Nexeris

Why Your MSP Can’t Get You CMMC Certified

This conversation has played out across the DIB for two years now, and we hear a version of it on nearly every scoping call: “We need CMMC Level 2 certification, can you handle that?” The MSP’s answer was almost always some version of yes. That answer is costing contractors failed assessments and lost C3PAO slots.

MSPs are not the problem. The problem is a category mismatch. CMMC Level 2 certification requires purpose-built CMMC consulting services, a GRC-first program built to the 110 practices in NIST SP 800-171 Rev 2 and structured for third-party assessment. Infrastructure management is necessary but not sufficient. The gap between the two is exactly where assessments fall apart.

What MSPs Actually Do, and Where Their Scope Ends

A well-run MSP delivers real value: endpoint management, patch cycles, cloud provisioning, identity management, helpdesk triage. If your MSP is doing those things well, keep them. Nothing in a CMMC program replaces tight infrastructure operations.

But CMMC Level 2 practice AC.L2-3.1.1 doesn’t ask whether access controls are configured; it asks whether you have documented policies governing who can access CUI, under what conditions, with what approval workflow, and with evidence that the policy is followed. NIST 800-171 Rev 2 control 3.14.1 (System and Information Integrity) requires a documented flaw remediation procedure, not just an active patching cadence.

Patching endpoints is infrastructure. A documented, assessor-ready remediation procedure is a GRC deliverable. Those are different things, produced by different disciplines.

The Documentation Gap

The System Security Plan is the load-bearing document in any CMMC Level 2 assessment. It must cover all 110 NIST 800-171 Rev 2 controls, map to the full set of assessment objectives defined in NIST SP 800-171A Rev 2, define the CUI boundary, describe each system component in scope, and provide enough detail that a C3PAO assessor can independently verify the control narrative against the evidence package.

Most MSPs have no process for writing or maintaining an SSP at that standard. POAM tracking, CUI data flow diagrams, system boundary documentation: these are GRC deliverables. They require someone who understands both the technical environment and the regulatory framework well enough to produce documentation that holds up under an assessor’s review.

If your MSP has given you a “compliance report” or a partially filled SSP template, that is a starting point, not a finished program. The distinction matters when your C3PAO slot arrives.

Why CMMC Level 2 Is a GRC Program, Not an IT Checklist

C3PAO assessors, the organizations authorized by the Cyber AB (the CMMC Accreditation Body) to conduct certification assessments, evaluate objective evidence. Not the presence of a tool. Not a vendor’s compliance report. Evidence that a specific control is implemented, consistently applied, and documented in a way that supports independent verification.

A critical clarification on the regulatory baseline: CMMC Level 2 assessments currently map to NIST SP 800-171 Rev 2 under DoD Class Deviation 2024-O0013. NIST 800-171 Rev 3 is published but has not been adopted as the CMMC assessment baseline. Any consultant or MSP referencing Rev 3 as the current requirement is operating on incorrect information.

Three things assessors look for that MSPs typically cannot produce:

  1. A scoped SSP that accurately defines the CUI boundary: not an org-wide IT inventory, but a precise boundary that includes every system, person, and process that touches CUI.
  2. A mature Plan of Action and Milestones (POAM), with risk-ranked open findings, realistic remediation timelines, and closure evidence for previously resolved items.
  3. Objective evidence packages tied to each assessment objective: screenshots, configuration exports, policy documents, and test results tied to specific practices, not generic “the tool is running” attestations.

The Authorization Question

Your MSP is not a C3PAO. The C3PAO conducts your required third-party CMMC Level 2 assessment; your MSP cannot perform that function regardless of their cybersecurity capability. Some MSPs have established partnerships with C3PAOs, which can be valuable for coordination, but partnership does not transfer assessment authority.

The CMMC consultant’s role is to build the program the C3PAO will assess. An MSP that helps you “prepare” without deep GRC expertise is transferring assessment risk to you. When the C3PAO finds an undocumented control or a scoping error on day one, the MSP doesn’t pay for the remediation cycle or the wait until the next available assessment slot, which, depending on C3PAO capacity at the time, can be months away.

The Three Gaps That Surface at Assessment Time

In our experience working with 40+ contractor organizations, these are the patterns that emerge when contractors walk into a C3PAO assessment having relied on an MSP for CMMC readiness.

1. CUI scoping errors. The most common finding in our gap assessments is a CUI scoping error, either over-scoping or under-scoping the environment. Over-scoping multiplies the control burden; every system you include expands the evidence package required. Under-scoping produces findings the assessor flags in the first hour. Getting the CUI boundary right requires legal analysis of the contract’s handling requirements, technical analysis of data flows, and a working knowledge of the CMMC scoping guidance documentation. A firewall review doesn’t produce that output.

2. SSP and POAM documentation that doesn’t hold up under assessor review. A pre-built SSP template completed by an MSP without GRC depth typically fails the “detailed description” threshold C3PAO assessors apply. Vague control narratives (for example, “We use Active Directory for access control” with no configuration export, no access control policy, and no evidence of periodic review) generate NOT MET findings under practices like AC.L2-3.1.1 and IA.L2-3.5.3. Each NOT MET finding requires remediation and reassessment.

3. Incident reporting chain under DFARS 252.204-7012. Under DFARS 252.204-7012(c), contractors must report cyber incidents to DoD within 72 hours and preserve forensic images for 90 days. This requires a documented, tested incident response procedure, not a generic IR template. CMMC practices IR.L2-3.6.1 and IR.L2-3.6.2 specifically require documented incident handling capability and tested procedures. In our experience, DFARS-specific reporting chains are seldom built into standard MSP contracts or runbooks, and a generic IR plan won’t satisfy an assessor asking for evidence the procedure has been exercised. For additional context, see the DFARS 252.204-7012 compliance guide.

What CMMC Consulting Services Actually Cover

CMMC consulting services are GRC-first engagements. The infrastructure your MSP runs is the environment the CMMC consultant has to document, assess, and harden to certification standards. These are complementary roles: the MSP keeps the infrastructure running; the CMMC compliance consultant builds the program the infrastructure has to support.

A qualified CMMC consultant does the following work your MSP is not positioned to perform:

  • Scopes the CUI environment and drafts the SSP to assessor standards: not from a generic template, but from a technical understanding of your specific architecture and data flows
  • Runs a gap assessment against all 110 NIST 800-171 Rev 2 controls, producing a prioritized finding list with remediation effort and risk ranking
  • Builds and maintains the POAM with realistic timelines, closure evidence standards, and a tracking process your team can sustain
  • Prepares objective evidence packages for each assessment domain: the documentation an assessor needs to mark a practice MET without asking follow-up questions
  • Coordinates directly with your chosen C3PAO so your assessment isn’t the first time they’ve seen your environment

Download the CMMC Level 2 audit readiness checklist for a detailed breakdown of what documentation an assessor will expect. Or review the free System Security Plan template to understand what a complete SSP requires, and assess whether what your MSP has produced meets that bar.

When to Bring In a CMMC Consultant

The clearest trigger is a new or renewed contract that includes a CMMC Level 2 requirement. But there are several other signals that the MSP handoff moment has arrived:

  • Your MSP has provided a compliance report but there’s no complete SSP, no active POAM, and no CUI boundary diagram
  • You’re within 90 days of a C3PAO assessment slot and documentation isn’t assessor-ready; see the CMMC audit preparation roadmap for what that timeline looks like
  • Your prime contractor is asking for your CMMC status under their flow-down obligation and you can’t answer definitively
  • A self-assessment or gap review has surfaced more than a handful of open POAMs and there’s no clear remediation owner

C3PAO assessment capacity is constrained, and the timeline is tightening. Phase 2 of the CMMC rollout begins November 10, 2026, the point at which Level 2 C3PAO certification starts becoming a condition of award in a growing share of CUI contracts. As that demand lands on a limited pool of authorized assessors, slots are expected to stay under pressure; confirm current availability and timelines directly with the Cyber AB. A failed first attempt doesn’t just cost the reassessment fee; the next available slot can be months out, depending on C3PAO capacity at the time. That window has direct contract eligibility consequences.

The Bottom Line

MSPs are essential to the infrastructure your CMMC program runs on. They are not a substitute for CMMC consulting services. The documentation, scoping, gap assessment, and evidence preparation work that determines whether a C3PAO assessor marks your practices MET requires GRC expertise your MSP was never built to provide.

If your current CMMC preparation has been led by your MSP, the right move is a candid gap assessment against what your C3PAO will actually evaluate. The earlier that happens relative to your assessment slot, the more options you have.

Nexeris brings a 100% first-attempt pass rate across 40+ contractor assessments, 50+ ISO certifications, 50+ SOC 2 attestations, 10+ HITRUST, and 10+ NIST 800-171 engagements. Zach Tracy, CISSP and CMMC Registered Practitioner, leads every engagement. Schedule a CMMC scoping call to find out where your program actually stands.

Zach Tracy, CISA, CISSP

Zach Tracy is the CEO and a cybersecurity executive with more than 10 years of experience in security program management and regulatory compliance. He has served as a fractional Chief Information Security Officer for over 40 organizations and has led more than 100 audits across frameworks including SOC 2, CMMC, NIST CSF, ISO 27001, HIPAA, and HITRUST.

Zach specializes in helping defense contractors and regulated organizations build practical, audit-ready security programs that protect contract eligibility and reduce operational risk. He holds CISA, CISSP, CMMC-RP, and ISO 27001 and 9001 Lead Implementer certifications, along with a B.S. in Cybersecurity from Thomas College.

A Marine Corps veteran and former law enforcement officer, Zach brings a mission-focused, disciplined approach to cybersecurity leadership.
