CMMC 2.0 for MSPs: What the 2026 Deadline Actually Requires

Scopable Team, 16 min read

If your defense contractor clients are calling it the October 2026 CMMC deadline, correct the date before you quote the work. The contract trigger MSPs need to plan around is November 10, 2026, one year after the CMMC acquisition rule takes effect.

That date matters because CMMC 2.0 for MSPs moves from mostly self-assessed contract language into Level 2 third-party assessment pressure for many contractors handling Controlled Unclassified Information (CUI). Your client may be the organization seeking certification, but your tools, your remote access, your ticket notes, your backups, and your security stack can become part of the assessment story.

This article does not repeat the basic CMMC overview. If you need the broad version, start with the CMMC 2.0 guide for MSPs. If you need the phase-by-phase action list, read the CMMC Phase 2 MSP action list. This piece is narrower: what the 2026 deadline actually requires, what an MSP has to document, and how to turn that into a scoped readiness engagement instead of a vague compliance promise.

What is the CMMC 2026 deadline for MSPs?

The CMMC 2026 deadline for MSPs is November 10, 2026. That is when Phase 2 begins under 32 CFR 170.3, one calendar year after the DFARS CMMC acquisition rule takes effect. In Phase 2, DoD intends to require Level 2 C3PAO assessments for applicable contracts as a condition of award.

The source chain is simple. The Federal Register final DFARS rule says the acquisition rule is effective November 10, 2025. 32 CFR 170.3 says Phase 2 begins one calendar year after Phase 1 starts. That makes the Phase 2 start date November 10, 2026.

There is still nuance. DoD says it intends to include Level 2 C3PAO requirements for applicable solicitations and contracts in Phase 2. It may delay the requirement to an option period in some cases. It may also include Level 3 requirements at its discretion. Your client should not treat November 10 as a universal contract cliff, but an MSP should treat it as the planning date.

Scopable is useful here because CMMC readiness creates quoting work, not just security work. MSPs need to turn assessment findings into remediation roadmaps, project scopes, budget ranges, and client-facing decisions. Scopable connects assessment context, roadmap priorities, and quotes so the compliance conversation does not die in a spreadsheet.

The October problem: wrong month, real urgency

The issue with saying "October 2026" is not that the risk is fake. The risk is very real. The issue is that sloppy deadline language leads to sloppy client planning.

The CMMC Program final rule was published in October 2024 and became effective in December 2024. The acquisition rule that puts CMMC requirements into DoD contracts was published in September 2025 and takes effect on November 10, 2025. Phase 2 starts one year after that.

So if a client says "we have until October," do not spend the meeting correcting them like a hall monitor. Use the moment to tighten the plan:

  • Which current contracts or renewals involve Federal Contract Information (FCI) or CUI?
  • Which future solicitations are likely to include a CMMC Level 2 requirement?
  • Which systems process, store, or transmit CUI?
  • Which MSP systems touch the CUI environment or provide security protections for it?
  • What evidence exists today, and what is still just an assumption?

That last question is where most readiness projects become real. CMMC is not only a control checklist. It is a proof system. If the client cannot prove the control, the control might as well not exist during assessment.

What Phase 2 actually requires

Phase 2 is not "everyone gets audited on November 10." It is more specific than that.

Under 32 CFR 170.3, Phase 2 adds the planned requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may delay that requirement to an option period for a specific procurement. It may also require Level 3 (DIBCAC) for applicable contracts.

For an MSP, the practical meaning is this:

| Question | What changes in Phase 2 | MSP implication |
|---|---|---|
| Does every DoD contractor need Level 2 C3PAO? | No. The required status depends on the information involved and the contract requirement. | Do not sell Level 2 to every client. Qualify based on FCI, CUI, contract language, and prime flowdown. |
| Is self-assessment still relevant? | Yes. Level 1 and some Level 2 self-assessment requirements still exist. | Keep Level 1 and Level 2 self-assessment support packaged, but do not confuse it with C3PAO certification. |
| Can the client wait until the solicitation appears? | Usually no. Certification work takes longer than a sales cycle. | Start with discovery, CUI scoping, and a paid gap assessment now. |
| Does the MSP get assessed directly? | Sometimes indirectly. MSP services can be in the client's assessment scope. | Prepare service descriptions, access diagrams, evidence, and a customer responsibility matrix. |
| Is conditional status enough? | It can support eligibility only when POA&M rules are met. | Do not promise clients they can POA&M their way out of major gaps. |

The DFARS CMMC clause at 252.204-7021 is the part your clients will feel in contracts. It requires the contractor to have and maintain a current CMMC status at the contract-required level, only process FCI or CUI on systems with the required CMMC status, complete annual affirmations in SPRS, and flow down the right CMMC requirements to subcontractors.

That means CMMC becomes a sales eligibility issue. The client is not buying "compliance." They are protecting the right to bid, renew, and perform DoD work.

What Level 2 requires in plain English

CMMC Level 2 maps to NIST SP 800-171 Rev. 2. 32 CFR 170.14 says Level 2 security requirements are identical to the requirements in NIST SP 800-171 Rev. 2. The NIST security requirements data set contains 110 rows, which is why MSPs often describe Level 2 as 110 requirements across 14 families.

Those requirements are not just technical settings. They include access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

For Level 2 C3PAO certification, 32 CFR 170.17 says the organization seeking certification must achieve a MET result for all Level 2 requirements, obtain a Level 2 certification assessment from an authorized or accredited C3PAO, and have results submitted through the CMMC instance of eMASS for transmission to SPRS.

It also says Level 2 certification assessment results must include details such as the assessment date and level, C3PAO name, assessment identifier, assessor information, CAGE codes, SSP name and version, CMMC status date, assessment result for each requirement objective, POA&M usage if applicable, and hashed artifact details.

That is the hidden work. A client might say they need MFA, EDR, and logging. The assessment asks for the control, the procedure, the evidence, the inventory, the diagram, the artifact hash, and the person who can explain it without guessing.

Why MSPs end up in the assessment boundary

MSPs get uncomfortable with this part because they want a clean line: the client is the contractor, so the client gets assessed. CMMC does not make it that tidy.

32 CFR 170.19 says the Level 2 assessment scope includes CUI assets, Security Protection Assets, Contractor Risk Managed Assets, and certain specialized assets. It also says External Service Provider use must be considered when the provider processes, stores, or transmits CUI or Security Protection Data.

For an MSP, that can include:

  • Remote monitoring and management tools that administer in-scope systems
  • Endpoint detection tools protecting CUI assets
  • Backup platforms storing CUI or system images from CUI assets
  • Ticketing systems that contain screenshots, logs, hostnames, user details, or other security protection data
  • Remote access systems used to maintain the CUI environment
  • SIEM or log platforms receiving logs from CUI assets
  • Documentation systems containing network diagrams, asset inventories, or control evidence

The regulation is explicit about non-cloud External Service Providers. For Level 2, 32 CFR 170.17 says the use of the provider, the relationship to the organization, and the services provided must be documented in the organization's System Security Plan and described in the provider's service description and customer responsibility matrix. It also says the provider services used to meet the organization's requirements are assessed within the organization's assessment scope.

That does not automatically mean every MSP must hold its own CMMC certification. It does mean an MSP serving DIB clients needs assessment-ready documentation. "We manage their IT" is not a service description. "We handle access control" is not a customer responsibility matrix.

The MSP documentation set clients will ask for

Do not wait for a C3PAO to request documentation. Build the package now and reuse it across DIB clients with client-specific scoping.

At minimum, an MSP should prepare:

  1. Service description. Describe the managed services used by the client, which systems they touch, what data they may process, and which security functions they provide.
  2. Customer responsibility matrix. Document what the MSP owns, what the client owns, and what is shared. For CMMC, this should be specific enough to map to Level 2 families and control areas.
  3. Remote access model. Show how MSP staff access client systems, how MFA is enforced, how sessions are logged, and how access is approved and removed.
  4. Tool inventory. List RMM, EDR, backup, documentation, ticketing, SIEM, identity, and remote support tools that touch the in-scope environment.
  5. Data handling statement. Explain whether tools process, store, or transmit CUI, FCI, or Security Protection Data. If the answer is no, justify it clearly.
  6. Evidence handling process. Define where artifacts live, who can change them, how they are retained, and how integrity is protected.
  7. Incident response interface. Clarify who detects, who escalates, who declares an incident, who reports, and how fast the client must make business decisions.
  8. Subcontractor and vendor view. Identify any downstream tools or providers the MSP uses to deliver the service.
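One way to implement the evidence handling item above (where artifacts live and how their integrity is protected), as an added example that is not code from the original article or from Scopable: a manifest that records a SHA-256 hash and size for every collected artifact, and a check that later flags anything modified, missing, or added. The folder layout and file contents are constructed sample data.

```python
"""Evidence artifact manifest with SHA-256 integrity checks.

Added illustration for the evidence handling item above; not Scopable code
and not mandated by any CMMC rule. All paths and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large exports still work."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Map each artifact's relative path to its hash and size at collection time."""
    manifest = {}
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(evidence_dir).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "bytes": path.stat().st_size}
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Diff the folder now against the saved manifest.

    Lists artifacts modified, missing, or added since the manifest was
    written; all three empty means the evidence set is unchanged.
    """
    current = build_manifest(evidence_dir)
    modified = [k for k in manifest
                if k in current and current[k]["sha256"] != manifest[k]["sha256"]]
    return {
        "modified": sorted(modified),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Hash constructed artifacts, edit one after the fact, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "access-control").mkdir()
        review = root / "access-control" / "access-review-2026-Q1.csv"
        review.write_text("user,approved\nalice,yes\n")
        (root / "mfa-policy-export.json").write_text('{"mfa_required": true}')
        manifest = build_manifest(root)
        # A later, unrecorded edit to the access review must be flagged.
        review.write_text("user,approved\nalice,yes\nbob,yes\n")
        return verify_manifest(root, manifest)
```

Store the manifest outside the evidence folder (and under change control) so that the hashes cited in the SSP cannot be silently regenerated alongside an edited artifact.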

If this sounds like a lot, good. This is exactly why CMMC readiness should not be buried inside a managed services agreement as "included compliance help." It is separate work, separate risk, and separate value.

For a starting point, use a shared responsibility matrix template for MSP compliance engagements. The template is not a substitute for legal or assessment advice, but it gives you a usable structure for the MSP-client split.

How to scope the client before you quote remediation

The most expensive CMMC mistake is quoting remediation before the boundary is real.

CMMC scope is not "the whole company" unless the whole company processes, stores, or transmits CUI. But it is also not "just the file server" if identity, logging, backup, remote access, or endpoint tooling protects that file server.

Use this sequence before you price the work:

  1. Confirm the contract driver. Ask for the contract clause, prime requirement, solicitation language, or renewal trigger. If the client only has a rumor from a prime, mark that as a risk.
  2. Classify the information. Separate FCI from CUI. CUI drives Level 2 conversations. Basic FCI may only require Level 1, depending on the contract.
  3. Map CUI flow. Where does CUI enter, who uses it, where is it stored, where is it backed up, and where does it leave?
  4. Draw the asset boundary. Identify CUI assets, Security Protection Assets, Contractor Risk Managed Assets, specialized assets, and out-of-scope assets.
  5. Map MSP tool contact. Identify every MSP platform that touches in-scope systems or security protection data.
  6. Score current evidence. Do not ask only whether a control exists. Ask whether the client can prove it with current, reviewable evidence.
  7. Build the remediation backlog. Separate policy work, technical implementation, evidence collection, training, and assessment preparation.
  8. Quote phases, not fog. Package discovery, gap assessment, remediation, mock assessment, and ongoing evidence management separately.

This protects margin and credibility. A client may want a number on the first call, but a clean CMMC quote without scope is fiction.

What to tell clients about cost

Use official numbers carefully. The 2024 CMMC Program final rule estimated that supporting a Level 2 certification assessment and affirmation costs $101,752 for a small entity and $112,345 for an other-than-small entity. Those estimates include assessment and affirmation support, including C3PAO cost assumptions, but they assume the contractor has already implemented NIST SP 800-171 Rev. 2.

That caveat is the sales conversation.

If the client's current environment is messy, the official assessment support estimate is not the full budget. It does not cover every remediation project required to fix missing MFA, logging, segmentation, documentation, backups, policy gaps, incident response testing, or evidence operations.

A practical MSP package usually separates cost into four buckets:

| Cost bucket | What it covers | How to sell it |
|---|---|---|
| Gap assessment | Scope, asset inventory, control review, initial evidence review, remediation backlog | Fixed-fee diagnostic with a concrete decision output |
| Remediation projects | Technical fixes, policy work, process changes, training, tool cleanup | Scoped projects with assumptions and exclusions |
| Assessment preparation | Evidence review, mock interviews, artifact cleanup, C3PAO readiness | Insurance against avoidable assessment failure |
| Ongoing compliance management | Evidence refresh, access reviews, vulnerability management, affirmations, QBR reporting | Recurring service tied to contract eligibility |

For broader pricing ranges, use the MSP compliance pricing guide. The important point is not the exact first number. The important point is that CMMC pricing should reflect advisory risk, evidence work, and contract value, not just technician hours.

How Scopable fits the CMMC workflow

CMMC readiness creates a handoff problem. The assessment produces findings. The findings become remediation decisions. The decisions become quotes, projects, timelines, and client conversations. Too many MSPs manage that handoff with notes, spreadsheets, and a quote built days later by someone who was not in the assessment.

Scopable is built for MSPs that need that workflow connected. You can turn assessment findings into a client roadmap, package remediation into scoped projects, and build quotes with the context still attached. That matters when a CMMC gap turns into a firewall project, Microsoft 365 hardening, backup redesign, endpoint rollout, or managed compliance retainer.

It also helps protect the MSP from the classic compliance trap: saying yes to everything and discovering later that the client expected unlimited advisory work. A clear roadmap and quote make the responsibility split visible before the work starts.

If you are building a CMMC readiness motion, start by standardizing the assessment output. Then standardize the quote structure. Then standardize the recurring evidence rhythm. Scopable gives MSPs a cleaner way to carry that context from assessment to roadmap to quote.

The 2026 MSP readiness checklist

Use this as the working checklist before November 10, 2026.

Client qualification

  • Identify every client with DoD contracts, subcontracts, or prime contractor flowdown.
  • Ask whether the client handles FCI, CUI, or both.
  • Ask for the contract language or prime requirement, not just a verbal summary.
  • Confirm whether Level 1, Level 2 self-assessment, Level 2 C3PAO, or Level 3 is likely.
  • Prioritize clients with renewals, recompetes, or new bids in late 2026 or 2027.

Scope and architecture

  • Map where CUI is created, received, stored, processed, transmitted, and backed up.
  • Define CUI assets and Security Protection Assets.
  • Identify MSP tools touching the in-scope environment.
  • Separate out-of-scope systems with a defensible technical reason.
  • Build or update the network diagram for the CMMC assessment scope.

Evidence and documentation

  • Update the System Security Plan.
  • Build a customer responsibility matrix.
  • Collect current evidence for each requirement.
  • Document access reviews, training, vulnerability management, incident response tests, and change control.
  • Define artifact retention and integrity handling.

Commercial packaging

  • Sell a paid gap assessment before remediation.
  • Quote remediation in phases with clear exclusions.
  • Keep C3PAO fees separate from MSP service fees.
  • Offer ongoing evidence and affirmation support as recurring revenue.
  • Review E&O and cyber insurance before selling compliance advisory services.

Client conversation

  • Anchor the conversation on contract eligibility, not fear.
  • Ask what DoD revenue is at risk if they cannot bid or renew.
  • Show the current evidence gap, not just the technical gap.
  • Explain where the MSP is in scope and where the client still owns decisions.
  • Give the client a decision path: scope, assess, remediate, prepare, sustain.

CMMC 2026 FAQ for MSPs

Is the CMMC deadline October 2026 or November 2026? The contract phase-in date MSPs should plan around is November 10, 2026. The CMMC acquisition rule is effective November 10, 2025, and 32 CFR 170.3 says Phase 2 begins one calendar year after Phase 1 starts.

Do MSPs need their own CMMC certification? Not automatically. But if an MSP processes, stores, or transmits CUI or provides security functions for the client's CMMC scope, its services can be assessed as part of the client's assessment. The MSP should prepare a service description, customer responsibility matrix, access model, and evidence package.

What does CMMC Level 2 require? CMMC Level 2 uses the NIST SP 800-171 Rev. 2 requirements. The NIST requirements data set contains 110 security requirements across 14 families. For Level 2 C3PAO certification, the organization must meet all applicable Level 2 requirements and complete assessment through an authorized or accredited C3PAO.

Can clients pass with a POA&M? Sometimes, but only under strict rules. 32 CFR 170.17 allows Conditional Level 2 status when the POA&M meets CMMC requirements, but the organization must close it out within 180 days. If it does not, the conditional status expires and contract eligibility can be affected.

What should an MSP sell first? Sell a fixed-scope CMMC discovery and gap assessment. Do not sell full remediation until the CUI boundary, MSP tool contact, evidence state, and contract driver are clear. The output should be a prioritized remediation roadmap and a quote-ready project backlog.

The real deadline is proof

November 10, 2026 is the date to plan around, but the deeper deadline is proof. Your client has to prove the right systems are in scope, the right requirements are met, the right evidence exists, and the right responsibilities are documented.

That is where MSPs can either become indispensable or become a liability. The difference is scoping discipline.

If you serve defense contractors, do not wait for a contract clause to start the conversation. Run discovery, define the CUI boundary, document your MSP role, and turn the remediation plan into a quote the client can actually approve. If you want that assessment-to-roadmap-to-quote workflow in one place, join Scopable early access.
