While you may be dependent upon your Managed Service Provider (MSP) to fulfill your M365 and Azure needs, at some point in time, they should also be CMMC certified. The primary reason for this is that since you are basically hosting all of your data with them, you will also need to make sure that they have the same safeguards in place to protect the CUI and FCI datasets that the DoD is entrusting to your care.

So how do you know if your MSP is up to this task?  We evaluate some areas that you need to scrutinize more closely.

What You Need To Evaluate

1. Is your MSP in CMMC compliance themselves?

Essentially, since you have outsourced your entire IT and Network infrastructure to your MSP, they will need to be in compliance too. So, you should be asking them such questions as:

  • Because I will be using your resources to transact, process, and store the DoD datasets you will need to have the same controls as I have to possess as well.  Are they already in place?
  • If they are not in place, what are your plans to implement these controls and become compliant? And when?
  • We are seeing the threats of Ransomware attacks growing on a daily basis.  Since I am housing mission critical information and data with you, what are the other protective mechanisms you have in place to further safeguard my virtual databases?

The bottom line here is that if your MSP has already been CMMC certified or is on the road to do  so, then there is really nothing to worry about.  But if they are not, and cannot give a definitive answer to the above questions, then you need to pose this to them:  Will they accept what is known as a DFARS 252.204-7012 flow down? Meaning, since you are client of theirs, whatever CUI and FCI datasets they are handling will be flowing down to you, and as a result, will they be able to pass an audit to make sure the appropriate controls are in place?  If they cannot answer this question either, then it is time to look for another MSP that is not only certified but can also meet your other CMMC requirements as well.

2. Do they have enough experience?

Apart from whether the controls are in place or not, another key question you need to be asking your MSP is the degree of experience they have in handling CMMC needs and requests.  Granted, the CMMC is still a rather new thing, so it won’t be surprising to hear if there is not a lot of experience in place yet.  Thus, there should at least be a dedicated specialist on their team that is qualified to be the CMMC expert.  If no such person exists, then you need to be asking your MSP if they have partnered up with another company that can allocate CMMC resources to them.

3. Does your MSP make use of United States personnel?

Given the sensitive nature of both the CUI and FCI datasets, the CMMC pretty much mandates that only US based employees can be entrusted with this data.  Thus, you need to also be asking your MSP if they will abide by this requirement.  The reason for this is that the DoD is taking great efforts to prevent any type of export control violations to nation state threat actors.

4. Are the right technologies in place?

Just as much as having the right controls in place at your MSP is important, the overall SaaS based technologies that they are using to host your virtual database (which houses the FCI and CUI datasets) must also be CMMC compliant.  If this is not the case, then perhaps you should consider seriously using a CMMC authorized Cloud Provider, such as that of Microsoft Azure, to host these respective databases.


Overall, this article has examined some of the key questions that you should be asking your MSP when it comes to their level of CMMC compliance.  But it is also very important to keep in mind that this is a process that you should not tackle alone.  We can help you with this, please contact us today.


  • https://cisomag.eccouncil.org/cmmc-right-msp-partner/