CMMC ESP Scoping for MSPs: Follow the CUI Before You Quote

Scopable Team, 9 min read
A defense contractor asks your MSP for CMMC help. They want a fast quote for cleanup, policy work, and audit support. The tempting move is to price the remediation project from the client's environment.

That is not enough.

CMMC ESP scoping for MSP work starts with a different question: do your own tools, people, or systems touch the client's CUI, Federal Contract Information, or security protection data? If they do, your service may be part of the client's assessment story. That changes discovery, pricing, evidence, contracts, and who pays for the security work.

This is the field guide version. Not a legal memo. Not a generic CMMC explainer. Before you sell CMMC cleanup, follow the CUI path, map your MSP stack, and decide whether the work belongs in a paid assessment, a controlled enclave, a bigger MSP security project, or a polite no.

What is CMMC ESP scoping for MSPs?

CMMC ESP scoping for MSPs is the process of deciding whether an MSP's services, tools, people, or facilities fall into a client's CMMC assessment scope because they process, store, transmit, or protect CUI, FCI, or security protection data. The goal is to find the boundary before quoting remediation.

The official definition matters. 32 CFR 170.4 defines an External Service Provider as external people, technology, or facilities used for IT or cybersecurity services on behalf of an organization. For the CMMC program, CUI or Security Protection Data must be processed, stored, or transmitted on the ESP assets for the provider to count as an ESP.

That last sentence is where MSP scope gets real. You are not in scope just because you are the IT provider. You may be in scope because your RMM, EDR console, backup platform, remote access tool, ticket notes, admin workstation, or SOC workflow touches the data or protects the environment that handles it.

Scopable fits here because this is not only a compliance question. It is a quoting question. MSPs need a way to turn assessment findings into scoped work, client decisions, project budgets, and clear exclusions. If the CUI path is unclear, the quote is not ready.

Why MSPs get pulled into CMMC scope

The client is usually the Organization Seeking Assessment or Organization Seeking Certification. That does not make the MSP invisible.

For Level 2, 32 CFR 170.19 says the assessment scope includes CUI assets, Security Protection Assets, Contractor Risk Managed Assets, and certain specialized assets. It also says the organization must consider whether an ESP is a cloud service provider and whether the ESP processes, stores, or transmits CUI or Security Protection Data.

Security Protection Data is easy to underestimate. The same regulation defines it as data stored or processed by Security Protection Assets used to protect the assessed environment. Examples include configuration data, log files, vulnerability status data, and passwords that grant access to the in-scope environment.

That means a tool can pull your MSP into scope even when it does not store a contract drawing or technical package. If it stores logs from CUI assets, configuration data for security tooling, privileged credentials, or vulnerability data for the in-scope environment, it needs review.

For Level 1, the scoping language also tells organizations to consider External Service Providers in the environment that process, store, or transmit FCI. So do not reduce the question to "does our tool hold CUI?" Ask what information the contract requires the client to protect, then map the MSP touchpoints.

Map the MSP stack before you quote

Use this table during discovery. It is not a final legal determination, but it gives your team a practical starting point.

| MSP tool or service | Likely scope posture | What to check before quoting |
|---|---|---|
| RMM on in-scope endpoints | Needs review, often in scope | Admin access, scripts, inventory data, logs, credential storage, and whether the tool can affect CUI assets. |
| EDR, SIEM, MDR, or SOC service | Needs review, often Security Protection Asset support | Whether logs, alerts, vulnerability data, or response actions protect the CUI environment. |
| Backup and disaster recovery | High risk for scope | Whether backups include CUI, system images from CUI assets, encryption keys, or restoration access. |
| Remote access tools | Needs review | Whether sessions reach CUI systems, whether recordings or clipboard data exist, and how privileged access is controlled. |
| PSA and ticketing | Depends on ticket content | Whether users paste CUI, screenshots, credentials, configuration details, logs, or security findings into tickets. |
| Microsoft 365 administration | Depends on tenant and workload | Whether the tenant stores CUI, whether admin roles reach CUI data, and whether Purview, SharePoint, Teams, or Exchange are in scope. |
| Documentation platform | Depends on contents | Whether it stores network diagrams, credentials, system configurations, procedures, or evidence for the assessed environment. |
| Plain help desk for out-of-scope systems | Often out of scope | Prove separation. Document which systems are excluded and why they cannot process, store, or transmit CUI or SPD. |

The point is not to scare every MSP into treating the whole company as CMMC scope. The point is to stop pretending scope is known before anyone has traced the data.

The three commercial paths

Once you map the tools, the sales path usually lands in one of three places.

1. Walk away

Sometimes the honest answer is no. If the client needs CMMC Level 2 support and your MSP cannot protect its own admin workstations, tool stack, evidence handling, or privileged access process to the required standard, selling the project may create more risk than revenue.

This is not weakness. It is client selection. If you are not ready to deliver compliance work, read when not to offer compliance services before turning a bad fit into a liability problem.

2. Secure the whole MSP delivery path

If CMMC clients are a strategic market, you may choose to bring the relevant MSP systems, processes, people, and evidence practices up to the level needed to support those accounts. That can include admin device hardening, privileged access management, logging, separation of duties, ticket hygiene, change control, evidence retention, and security training.

This path can create a stronger compliance service line, but it should be priced as an internal investment plus a client-facing offer. Do not hide the cost inside a cheap readiness quote.

3. Build a controlled enclave

For many MSPs, the practical answer is a controlled delivery lane for CMMC clients. Limit the tools, accounts, workflows, documentation, and evidence paths that touch CUI or SPD. Keep unrelated clients and everyday help desk noise away from that environment.

An enclave does not make scope disappear. It makes scope smaller, clearer, and easier to price. It also gives you cleaner inputs for the shared responsibility matrix, the client SOW, and the remediation roadmap.

Discovery checklist before quoting CMMC cleanup

Do this before you write the remediation quote.

  1. Find the contract driver. Ask whether the client has FCI, CUI, a current CMMC clause, a prime flowdown, or a future solicitation target. Do not sell Level 2 work to a client that has not established the need.
  2. Trace the CUI path. Identify where CUI is created, received, stored, processed, transmitted, backed up, printed, shared, and archived. If nobody can point to the data flow, the quote is guessing.
  3. Trace the security protection data path. Map logs, configurations, vulnerability findings, credentials, backup metadata, and security console data tied to in-scope assets.
  4. Map MSP access. List every MSP tool, account, workstation, vendor, and person that can administer or observe in-scope systems.
  5. Separate client-owned and MSP-owned work. Use a shared responsibility matrix template to document who owns each control, evidence artifact, approval, and exception.
  6. Define exclusions. If a tool, system, or workflow is out of scope, document why. Physical or logical separation needs evidence, not vibes.
  7. Price assessment before remediation. Sell a fixed-scope discovery and gap analysis first. Then use the findings to build the cleanup quote with phases, assumptions, and change-order triggers.
  8. Turn findings into a SOW. Put deliverables, exclusions, dependencies, acceptance criteria, and client responsibilities into an MSP scope of work. Do not let the PSA ticket become the contract.

That sequence protects both sides. The client gets a cleaner path to assessment. The MSP avoids inheriting unpriced work.

What to include in the quote after scoping

After discovery, the quote should separate five things.

| Quote section | What it should cover |
|---|---|
| Assessment and gap analysis | CUI flow, asset categories, MSP tool review, evidence gaps, risk register, and remediation plan. |
| MSP environment remediation | Work needed inside your own delivery path, if your tools or people are in scope. |
| Client environment remediation | Controls, configuration changes, documentation, evidence, and process changes in the client's environment. |
| Shared responsibility documentation | Customer responsibility matrix, control ownership, exclusions, decision log, and accepted risks. |
| Ongoing support | Evidence maintenance, quarterly reviews, roadmap updates, change control, and quote refreshes as scope changes. |

This also changes pricing. CMMC work is not a single managed service add-on. It may include a paid assessment, separate remediation projects, ongoing evidence support, and a premium for the MSP systems that must meet higher operating discipline. Use a pricing model built for compliance work, not generic managed IT. The MSP compliance pricing guide is the better starting point.

The line to use with clients

Here is the simplest way to frame it:

"Before we quote cleanup, we need to know whether your CUI or security protection data passes through our tools, our accounts, or any third-party platforms we manage. If it does, the quote needs to include that scope. If it does not, we need evidence showing why."

That sentence changes the conversation. It moves the client from "can you make us CMMC compliant?" to "what is actually in scope, who owns it, and what are we buying?"

That is where a serious MSP should want the conversation. Scopable helps teams turn that scope into client-facing roadmaps, budgets, quotes, and follow-up actions so CMMC findings do not get trapped in spreadsheets. If you want that workflow in your MSP, join the early access list.