How to Choose a CMMC Partner (Advice from a Level 2 Certified MSP Owner)
Organizations that seek Cybersecurity Maturity Model Certification (CMMC) compliance face daunting tasks and choices when it comes to achieving their certification. Protecting Controlled Unclassified Information (CUI), preparing for third-party assessment, and selecting the right CMMC consulting partner can directly impact contract eligibility and certification timelines. We had firsthand experience helping other companies achieve their Level 2 (L2) certification before we even received our own. Because of that, I understand that it can feel a bit self-serving when a provider tells you to "only work with L2-certified RPOs."
While having our own certification allows us to support clients as a certified External Service Provider (ESP), I want to be transparent: if you aren't looking for a full-service ESP, there are still great consulting resources out there that don’t have their own Level 2 certification. However, you need to know exactly what to ask to ensure you aren't being led down a dead end.
The "Good Intentions" Trap
Organizations Seeking Certification (OSCs) have deep faith in their existing managed IT partners. We wouldn't be where we are if our clients didn't feel the same way about us. But we’ve seen too many OSCs come to us late in the game because they trusted a provider who simply couldn't deliver on CMMC controls.
My intention is not to paint these providers in a bad light. Most have the best intentions for their clients. But there is a stark difference between a piecemeal approach to CMMC implementation and a rigorous, organization-wide commitment: attending relevant conferences, investing time and money in staff training, pursuing internal certifications, and developing relationships with C3PAOs (CMMC Third-Party Assessment Organizations, the assessors). Without this wholehearted commitment to understanding the CMMC ecosystem, it is incredibly difficult to effectively guide a client through a passing assessment.
To help you navigate your own path forward, I’ve broken down the four most common categories OSCs fall into as they consider CMMC certification and my recommendations for each.
Organization A: "We Have Internal IT"
These organizations usually just need a consultant to help them implement the framework. My advice here is consistent: Not all certifications are created equal. When evaluating whether a consulting firm will fit your needs, here are some certifications to look for on their staff.
- RP & RPA (Registered Practitioner / Registered Practitioner Advanced): These are relatively simple to obtain. They don't prove an individual can complete the work in a way that satisfies a rigorous assessment. I would not hire a firm that only holds these.
- CCP & CCA (Certified CMMC Professional / Certified CMMC Assessor): At a minimum, look for a CCP. Ideally, find a firm with a CCA on staff. A CCA has been trained on, and tested against, the full assessment process, so they understand how an assessor will actually evaluate each practice.
The Insider Questions:
- Who is my daily contact? Are you actually working with the CCA, or is the CCA just "overseeing" five different RPs who are doing the actual work? Make sure you have direct access to the expertise you’re paying for.
- Where did the documentation come from? Did they develop their own package, or are they using someone else's? Beware of "passthrough" RPOs that are just marking up another company’s templates without understanding the "why" behind them.
Organization B: "We Need an MSP"
Simple answer: Don’t hire an MSP that doesn't have their own Level 2 certification.
When you use an MSP, their tools and staff touch your in-scope systems: agents installed on your machines, remote-management consoles, privileged accounts, and the logs and backups those tools generate. Those services and the people operating them fall into the scope of your assessment. If the MSP doesn't have its own L2, you are essentially gambling that their internal tooling and procedures will pass when your assessor examines them. Don't put yourself in a position where your certification is held hostage by an MSP that can't provide proof of their own compliance.
The Golden Rule: Regardless of the provider, they must provide you with a Shared Responsibility Matrix (SRM). If they can't (or won't) produce this, walk away.
Organization C: "We Have an MSP, but Want a CMMC Enclave"
This is a perfectly valid "best of both worlds" approach. If you love your current MSP but they aren't ready for CMMC, you can build a compliant "enclave" for your CUI (Controlled Unclassified Information) and have a different ESP manage just that environment.
This keeps your primary MSP out of scope, allowing them to keep using their existing tools without triggering an assessment of their entire operation. It adds some operational hurdles for your staff (switching between environments), but it’s a popular way to maintain "business as usual" for the non-CMMC side of the house.
Note: If you go this route, scrutinize the "touchpoints" between the enclave and your general office network: shared identity and directory services, file shares, email, remote-management agents, and any network path that is not explicitly blocked. If the two environments bleed together, the enclave boundary collapses and your non-compliant MSP is back in scope.
Organization D: "We Want Our Existing (Non CMMC L2 Compliant) MSP to Do It All"
I’ll be blunt: This is rarely realistic. I’ve seen so many failed attempts where an MSP tries to hold onto a client without realizing they are about to cost that client a fortune in failed implementation and assessor fees.
A standard MSP uses a suite of tools for monitoring, remote management, and security. They're usually quality, functional tools. But for CMMC L2, any cloud-hosted tool that stores, processes, or transmits CUI must be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency, and many common MSP tools do not.
The Reality Check:
- The "Rip and Replace": Your MSP will likely have to gut their existing toolkit and replace it with FedRAMP Moderate authorized (or equivalent) versions, which are typically more expensive and may require them to re-engineer their own operations.
- The Assessment Fatigue: Ask for an SRM. Look at the "Shared" or "Provider" controls. Can your MSP sit in a room with an assessor for 7 hours a day, over 5 days, and defend every single procedure? Can you answer all of the questions for the controls that you are responsible for?
Being a "good IT company" and being a "compliant CMMC provider" are two different professions. If you aren't moving to an enclave, you must require your MSP to get their own L2 certification. Until then, your fates are intertwined.
If you are at a loss, reach out to a CMMC L2 managed IT service provider and get some guidance. An MSP worth working with should be happy to talk through your current environment and provide you with recommendations.
Don’t be shy in asking about their track record. CMMC compliance standards are not new and by now they should be able to provide you with some success stories, as well as notes from their own L2 assessment.
Check out the Cyber AB Marketplace to see who might be a good fit for you. And as always, feel free to give Stratus a call.