CMMC 2.0 Phase 2 Playbook for MSPs

Scopable Team · 17 min read

CMMC 2.0 MSP work is no longer a vague compliance conversation. Phase 1 has already started. Phase 2 starts November 10, 2026, and many contractors handling Controlled Unclassified Information (CUI) will need a Level 2 C3PAO assessment tied to contract award.

That puts MSPs in a weird spot. You might be the service provider whose tools sit inside the assessment boundary. You might be the implementer fixing the client's Level 2 gaps. You might be both, which is where the margin and the risk live.

This playbook assumes you already know what CMMC is. If you need the lighter overview, start with the CMMC 2.0 guide for MSPs. If you need the date mechanics, read the CMMC 2026 deadline guide for MSPs. This article is the operating plan: what to scope, what to document, what to quote, and what not to promise.

What is the CMMC 2.0 MSP playbook for Phase 2?

The CMMC 2.0 MSP playbook is a client readiness workflow for November 2026: qualify the contract driver, map FCI and CUI, define the assessment boundary, document the MSP's External Service Provider role, build Level 2 evidence, quote remediation in phases, and prepare the client for C3PAO review.

The reason this needs a playbook is simple. CMMC is not only a technical checklist. It is a proof system attached to contract eligibility.

32 CFR 170.3 says Phase 2 begins one calendar year after Phase 1 and adds the intended requirement for Level 2 C3PAO status for applicable DoD solicitations and contracts as a condition of award. The DFARS acquisition rule is effective November 10, 2025. One year later is November 10, 2026.

For MSPs, the practical deadline is earlier. If a client starts in October 2026, they are not starting a readiness project. They are starting a panic tour.

Why Phase 2 is different from Phase 1

Phase 1 mainly introduces Level 1 and Level 2 self-assessment requirements into applicable contracts, with DoD discretion to require Level 2 C3PAO status earlier in some cases. Phase 2 is the point where Level 2 third-party assessment pressure becomes the default planning assumption for CUI-heavy contract work.

That distinction matters because a self-assessment and a C3PAO assessment are not the same project.

| Area | Phase 1 self-assessment posture | Phase 2 Level 2 C3PAO posture |
|---|---|---|
| Evidence | Client enters assessment results and affirmations | Authorized C3PAO reviews documentation, interviews people, and reports through CMMC eMASS to SPRS |
| Timing | Easier to complete quickly if the environment is mature | Needs scheduling, evidence cleanup, remediation, and closeout planning |
| Failure mode | Bad SPRS score, compliance exposure, client delay | Lost bid eligibility, conditional status risk, contract remedies |
| MSP role | Advisor and implementer | Advisor, implementer, evidence owner, and often in-scope service provider |

The DoD CMMC overview is clear on the core shape: Level 1 uses the 15 safeguarding requirements in FAR 52.204-21, Level 2 uses the 110 NIST SP 800-171 Rev. 2 requirements, and Level 3 adds selected NIST SP 800-172 requirements after Level 2.

Most MSP clients in the defense supply chain will care about Level 1 or Level 2. Level 3 is real, but it is not where most MSP readiness packages start.

The two MSP roles: provider and implementer

CMMC creates two separate questions for an MSP.

First: are your services in scope as an External Service Provider?

Second: are you the team building the client's readiness plan?

Do not blur those. They create different responsibilities.

Role 1: The MSP as External Service Provider

32 CFR 170.19 says an organization seeking assessment must consider whether an External Service Provider processes, stores, or transmits CUI or Security Protection Data. If a non-cloud provider does, the services it provides are in the client's assessment scope and must be assessed as part of the client's assessment.

That can include MSP tools and services such as:

  • RMM tools used to administer in-scope endpoints or servers
  • EDR or MDR platforms protecting CUI assets
  • Backup systems that store CUI or system images from CUI environments
  • Remote access tools used by MSP staff
  • Ticketing systems that contain screenshots, logs, hostnames, security findings, or client configuration detail
  • Documentation platforms holding diagrams, inventories, or control evidence
  • SIEM or log management tools receiving telemetry from CUI assets

Here is the sentence MSPs should tape to the wall: your client can outsource work, not responsibility.

If your tool touches the CUI environment, the client still needs to explain how that tool is governed. If your ticketing system holds security protection data, the client still needs to explain where that data goes. If your techs have privileged access, the client still needs evidence for access approval, MFA, logging, and removal.

32 CFR 170.17 gets very specific for non-cloud ESPs at Level 2. The client's System Security Plan must document the use of the provider, the relationship, and the services provided. The ESP's service description and customer responsibility matrix must describe the service split. The services used to meet the client's requirements are assessed within the client's scope.

That does not mean every MSP automatically needs its own CMMC certification. It does mean an MSP serving defense clients needs assessment-ready service documentation. A voluntary MSP assessment may reduce repeated client-by-client evidence work, but the client's contract requirement still drives the minimum assessment type.

Role 2: The MSP as readiness implementer

This is the revenue side. Clients need someone to turn CMMC findings into projects they can approve.

The implementation work usually falls into five buckets:

  1. Scope and contract discovery. What contract, subcontract, prime requirement, or renewal is driving CMMC?
  2. CUI boundary design. Which systems process, store, or transmit CUI? Which systems protect those systems?
  3. Technical remediation. Identity, MFA, logging, endpoint protection, backup, encryption, vulnerability management, segmentation, hardening, and tool cleanup.
  4. Documentation and evidence. SSP, policies, procedures, inventories, diagrams, access reviews, training records, incident response tests, and hashed artifacts.
  5. Assessment preparation. Mock interviews, C3PAO readiness, POA&M triage, and executive signoff.

Scopable fits the CMMC readiness workflow because the hard part is turning findings into a roadmap, project scopes, budgets, and quotes while the assessment context is still fresh. MSPs can use Scopable to move from gap analysis to client roadmap to remediation quote without losing the evidence trail in a spreadsheet.

Level 1 vs Level 2: what MSPs should sell first

Level 1 and Level 2 are different offers. Treating them as one compliance blob is how MSPs either underprice the work or scare off clients who only need the basics.

| CMMC level | What it covers | Requirement base | Assessment posture | MSP offer |
|---|---|---|---|---|
| Level 1 | Federal Contract Information | 15 FAR 52.204-21 safeguards | Annual self-assessment and affirmation | Basic safeguarding review, policy cleanup, access and device hygiene |
| Level 2 self | Controlled Unclassified Information | 110 NIST SP 800-171 Rev. 2 requirements | Self-assessment every three years, annual affirmation | Paid gap assessment, SSP refresh, SPRS score support, remediation roadmap |
| Level 2 C3PAO | Controlled Unclassified Information where the contract requires third-party assessment | Same 110 requirements | C3PAO assessment every three years, annual affirmation | Full readiness program, remediation projects, evidence operations, mock assessment |

32 CFR 170.14 says Level 2 security requirements are identical to NIST SP 800-171 Rev. 2. The NIST SP 800-171 Rev. 2 page notes that Rev. 2 has been superseded by Rev. 3 for NIST publication purposes, but CMMC Level 2 still points to Rev. 2 in the CMMC rule. Do not casually swap baselines because a client found a newer PDF.

Your first paid offer should usually be discovery and gap assessment, not full remediation. You cannot quote remediation honestly until the contract driver, CUI boundary, MSP tool contact, and evidence condition are known.

The 110 Level 2 requirements in MSP-manageable categories

Level 2 has 110 requirements across 14 families. MSPs do not need to recite every control in a sales meeting. They do need to translate the work into categories clients can understand.

| MSP category | What it includes | Common gap |
|---|---|---|
| Identity and access | MFA, privileged access, account reviews, least privilege, remote access | Shared admin accounts, stale users, weak joiner and leaver process |
| Endpoint and server management | Hardening, patching, EDR, configuration baselines, vulnerability remediation | Tools deployed but evidence not retained |
| Logging and monitoring | Audit logging, log review, alerting, retention, event response | Logs exist, nobody can prove review or escalation |
| Network and CUI boundary | Segmentation, firewall rules, secure remote access, data flow diagrams | Scope is drawn from a hope, not from a diagram |
| Backup and media protection | Backup access, encryption, portable media controls, restoration evidence | Backups include CUI but are treated like ordinary data |
| Policy and procedures | SSP, policies, procedures, POA&M, training, incident response | Policy says one thing, technicians do another |
| Evidence operations | Artifact collection, retention, hashing, ownership, review cadence | Nobody owns the proof until the assessor asks |
| Vendor and MSP responsibility | ESP service description, customer responsibility matrix, downstream vendors | Client and MSP both assume the other side owns the control |

The official assessment is still requirement-by-requirement. This table is for packaging and client communication. It helps the MSP avoid a 110-row quote that nobody wants to read.

The documentation set MSPs should prepare before clients ask

An MSP serving defense contractors should build a reusable CMMC documentation package now. Do not wait until a C3PAO asks the client for it.

Start with these artifacts:

  1. MSP service description. Describe each managed service, what systems it touches, what data it may process, and which security functions it supports.
  2. Customer responsibility matrix. Show what the MSP owns, what the client owns, and what is shared. Use the shared responsibility matrix template as a structure, then map it to the client's actual services.
  3. Remote access model. Document tools, MFA, approval, session logging, privileged access, emergency access, and offboarding.
  4. Tool inventory. List RMM, EDR, backup, SIEM, documentation, ticketing, identity, and remote support platforms used for the client.
  5. Data handling statement. State whether each tool processes, stores, or transmits CUI, Federal Contract Information, or Security Protection Data. If it does not, explain why.
  6. Evidence handling process. Define artifact owners, storage location, retention, change control, and integrity checks.
  7. Incident response interface. Clarify who detects, who escalates, who communicates, who decides, and who reports.
  8. Subcontractor and vendor view. Identify downstream tools and providers the MSP uses to deliver service.

This is not paperwork cosplay. 32 CFR 170.17 requires Level 2 assessment results to include details such as the SSP name and version, assessment results for each objective, POA&M usage, and artifact names with hash values. It also requires assessed artifacts to be retained for six years from the CMMC status date.

That six-year artifact requirement should change how MSPs think about compliance operations. A screenshot dropped into a random ticket is not an evidence system.
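One way to run that evidence system, as an added example rather than Scopable's own code or anything from the rule text: a manifest that hashes each artifact, records its owner and requirement, computes the six-year retention date, and later re-verifies that nothing went missing or was altered. The owner-mapping format and the sample files are assumptions constructed for the example.

```python
"""Evidence manifest for CMMC artifacts: hash, map to owner/requirement, set retention, re-verify."""
import hashlib
import tempfile
from datetime import date
from pathlib import Path

RETENTION_YEARS = 6  # 32 CFR 170.17: assessed artifacts kept six years from the status date

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # streamed so large backup images need not fit in memory
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def retention_until_iso(status_date_iso: str) -> str:
    """Status date plus six years; a Feb 29 status date falls back to Feb 28."""
    d = date.fromisoformat(status_date_iso)
    try:
        return d.replace(year=d.year + RETENTION_YEARS).isoformat()
    except ValueError:
        return d.replace(year=d.year + RETENTION_YEARS, day=28).isoformat()

def build_manifest(evidence_dir: Path, status_date_iso: str, owners: dict) -> dict:
    """owners maps relative artifact path -> {"requirement": id, "owner": name};
    that mapping format is an assumption of this example, not a CMMC format."""
    artifacts = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        meta = owners.get(rel, {})
        artifacts.append({"artifact": rel, "sha256": sha256_file(path),
                          "requirement": meta.get("requirement", "UNMAPPED"),
                          "owner": meta.get("owner", "UNASSIGNED")})
    return {"status_date": status_date_iso,
            "retain_until": retention_until_iso(status_date_iso),
            "artifacts": artifacts}

def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Return {artifact: problem} for anything missing, altered, or unowned."""
    problems = {}
    for e in manifest["artifacts"]:
        path = evidence_dir / e["artifact"]
        if not path.is_file():
            problems[e["artifact"]] = "missing"
        elif sha256_file(path) != e["sha256"]:
            problems[e["artifact"]] = "modified"
        elif e["requirement"] == "UNMAPPED" or e["owner"] == "UNASSIGNED":
            problems[e["artifact"]] = "no owner or requirement mapped"
    return problems

def demo() -> dict:
    """Constructed sample set: build the manifest, edit the SSP afterwards, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "2026-03-access-review.csv").write_text("user,approver\njdoe,ciso\n")
        (root / "ssp-v3.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
        (root / "untracked.png").write_bytes(b"\x89PNG constructed screenshot")
        owners = {"2026-03-access-review.csv": {"requirement": "3.1.1", "owner": "msp-ops"},
                  "ssp-v3.pdf": {"requirement": "3.12.4", "owner": "client-ciso"}}
        manifest = build_manifest(root, "2026-11-10", owners)
        (root / "ssp-v3.pdf").write_bytes(b"%PDF-1.4 edited after the assessment")
        return verify_manifest(root, manifest)
```

Store the manifest itself under change control alongside the artifacts; a later hash mismatch is the signal that an artifact was altered after the assessment record was made.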

A practical CMMC Phase 2 roadmap

Do not sell the client a giant CMMC project with one price and 47 assumptions. Sell phases.

Months 1 to 3: qualify, scope, and score

The first phase answers whether the client has a real CMMC problem and how large it is.

Work to complete:

  • Collect contract clauses, prime flowdown language, and expected renewal or bid dates.
  • Separate Federal Contract Information from CUI.
  • Map where CUI enters, lives, moves, gets backed up, and leaves.
  • Identify CUI assets, Security Protection Assets, Contractor Risk Managed Assets, specialized assets, and out-of-scope assets.
  • Identify MSP tools that touch the in-scope environment.
  • Review the current SSP, SPRS score, POA&M, policies, diagrams, and evidence.
  • Deliver a gap scorecard and remediation backlog.

Commercial output: fixed-fee gap assessment and a quote-ready remediation roadmap.

Months 4 to 6: remediate the gaps that kill assessments

This is where the project becomes technical and political.

Prioritize gaps that affect scope, identity, logging, evidence, and requirements that are not eligible for a POA&M. 32 CFR 170.21 limits what can go on a POA&M for Level 2 conditional status: it requires a score of at least 0.8, blocks requirements with point values above 1 in most cases, and excludes specific requirements, such as the System Security Plan, from the POA&M entirely.

Work to complete:

  • Enforce MFA and privileged access controls across in-scope systems.
  • Clean up shared accounts, stale accounts, and emergency access.
  • Harden endpoints and servers against documented baselines.
  • Configure logging, review cadence, alert routing, and retention.
  • Validate backup encryption, access control, and restoration evidence.
  • Segment the CUI boundary where it reduces assessment scope.
  • Update policies and procedures so they match actual operations.
  • Assign owners for recurring evidence.

Commercial output: remediation projects with clear exclusions and client decisions documented.
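As an added example (not the article's or Scopable's code), here are the 32 CFR 170.21 limits cited above turned into a triage check for the later POA&M step. It implements only the rules the article states: the never-on-POA&M set contains just the SSP requirement and must be completed from the rule text, requirements above 1 point are treated as ineligible with no exceptions, and the point values in the sample gaps are constructed inputs rather than the official scoring table.

```python
"""POA&M triage for CMMC Level 2 conditional status (added example).
Implements only the limits the article cites from 32 CFR 170.21: NEVER_ON_POAM
holds just the SSP requirement and must be completed from the rule text, and
requirements above 1 point are treated as ineligible with no exceptions."""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110    # NIST SP 800-171 Rev. 2 baseline used by Level 2
MIN_SCORE = 0.8             # assessment score / 110 must reach 0.8
CLOSEOUT_DAYS = 180         # conditional status must be closed out within 180 days
NEVER_ON_POAM = {"3.12.4"}  # System Security Plan; extend from 32 CFR 170.21

@dataclass(frozen=True)
class Gap:
    requirement: str   # NIST SP 800-171 Rev. 2 identifier, e.g. "3.5.3"
    points: int        # DoD assessment methodology value (1, 3, or 5) for the requirement
    title: str = ""

def triage(gaps: list[Gap]) -> tuple[list[Gap], list[tuple[Gap, str]]]:
    """Split open gaps into POA&M-eligible and must-fix-before-assessment, with reasons."""
    eligible, must_fix = [], []
    for g in gaps:
        if g.requirement in NEVER_ON_POAM:
            must_fix.append((g, "never POA&M-eligible"))
        elif g.points > 1:
            must_fix.append((g, f"{g.points}-point requirement"))
        else:
            eligible.append(g)
    return eligible, must_fix

def conditional_score(gaps: list[Gap]) -> float:
    """Score ratio with every open gap deducted at its point value."""
    return (TOTAL_REQUIREMENTS - sum(g.points for g in gaps)) / TOTAL_REQUIREMENTS

def conditional_status_possible(gaps: list[Gap]) -> bool:
    """True only if nothing must be fixed first and the score clears MIN_SCORE."""
    _, must_fix = triage(gaps)
    return not must_fix and conditional_score(gaps) >= MIN_SCORE

def closeout_deadline_iso(status_date_iso: str) -> str:
    """Last day of the 180-day POA&M closeout window from the conditional status date."""
    return (date.fromisoformat(status_date_iso) + timedelta(days=CLOSEOUT_DAYS)).isoformat()

def demo() -> dict:
    """Constructed gap lists; point values are sample inputs, not the official table."""
    before = [Gap("3.5.3", 5, "MFA for privileged accounts"),
              Gap("3.12.4", 3, "SSP two years out of date"),
              Gap("3.8.4", 1, "Media not marked with CUI markings")]
    after = [g for g in before if g.requirement == "3.8.4"]  # MFA and SSP remediated
    return {"before": conditional_status_possible(before),
            "after": conditional_status_possible(after),
            "must_fix": [reason for _, reason in triage(before)[1]],
            "closeout": closeout_deadline_iso("2026-11-10")}
```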

Months 7 to 9: prepare for assessment

By this point, the MSP should not still be discovering basic scope issues. The goal is to make the assessment boring.

Work to complete:

  • Run a mock assessment against NIST SP 800-171A objectives.
  • Clean up evidence naming, retention, and hash process.
  • Reconcile the SSP, network diagram, asset inventory, and tool inventory.
  • Review the customer responsibility matrix with the client executive who will affirm compliance.
  • Confirm C3PAO scheduling, assessment scope, and contact list.
  • Triage any remaining POA&M candidates against the official rules.
  • Prepare interview owners so they can explain the process without guessing.

Commercial output: C3PAO readiness package, final risk register, and client signoff.

How to price CMMC without eating the risk

The official cost numbers are useful, but only if you read the footnote hiding in plain sight.

The 2024 CMMC Program final rule estimated the cost to support a Level 2 certification assessment and affirmation at $101,752 for a small entity and $112,345 for an other-than-small entity. It also says there are no engineering costs associated with that estimate because it assumes the contractor has already implemented NIST SP 800-171 Rev. 2.

That assumption is doing a lot of work.

If the client has weak MFA, stale identities, no log review evidence, poor diagrams, unmanaged backups, and an SSP from two years ago, the official assessment support estimate is not the full budget. It is the bill after the house has already been cleaned.

A sane MSP offer separates the money like this:

| Offer | What the client buys | Pricing model |
|---|---|---|
| Discovery and gap assessment | Scope, CUI flow, MSP contact, control review, evidence review, gap backlog | Fixed fee |
| Remediation projects | Technical fixes, documentation, policy alignment, tool cleanup | Scoped projects with assumptions |
| Assessment preparation | Mock assessment, evidence cleanup, interview prep, POA&M triage | Fixed fee or short retainer |
| Ongoing evidence management | Access reviews, vulnerability management, artifact refresh, affirmations, QBR reporting | Monthly recurring service |

For the wider pricing model, use the MSP compliance pricing guide. The key point is not the exact sticker price. The key point is that CMMC work carries advisory risk, evidence labor, and contract impact. Price it like that.

Common MSP mistakes that create C3PAO pain

Mistake 1: quoting remediation before scope. If you do not know the CUI boundary, you do not know the project.

Mistake 2: treating the MSP role as outside the client's assessment. If your services process CUI or Security Protection Data, or provide security functions for the CUI environment, they can be in scope.

Mistake 3: selling tools as compliance. EDR is not a control result by itself. MFA is not a procedure. A SIEM without review evidence is just a bill.

Mistake 4: hiding behind the client's SSP. If the SSP says the MSP does monthly access reviews, someone needs to prove the review happened.

Mistake 5: assuming POA&Ms save bad planning. Level 1 does not allow POA&Ms. Level 2 conditional status has limits and a 180-day closeout clock under 32 CFR 170.21.

Mistake 6: forgetting annual affirmations. DFARS 252.204-7021 requires contractors to complete annual affirmations in SPRS and maintain current CMMC status for systems that process, store, or transmit FCI or CUI.

The client conversation script

Do not lead with fear. Lead with contract eligibility.

Use questions like these:

  • Which DoD contracts, subcontracts, or prime flowdowns drive your CMMC requirement?
  • Do you handle Federal Contract Information, CUI, or both?
  • Which systems process, store, or transmit CUI?
  • Which tools protect those systems?
  • Which MSP systems touch them?
  • What is your current SSP date and SPRS score?
  • What evidence exists today for access reviews, training, vulnerabilities, backups, incidents, and log review?
  • What DoD revenue is at risk if you cannot bid, renew, or perform?

Then make the offer boring and concrete:

Start with a fixed-scope CMMC discovery and gap assessment. The deliverable is not a certificate. It is a defensible CUI boundary, current evidence score, MSP responsibility map, remediation backlog, and quote-ready roadmap.

That one sentence saves MSPs from accidental unlimited consulting.

Where Scopable fits

CMMC readiness creates a handoff problem. The assessment identifies gaps. The MSP turns those gaps into projects. The client needs budgets, priorities, and business decisions. Then someone has to build a quote that still matches the scope everyone agreed to.

That is exactly where Scopable helps. Scopable connects assessment findings, client roadmaps, remediation scope, quoting, approvals, and project creation. For CMMC work, that means your gap assessment can become a client-facing roadmap, and the roadmap can become quoted remediation work without retyping the whole story into another spreadsheet.

If your MSP is building a CMMC service line, standardize three things first: the discovery output, the responsibility matrix, and the remediation quote structure. Then put them into a repeatable workflow. If you want that assessment-to-roadmap-to-quote motion in one place, join Scopable early access.

CMMC Phase 2 FAQ for MSPs

When does CMMC Phase 2 start? CMMC Phase 2 starts November 10, 2026. 32 CFR 170.3 says Phase 2 begins one calendar year after Phase 1. The DFARS CMMC acquisition rule is effective November 10, 2025.

Do MSPs need their own CMMC Level 2 certification? Not automatically. If an MSP processes, stores, or transmits CUI or Security Protection Data, or provides security functions for the client's CMMC scope, its services may be assessed inside the client's assessment. Some MSPs may pursue their own assessment to reduce repeated client evidence work, but the client's contract requirement drives the minimum assessment type.

What are the main CMMC compliance MSP requirements? The MSP needs to help the client define FCI and CUI scope, document in-scope assets, identify MSP tools and services, build the SSP and evidence package, remediate Level 2 gaps, prepare for assessment, and support annual affirmations where the contract requires them.

What should an MSP do first to prepare for CMMC certification? Start with a fixed-scope discovery and gap assessment. Do not begin with tool rollout. The first deliverable should be the contract driver, CUI flow, assessment boundary, current evidence state, MSP responsibility map, and prioritized remediation backlog.

Can a client pass CMMC Level 2 with a POA&M? Sometimes, but only under strict conditions. Level 2 conditional status requires a score of at least 0.8, excludes certain requirements from the POA&M, and requires closeout within 180 days. The System Security Plan cannot be left for later.

The MSP advantage is discipline

CMMC Phase 2 is not a reason to turn every defense contractor client into a giant compliance project. It is a reason to get disciplined.

Qualify the contract driver. Define the boundary. Document the MSP role. Separate technical gaps from proof gaps. Quote phases. Keep annual evidence alive after the assessment.

The MSPs that do this well will not win because they shout CMMC the loudest. They will win because they can turn a messy compliance requirement into a scoped plan the client can understand, approve, and defend.
