Why MSPs and MSSPs Are Building Their CMMC Practices on Kiteworks
CMMC 2.0 Phase 2 enforcement is in effect. Defense contractors subject to new or renewed DoD contracts must now demonstrate CMMC Level 2 compliance or lose those contracts. The companies affected span the full breadth of the defense industrial base – aerospace systems integrators, small manufacturers, IT vendors – and the vast majority are small to mid-sized businesses with no dedicated compliance staff. They are looking for a trusted advisor who can guide them through the CMMC compliance roadmap and deliver the technology infrastructure needed to pass a C3PAO assessment.
That opening is where MSPs and MSSPs come in. An MSP credentialed as a Registered Practitioner Organization (RPO) under the CMMC Accreditation Body framework can advise clients on assessment preparation, configure their environments, and manage ongoing compliance as a service. But the practice only works if the platform the MSP deploys actually satisfies the controls a C3PAO will test.
Choosing a platform that claims CMMC readiness without documented certifications is not just a technical shortcoming. Under the False Claims Act, falsely certifying that a contractor is CMMC compliant when it is not carries civil penalties that can reach $28,619 per false claim, plus treble damages. The platform decision is a business and legal decision as much as a technical one.
Kiteworks was designed for this environment. The platform delivers unified CMMC 2.0 compliance across every channel through which Controlled Unclassified Information moves, backed by certifications that satisfy DoD requirements without ambiguity.
Key Takeaways
1. The defense industrial base is now the most clearly defined compliance services market in managed IT.
Over 80,000 DIB contractors require C3PAO-assessed CMMC Level 2 certification, and most lack the internal staff to get there. MSPs and MSSPs that build a credible CMMC practice stand to capture a recurring, mandate-driven revenue stream that does not shrink when IT budgets tighten.
2. Platform choice determines whether a CMMC practice succeeds or fails.
Many vendors claim CMMC alignment without carrying the certifications DoD requirements actually recognize. An MSP that deploys an unqualified platform exposes its clients to failed assessments and, under the False Claims Act, exposes both parties to civil penalties of up to $28,619 per false claim plus treble damages.
3. Kiteworks addresses 90% of CMMC 2.0 Level 2 requirements out of the box.
That coverage spans the control families a C3PAO will scrutinize most carefully – access control, audit and accountability, configuration management, identification and authentication, and system and communications protection – giving clients the strongest possible starting point before the assessment begins.
4. Kiteworks holds a real FedRAMP Moderate Authority to Operate, not a self-attested equivalency claim.
That authorization has been confirmed by a certified third-party assessment organization every year since June 2017, and it satisfies the DFARS 7012 cloud security requirement without any additional equivalency determination from the contractor.
5. A single-tenant architecture and unified audit log make C3PAO assessments faster and cleaner.
Each DIB client gets a dedicated Kiteworks environment with no shared infrastructure. Every CUI channel interaction – email, file sharing, managed file transfer, SFTP, data forms – feeds into a single immutable audit log, giving the assessor a complete, tamper-evident evidence package without the MSP having to assemble it manually.
The CMMC Opportunity MSPs and MSSPs Cannot Ignore
The CMMC Final Rule established a phased compliance timeline that is now past its early stages. Level 2 requirements – which map directly to all 110 controls in NIST 800-171 and require assessment by an accredited C3PAO – apply to any contractor that handles Controlled Unclassified Information under a DoD contract. With over 80,000 contractors in scope for Level 2, the market for qualified CMMC advisors is not theoretical. It is immediate, documented, and growing as contract renewals bring more of the supply chain into scope.
The compliance obligation does not end with the initial certification, which is part of what makes the DIB a strong market for managed services. CMMC certification is valid for three years, but maintaining it requires continuous attention. Contractors must keep their security controls operational, update their System Security Plan when significant changes occur, address any findings through a POA&M process, and prepare the evidence package for reassessment. That is not a one-time project. It is exactly the kind of ongoing operational burden that MSPs are built to take off clients’ plates.
There is also a supply chain dynamic worth understanding. When a prime contractor gets certified, pressure cascades down to its subcontractors. When a Tier 1 subcontractor passes its assessment, the Tier 2 suppliers handling the same FCI come into focus. An MSP embedded in a certified contractor’s compliance program is in a good position to serve that contractor’s subcontractor relationships as requirements propagate down the chain.
Why the Platform Beneath the Practice Is Everything
CMMC Level 2 requires satisfying 110 controls across 17 domains. Those controls govern how users authenticate, how CUI moves across systems, how access events are logged, and how incidents are detected and reported. No single platform addresses all 110 – policies, procedures, and additional tooling are always required – but the platform determines how many controls the client starts with documented and covered, versus how many must be built from scratch.
That starting-point difference matters enormously in practice. A client deploying a platform that covers 40% of Level 2 requirements faces a substantially longer and more expensive road to certification than one that starts at 90%. The MSP’s assessment preparation timeline, the likelihood of a first-attempt pass, and the total engagement cost all follow from that baseline. Kiteworks addresses 90% of CMMC Level 2 requirements out of the box, giving RPOs the best possible foundation before the CMMC gap analysis even begins.
Platform selection also carries legal weight that many MSPs underestimate. DFARS 7012 specifies that cloud services handling CUI must meet FedRAMP Moderate security requirements. Vendors who offer self-attested FedRAMP equivalency are not the same as vendors with a confirmed FedRAMP Moderate Authority to Operate. When a C3PAO examines the cloud service provider an MSP has deployed, that distinction is the difference between a finding and a clean result. Deploying a platform that cannot pass that test puts clients in a documented compliance gap, and under the False Claims Act, that gap becomes legal exposure the moment the contractor certifies compliance to the DoD.
How Kiteworks Covers CMMC Level 2 from the Start
Most organizations attempting CMMC compliance assemble separate tools for email security, file sharing, managed file transfer, SFTP, and data forms. Each tool has its own security posture, its own logging format, and its own policy enforcement model. That fragmentation creates real assessment complexity: the C3PAO must evaluate each system independently against the relevant control families, and a gap in any one of them becomes a finding against the entire assessment. Data classification disciplines applied uniformly across all channels — rather than separately in each tool — are a prerequisite for demonstrating consistent CUI handling to an assessor.
Kiteworks works differently. It is a unified secure data exchange that governs CUI across Kiteworks secure email, Kiteworks secure file sharing, secure managed file transfer, Kiteworks SFTP, and Kiteworks secure data forms through a single control plane. Access policies, DLP rules, malware scanning, and anomaly detection apply once across all channels, rather than being configured and maintained separately in five different products.
The compliance impact is direct. Control families like Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC) apply to every system through which CUI flows. In a unified platform, those controls are documented, centralized, and demonstrable in a single location. Kiteworks enforces FIPS 140-3 validated encryption in transit and at rest, generates immutable audit logs for every interaction, and produces automated compliance reports that support CMMC Level 2 documentation requirements without manual assembly.
For an MSP building a CMMC practice, that starting-point coverage changes the client conversation entirely. Instead of arriving with a lengthy remediation roadmap, the MSP walks in with a platform that already handles the hardest technical controls. The engagement focuses on policy documentation, environment configuration, and assessment preparation – work the MSP can deliver efficiently and at scale across multiple clients. The CISO Dashboard gives the MSP real-time visibility into each client’s CUI activity across all channels, enabling proactive compliance monitoring between assessment cycles.
FedRAMP Authorization and What It Actually Means for DFARS
The most common compliance gap in CMMC implementations is also the most avoidable: deploying a cloud service provider that does not actually meet the DFARS 7012 security requirement.
DFARS 7012 requires cloud services that process, store, or transmit CUI on behalf of a DoD contractor to be either FedRAMP Moderate Authorized or to meet equivalent security requirements. The equivalency path exists, but it requires meaningful documentation – a detailed comparison of the CSP’s controls against the FedRAMP Moderate baseline and a letter submitted to the DoD CIO. It is not a checkbox. As CMMC enforcement has matured, the DoD has signaled increasing scrutiny of equivalency claims, and several early assessments have produced findings specifically tied to unqualified cloud services.
Kiteworks holds an actual FedRAMP Moderate authorization, a formal Authority to Operate issued by the Joint Authorization Board and confirmed by an accredited 3PAO every year since June 2017. That is not a marketing claim. It is a documented federal authorization that satisfies FedRAMP compliance requirements under DFARS 7012 without any equivalency determination from the contractor. For an MSP deploying Kiteworks for a DIB client, the cloud service question has a definitive, documented answer.
That matters directly for False Claims Act exposure. A contractor that falsely certifies CMMC compliance – including falsely attesting that its cloud service meets the required security standard – faces civil penalties up to $28,619 per false claim plus treble damages. An MSP that deploys a platform without actual FedRAMP authorization places its client in that exposure window. The Kiteworks authorization closes that risk. Organizations that have mistakenly relied on a vendor’s FedRAMP equivalency claim should treat the switch to an actually authorized platform as an urgent remediation, not a future roadmap item.
Building a Recurring Revenue CMMC Practice
The business case for MSPs and MSSPs goes well past the initial CMMC engagement. Certified contractors must maintain their compliance posture continuously, respond to incidents under documented incident response procedures, and prepare for reassessment at the end of each three-year cycle. New contracts with CMMC requirements reference current certification status, which means any gap in the compliance program has direct contract consequences.
Kiteworks supports that ongoing relationship. Each DIB client receives a fully isolated single-tenant instance – dedicated infrastructure and dedicated encryption keys, with no shared CUI exposure across the MSP’s client base. The MSP configures, monitors, and reports on each environment independently. The platform’s SIEM integrations feed CUI activity data into the MSP’s security operations tools in real time, enabling proactive compliance monitoring rather than scrambling to prepare for a scheduled audit.
This lets the MSP offer platform management, security monitoring, policy governance, and assessment preparation as a continuous engagement rather than a series of one-off projects. That model generates predictable revenue, deepens client relationships, and builds switching costs that protect the account over time. The CMMC gap analysis that starts the relationship becomes the foundation for a compliance management program with defined deliverables and clear renewal logic.
The DIB is not a discretionary market. Contractors that handle CUI under DoD contracts are required to comply – not encouraged, not incentivized, required. That translates directly into demand for qualified MSP partners who can deliver the right platform, configure it correctly, and keep it compliant. Kiteworks gives MSPs 90% out-of-the-box Level 2 coverage, a FedRAMP Moderate authorization that satisfies DFARS 7012 without workarounds, and a unified CUI governance model that holds up under C3PAO scrutiny. MSPs that also serve clients with ITAR compliance obligations will find that Kiteworks’ single-tenant architecture and FIPS-validated encryption satisfy those requirements as well, enabling a single platform to serve the full regulated defense supply chain.
To learn how Kiteworks helps MSPs and MSSPs build high-margin, recurring CMMC practices for their defense industrial base clients, schedule a custom demo today.
Frequently Asked Questions
A Registered Practitioner Organization is a company credentialed by the CMMC Accreditation Body to provide CMMC consulting and implementation services. RPOs are not authorized to conduct formal assessments – that role belongs to C3PAOs – but they guide contractors through assessment preparation, configure their technology environments, and manage ongoing compliance programs. Technically, an MSP can provide advisory services without RPO status, but the credential matters in practice. DIB contractors searching for help in the CyberAB marketplace filter by credentialed organizations, and RPO status signals that the firm has met a recognized knowledge baseline and operates under a professional code of conduct. For MSPs building a serious CMMC practice, the investment in RPO credentialing pays off in deal flow. Use the CMMC compliance checklist as a reference for the full set of Level 2 requirements your clients will need to satisfy. The CMMC Level 2 Assessment Guide is equally useful for understanding what the C3PAO will evaluate during the formal assessment. MSPs should also familiarize themselves with the NIST 800-53 control framework that underpins FedRAMP assessments, since C3PAOs often draw on both frameworks when evaluating cloud service security.
DFARS 7012 requires any cloud service provider handling CUI on behalf of a DoD contractor to be FedRAMP Moderate Authorized or to meet equivalent security requirements. Kiteworks holds a FedRAMP Moderate Authority to Operate confirmed by annual third-party assessment since June 2017, which means it satisfies that requirement directly, without any equivalency determination or additional documentation from the contractor. When an MSP deploys Kiteworks for a DIB client, the cloud service compliance question has a clean, documented answer that will withstand C3PAO scrutiny. This matters given the DoD’s increasing scrutiny of equivalency claims in recent assessment cycles. Review the full authorization details in Kiteworks’ FedRAMP compliance documentation, and see the DFARS glossary entry for context on what the clause requires. MSPs whose clients also handle CUI subject to NIST 800-171 assessment should note that the same Kiteworks authorization package that satisfies DFARS 7012 also supports the System and Communications Protection domain evidence for the C3PAO.
It means the platform’s built-in controls – access management, audit logging, FIPS 140-3 validated encryption, DLP, malware scanning, anomaly detection, and unified channel governance – already satisfy 90% of the 110 NIST 800-171 controls that CMMC Level 2 requires. The remaining controls typically involve policy and procedure documentation – training programs, physical security plans, incident response procedures – rather than additional technology. For an MSP, this compresses the assessment preparation timeline and significantly reduces the risk of a first-attempt failure. Instead of spending most of the engagement on technical remediation, the work focuses on policy documentation, environment configuration, and evidence organization. That is both faster and more profitable than rebuilding a client’s technical foundation from scratch. See the full control mapping in Kiteworks’ CMMC 2.0 compliance documentation.
Single-tenant architecture means each DIB client gets a completely isolated Kiteworks environment – dedicated compute, dedicated storage, dedicated encryption keys, with no shared infrastructure with any other client. For the C3PAO assessment, this has two direct benefits. The assessment boundary is clean: the client’s Kiteworks instance is a self-contained system, and the assessor does not need to evaluate multi-tenant isolation controls or account for data commingling risks. It also eliminates the possibility that a security event in one client’s environment could propagate to another. For an MSP managing multiple DIB clients, the single-tenant model simplifies ongoing compliance management, since each environment can be configured, monitored, and prepared for reassessment independently. The CMMC compliance checklist outlines the system architecture documentation requirements a C3PAO will review. The audit logs from Kiteworks are tamper-evident and cover every CUI interaction across all channels. MSPs should document each client’s System Security Plan to reflect the single-tenant boundary explicitly, as assessors will cross-reference the SSP against the deployed architecture during the assessment.
CMMC Level 2 certification covers a three-year cycle, but maintaining it requires continuous operational attention. Contractors must run their security controls consistently, update their System Security Plan when significant changes occur, address any open findings through a documented POA&M process, and prepare the evidence package for reassessment. Any new DoD contract with CMMC requirements references current certification status, so gaps in the compliance program have immediate contract consequences. MSPs can build a recurring managed service around those obligations: platform management and monitoring, policy documentation updates, evidence collection and organization, incident response support, and pre-assessment readiness reviews. That structure gives clients a defensible, continuous compliance posture and gives the MSP predictable revenue with clear renewal logic. The CMMC Level 2 Assessment Guide is a practical reference for understanding what each reassessment cycle requires from both the contractor and its MSP. MSPs serving clients with broader regulatory exposure — including HIPAA compliance obligations for healthcare-adjacent defense contractors — can extend the same Kiteworks platform and governance model across those requirements, building a multi-framework managed compliance practice on a single technology investment.
Additional Resources
- Blog Post: CMMC Compliance for Small Businesses: Challenges and Solutions
- Blog Post: CMMC Compliance Guide for DIB Suppliers
- Blog Post: CMMC Audit Requirements: What Assessors Need to See When Gauging Your CMMC Readiness
- Guide: CMMC 2.0 Compliance Mapping for Sensitive Content Communications
- Blog Post: The True Cost of CMMC Compliance: What Defense Contractors Need to Budget For