controlled Unclassified Information (CUI)

CMMC Level 2 is designed for the protection of Controlled Unclassified Information (CUI). This level significantly increases the number of security requirements to 110, aligning with DFARS 252.204-7012 and NIST SP 800-171 R2. Around 75,000 DIB companies handle CUI and are subject to CMMC Level 2. The assessment type for Level 2 can vary; it may be a self-assessment or require a CMMC Third-Party Organization (C3PAO) assessment, as specified in the contract. MSPs who store, process, or transmit CUI on their own systems for defense contractors must pursue their own CMMC Level 2 certification.

CMMC Level 3: Advanced Persistent Threat Protection

CMMC Level 3 is the highest level, adding and validating additional security requirements beyond Level 2. This level is for select DoD programs that require increased protection against advanced persistent threats. While Levels 1 and 2 validate full compliance with existing regulations, Level 3 introduces more sophisticated cybersecurity measures. The specifics of Level 3 assessments and requirements are more complex and are tailored for highly sensitive defense programs.

The Role of Alignment with NIST Standards

CMMC currently aligns to several important NIST Special Publications. These include NIST SP 800-171 R2, NIST SP 800-171A Jun2018, NIST SP 800-172 Feb2021, and NIST SP 800-172A Mar2022. This alignment ensures that CMMC builds upon established and recognized cybersecurity frameworks. For MSPs, this means that foundational work done to meet NIST standards can contribute significantly to their CMMC compliance journey. The goal is a consistent and robust approach to cybersecurity across the entire defense industrial base.

Condition for Contract Award

The CMMC status (Level 1, Level 2, or Level 3) is a condition for contract award when included in DoD contracts that involve processing, storing, or transmitting FCI or CUI. Prime contractors are responsible for flowing these requirements down to their subcontractors based on the type of data shared. This makes compliance a non-negotiable aspect of doing business within the defense sector, driving MSPs to integrate CMMC into their service models.

What is SOC 2 Compliance and Why is it Important for MSPs?

Service Organization Control for Service Organizations 2 (SOC 2) is a data security standard that has become increasingly vital for Managed Service Providers (MSPs). It provides an attestation that proves a business can protect sensitive customer data, making it a powerful competitive differentiator. In an era where data security and privacy are paramount, especially with widespread cloud adoption, SOC 2 compliance is not just about internal controls; it is about building trust with clients and their end users.

Proving Data Protection Capabilities

SOC 2 compliance demonstrates an MSP's ability to securely manage data. This is crucial for protecting the interests of their clients and the privacy of their clients' customers. The audit evaluates how an organization handles customer data based on five "Trust Services Criteria": security, availability, processing integrity, confidentiality, and privacy. An MSP that achieves SOC 2 compliance can provide independent assurance to its clients that its systems and processes meet these rigorous standards.

A Competitive Advantage

In competitive markets, SOC 2 compliance often serves as a deciding factor in winning enterprise deals. This is particularly true in industries where data security is a high expectation, such as SaaS (Software as a Service), fintech (financial technology), and healthcare. These sectors handle vast amounts of confidential and personally identifiable information, making robust security a non-negotiable requirement for their service providers. By obtaining SOC 2, an MSP signals its commitment to top-tier data protection, setting itself apart from competitors. SOC 2 compliance for MSPs is a strategic investment in growth.

Building Client Trust

The cloud and its numerous applications are frequently used for the usage, processing, and storage of confidential data. As MSPs increasingly manage these cloud environments for their clients, the need for transparency and assurance regarding data handling practices grows. SOC 2 attestation provides this assurance, fostering greater trust between the MSP and its clients. Clients can be confident that their sensitive information is being handled with the highest level of care and security.

Navigating Client Audits

MSPs often play a supporting role in their clients' own SOC 2 audits. However, achieving their own SOC 2 compliance can significantly streamline this process. It provides ready documentation and proof of controls that clients can leverage for their own compliance efforts. As ConnectWise notes, SOC 2 is a competitive differentiator that proves a business can protect sensitive customer data, and it is often a deciding factor in winning enterprise deals. This makes it a proactive step for MSPs looking to serve demanding industries.

Continuous Improvement

The SOC 2 audit process encourages continuous improvement in an MSP's security posture. It requires ongoing monitoring and evaluation of controls, ensuring that security practices remain effective and up-to-date. This commitment to ongoing security enhances the MSP's overall operational resilience and ability to respond to evolving cyber threats.

What is the Difference Between an MSP and an MSSP?

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) both offer outsourced IT services, but their core focus areas differ significantly. Understanding this distinction is crucial for businesses seeking specific types of support and for service providers looking to define their market position. While there can be overlap, their primary objectives and service offerings are distinct.

Managed Service Provider (MSP)

An MSP primarily focuses on managing a client's day-to-day IT operations. This includes a broad range of services designed to support business continuity and efficiency. Typical MSP services encompass network management, system maintenance, help desk support, cloud services management, and general IT infrastructure oversight. The goal of an MSP is to ensure that a client's IT systems run smoothly, are available, and support the business's operational needs. They handle routine tasks, proactive maintenance, and troubleshooting to keep the IT environment functional and optimized.

Managed Security Service Provider (MSSP)

In contrast, an MSSP specializes in providing IT security services. Their core mission is to proactively protect a business from cyber threats. MSSPs achieve this by implementing advanced security technologies, robust processes, and specialized services aimed at preventing, detecting, and responding to security incidents. Key services offered by an MSSP include:

  • Threat Monitoring: Continuously scanning networks and systems for malicious activity and vulnerabilities.
  • Vulnerability Management: Identifying and remediating security weaknesses before they can be exploited.
  • Incident Response: Developing and executing plans to contain and recover from cyberattacks.
  • Security Information and Event Management (SIEM): Collecting and analyzing security logs to detect anomalies.
  • Compliance Management: Helping clients meet various security regulations and standards, such as CMMC or SOC 2.

Overlap and Evolution

While the distinction is clear in their primary focus, many MSPs are evolving to offer some level of security services, often becoming "hybrid" providers. Conversely, some MSSPs may provide basic IT management as part of their comprehensive security packages. The critical difference lies in the depth and specialization of security services. An MSSP typically has dedicated security analysts, advanced threat intelligence capabilities, and a more robust focus on risk mitigation and compliance with security frameworks. For example, an MSSP is more likely to be deeply involved in helping clients achieve specific security certifications like CMMC, especially if they are providing services that directly handle Controlled Unclassified Information (CUI). Finding the right MSP or MSSP is a crucial step for defense contractors, as highlighted in the "7 Steps to CMMC" guide.

Why the Distinction Matters

For businesses, choosing between an MSP and an MSSP (or a provider offering both) depends on their specific needs and risk profile. A company primarily needing operational IT support might opt for an MSP. However, a business operating in a highly regulated industry or handling sensitive data, especially for the Department of Defense, would likely require the specialized security expertise of an MSSP to address specific threats and compliance requirements like CMMC. Buyers also need to decide how much of IT to keep in-house versus outsource — our Co-Managed IT vs Fully Managed: 2026 MSP Decision Guide walks through that trade-off, including how it affects liability and insurance scope.

Frequently Asked Questions

Do all MSPs need to be CMMC compliant?

No, not all MSPs need to be CMMC compliant. An MSP needs to be CMMC compliant if it administers IT systems, cybersecurity tools, hosting, networks, or cloud workloads for U.S. Department of Defense (DoD) contractors. Specifically, if the MSP stores, transmits, or processes Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on its infrastructure, or has privileged access to client systems containing CUI, it falls under CMMC scope. For instance, approximately 140,000 DIB companies handle FCI and require CMMC Level 1, which may necessitate their MSPs to comply if they handle this data.

What kind of data triggers CMMC compliance for an MSP?

CMMC compliance for an MSP is triggered by handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If an MSP's systems store, process, or transmit CUI on their own infrastructure, or if they have privileged access to client systems containing CUI, they are in scope. This also applies if an MSP manages a remote monitoring and management (RMM) tool that collects data from a client’s CUI environment. Approximately 75,000 DIB companies handle CUI and require CMMC Level 2, impacting their MSPs directly.

Can an MSP help a client achieve CMMC compliance?

Yes, an MSP can help a client achieve CMMC compliance. MSPs can turn CMMC compliance into a profitable service model by offering cybersecurity solutions aligned with CMMC standards and providing ongoing compliance support. They can become trusted partners in the defense ecosystem by guiding clients through the CMMC requirements. However, if the MSP itself stores, processes, or transmits CUI on its own systems, it will require its own CMMC Level 2 certification, as clarified by Matt Travis, CEO of the Cyber AB.

Is SOC 2 compliance mandatory for MSPs?

SOC 2 compliance is not legally mandatory for all MSPs, unlike some regulatory frameworks. However, it is highly recommended and often a business requirement for MSPs, especially those serving industries like SaaS, fintech, and healthcare, where data security is a primary concern. SOC 2 attestation proves a business can protect sensitive customer data and serves as a significant competitive differentiator. It is often a deciding factor in winning enterprise deals, showcasing an MSP's commitment to robust security controls.

How does CMMC Level 2 assessment work?

CMMC Level 2 applies to approximately 75,000 DIB companies handling Controlled Unclassified Information (CUI). This level requires compliance with 110 security requirements based on DFARS 252.204-7012 and NIST SP 800-171 R2. The assessment type for CMMC Level 2 can be either a self-assessment or a CMMC Third-Party Organization (C3PAO) assessment, as specified in the contract. If an External Service Provider (ESP) stores, processes, or transmits CUI on its own systems, it must undergo a CMMC Level 2 assessment independently from its clients.

Sources

  1. https://www.smpl-c.com/blog/cmmc-requirements-for-msps-complete-compliance-guide
  2. https://www.preveil.com/blog/when-does-your-msp-need-to-be-cmmc-compliant/
  3. https://dodcio.defense.gov/Portals/0/Documents/CMMC/TechImplementationCMMC-Rqrmnts.pdf
  4. https://www.summit7.us/blog/step-5-find-a-msp-for-cmmc
  5. https://www.pax8.com/blog/soc-2-compliance/
  6. https://www.connectwise.com/blog/how-to-get-soc-2-compliance
  7. https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
  8. https://www.ninjaone.com/blog/msp-soc-compliance-guide/

Related Reading

— The MSP Directory Team

MSP Finder

What IT support does your business need?

Related Articles

Stay in the loop

Get the latest articles delivered to your inbox.