
MSPs Without CMMC Certification Risk Losing Government Business—Here’s Why

Sentinel Blue, an MSSP, wrote an update on CMMC that I wanted to highlight. The company announced that it successfully passed its Cybersecurity Maturity Model Certification (CMMC) Level 2 assessment in January 2025, marking a significant achievement in the implementation of security controls designed to protect government information. The CMMC program went live at the end of 2024, transitioning from a draft to an active certification process, with the majority of discussions focusing on Level 2 compliance. While certifications are not yet mandatory for Department of Defense contracts, companies are advised to prepare in anticipation of future requirements.

Let’s quote a passage.

“In my previous post, our expectation was that MSPs would need to be CMMC Level 2 certified to support clients that have a Level 2 certification requirement. That is no longer explicitly true.

MSPs (who are part of a broader definition of “External Service Providers”, or ESPs) can be included in the scope of a contractor environment, and should expect to be assessed as part of the contractor environment. So while you may not need to get certified, you will be expected to participate in assessment and explain how the tools and capabilities you provide to your clients are implementing some or all of the security requirements.

But, while you technically don’t need a certification per the contract rules, I would advise you to pursue certification if you want to operate in this space. So far, 7 weeks into CMMC Level 2 certifications beginning, I have seen about 8 companies announce their certification – more than half so far are MSPs. Straight up, your competition in the market is going to have certifications, and they are going to use that as an advantage over you in the sales process. It’s a demonstration of the seriousness with which we take the program, and also serves to demonstrate we know how to get companies through the certification. The higher quality clients will recognize this and opt to work with MSPs who have the certification.

And, in my perspective as a C3PAO, there’s potential for so much more smoothness and confidence in an assessment when the involved MSP has their certification.”

Why do we care?

MSPs may not be required to hold CMMC Level 2 certification—but those without it will face an uphill battle in the market. Expect certification to become the norm, not the exception, for any MSP serious about government contracts.