Questions to Ask Your MSP When Preparing for CMMC
As the Department of Defense continues to enforce CMMC (Cybersecurity Maturity Model Certification) requirements, organizations handling Controlled Unclassified Information (CUI) must ensure every component of their cybersecurity posture—including their Managed Service Provider (MSP)—is audit-ready and aligned with federal standards.
Yet not all MSPs are created equal. Simply offering cybersecurity services is no longer sufficient. Your MSP must be an informed, proactive partner capable of demonstrating maturity, compliance readiness, and a deep understanding of both NIST SP 800-171 and CMMC-specific requirements.
Before partnering with an MSP, there are several key questions you should ask, including:
- Is your MSP CMMC L2 certified via a C3PAO?
- Does your MSP provide a shared responsibility matrix (SRM)?
- Does your MSP maintain an up-to-date System Security Plan (SSP)?
To help you evaluate your MSP's preparedness and suitability, we’ve outlined 11 critical questions you should ask. These cover everything from proof of certification and staffing qualifications to tool compliance, boundary models, and audit support. The answers to these questions will help you determine whether your MSP is truly a strategic ally—or a compliance liability.
Questions to Ask Your MSP When Preparing for CMMC
1) Are you a CMMC Level 2 certified MSP, and can you provide proof of certification (the C3PAO assessment result as recorded with the Department of Defense)?
If your MSP is not independently certified and is in scope for your CUI environment, they either need their own CMMC certification or must be included in your assessment boundary, with the controls they perform for you documented and assessed as part of your assessment.
2) Do you employ formally trained CMMC professionals, specifically Certified CMMC Assessors (CCAs) or Certified CMMC Professionals (CCPs), and can they demonstrate their credentials?
CMMC-aligned MSPs should have staff who have completed official Cyber AB (CAICO) training and certification. These credentials indicate that they understand the assessment methodology, the requirements, and the evidence an assessor expects to see. CMMC goes well beyond general IT or cybersecurity frameworks. If your MSP lacks this expertise, they will struggle to support a defensible compliance program.
3) Do you provide a Shared Responsibility Matrix (SRM) and service description for each engagement that defines which CMMC controls you own, we own, or are shared?
The responsibility matrix (the regulation calls it a Customer Responsibility Matrix, or CRM; SRM is the common industry term for the same document) and the service description are required per 32 CFR § 170.19(c)(2)(ii), and the MSP's services and responsibilities must be reflected in your SSP.
4) Have you assessed whether your software tools (such as backup, remote monitoring and management, antivirus, and cloud-based tools) meet CMMC and FedRAMP requirements when used in a CUI environment?
MSP tools are not exempt. Backups, patching platforms, and other remote services must not introduce non-compliant cloud components into your CUI scope. A cloud service that stores, processes, or transmits CUI must meet the FedRAMP Moderate baseline (or equivalent) required by DFARS 252.204-7012, and a cloud-hosted RMM or backup platform that can reach CUI brings that vendor into your assessment scope.
5) Do you maintain a documented System Security Plan (SSP) and POA&M for your own environment and are those documents available to your customers as evidence of your maturity?
If your MSP does not have an SSP, they cannot model or support compliance properly.
6) Do you support and document different boundary models such as on-premises, full cloud, enclave, or co-managed environments?
Your MSP should be capable of tailoring its approach based on how your business operates—not requiring you to fit into their model.
7) Are your system administrators and any subcontracted personnel, including outsourced help desk staff, Remote Monitoring and Management (RMM) consultants, or platform support teams, located within the United States and able to meet U.S. person requirements where required?
MSPs often rely on third-party contractors or tool vendors to deliver key services like backups, patching, endpoint protection, or systems monitoring. If those services are provided or supported by offshore personnel, or by individuals who do not meet the "U.S. person" definition under export controls or the applicable DFARS clauses, your environment may be at risk. Under NIST SP 800-171, anyone with privileged access (whether direct or indirect) must be screened and is covered by your insider threat controls. If these roles are not fully documented and controlled within your System Security Plan (SSP), they could represent a compliance failure. Your MSP should be transparent about where its people and its partners' people are located, and should be willing to confirm and prove (in writing) its personnel screening practices to ensure alignment with contract and regulatory requirements.
8) Will you accept DFARS 252.204-7012 and 252.204-7021 flow-down responsibilities in your MSA or subcontract?
CMMC Level 2 and DFARS compliance cannot be met without your MSP formally accepting contractual obligations to protect CUI.
9) Do you have experience working with manufacturers or other small businesses subject to CMMC, particularly those with legacy systems, air-gapped equipment, or limited in-house IT staffing?
MSPs should understand how compliance intersects with operational realities. CMMC requires skills that go well beyond traditional IT roles. It is not limited to cloud deployments or commercial frameworks; it requires identifying, properly classifying, documenting, and securing every asset within your CUI boundary, including legacy and air-gapped equipment.
10) Do you produce and maintain documentation to support assessment readiness including policies, procedures, evidence artifacts, and technical system configurations?
Your MSP should assist in gathering or generating assessment-ready artifacts for your environment. Likewise, the MSP must provide and keep current the same artifacts for the systems it manages.
11) Are you prepared to participate directly in a CMMC assessment and defend the systems, services, and security controls you manage when your organization is included in our assessment boundary?
If your MSP supports systems that store, process, or protect CUI, or manages Security Protection Assets, they are likely in scope for your CMMC assessment. In these cases, the MSP must provide evidence that aligns with NIST SP 800-171 and maps to the NIST SP 800-171A assessment objectives. This includes practices such as access control, audit logging, multifactor authentication, and system maintenance, all of which must be documented, implemented, and testable.
Your MSP should be able to specify which controls they are responsible for, identify how those responsibilities are fulfilled, and support the assessment process with formal documentation, policy references, system configurations, and evidence artifacts. They should also maintain a Customer Responsibility Matrix (CRM) and service description that clarify ownership of each control.
You should also ask whether participation in your CMMC assessment is included in your agreement or considered an additional charge. Some MSPs will provide services but avoid direct involvement during an audit. If they are not willing to stand behind their work, provide evidence, and answer questions during an assessment, the risk and consequences will fall solely on you.
CorpInfoTech, a Trusted MSP for CMMC Compliance
CorpInfoTech is a CMMC L2 certified (via a C3PAO) MSP that offers cybersecurity, IT, and CMMC compliance solutions to defense contractors. Through TAS for CMMC Compliance, contractors are able to inherit 200+ of the 320 assessment objectives covered by CMMC Level 2. This makes achieving and maintaining compliance faster, more efficient, and more cost effective. Our compliance solution is also flexible, allowing contractors to secure their CUI on-prem rather than exclusively in an enclave.
Whether it's in a fully or co-managed way, CorpInfoTech is the answer to all of the questions listed above! As an MSP, CorpInfoTech:
- Is a CMMC L2 certified MSP via a C3PAO
- Provides an SRM to its clients
- Employs several CMMC professionals, including CCPs, and is a Cyber AB Registered Provider Organization (RPO)
- Has experience helping contractors prepare for their CMMC assessment
- Can help create the necessary documentation and evidence to prove your organization's compliance posture
CorpInfoTech, a Managed Service Provider (MSP) with over 25 years in the SMB space, is a trusted partner for businesses pursuing compliance and cybersecurity. We are a CMMC Level 2 (C3PAO) certified MSP and a Cyber AB Registered Provider Organization (RPO). Also, as the first CIS-accredited organization, we help organizations implement the CIS Controls as they pertain to CMMC and your overall cybersecurity posture. CorpInfoTech is your trusted partner for secure, compliant growth in an ever-changing digital landscape.