
The Role of MSPs in CMMC Compliance

Small and mid-size defense contractors frequently rely on managed service providers (MSPs) and managed security service providers (MSSPs) for IT infrastructure, security monitoring, and compliance support. Under CMMC, this relationship creates a shared responsibility model that both parties must understand, document, and maintain.

MSPs in the CUI Boundary

If your MSP manages systems that process, store, or transmit CUI — or has administrative access to those systems — the MSP is within your CUI boundary. This means the MSP's practices, controls, and personnel are part of your assessment scope. An assessor will evaluate not just your controls, but the controls your MSP implements on your behalf.

This is a critical point that many contractors miss. Outsourcing your IT does not outsource your CMMC responsibility. You remain accountable for meeting all 110 NIST 800-171 requirements across your entire CUI boundary, including the portions managed by third parties.

Shared Responsibility Matrix

The foundation of a compliant MSP relationship is a clear shared responsibility matrix. For each of the 110 NIST 800-171 requirements, document who is responsible: the contractor, the MSP, or both (shared responsibility). This matrix becomes part of your SSP and tells the assessor exactly how each requirement is met and by whom.

Common MSP-managed controls include network boundary protection, firewall management, endpoint protection deployment and monitoring, vulnerability scanning, patch management, backup and recovery, and SIEM/log management. Common contractor-retained controls include access control decisions, security awareness training, incident response planning, policy development, CUI marking and handling, and personnel security.

MSP Assessment Considerations

Under CMMC, your MSP's security practices will be evaluated as part of your assessment. The C3PAO will want to see evidence that the MSP is implementing their portion of the shared controls effectively. This may include reviewing the MSP's security certifications (SOC 2 Type II, ISO 27001), their security policies, and their technical configurations.

Some MSPs are pursuing their own CMMC certification, which simplifies the assessment process. If your MSP holds a current CMMC certification, the C3PAO can leverage that certification rather than independently assessing the MSP's controls. This is the ideal scenario — look for MSPs that are pursuing or have achieved CMMC certification.

Contractual Requirements

Your MSP contract should include specific cybersecurity provisions: compliance with NIST 800-171 requirements applicable to their scope, incident notification requirements (remember the 72-hour reporting clock), right-to-audit clauses allowing your C3PAO to evaluate MSP controls, data handling and destruction requirements, personnel security requirements for MSP staff with CUI access, and a requirement to maintain their security posture throughout the contract period.

Choosing an MSP for CMMC

Not every MSP is equipped to support CMMC compliance. When evaluating MSPs, ask about their experience with defense contractors, their familiarity with NIST 800-171, whether they are pursuing CMMC certification themselves, and whether they can provide the documentation and evidence your assessor will need. An MSP that cannot articulate the shared responsibility model is not ready to support your compliance program.

