Last updated: April 2026
Affiliate Disclosure: We may earn a commission when you purchase through our links. This does not affect our editorial independence.
Quick Answer
- CMMC Level 1 applies to about 140,000 Defense Industrial Base (DIB) companies handling Federal Contract Information (FCI), requiring 15 security controls and an annual self-assessment.
- If an MSP stores, processes, or transmits Controlled Unclassified Information (CUI) on its own systems, it needs its own CMMC Level 2 certification, as clarified by Matt Travis, CEO of the Cyber AB.
- Failing to meet CMMC standards can lead to contract loss, mandatory vendor reporting, and suspension from defense work for MSPs.
- CMMC Level 2 applies to roughly 75,000 DIB companies working with CUI, requiring 110 security controls based on NIST SP 800-171 R2.
Managed Service Providers (MSPs) working with the U.S. Department of Defense (DoD) supply chain must understand and achieve Cybersecurity Maturity Model Certification (CMMC) compliance. This certification is not just for defense contractors; it extends directly to MSPs who handle sensitive government data. The DoD created CMMC to enforce strict cybersecurity standards across the Defense Industrial Base (DIB), ensuring that every contractor and subcontractor, including MSPs, proves they meet these security requirements. Approximately 140,000 DIB companies are subject to CMMC Level 1, which requires 15 security controls and an annual self-assessment for handling Federal Contract Information (FCI) Technical Application of CMMC Requirements. If an MSP stores, processes, or transmits Controlled Unclassified Information (CUI) on its own systems, it requires its own CMMC Level 2 certification, a significant shift for the industry.
What is CMMC and Why Does it Matter for MSPs?
CMMC stands for Cybersecurity Maturity Model Certification. It is a set of standards designed by the U.S. Department of Defense (DoD) to protect sensitive government information within the defense supply chain. The CMMC program enforces strict cybersecurity standards across the Defense Industrial Base (DIB). This means any company, including Managed Service Providers (MSPs), that works with defense contractors and handles sensitive government data must meet these security requirements.
The Purpose of CMMC
The main goal of CMMC is to stop data leakage and intellectual property theft within the defense supply chain. It ensures that contractors actually implement the security controls they claim to have in place. The CMMC evolved from earlier NIST SP 800-171 requirements. It adds a crucial element: third-party verification. This verification step ensures that the cybersecurity practices are not just documented but are actively used and effective. The DoD wants to make sure that all contractors and subcontractors touching DoD data demonstrate their adherence to these security standards.
MSPs as Critical Links in the Supply Chain
MSPs are directly affected by these rules because they manage networks, systems, and cloud services for their clients, often having privileged access to contractor environments. These environments may contain Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). Because of this access and the data they handle, MSPs must meet the same security standards as their defense contractor clients. The defense supply chain depends on every link maintaining strong cybersecurity. MSPs are critical links in that chain, and their compliance directly impacts the overall security posture of the DIB. Understanding CMMC requirements for MSPs is not optional; it is a business requirement for any MSP serving the defense sector.
Protecting Sensitive Information
CMMC is a 3-tier model that sets increasing requirements to assess and protect both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data. CMMC Levels 1 and 2 validate full compliance with existing regulations, while CMMC Level 3 adds and validates additional security requirements for select DoD programs. This tiered approach is designed to increase protection against advanced persistent threats. The "CMMC Status of Level 1, Level 2, or Level 3" can be a condition for contract awards when included in contracts that process, store, or transmit FCI or CUI. Prime contractors are expected to flow these requirements down to their subcontractors, based on the type of data shared. This cascading requirement means MSPs supporting subcontractors also need to be aware of and comply with CMMC standards.
The Broader Impact
Beyond direct contract requirements, CMMC compliance builds trust. For MSPs, demonstrating CMMC compliance signals to potential and existing defense contractor clients that they are a secure and reliable partner. This can lead to new business opportunities and strengthen existing relationships. The DoD’s focus on robust cybersecurity means that non-compliance for any party in the supply chain can jeopardize the security of sensitive national defense information, underscoring why CMMC matters so much for MSPs.
When Do MSPs Need Their Own CMMC Certification?
An MSP is considered CMMC-applicable if it administers IT systems, cybersecurity tools, hosting, networks, or cloud workloads for Department of Defense (DoD) contractors. If an MSP handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on behalf of a client, it falls under CMMC scope. This broad definition means many MSPs supporting the defense sector will need to consider their own CMMC certification.
Defining "In Scope" for MSPs
MSPs are in scope for CMMC if they meet any of these conditions: they store CUI data on their own infrastructure, transmit sensitive information between systems, process contractor data that includes CUI, or have privileged access to client systems containing CUI. Even if an MSP does not directly handle the data, having privileged access automatically places it within the compliance boundary. This means that managing client networks or providing system administration, even remotely, can trigger CMMC obligations. The crucial point is the presence and accessibility of CUI within the MSP's operational purview.
A Key Clarification for External Service Providers
A significant shift in policy was clarified by Matt Travis, CEO of the Cyber AB, during a May Cyber-AB Town Hall. He stated that if an External Service Provider (ESP), which includes MSPs but not Cloud Service Providers (CSPs), stores, processes, or transmits CUI on its own systems—and not just administers someone else’s systems—then it requires its own Level 2 CMMC certification. This clarification is vital for MSPs. It means that if an MSP's internal systems, tools, or infrastructure touch CUI, the MSP itself must undergo a CMMC Level 2 assessment independently from its clients. Failure to do so means the MSP will be assessed in addition to the customer’s assessment, effectively requiring a second assessment each time one of its customers gets assessed. This policy marks an important shift for the industry, pushing many MSPs to pursue their own compliance journey while still advising clients on theirs.
Practical Examples of In-Scope Activities
This requirement applies to several common MSP activities. For example, an MSP managing a Remote Monitoring and Management (RMM) tool that collects data from a client’s CUI environment would need its own CMMC Level 2 certification. Similarly, if an MSP acts as an administrator for platforms like Microsoft GCC High or PreVeil, and their access includes client emails or documents containing CUI, then the MSP itself must achieve CMMC Level 2 compliance. These scenarios highlight that direct interaction with CUI on the MSP's own systems or through tools it manages makes independent certification necessary. Understanding when MSPs need CMMC compliance is crucial for continued business in the defense sector.
Beyond Direct Data Handling
The scope extends beyond direct storage or processing. If an MSP's privileged access allows it to view, modify, or otherwise interact with CUI on a client's system, even if the data never resides on the MSP's infrastructure, the MSP still has CMMC obligations. This is because the MSP becomes a potential vector for data compromise. Therefore, comprehensive cybersecurity practices aligned with CMMC are essential for any MSP providing services to DoD contractors, even for general IT support that might involve access to sensitive environments.
What Are the Levels of CMMC and Their Requirements?
CMMC is structured as a 3-tier model, with each level introducing increasing requirements to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) data. This tiered approach ensures that cybersecurity measures are scaled appropriately to the sensitivity of the information being handled.
CMMC Level 1: Foundational Protection for FCI
CMMC Level 1 is the baseline for cybersecurity and applies to approximately 140,000 Defense Industrial Base (DIB) companies. This level is specifically designed for organizations that handle Federal Contract Information (FCI). FCI is information, not intended for public release, that is provided by or generated for the Government under a contract. For Level 1, organizations must comply with 15 specific security requirements. These requirements are foundational cybersecurity practices. The assessment type for CMMC Level 1 is a self-assessment, which must be conducted annually. This annual self-assessment ensures that basic cybersecurity hygiene is maintained consistently across the DIB.
CMMC Level 2: Enhanced Protection for CUI
CMMC Level 2 builds significantly on Level 1 and is crucial for organizations that handle Controlled Unclassified Information (CUI). CUI is government-created or owned information that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy. Roughly 75,000 DIB companies fall under the scope of CMMC Level 2. This level mandates full compliance with NIST SP 800-171 R2, which includes 110 security requirements. These requirements are more extensive and complex than Level 1, focusing on protecting CUI from more sophisticated threats.
For CMMC Level 2, the assessment type can vary. It may be a self-assessment, or it could require an assessment by a CMMC Third-Party Organization (C3PAO). The specific assessment type is determined by what is specified in the contract. This flexibility allows the DoD to tailor the level of third-party oversight based on the criticality of the CUI involved and the specific program. The assessments for Level 2 are also conducted annually, ensuring continuous adherence to the more rigorous standards.
CMMC Level 3: Advanced Protection for Critical Programs
CMMC Level 3 represents the highest tier of cybersecurity requirements within the model. This level is designed for select DoD programs that require protection against advanced persistent threats (APTs). It adds and validates additional security requirements beyond those in NIST SP 800-171 R2. While the exact number of DIB companies subject to Level 3 is smaller, its requirements are the most stringent, reflecting the high-stakes nature of the information involved. Level 3 focuses on proactive defense and sophisticated threat mitigation strategies. Assessments for Level 3 are even more rigorous, involving government-led evaluations.
The Importance of Meeting Each Level
Each CMMC level is a condition of contract award when included in contracts that process, store, or transmit FCI or CUI. Prime contractors are obligated to flow these requirements down to their subcontractors based on the data shared. This means that an MSP's CMMC status directly impacts its ability to secure and retain contracts within the defense supply chain. Failing to meet the specified level of compliance can lead to significant business consequences. MSPs must accurately determine which CMMC level applies to their operations and clients, then diligently work to implement and maintain the required security controls.
What Are the Consequences of Non-Compliance for MSPs?
Failing to meet CMMC standards creates serious problems for Managed Service Providers (MSPs) and their defense contractor clients. The implications extend beyond just technical issues, impacting business relationships, contract eligibility, and reputation within the defense community. The U.S. Department of Defense (DoD) designed CMMC to enforce stringent cybersecurity, and non-compliance undermines the entire framework.
Loss of Contracts
One of the most immediate and severe consequences is contract loss. If an MSP is not CMMC compliant, its defense contractor clients may not be able to win DoD contracts. This is because CMMC status, whether Level 1, Level 2, or Level 3, is a condition for contract award when it's included in contracts that involve processing, storing, or transmitting Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If an MSP is a critical part of a contractor's IT infrastructure and is non-compliant, it becomes a liability that can disqualify the contractor from bidding on or securing DoD work. This means the MSP not only loses potential business for itself but also causes its clients to lose business. The ripple effect can be substantial, damaging the MSP's financial stability and its relationships with clients.
Mandatory Vendor Reporting and Red Flags
During CMMC assessments, defense contractors are required to document every vendor that has access to their CUI systems. This includes MSPs. If an MSP is non-compliant, it becomes a significant red flag during the assessment process. Auditors will identify these non-compliant vendors, which can delay or even derail a client's CMMC certification. Such documentation can highlight security weaknesses in the contractor's supply chain, directly attributing those weaknesses to the MSP. This transparency means that non-compliance is easily identified and cannot be hidden, making it a critical issue for both the MSP and its clients.
Suspension from Defense Work
The DoD has the authority to suspend or even bar MSPs from working with defense contractors if they fail to meet CMMC standards. This is a direct measure to protect national security interests and sensitive information. Such a suspension would effectively cut off an MSP from a significant and often lucrative market segment. For MSPs heavily reliant on defense sector clients, this could be a business-ending event. The DoD's stance is clear: every link in the defense supply chain must maintain strong cybersecurity, and non-compliant entities will be removed to protect the integrity of the system.
Reputational Damage
Word spreads fast in the defense community. An MSP that is known for non-compliance or for causing its clients to lose contracts will quickly be marked as a security risk. This reputational damage can be difficult, if not impossible, to overcome. Potential clients will be wary of engaging with an MSP that has a history of cybersecurity issues, especially in a sector where trust and security are paramount. This can lead to a decline in new business opportunities and the erosion of existing client relationships, impacting the MSP's long-term viability. The defense supply chain depends on every link maintaining strong cybersecurity, and MSPs are critical links in that chain. Understanding CMMC compliance for IT providers isn't optional anymore; it's a business requirement for any MSP serving the defense sector.
Legal and Financial Penalties
While the primary focus of CMMC is on contract eligibility and security posture, non-compliance can also expose MSPs to potential legal and financial penalties. Although CMMC itself is not a regulatory framework with direct fines, failure to protect CUI can lead to violations of other regulations, such as the False Claims Act, if contractors misrepresent their compliance status. Additionally, data breaches resulting from an MSP's non-compliance could lead to costly litigation, regulatory fines, and significant financial losses due to incident response, recovery, and potential client compensation.
How Can MSPs Turn CMMC Compliance into a Business Opportunity?
While CMMC compliance presents significant challenges, it also offers Managed Service Providers (MSPs) a unique opportunity to grow their business and enhance their market position. By proactively embracing CMMC, MSPs can transform a regulatory burden into a profitable service model and become indispensable partners in the defense ecosystem.
Becoming a Trusted Partner
The demand for CMMC-compliant services is rapidly increasing among defense contractors. Many contractors, especially smaller and mid-sized businesses, lack the internal expertise and resources to navigate the complex CMMC requirements on their own. This creates a clear need for external support. MSPs that achieve and maintain their own CMMC certification, particularly Level 2 for handling Controlled Unclassified Information (CUI), position themselves as trusted experts. When an MSP can demonstrate its own compliance, it provides a strong assurance to clients that it understands the regulations and can implement the necessary controls effectively. This trust is invaluable in the defense sector, where security is paramount.
Offering Specialized Cybersecurity Solutions
MSPs can develop and offer specialized cybersecurity solutions that are directly aligned with CMMC standards. This includes services such as:
- CMMC Gap Assessments: Helping clients identify where their current security posture falls short of CMMC requirements.
- Implementation of CMMC Controls: Assisting with the deployment and configuration of the 110 security requirements specified in NIST SP 800-171 R2 for CMMC Level 2.
- Security Information and Event Management (SIEM) for CUI: Providing monitoring and incident response services tailored to CUI protection.
- Access Control and Identity Management: Implementing robust systems to ensure only authorized personnel have access to sensitive data.
- Managed Security Services: Offering ongoing proactive threat detection, vulnerability management, and remediation services that align with CMMC.
- Documentation and Policy Development: Helping clients create the necessary policies and procedures required for CMMC audits.
By offering these tailored services, MSPs move beyond general IT support to become strategic cybersecurity advisors. This shift allows them to command higher-value contracts and build deeper, more resilient client relationships.
Providing Ongoing Compliance Support
CMMC is not a one-time achievement; it requires continuous monitoring, maintenance, and annual assessments. MSPs can provide ongoing compliance support, ensuring that clients remain compliant year after year. This recurring service model generates predictable revenue and solidifies the MSP's role as an essential partner. Ongoing support can include:
- Continuous Monitoring: Regularly checking systems for compliance deviations and potential vulnerabilities.
- Audit Preparation: Helping clients prepare for their CMMC assessments, whether self-assessments for Level 1 or C3PAO-led assessments for Level 2.
- Training and Awareness: Educating client employees on CMMC requirements and best practices for handling CUI and FCI.
- Incident Response Planning: Developing and testing incident response plans that meet CMMC standards.
The good news is that MSPs can turn CMMC compliance into a profitable service model. By offering cybersecurity solutions aligned with CMMC standards and providing ongoing compliance support, managed service providers can become trusted partners in the defense ecosystem. This proactive approach not only mitigates the risks of non-compliance but also creates new avenues for business growth and specialization.
Differentiating in the Market
Achieving CMMC compliance for an MSP, especially CMMC Level 2, serves as a powerful competitive differentiator. In a crowded market, being able to say "we are CMMC compliant ourselves, and we can get you there too" sets an MSP apart. It signals a high level of commitment to security and a deep understanding of the unique needs of defense contractors. This can be a deciding factor for clients choosing an MSP, making compliance a strong selling point. MSPs that proactively invest in CMMC compliance are well-positioned to capture a larger share of the defense contractor market.
What is the Difference Between an MSP and an MSSP in CMMC Context?
Understanding the distinction between a Managed Service Provider (MSP) and a Managed Security Service Provider (MSSP) is important, especially when discussing stringent cybersecurity frameworks like CMMC. While both types of providers offer outsourced IT services, their primary focus and the depth of their security offerings differ significantly.
Managed Service Provider (MSP)
A Managed Service Provider (MSP) primarily focuses on managing a client's day-to-day IT operations. This typically includes a broad range of services aimed at ensuring the smooth functioning of business technology. Common MSP services encompass network management, server maintenance, help desk support, software updates, data backup and recovery, and infrastructure monitoring. The core goal of an MSP is to keep a client's IT systems running efficiently and reliably, supporting overall business operations.
In the context of CMMC, an MSP might handle systems that store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If an MSP has privileged access to client systems containing CUI, or if its own infrastructure handles CUI, it will fall under CMMC scope. For example, an MSP managing a client's general IT network that also contains CUI would need to ensure their practices align with CMMC. Their role is broad, covering general IT health and functionality.
Managed Security Service Provider (MSSP)
A Managed Security Service Provider (MSSP), on the other hand, specializes in providing IT security services. An MSSP's focus is specifically on protecting a business from cyber threats. They do this by adding specialized technology, processes, and services designed to proactively safeguard the client's digital assets. MSSP services typically include continuous security monitoring, intrusion detection, vulnerability management, threat intelligence, security incident response, firewall management, and compliance reporting. The goal of an MSSP is to reduce cybersecurity risks, detect threats, and remediate vulnerabilities before they can cause significant damage.
In the CMMC context, an MSSP's services are directly aligned with many of the cybersecurity controls required by CMMC Levels 1, 2, and 3. For instance, an MSSP would be instrumental in implementing the 110 security requirements of NIST SP 800-171 R2 for CMMC Level 2, which covers areas like access control, incident response, risk management, and system integrity. MSSPs are designed to scan networks for threats and remediate vulnerabilities, offering a specialized security focus relevant to CMMC. They might manage Security Information and Event Management (SIEM) solutions, provide security awareness training, or conduct penetration testing, all of which contribute to CMMC compliance.
Overlap and Specialization in CMMC
While there is some overlap, especially as MSPs increasingly offer basic security services, the key difference lies in the depth and specialization of security. An MSP might include basic antivirus and firewall management as part of its general IT package. An MSSP, however, provides a much more comprehensive and specialized suite of security services, often with dedicated security analysts and advanced threat detection tools.
For CMMC, both MSPs and MSSPs can play crucial roles. An MSP might manage the overall IT environment, ensuring that the infrastructure is set up to support CMMC. An MSSP would then layer on the specific security controls and monitoring necessary to meet the CMMC requirements for protecting FCI and CUI. Many defense contractors choose to work with both: an MSP for their general IT needs and an MSSP for their specialized cybersecurity and CMMC compliance efforts. Finding the right Managed Service Provider (MSP) or MSSP for CMMC compliance could be one of the most important steps for defense contractors supporting the Department of Defense.
Why is SOC 2 Compliance Important for MSPs?
System and Organization Controls 2 (SOC 2) attestation is a critical data security standard that has become increasingly important for Managed Service Providers (MSPs). While CMMC focuses on government contracts and Controlled Unclassified Information (CUI), SOC 2 demonstrates a broader commitment to data security and privacy for all types of customer data.
Proving Data Protection Capabilities
SOC 2 compliance serves as a competitive differentiator that proves a business can protect sensitive customer data. It is an auditing procedure that ensures service providers securely manage data to protect the interests of their clients and the privacy of their clients' customers. The audit evaluates an organization's information security system based on the AICPA's (American Institute of Certified Public Accountants) Trust Services Criteria. These criteria include Security, Availability, Processing Integrity, Confidentiality, and Privacy. For MSPs, achieving SOC 2 means demonstrating robust controls in these areas, reassuring clients that their data is handled with the utmost care. This is especially crucial in an era where the cloud and countless applications are often used for processing and storage of confidential data.
Meeting Client Expectations and Winning Deals
Data security and privacy are no longer just internal matters for businesses; they are paramount for end users and clients alike. In industries such as SaaS, fintech, and healthcare, where data security is not just expected but legally mandated, SOC 2 compliance is often a deciding factor in winning enterprise deals. Many larger clients, particularly those in regulated industries, will require their service providers, including MSPs, to be SOC 2 compliant as a prerequisite for partnership. Without it, an MSP may be excluded from significant business opportunities. This makes SOC 2 not just a best practice, but a business necessity for growth and market access.
Complementing CMMC Compliance
While CMMC is specific to the defense industrial base and government data, SOC 2 compliance can complement an MSP's overall security posture. Many of the controls and practices implemented for SOC 2, such as robust access controls, incident response procedures, and continuous monitoring, align with and support the requirements of CMMC. An MSP that is SOC 2 compliant already has a strong foundation in cybersecurity best practices, which can make the journey to CMMC compliance smoother. It demonstrates a holistic approach to security, showing that the MSP protects all client data, not just CUI. Learn why this data security standard matters for MSPs.
Enhancing Trust and Reputation
Achieving SOC 2 attestation significantly enhances an MSP's reputation and builds trust with clients. It signals that the MSP has undergone a rigorous third-party audit and has established and maintains strong internal controls over information security. This trust is vital in an environment where cyber threats are constantly evolving, and data breaches can severely impact businesses. For MSPs, SOC 2 compliance provides independent validation of their security commitments, giving clients peace of mind. This can lead to stronger client relationships, increased client retention, and a positive brand image in the marketplace. MSP SOC compliance guide offers further details on this.
Operational Benefits
Beyond external validation, pursuing SOC 2 compliance also brings internal operational benefits. The process of preparing for a SOC 2 audit forces an MSP to review and strengthen its internal security policies, procedures, and controls. This often leads to improved operational efficiency, better risk management, and a more secure overall environment. By embedding these robust practices, an MSP becomes more resilient to cyber threats and better prepared to handle data security challenges proactively.
Frequently Asked Questions
What is CMMC Level 1 compliance for MSPs?
CMMC Level 1 compliance for MSPs applies if they handle Federal Contract Information (FCI). It requires adherence to 15 security requirements, which are basic cybersecurity hygiene practices. This level is applicable to approximately 140,000 DIB companies and demands an annual self-assessment to ensure ongoing compliance. An MSP providing general IT support for a client that only handles FCI would typically need to meet Level 1.
How does CMMC Level 2 impact MSPs handling CUI?
CMMC Level 2 significantly impacts MSPs handling Controlled Unclassified Information (CUI). If an MSP stores, processes, or transmits CUI on its own systems, or has privileged access to client systems containing CUI, it requires its own CMMC Level 2 certification. This involves meeting 110 security requirements based on NIST SP 800-171 R2. This level applies to roughly 75,000 DIB companies and may require a CMMC Third-Party Organization (C3PAO) assessment, depending on the contract.
What are the risks if an MSP is not CMMC compliant?
If an MSP is not CMMC compliant, it faces severe risks, including contract loss for its clients, becoming a red flag during mandatory vendor reporting in client assessments, and potential suspension or barring from working with defense contractors by the DoD. Non-compliance also leads to significant reputational damage in the defense community, marking the MSP as a security risk.
Can CMMC compliance be a service offered by MSPs?
Yes, CMMC compliance can be a profitable service offered by MSPs. MSPs can turn compliance into a business opportunity by providing specialized cybersecurity solutions aligned with CMMC standards, such as gap assessments, implementation of controls, and ongoing compliance support. By doing so, they become trusted partners in the defense ecosystem, helping clients meet their CMMC obligations.
Why is SOC 2 compliance relevant for MSPs in addition to CMMC?
SOC 2 compliance is highly relevant for MSPs because it proves their ability to protect sensitive customer data, which is a critical factor for winning enterprise deals, especially in industries like SaaS, fintech, and healthcare. While CMMC focuses on government data, SOC 2 demonstrates a broader commitment to data security and privacy for all client data, enhancing trust and providing a competitive differentiator in the market.
Sources
- https://www.smpl-c.com/blog/cmmc-requirements-for-msps-complete-compliance-guide
- https://www.preveil.com/blog/when-does-your-msp-need-to-be-cmmc-compliant/
- https://dodcio.defense.gov/Portals/0/Documents/CMMC/TechImplementationCMMC-Rqrmnts.pdf
- https://www.summit7.us/blog/step-5-find-a-msp-for-cmmc
- https://www.pax8.com/blog/soc-2-compliance/
- https://www.connectwise.com/blog/how-to-get-soc-2-compliance
- https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
- https://www.ninjaone.com/blog/msp-soc-compliance-guide/
Related Reading
- CMMC 2.0 Compliance for MSPs
- MSP PCI DSS Compliance Services
- MSP Compliance and Certification Guide
- MSP SOC 2 Compliance Journey
- GDPR Compliance for US MSPs
— The MSP Directory Team