Managing MSP Responsibilities for CMMC Compliance

Managed service providers (MSPs) offer a wide variety of services that can satisfy CMMC practice objectives. However, most organizations seeking certification (OSCs) don’t have a clear picture of who does what to achieve compliance. By transforming the CMMC model into a management model, OSCs can drastically improve the compliance value they receive from MSPs.

Step 1: Separate Governance and Performance Objectives

The “real” CMMC 2.0 model is a set of 320 assessment objectives, and a single CMMC practice will often have more than one. For example, here are the assessment objectives for one CMMC practice, CM.L2-3.4.9 – User-Installed Software:

  • 3.4.9[a] a policy for controlling the installation of software by users is established.
  • 3.4.9[b] installation of software by users is controlled based on the established policy.
  • 3.4.9[c] installation of software by users is monitored.


The first objective is a governance objective. It uses “non-functional” language like established, defined, and specified. These objectives are often documented in a policy, standard, system specification, or all three.

Identify which assessment objectives are “governance” objectives (often the first objective listed) and separate them from “performance” objectives that use functional verbs like enforced, limited, and controlled. Don’t assign governance objectives to your MSP. MSPs are built to “do” (perform) based on client expectations (governance).

Step 2: Pre-Satisfy Governance Objectives

Determine your own definitions, specifications, and measures of performance so that service providers’ expectations are clear and manageable.

You could pre-satisfy the governance objective for CM.L2-3.4.9 (“a policy for controlling the installation of software by users is established”) through the following actions:

  • Create a software usage policy
  • Review the software usage policy
  • Approve the software usage policy
  • Disseminate the software usage policy

Step 3: Determine Asset Capabilities

There are at least four common asset types in your organization: people, technology, facilities, and information. Three of these can provide protections for information assets: people, technology, and facilities.

MSPs tend to look for technology solutions to satisfy assessment objectives. To keep MSPs focused on the objectives where technology is a “best fit,” identify which CMMC assessment objectives are best satisfied by people, technology, or facilities.

Chart of the people, technology, and facilities needed for 3.4.9

This step is also an excellent time for MSPs to identify the tools (“security protection assets” in CMMC terminology) they intend to use in your environment.

Step 4: Describe the Work

If you’ve performed Step 2 (pre-satisfying governance objectives) and Step 3 (determining the best fit for asset capabilities), your organization can provide MSPs with valuable inputs to guide processes involving technology. The next step involves describing an MSP’s tasks and duties.

Mature MSPs use pre-defined terms to describe service delivery. These can be rudimentary keywords (“move, add, change, delete”), verb/noun combos (“configure email clients”), or primary work areas (“server administration”). If your MSP doesn’t use specific terms to describe their activities, now is the time to start. You cannot hold third parties accountable for compliance outcomes until you agree on the defined tasks they will perform on your behalf.

Using our example, verbs (process) and nouns (technology assets or other objects) are combined to describe the work necessary to satisfy “performance” objectives in the model:

3.4.9[b] installation of software by users is controlled based on the established policy.

  • Review software usage policy
  • Configure controlled folders
  • Configure trusted certificate store
  • Configure application control software


3.4.9[c] installation of software by users is monitored.

  • Configure software installation alerts
  • Review software inventory
  • Report software usage policy violations


As an MSP’s listed tasks become unwieldy, sort them into related “duty areas” or “work areas.” Multiple duty areas can be grouped into distinct capabilities. These capabilities may be used to describe individual roles or assigned to the MSP’s service and project teams.

Finally, assign frequencies for performance to these capabilities (annually, monthly, continuously, as-needed) so that MSPs can forecast labor and adjust service level agreements.

Step 5: Assign Responsibilities

Responsibility doesn’t exist in a vacuum. If you assign responsibility to an MSP with no expectations (accountability), guidance (consulting), or reporting chain (informing), your organization will be disappointed in external service providers.

A RACI matrix identifies who is Responsible for an action, Accountable for outcomes, Consulted for feedback and input, and Informed of progress and results.

When combined with the results of our prior steps, this forms a more complete view of how implementations will be performed.

MSPs must be part of an overall management model in order to produce the results your organization needs during a future assessment. More organizations are becoming aware of the need to create a shared responsibility matrix for their stakeholders. The steps we’ve described in this article will create an informed view of who does what, and by when, along with team dynamics for coordinating work.