ScalePad Guide, March 17, 2026 (7 min read)

11 Common CMMC 2.0 Mistakes MSPs Make (And How to Avoid Them)

By Mike Vipond, ControlMap

CMMC 2.0 is no longer “on the horizon.” It’s here, and it's required for contract eligibility.

For MSPs, this represents both a significant revenue opportunity and a serious responsibility. But there’s still confusion about how MSPs should approach CMMC certification — whether for their clients, for themselves, or both.

That’s why Dan Fox, Co-Founder of ControlMap, hosted a CMMC 2.0 webinar with Kyle Lai, President and CISO of KLC Consulting and an authorized C3PAO assessor responsible for conducting CMMC Level 2 certifications.

Whether leading or supporting, the MSP plays an important role in the CMMC 2.0 certification process. In this article, we explore the top considerations every MSP should understand for CMMC 2.0 certification initiatives — and the most common mistakes to avoid.

11 Common CMMC 2.0 Mistakes Made by MSPs

Let’s dive into the most common mistakes MSPs make during the assessment and certification process:

1. Inadequate Artifacts and Demo Preparation

Many MSPs underestimate the amount of preparation required to provide proof. It’s not enough to say a control exists. You need to clearly demonstrate it with the right screenshots, logs, reports, policies, live walkthroughs, and linkage to objectives. When teams aren't sure what evidence to present — especially during the on-site inspection — assessments can quickly go off track.

“Companies that use the right GRC tools, like ControlMap, are able to organize the information, so when we go into specific controls, we can read the documentation and get to the artifacts a lot easier,” says Kyle. “GRC tools can really help us get more clarity and ask fewer questions.”

2. Existing Practices Don’t Match the Written Processes

The documentation says one thing, but daily operations say another. Maybe logs are reviewed weekly, but the security plan says they should be reviewed daily. Maybe patching timelines differ from what’s written. Assessors will check that what’s happening in real life matches what’s on paper — and if those don’t align, controls can fail, even if your security posture is strong.

3. No Mock Assessment Before the Real One

Skipping a practice run is risky. Without a mock assessment led by someone experienced in CMMC, gaps often go unnoticed until it’s too late. A dry run helps catch weak documentation, missing evidence, misclassified POA&Ms, scope confusion, incomplete baselines, and misunderstood requirements before the official review.

4. Outdated Scope, Boundary, and Asset Inventory

Environments change fast — new tools, devices, cloud services, integrations, and internal and external connections. But if the security plan doesn’t reflect what’s actually in use, that’s a problem.

An accurate inventory and clear system boundaries are foundational. If they’re wrong, everything else starts to wobble. MSPs can avoid this by double-checking that asset inventory and system boundaries are accurate before starting the process. “Scoping is very important,” Kyle adds. “Make sure you have the scope and boundaries defined.”
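Mistakes 2 and 4 are the same failure seen from two angles: the System Security Plan says one thing and the environment shows another. The following script, an added example rather than code from the post or from ControlMap, takes constructed SSP declarations (a declared log-review cadence and an in-scope asset list) and constructed evidence (dated review sign-offs and hosts observed inside the boundary) and reports every gap an assessor would find. Hostnames, dates and field names are all assumptions.

```python
"""Documentation-versus-reality check for mistakes 2 and 4 above.

Added example, not code from the post or from ControlMap. The SSP declarations,
log-review dates and discovered hosts are all constructed sample data.
"""
from datetime import date

# Constructed SSP declarations: declared log-review cadence and the assets
# the plan places inside the assessment boundary.
SSP = {
    "log_review_interval_days": 1,  # the plan says daily
    "in_scope_assets": {"fw-edge-01", "dc-01", "file-srv-01", "lt-0042"},
}

# Constructed evidence: dated log-review sign-offs (weekly in practice) and
# hosts actually observed inside the boundary, e.g. from an RMM export.
LOG_REVIEWS = [date(2026, 3, 2), date(2026, 3, 9), date(2026, 3, 16)]
DISCOVERED_ASSETS = {"fw-edge-01", "dc-01", "file-srv-01", "lt-0042",
                     "nas-backup-02", "lt-0077"}


def cadence_findings(reviews, declared_days):
    """Flag each interval between consecutive reviews that exceeds the SSP cadence."""
    ordered = sorted(reviews)
    findings = []
    for earlier, later in zip(ordered, ordered[1:]):
        gap = (later - earlier).days
        if gap > declared_days:
            findings.append(f"log review gap of {gap} days ({earlier} to {later}) "
                            f"exceeds the declared {declared_days}-day interval")
    return findings


def inventory_findings(declared, discovered):
    """Undocumented hosts break scoping; documented-but-absent hosts are stale entries."""
    findings = [f"undocumented asset inside boundary: {a}" for a in sorted(discovered - declared)]
    findings += [f"stale inventory entry, not observed: {a}" for a in sorted(declared - discovered)]
    return findings


def ssp_gap_report(ssp, reviews, discovered):
    """Everything an assessor would read as 'paper does not match practice'."""
    return (cadence_findings(reviews, ssp["log_review_interval_days"])
            + inventory_findings(ssp["in_scope_assets"], discovered))


if __name__ == "__main__":
    for finding in ssp_gap_report(SSP, LOG_REVIEWS, DISCOVERED_ASSETS):
        print("FINDING:", finding)
```

Run it before the mock assessment, not during the real one: every line it prints is either an SSP edit or an operational change you still have time to make.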

5. Poorly Documented (Or Missing) Configuration Baselines

You must define what “secure” looks like for each type of asset. Laptops, servers, and firewalls should each have a documented baseline configuration. Without that, it’s difficult to prove systems are consistently and securely set up for the role they play in the client’s business.

6. Undocumented Specialized Assets (SA) or Contractor-Managed Assets (CMA)

Some systems aren’t tested directly during a Level 2 review — but they still must be documented. “We are not going to ask you to show us the demo. However, we still look for the documentation,” says Kyle. If specialized equipment or contractor-managed assets touch sensitive information, they need to be in the security plan and asset inventory. Leaving them out creates unnecessary risk.

7. Confusion Between Operational Plan of Action (OPoA) and Plan of Action & Milestone (POA&M)

There’s a big difference between work that’s fully completed and work that’s still in progress. Items that are fully implemented are treated differently from items that require future remediation.

OPoA is a CMMC-specific term. OPoA items are considered met, while POA&M items are not met; confusing the two can derail an assessment, and misclassifying them results in failed requirements that could have been avoided.

8. Unclear ESP/CSP/MSP Inheritance and Shared Responsibility Documentation

If a cloud or service provider handles part of a requirement, that needs to be clearly documented. Which controls are fully inherited? Which are shared? Which are your responsibility? When ownership isn’t clearly defined, the control will not count.

Failing to document clearly, for each requirement, whether it is fully inherited from, partially inherited from, or managed internally rather than by the ESP (External Service Provider), CSP (Cloud Service Provider) or MSP (Managed Service Provider) creates confusion during the assessment and will lead to unmet controls.

9. Missing Evidence From Providers (CSPs or ESPs) or the MSP

You can’t just say a cloud provider or MSP handles something — you may need FedRAMP documentation for the CSP (Cloud Service Provider) or a clear Shared Responsibility Matrix (SRM) for the ESP (External Service Provider) to back it up. That includes formal security documentation from providers and clear evidence of the MSP’s own processes, like how firewalls are managed. If the proof isn’t available, the requirement may not count.
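Mistakes 8 and 9 reduce to one rule: a requirement counts only when its ownership is explicit and the owning party's evidence is on file. The check below, an added example and not code from the post or from ControlMap, walks a constructed Shared Responsibility Matrix and returns, per requirement, why an assessor could not credit it. The requirement numbers follow NIST SP 800-171 numbering; the rows, ownership values and evidence file names are assumptions.

```python
"""Shared Responsibility Matrix (SRM) completeness check for mistakes 8 and 9.

Added example, not code from the post or from ControlMap. Rows are constructed
sample data; the requirement ids use NIST SP 800-171 numbering.
"""

VALID_OWNERSHIP = {"inherited", "shared", "internal"}

# Constructed SRM rows: requirement id, who owns it, and the evidence held on
# the provider side (CSP/ESP) and on the customer/MSP side.
SRM = [
    {"req": "3.1.1", "ownership": "internal", "provider_evidence": None,
     "own_evidence": "AD-group-review-2026Q1.pdf"},
    {"req": "3.3.1", "ownership": "shared", "provider_evidence": "CSP-FedRAMP-SRM-v3.xlsx",
     "own_evidence": None},
    {"req": "3.13.1", "ownership": "inherited", "provider_evidence": None,
     "own_evidence": None},
    {"req": "3.4.1", "ownership": "", "provider_evidence": None,
     "own_evidence": "baseline-laptop-v2.md"},
    {"req": "3.5.3", "ownership": "inherited", "provider_evidence": "CSP-FedRAMP-SRM-v3.xlsx",
     "own_evidence": None},
]


def check_row(row):
    """Return the reasons this requirement would not count, or [] if it is assessable."""
    problems = []
    owner = row["ownership"]
    if owner not in VALID_OWNERSHIP:
        problems.append("ownership not defined")
        return problems  # nothing else can be judged without a named owner
    if owner in ("inherited", "shared") and not row["provider_evidence"]:
        problems.append("provider evidence missing (FedRAMP package or SRM)")
    if owner in ("internal", "shared") and not row["own_evidence"]:
        problems.append("own evidence missing (policy, configuration or process record)")
    return problems


def srm_report(rows):
    """Map requirement id to its problems; clean requirements are omitted."""
    return {r["req"]: p for r in rows if (p := check_row(r))}


if __name__ == "__main__":
    for req, problems in srm_report(SRM).items():
        print(req, "->", "; ".join(problems))
```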

10. Key People Not Available During the Assessment

Assessments move quickly and often require live explanations or demonstrations. If the right people aren’t in the room or on call, questions go unanswered, and delays pile up. Preparation means scheduling the right people, not just assembling documentation: the engineer who manages the firewall, the SSP author, the person who owns logging, and so on.

11. Leaving Custom Software Out of Scope

Custom-built applications are often overlooked, especially if they’re developed in-house. But if they store or transmit sensitive information — even source code — they likely need to be included in scope. Missing them can create serious compliance gaps.

Other CMMC 2.0 Certification Considerations

Decide Your Role: Are You Leading or Supporting?

Early in any CMMC engagement, you need to make a strategic decision: Are you acting as the security lead (vCISO)? Or are you strictly providing managed services while another firm owns the security program? Will your MSP support several CMMC clients? Does going for your own CMMC certification make sense?

This choice affects everything that follows — especially how you design and manage enclaves.

An enclave is a segmented, tightly controlled portion of an environment where Controlled Unclassified Information (CUI) is stored and processed. Instead of spreading compliance across the entire organization, contractors isolate CUI to reduce scope and risk.

Clarity on your role prevents scope creep and unexpected compliance exposure. Keep the sensitive data sectioned off and tightly controlled, and be explicit about whether it stays inside the enclave or ever touches MSP systems (like backups or tooling).

Scope Based on the Contract — But Design for the Future

You don’t choose CMMC Level 1 or Level 2. The contract dictates that. But proper scoping goes beyond compliance level. “It’s important for the MSP to understand the contractor’s current business and their future state. You don’t want to design something that’s too restrictive,” says Kyle.

If the company plans acquisitions, expansion, or hiring growth, a tightly constrained environment may require premature reassessment or costly redesign. Build for the current contract, but leave flexibility for what’s next based on your client’s long-term plans.

Keep an Eye on CMMC 2.0 Flow-Down Requirements

Compliance doesn’t stop with the prime contractor. “If the subcontractors do not meet requirements, that means the prime contractors are not meeting their requirements,” says Kyle.

If CUI flows to subcontractors, those subcontractors must meet the required level. If they don’t, the prime contractor is out of compliance — and that can put the entire contract at risk. Prime contractors should vet subcontractors early and only source partners who can meet the right compliance level, so the whole chain stays eligible.

Take the Next Step on Your CMMC Journey

CMMC 2.0 is a structural shift in how the defense supply chain manages risk, and MSPs are at the center of it. MSPs play a key role in clients' CMMC certification, whether they lead or support.

With CMMC adoption accelerating at a rapid pace, the path for MSPs is simple:

  • Decide your role early.
  • Scope precisely — and plan for growth.
  • Vet subcontractors carefully.
  • Align documentation with reality.
  • Practice with a mock assessment.

Becoming CMMC-compliant yourself will help you understand the process and requirements, making it easier to then offer it to your clients.

Today, we’re seeing hundreds of ControlMap MSP partners working on new CMMC projects every quarter. This growth is only beginning to meet the needs of the 300,000–500,000+ organizations expected to adopt CMMC in the coming years.

ControlMap provides everything MSPs need to guide clients from readiness to certification. The platform aligns directly with NIST 800-171 and CMMC Levels 1 and 2, providing MSPs with a single platform to track every document, score, and milestone on the path to certification.
