It’s GO TIME people. It’s for real. At this moment, if you’re an MSP who is delivering IT and security services to a company that requires CMMC Compliance, you are facing perhaps the biggest risk to your company you’ve ever encountered.
Your Clients rely on YOU for them to pass assessment. You are essential. And YOU can be the reason they fail.
The fallout of a CMMC Assessment failure for a control or documentation you are responsible for can be as soft as losing a Client, and as hard as a demand for tens of thousands of dollars back for the services you’ve rendered, lawsuits, or defamation of character online.
If you’re serious about your business, you’ll be serious about a readiness strategy.
NOW is the time to take a sober assessment of your own readiness to present alongside your Client for a CMMC Assessment, AND to have a strategy in place if your Client surprises you with a scheduled Certification Assessment.
Top Priorities:
Priority #1: Communicate to all Clients that you need a minimum of 3 months to prepare for and schedule resources to assist the Client with the CMMC Assessment
Even if you manage the Compliance for the Client, they may freak out about the upcoming November 10th date and decide to engage a C3PAO and set up a quick assessment.
Yes, most (good) C3PAOs are booked out through most of 2026. But OSCs are backing out of assessments at the last minute when they realize they aren’t ready. C3PAOs make their money by turning these assessments, so they are eager to fill those cancellations with companies who want an assessment fast.
Priority #2: Ensure you are REALLY clear on your Service Delivery Scope – People, Technology, and Facilities.
Your Service Delivery Scope (the People, Processes, Security Tools, Maintenance Tools, Documentation Tools, and maybe even Facilities) will be part of your Client’s CMMC Certification Assessment.
Diagram your Service Delivery Scope – the Assessor will need to see it. Then do the following:
Ensure you have suitable toolsets selected and employed. These tools are the BARE MINIMUM required to meet the controls:
- RMM (maintenance, patching, remote access)
- Malware Protection (EDR)
- Vulnerability Scanning
- SIEM
- SOC (service – with appropriate documentation/evidence to pass AU controls)
- Password Manager
- MFA
Ensure the other tools you employ are suitable. If they are on this list, they are also in scope for assessment.
- PAM
- Whitelisting/Endpoint ZTA tool
- SASE
- Backup (if you have a backup tool employed, it must be compliant)
- Email Security (email filter)
- Configuration Management/Hardening Tool
- Documentation Tool (if you’re not just storing the information on your internal SharePoint)
- Security Awareness & Training Platform
- 3rd Party Data Storage and Transfer Tool
- 3rd Party Email Encryption Tool
- DNS Protection Tool
- 3rd Party Encryption Tool
- Ticketing Tool (PSA)
- Network Access Control Tool
- DLP Tool
If you still have not deployed suitable tools to ALL CMMC Clients (or for yourself), create a ‘back of the napkin’ strategy for emergency deployment in case a Client surprises you with a scheduled Certification Assessment.
Priority #3: Get CRMs (Customer Responsibility Matrices) for all your selected vendors
Contact ALL vendors in scope for your assessment and demand CRMs NOW. If they don’t have one, explain what you need and that you won’t be able to continue to use their product without one.
Save all CRMs in a known, shared location on your system so everyone knows where they are.
Priority #4: Have a way to spin up a COMPLIANT Service Delivery Scope – quickly.
If you’re delivering services from technician laptops, those laptops are in scope and all 110 controls apply to them.
That means baseline configuration documentation, devices aligned to the documented baselines, an approved software list with only approved software installed, a compliant security toolset, SOPs for setting up your users, ticket documentation showing you’ve followed your processes, and evidence your team has training for the role they hold (i.e., more than just basic cybersecurity awareness training and phish testing).
If you don’t have all of that now, create a roadmap to get this in place so you can show evidence of compliance during a Client assessment.
At the same time, you need to be prepared to onboard new Clients quickly. As the rubber meets the road, OSCs are jumping ship from their old MSPs in search of someone who will actually get them past assessment.
Ensure you’re setting REASONABLE expectations with these new Clients about the amount of effort required to onboard, remediate, and document.
Don’t be afraid to charge extra for SPEED; in fact, you need to. If a Client demands speed, that comes with a cost to YOU. You need to take technicians and engineers off their scheduled work and reassign/reprioritize them. It’s going to put a lot of pressure on your team. Ensure you’re being properly compensated.
These organizations are betting their businesses on US. Don’t let them down!
Are you an MSP or MSSP with a Client who needs CMMC Compliance? We created The CMMC Documentation Toolkit – a resource full of Policies, Plans, Procedures, How To’s, supporting documentation, and guidance to fast track your own compliance, and the compliance of your Clients.
We also created the CMMC IT Documentation Toolkit Community – a group of like-minded MSPs and MSSPs who share best practices, struggles, and clarity so we are ALL successful in securing the Defense Industrial Base.
Learn more at www.itdoctoolkit.com and join the army of suitable MSPs and MSSPs today!