Insights

CMMC for MSPs: The Compliance Land-Grab and How to Win It

CMMC for MSPs is becoming a premium managed service for defense contractors. The service scope, pricing model, timing, and why early providers win.

By Alexej Pikovsky  ·  Updated

There is a kind of moat a competitor cannot buy off a distributor, cannot resell, and cannot fake, because a federal auditor checks it. For managed service providers, that moat now has a name: CMMC. The Cybersecurity Maturity Model Certification is the US Defense Department's requirement that every company in its supply chain prove its security before it can win or keep a contract. It is phasing into live contracts right now, north of 200,000 companies sit inside its scope, and almost none of their IT providers are ready to deliver it. That gap is a land-grab. The MSPs that move into it over the next 18 months will own a premium, defensible, hard-to-copy service line. The ones that wait will watch it commoditize, the way every MSP capability eventually does, and wonder why the accounts already belong to someone else.

I write this from the operator seat, not the vendor seat. I spent a decade in investment banking and private equity working on over 7bn dollars of transactions, including a board seat through a 300m dollar-plus PE exit, and I now run growth inside a US MSP. So I read this the way both halves of that background read it: the operating question of what a client actually needs, and the finance question of whether a new service line adds to the multiple or quietly subtracts from it. CMMC is one of the few service lines that answers both at once, and the reason is scarcity.

CMMC terms MSPs need to know
TermWhat it means for an MSP
CMMCCybersecurity Maturity Model Certification: the DoD's tiered proof-of-security requirement for its supply chain
CUIControlled unclassified information: the data whose presence triggers Level 2 obligations
NIST SP 800-171The 110-control standard behind CMMC Level 2; the real work is implementing and evidencing these controls
Levels 1 / 2 / 3Basic safeguarding, the CUI tier most contractors need, and the enhanced tier for critical programs
C3PAOCertified third-party assessment organization: the auditors who conduct Level 2 assessments; capacity is scarce
OSCOrganization seeking certification: your client
ESPExternal service provider: what the MSP is under CMMC; your own house has to meet the standard your clients inherit
SPRSThe DoD's supplier risk system where self-assessment scores get posted
DFARS 252.204-7012 / 7021The contract clauses that pull the requirement into actual DoD contracts
SSP / POA&MSystem security plan and plan of action: the living documentation an assessor reads first

The certificate is a checkbox. The capability is the business

There are two ways an MSP reacts to CMMC, and only one of them is a business. The first is to chase your own badge and put "CMMC compliant" in the website footer, treating it as a marketing sticker that might win a few defense-adjacent logos. The second is to build the capability to make your clients assessment-ready, and to run the compliant environment for them on a recurring basis, because they cannot run it themselves. The first is a checkbox. The second is a service line.

The checkbox matters only as an entry ticket. You may need your own house in order to credibly serve regulated clients, but the badge on its own is table stakes, and table stakes do not command a premium. The business is on the other side of the table: the defense contractor who just learned that its next contract carries a CMMC clause, has no idea what a System Security Plan is, and needs someone to stand up the whole apparatus and keep it standing. That is not a product you pass through. It is an operating capability plus an audit you shepherd, and it is exactly the kind of work a client cannot commoditize because they cannot see inside it.

Contrast it with the rest of the security stack. Reselling an endpoint tool or a managed detection service used to be a differentiator and is now table stakes, available to every MSP off the same distributors, which is why it prices like a commodity. I mapped that whole landscape and why most of it commoditizes in the cybersecurity market map. CMMC delivery sits outside that dynamic. You are not reselling a SKU every competitor can also resell. You are operating a control environment to a federal standard and carrying a client through a third-party assessment, and that is a capability, not a catalogue item.

The gap your prospects actually have

The reason this is a real opening and not a marketing frame is that the demand is arriving on a schedule and the supply to meet it barely exists. The program rule became law at the end of 2024, and through 2026 and 2027 the contract requirement is phasing into Defense Department solicitations on a rolling basis. The practical effect for a contractor is binary: as the clause lands in your contracts, no certification means no eligibility to bid. This is not a nice-to-have security upgrade. It is the difference between staying in business with the DoD and losing the customer that funds the company.

Who has to comply

Now look at who has to comply. The Defense Industrial Base is north of 200,000 companies, and most of them are small: machine shops, engineering firms, subcontractors three tiers down from the prime, who have never had to run to a federal security bar in their lives. They cannot self-deliver this. Meeting the standard means the 110 controls of NIST SP 800-171, a segmented environment to hold the sensitive data, usually inside Microsoft's government cloud, a System Security Plan and a Plan of Action and Milestones kept continuously current, evidence collected on an ongoing basis, and a third-party assessment by an authorized firm every three years. That is not an internal IT job. It is a managed service, and the natural owner is the MSP who already holds the client's identity, devices, and network.

Why supply stays constrained

Here is the supply side that makes it a land-grab. Most generalist MSPs will not touch this. The government cloud is painful to work in, the control set is real work, the liability of getting a client through an audit is heavy, and the whole thing sits outside the comfortable resold-SKU model. The pool of MSPs that can genuinely deliver is thin, and the pool of authorized assessors is still small, fewer than 150 firms nationally. A demand shock arriving on a fixed timeline, meeting a supply that has barely formed, is the textbook setup for pricing power. It will not stay this scarce, which is the entire point about timing below.

What a CMMC-ready managed service actually is

Compliance sounds abstract until you break it into the deliverables a contractor will pay a monthly fee for. Here is the service line as concrete components, each of which is billable work an MSP is structurally positioned to own.

The CMMC-ready managed service, component by component
ComponentWhat the MSP actually does
Scope and enclave designFind where the sensitive government information (CUI) actually lives, then design a segmented enclave, usually in the government cloud, so the compliance boundary is small, defensible, and cheaper to maintain than locking down the whole business.
The 110 controls, operatedStand up and run the NIST 800-171 control set as a managed service: access control, multifactor everywhere, encryption, logging, incident response. Not a one-time hardening, an operated environment.
SSP and POA&M maintenanceAuthor and keep current the System Security Plan and the Plan of Action and Milestones, the documents the assessor actually grades. These decay the moment the estate changes, so maintaining them is recurring work.
Continuous evidenceCollect and retain audit evidence continuously, so the assessment is a readout of a system already running to standard, not a scramble in the quarter before it is due.
Shared-responsibility matrixDefine in writing what the MSP owns versus what the client owns, the artifact both the client and the assessor require, and the one most contractors have no idea how to produce.
Assessment liaisonManage the third-party assessor relationship and the remediation that follows, the part of the process a contractor is least equipped to run alone.

Notice what none of these are: reselling a product. The MSP does not need to invent any capability it does not already have the raw materials for. The work is scoping, engineering, documentation, evidence, and shepherding, applied to a standard the client is legally required to meet. That is why it holds its value. The specific tools underneath will change. The contractor's need for someone accountable to build the environment, keep the paperwork alive, and get them through the audit does not.

Why this moves the multiple

This is where the finance lens changes the decision. In what moves an MSP's multiple I put cyber scarcity on the short list of levers that actually lift the price a buyer pays. CMMC is the sharpest, hardest-to-fake version of that lever, and it clears every test a buyer applies to revenue quality at once.

It is recurring, because compliance never finishes: the controls run every month, the evidence collects continuously, and the assessment comes round every three years. It is high-margin, because the cost is labor and process, not a passed-through license. It is sticky, because switching the provider who holds your compliance boundary mid-cycle is brutal, and no contractor re-baselines a live audit environment for fun. And it is scarce in the one way that does not erode, because the scarcity is enforced by a federal auditor rather than by you. A competitor cannot resell their way past a government assessment. Recurring, high-margin, sticky, and structurally scarce is the exact revenue profile that the buyers who pay the highest multiples are hunting for, and the method they use to price it is laid out in how to value an MSP.

There is a second-order benefit. A book of defense-vertical clients sitting on compliance retainers does not read as risky concentration. It reads as the profile that earns the top of the range in MSP valuation multiples: a specialist franchise with a regulatory tailwind, the kind of durable, defensible revenue that a platform buyer will pay up to acquire rather than try to build. The buyer pool itself is widening: venture capital is now funding buyers of MSPs who underwrite margin expansion, and a compliance franchise is exactly the kind of defensible book they look for. Building that revenue quality is the same groundwork that carries an owner through exit readiness.

The window, and why it closes

Every land-grab has a clock, and this one is loud. The demand is scheduled: as the requirement phases into contracts from late 2025 through 2028, a fresh wave of contractors discovers each quarter that they cannot bid without help. That is the open half of the window. The closing half is supply catching up. The government cloud tooling is maturing, templated enclaves are appearing, more MSPs will get their own house in order and start selling the service, and the specialist GovCon providers and the large platforms are already moving into the space. Scarcity here is a function of being early.

Being early compounds in two ways that late arrival cannot undo. The first is switching cost: once you hold a contractor's enclave and their audit history, you are extremely hard to displace, so the accounts you win now are accounts you keep. The second is reputation, which in the defense verticals travels through a tight referral network, and the provider known for getting people through assessments gets the next introduction. A late mover competes on price into an account that is already held by someone with the evidence trail and the relationship. Land, once claimed, is expensive to take back.

How to price it

Structure it as a project followed by a retainer, and price the retainer for what it protects rather than what it costs. The onboarding, scoping the boundary, standing up the enclave, writing the first SSP, remediating to pass, is project work with a real setup fee. The value is the recurring compliance retainer that follows, billed per seat or per client, and priced at a clear premium to a standard managed-services agreement.

The trap is to bundle it in as a slightly bigger managed-services package priced off your cost stack, the same mistake that caps how much an MSP should charge everywhere else. That gives away the whole advantage. Our analysis of roughly 2,000 US MSPs' own published pricing shows how tightly the market clusters on cost-anchored per-seat numbers, and CMMC delivery is precisely where you should break from that pattern. You are not billing for hours or licenses. You are billing for the eligibility to bid that the client loses without you, which is value-based pricing in its purest form, and the reasoning behind that choice is in MSP pricing models in 2026 and why cost-plus pricing caps your valuation.

The one moat a competitor cannot buy

Step back and the whole argument is one contrast. Most moats an MSP builds can be bought off a distributor by the competitor down the road: the same tools, the same certifications, the same resold services, available to anyone willing to sign the reseller agreement. A regulatory moat cannot be bought that way. The bar is set by the Defense Department, checked by an independent assessor, and structurally hard to clear, so it concentrates value in the few providers that clear it and holds them there. That is what separates CMMC from every other "add a security service" pitch aimed at MSP owners.

The catch is the clock. Land-grabs reward arrival, not intention. The capability takes months to stand up and a reputation takes longer, and the contractors losing eligibility are choosing their providers now, not later. The MSPs that treat CMMC as a checkbox will get a sticker for the footer. The ones that treat it as a business will get a defensible, premium, recurring service line and a franchise a buyer pays up for. The window to be one of them is open. It will not stay that way.

FAQ

What is CMMC and who does it apply to?

CMMC, the Cybersecurity Maturity Model Certification, is the US Defense Department's requirement that companies in its supply chain prove they meet a defined security standard before they can win or keep contracts. It applies to the Defense Industrial Base, north of 200,000 companies, and flows all the way down the subcontract chain. Most contractors handling sensitive government information must meet the 110 controls of NIST SP 800-171 and pass a third-party assessment.

Why is CMMC an opportunity for MSPs specifically?

Because the contractors who need it cannot deliver it themselves, and the MSP already holds the identity, device, and network infrastructure the standard is built on. The requirement is phasing into contracts through 2026 and 2027, so demand is arriving on a schedule, while the supply of MSPs that can genuinely deliver is thin and the pool of authorized assessors is small. Scheduled demand meeting scarce supply is what creates pricing power.

Does serving a defense contractor put my MSP in scope?

If your MSP handles or protects the client's controlled unclassified information, yes, you are treated as an external service provider and your part of the environment is assessed alongside the client's. That is why a credible CMMC service line starts with getting your own house in order, then extends to operating the compliant environment for clients as a managed service with a written shared-responsibility matrix defining who owns what.

How should an MSP price a CMMC-ready service?

As a project plus a premium recurring retainer. Charge a real setup fee for scoping the boundary, standing up the enclave, writing the first System Security Plan, and remediating to pass. Then bill an ongoing per-seat or per-client retainer priced for the eligibility it protects, not the cost of the tools underneath. Without the service the client cannot bid on contracts, which makes this value-based pricing rather than cost-plus.

Why is the window closing?

Because supply is catching up to demand. Government-cloud tooling is maturing, templated enclaves are appearing, more MSPs will start selling the service, and specialist and large platform providers are moving in. The scarcity that creates today's pricing power is a function of being early. First movers lock in accounts with high switching costs and a referral reputation in a tight-knit vertical, while late movers compete on price into accounts already held.

Getting exit-ready

If you own an MSP and expect to sell to private equity one day, the groundwork for a strong exit starts years before the process, and building recurring, high-margin, defensible service lines like this one is a large part of it. I work with owners on exit readiness. Get in touch.