The Questions to Ask Before You Pick an MSP for CMMC

Published by Three Fours

If you’re a defense contractor preparing for CMMC Level 2, the managed service provider you choose will shape your compliance journey more than almost any other decision. Here are the questions that separate a real compliance partner from a well-intentioned liability — and why the time to ask them is now.


There are approximately 44,000 managed service providers operating in the United States. The vast majority of them — including well-run, reputable firms that have served their clients faithfully for years — are not equipped to support a CMMC Level 2 audit.

That’s not a criticism. It’s a structural reality of where the market stands today. CMMC is a new regime. The infrastructure, documentation, tooling, and operational discipline required to support compliant environments represent a substantial investment — one that most MSPs haven’t yet made, and many never will.

For defense contractors heading into CMMC Level 2 certification, that reality has consequences. If your MSP isn’t equipped for CMMC, your path to certification isn’t just harder — it may be blocked entirely until you make a change. And the later you discover that, the more painful the change becomes.

This post is about how to find out before you’re under audit pressure. The questions below are the ones that separate a real compliance partner from a well-intentioned liability.

Why This Matters More Than You Think

Here’s what catches most defense contractors off guard: CMMC compliance isn’t just about your own organization. It extends to every vendor and service provider that touches your CUI environment — including your MSP.

Your C3PAO auditor will assess the entire environment, including the infrastructure your MSP manages. Gaps on the MSP side become your problem during the audit. If the managed environment can’t demonstrate the required controls, your certification is at risk — regardless of how well your internal team has prepared.

There’s a second complication that’s less widely understood: once you’ve been audited with a specific MSP in place, switching providers mid-journey isn’t just a procurement change. It can trigger a re-assessment. The audit clock resets. The certification journey restarts. That has real financial and contractual costs — at exactly the time when CMMC deadlines are firm and getting firmer.

This is why MSP selection, done before your first audit, is one of the most consequential decisions in your entire compliance journey.

The Questions That Matter

If you’re evaluating a current or prospective MSP for CMMC Level 2, these are the questions that will tell you — quickly — whether they’re a compliance asset or a compliance risk.

1. What is your own CMMC certification status, and what is your timeline?

There are three legitimate answers: “We’re certified today” (rare — fewer than a dozen MSPs nationwide), “Our assessment is scheduled for [specific date] with [named C3PAO],” or “We’re not pursuing certification.” The first two are viable partners. The third is not, for CMMC work.

Watch for vague language: “We’re CMMC-ready.” “We’re compliance-focused.” “We can help you get there.” These phrases often signal an MSP that hasn’t made the structural investments and is hoping to learn alongside you. That’s not a partnership — that’s a shared risk, with you bearing most of it.

2. Do you operate an Azure GCC-High environment or equivalent FedRAMP-authorized infrastructure for CUI handling?

If the answer is “we use Azure commercial with additional security hardening,” that’s not adequate for CUI. If the MSP doesn’t know what GCC-High is, or can’t speak to the specific boundary controls and data sovereignty requirements DoD demands, move on. A government-grade cloud environment is foundational, not optional.

3. Can you provide a Shared Responsibility Matrix for our engagement?

This document clearly delineates which of the 110 CMMC controls are owned by the MSP, which are owned by you, and which are shared. A capable MSP has a template ready and can walk you through it. An unprepared MSP won’t know what you’re asking for — or will promise to assemble one “as we go,” which means trying to build a foundational artifact under assessment pressure.

4. How is your 24/7 SOC integrated into your managed services platform?

CMMC requires continuous monitoring and mandatory reporting of security events to the U.S. government within 24 hours. That requires a real Security Operations Center — not a monitoring dashboard and a business-hours support team. Ask who runs their SOC, how it’s integrated, and how incidents are escalated.

5. What GRC tooling do you use for evidence collection and compliance documentation?

The 110 controls in CMMC Level 2 aren’t a one-time checklist. They’re an ongoing operational requirement, with evidence that must be continuously collected, documented, and maintained. Purpose-built GRC platforms — Drata, Vanta, and similar — make this manageable. Without them, the documentation burden alone can consume significant internal resources and leave you unprepared at assessment time.

6. Who are your advisory and audit partners, and are they independent?

The CMMC ecosystem works because the roles are separated: an independent C3PAO conducts the audit, a vCISO advises on policy and documentation, and the MSP builds and operates the technical environment. When a single provider tries to play multiple roles — audit prep, policy authoring, and infrastructure management — accountability breaks down. The defense community has a phrase for this: grading your own homework. It isn’t a shortcut. It’s a liability.

What Good Answers Look Like

A capable CMMC MSP will answer these questions specifically, with documentation ready. They’ll name their C3PAO partner. They’ll show you their Shared Responsibility Matrix. They’ll walk you through their GCC-High tenant architecture. They’ll introduce you to their SOC team. They’ll explain their GRC platform and what evidence it captures.

A less capable MSP will speak in generalities. “We take security seriously.” “We have partnerships.” “We’ll figure out the details during onboarding.” Those are the answers to watch for. They usually mean the MSP hasn’t done the work, and is hoping to learn it on your contract, at your expense, with your certification at stake.

Timing the Decision

If your current MSP doesn’t answer these questions satisfactorily, the right move is to transition to a capable provider — and to do it before your first audit, not after.

Yes, switching MSPs involves effort. There’s migration work, knowledge transfer, and a period of adjustment. But that investment is significantly smaller than the cost of a failed audit, a delayed contract, or a re-assessment triggered by changing providers mid-certification.

The companies that navigate CMMC successfully treat MSP selection as a foundational decision — not an afterthought. They find a capable provider early, establish the Shared Responsibility Matrix, and use the transition period to get their environment properly configured before the auditor arrives.

The companies that struggle are the ones who discover the problem six months in, when options are limited and timelines are compressed.

A Note on the Community

The CMMC compliance space is more collaborative than most technology markets. C3PAO auditors, vCISO advisors, cloud providers, and MSPs generally understand that no single organization can deliver an end-to-end solution alone — and the good ones don’t try to.

Three Fours exists specifically to occupy the MSP role in that ecosystem. We don’t audit. We don’t write policy. We build and manage the technical environment that makes everything else possible — purpose-built for CMMC Level 2, with GCC-High infrastructure, integrated SOC, GRC tooling, and a Shared Responsibility Matrix ready on day one. Our own certification journey is underway, guided by the kind of independent advisors and auditors we’d want at any client’s side.

If you’re working through these questions for your own organization — or evaluating an MSP’s answers and not sure what you’re hearing — we’re happy to have that conversation. Without pressure, and without jargon.
