MSPs and CMMC Level 2: Certification Isn’t Always Required—But It Might Be

A question we often receive – from organizations utilizing managed service providers (MSPs) and MSPs alike – is whether CMMC Level 2 compliance is required. As with other CMMC obligations, the answer to this question depends on the MSP’s relationship with controlled unclassified information (CUI).  

Understanding the role an MSP plays regarding CUI is critical to determining the scope of CMMC Level 2 compliance. If you look through the CMMC requirements, you may notice that MSPs are never explicitly named in the scoping or assessment guides; instead, all documentation refers to External Service Providers (ESPs). An ESP is any third-party entity, including MSPs, MSSPs, and CSPs, that provides IT or security services affecting the confidentiality, integrity, or availability of CUI.


There are multiple scenarios to consider regarding your MSP and CMMC compliance: 

#1

MSPs who store, process, or transmit CUI on their own systems must meet CMMC Level 2 compliance for the systems that handle CUI. 

This is often the most obvious case people think of when considering an MSP’s relationship with CUI. An MSP is clearly in scope if they: 

  • Process or transmit CUI (e.g., emails, tickets, file transfers).
  • Store CUI artifacts such as logs, backups, or images from systems containing CUI.
  • Host workloads containing CUI (e.g., servers, backups, VDI).

#2

MSPs who have privileged or impactful access to a CUI enclave are in scope for CMMC Level 2 compliance. 

This is where many people start to have questions about whether their MSP is in scope. An MSP will be in scope if, for systems that contain CUI, they:

  • Have administrator or root access.
  • Can deploy agents, perform patching, or edit configurations.
  • Can alter or otherwise affect security controls.

#3

MSPs who manage Security Protection Assets (SPAs), such as SIEMs, firewalls, and logging tools, for systems containing CUI are still in scope for CMMC Level 2 compliance. 

Similar to the above considerations, an MSP will be in scope if they: 

  • Manage identity, networking, backup, logging, or other security tools.
  • Provide SOC, SIEM, MDR, or vulnerability management systems.

#4

MSPs who do not interact with CUI (or SPAs protecting CUI) are out of scope. 

An MSP must meet all criteria below in order to remain out of scope: 

  • MSP systems do not store, process, or transmit CUI.
  • MSP access is limited, with no administrative privileges for any systems impacting CUI, and no security-impacting roles.
  • Access is non-persistent, monitored, and time-bound.
  • The customer maintains control over logging, security, and identity measures.
  • Restrictions are technically enforced, not merely stated in a policy or contract.

Key Questions to Determine MSP CMMC Scope

Does your MSP: 

  • Have domain admin access, even if they don’t store CUI?
  • Centralize backup or logging across all systems, both CUI and non-CUI?
  • Have the ability to change configurations on systems containing CUI?
  • Collect or store CUI-derived data?
  • Have permissions that would allow them to change or disable security controls? 

If you answer “yes” to any of the above questions, the MSP is in scope. 


Options for MSPs impacting CUI 

An MSP who has impactful access to CUI or relevant systems can: 

  • Pursue CMMC Level 2 compliance (whether for the full organization or via an enclave) and become independently certified. While this requires an initial investment of effort, holding its own certification means the MSP does not have to participate in every customer’s audit.
  • Limit their access so they can no longer impact CUI.
  • Offload CUI-supporting functions to a Level 2 certified third party.

Additionally, an MSP that does not store, process, or transmit CUI but does manage SPAs has the option to participate in every relevant customer’s CMMC audit instead of pursuing CMMC Level 2 certification for its own organization. While this eases the initial compliance burden, it takes ongoing time and effort to participate in every applicable customer’s audit moving forward.

How Echelon Can Help

Unclear MSP scope is one of the most common causes of CMMC Level 2 delays and failed assessments. Echelon helps DoD contractors and service providers define CUI boundaries, evaluate MSP/ESP access, and align environments with NIST 800-171.

As a CMMC Registered Practitioner Organization (RPO), we guide clients from scoping and gap analysis through audit readiness and certification.

Learn how Echelon supports organizations with CMMC 2.0 Level 2 compliance.

At the end of the day, if an MSP can have an impact on the confidentiality, integrity, or availability of CUI, their systems or services are in scope for CMMC Level 2 compliance. It is critical to understand the shared responsibilities of the MSP/customer relationship to accurately determine if an MSP is in scope for your audit.  

Are you ready to get started?