CMMC Level 2 for MSPs: How to Handle ESP Scope and Shared Responsibility

"This article is for general informational purposes and should not be considered legal, compliance, or certification advice. Organizations should consult their CMMC advisor, C3PAO, or compliance counsel for environment-specific guidance."

November 2025 marked a significant shift for MSPs serving defense contractors.

CMMC clauses began appearing in DoD solicitations, and third-party assessments have become increasingly standard for CUI-handling contracts. The timeline and full rollout details continue to evolve, so MSPs should verify current requirements with their compliance advisor or C3PAO.

The MSP blind spot was clear: many MSPs assumed compliance was solely the client's problem. That assumption carries real risk.

If your systems process, store, transmit, or provide security protection for client CUI environments, you may be considered an External Service Provider (ESP) and could fall within scope. Scope should always be confirmed with the customer, compliance advisor, and assessor.

The stakes are significant. Over 76,000 organizations are expected to need CMMC Level 2 certification.

MSPs that can demonstrate compliance-ready infrastructure and organized documentation gain a meaningful competitive advantage. Those that can't may risk losing clients or scrambling to retrofit under pressure.

This blog covers ESP scope determination, the shared responsibility model, documentation platform considerations, and the five questions every DIB client is likely to ask before they sign.

You'll finish with actionable next steps to build a CMMC-ready MSP practice.

Understanding ESP Designation Under CMMC

When Your MSP Becomes an External Service Provider

An External Service Provider (ESP) is any third-party organization whose systems or services process, store, or transmit CUI on behalf of a defense contractor.

Common MSP triggers that put you in scope

  • Hosting or managing client documentation platforms that contain CUI-related configs or credentials.
  • Providing RMM, backup, or ticketing systems with access to client CUI environments.
  • Storing or managing admin credentials, network diagrams, or system configurations for CUI-handling clients.

What doesn't automatically make you an ESP

Purely tactical break-fix support or monitoring tools that never touch CUI may stay out of scope, but the line is narrow and assessor-dependent.

The assessment boundary question

If any part of your platform holds or provides access to CUI-adjacent data, it falls inside the client's CMMC assessment boundary.

Practical example walkthrough

An MSP manages documentation for a defense contractor. The platform stores network configs, firewall rules, and admin credentials.

That MSP may be considered an ESP and may need to support the same AU, AC, and IA controls as the contractor. The specific requirements should be confirmed with the client and their assessor.

The Documentation Platform Trap

If any of your documentation belongs to a defense contractor handling CUI, your documentation platform is now inside their CMMC assessment boundary.

That means your platform needs to be FedRAMP authorized OR deployed on-premises inside an assessed boundary.

Shared Responsibility Model - What You Own vs. What Your Client Owns

Dividing the 110 CMMC Level 2 Practices Between MSP and Client

CMMC uses a shared responsibility matrix (Customer Responsibility Matrix / CRM) with three categories:

  1. Vendor (MSP) responsibility
  2. Customer responsibility
  3. Shared responsibility

What MSPs typically own in a documentation platform context

  • Access Control (AC): Enforcing RBAC and MFA in the platform. IT Portal's granular permissions system lets you scope access precisely to record types and functions.
  • Identification & Authentication (IA): Managing user identities and authentication.
  • Audit & Accountability (AU): Generating and protecting audit logs.
  • System & Communications Protection (SC): Implementing encryption and secure configurations.

What remains client responsibility

Shared responsibility examples

  • The MSP secures the documentation platform; the client defines who gets access and what roles are appropriate.

Why this matters for MSPs

Clear shared responsibility documentation protects both parties during assessments and builds trust with defense contractor clients.

Practical Implementation Table

| CMMC Practice | Practice Description | MSP Responsibility | Client Responsibility |
|---|---|---|---|
| AC.L2-3.1.1 | Limit system access to authorized users | Enforce RBAC, MFA in platform | Determine who gets access, what roles |
| AU.L2-3.3.1 | Create and retain audit logs | Platform generates logs for all access/changes | Configure their systems to log; review logs |
| SC.L2-3.13.11 | Employ FIPS-validated crypto | Enable FIPS mode in platform if on-prem | Deploy FIPS-validated crypto in their environment |

The On-Premises Deployment Path for MSPs

Why On-Prem Deployment Is the Clean Path Through FedRAMP

The FedRAMP problem

Many clients require FedRAMP authorization for cloud services handling CUI. Achieving and maintaining it is expensive and time-consuming for MSPs.

The on-premises solution

Deploy IT Portal inside the customer's assessed boundary. When deployed on-premises inside the client's properly managed CMMC assessment boundary, IT Portal may support the customer's compliance efforts as part of their internal environment. The customer remains responsible for managing, securing, and validating that deployment according to applicable requirements.

Boundary inheritance

When properly deployed on-prem inside the client's enclave, the platform may allow the client to apply their existing compliance posture to the documentation environment, subject to assessor review.

MSP multi-tenant considerations

Separate instances or strict tenant isolation are required to maintain clear boundaries between clients, so that one client's CUI-related records never fall inside another client's assessment scope.

What this means practically

You may be able to offer documentation services to DIB clients without pursuing FedRAMP authorization for the MSP's own instance, depending on how the deployment is scoped and managed.

IT Portal Capabilities for CMMC-Related Environments

IT Portal provides deployment flexibility and documentation structure that can help MSPs organize and prepare documentation for CMMC-related environments:

  • Deployment flexibility: Run on-premises inside your client's CUI enclave or use our cloud deployment. The on-premises option may support strict boundary requirements when the customer manages and maintains it within their assessed environment.
  • Structured documentation and change history: Hierarchical structure and full change history help organize records that can support CMMC AU control preparation.
  • SIEM integration support: Forward audit events via syslog or API, making it easier for clients to correlate and review logs.
  • Multi-client isolation: Granular permissions and tenant separation help manage documentation for multiple DIB clients from a single platform while maintaining logical boundaries.

Five Questions Your DIB Clients Will Ask (And How to Answer Them)

Be Ready: The Questions Defense Contractors Ask Before Signing

We support on-premises deployment inside your assessed boundary, allowing clean inheritance of your compliance posture.

Yes, we maintain a detailed CRM that clearly defines shared responsibilities for AC, AU, IA, and SC controls.

IT Portal generates structured audit logs for all access and changes and supports syslog, API, and database query integration with your SIEM.

Yes, we support MFA, Active Directory integration, and SSO out of the box.

We provide full evidence packages, including audit logs, configuration screenshots, and boundary documentation to support your assessment.

Next Steps for MSPs Targeting the DIB Market

Building a CMMC-Ready MSP Practice

Immediate Actions

  • Assess which clients handle CUI and determine your ESP status.
  • Evaluate your documentation platform's deployment options (on-prem vs cloud).
  • Document your shared responsibility matrix for each major service.

Marketing Differentiation

Highlight your CMMC-ready infrastructure and documentation capabilities in proposals and on your website.

Partnership Opportunities

Partner with CMMC consultants and compliance firms to offer end-to-end solutions.

Pricing Considerations

Factor in on-prem deployment and compliance support when quoting for DIB clients - many are willing to pay a premium for proven compliance.

Conclusion

CMMC Level 2 has fundamentally changed the relationship between MSPs and defense contractors. Understanding your ESP scope, clearly defining shared responsibilities, and maintaining compliant documentation are now table stakes.

MSPs that treat documentation as a strategic compliance asset rather than an afterthought will win more DIB clients and build stronger, longer-lasting relationships.

Your MSP CMMC compliance becomes significantly stronger and easier to demonstrate when your documentation platform is audit-ready, securely deployed, and fully integrated with your clients' requirements.

Ready to build a CMMC-ready MSP practice?

Don't wait until a defense contractor asks the tough questions.

See exactly how IT Portal's hierarchical, on-premises-ready documentation platform helps MSPs meet ESP requirements, simplify shared responsibility, and win more DIB.

Explore CMMC Solutions for MSPs or Book a Demo today.

Author Bio
Leslie Salvan

Leslie Salvan is the Social Media Manager and SEO Lead at IT Portal, where she shapes the brand's digital presence and drives strategic growth across multiple platforms. With a strong focus on content clarity, search performance, and community engagement, she helps connect IT teams to smarter documentation solutions.
