Is Your MSP Support Ready for CMMC Level 2 Compliance?


If a prime contractor is requiring CMMC compliance and has given your company a deadline, you need clarity immediately — not guesswork. 

For subcontractors in the Defense Industrial Base (DIB) that handle Controlled Unclassified Information (CUI), a prime’s CMMC requirement changes your risk profile overnight. Whether the notice references Level 1, Level 2, DFARS 252.204-7021, or self-attestation, the underlying issue is the same: 

Are you actually prepared for what your prime is asking? 

Before you invest in new tools, migrate to GCC High, or assume your current MSP can handle it, you need to understand three things: 

  • Whether you truly handle CUI 
  • What CMMC level applies to your contracts 
  • What your real infrastructure and compliance gaps look like 

Here’s what subcontractors should do first. 

Step 1: Determine Whether CMMC Level 1 or Level 2 Applies to Your Contracts 

When a prime contractor requires CMMC compliance, many subcontractors immediately assume: 

  • “We’ll self-assess Level 1.” 
  • “This is basic cybersecurity.” 
  • “We just need to check the box.” 

That assumption can create serious problems. 

CMMC Level 1 applies to organizations handling Federal Contract Information (FCI).
CMMC Level 2 applies to organizations handling Controlled Unclassified Information (CUI). 

If you manufacture components, work from technical drawings, access defense portals, or receive ITAR-controlled specifications, there is a strong likelihood that CUI exists in your environment. 

And if CUI exists, Level 2 is not optional. 

Before you do anything else, you need to determine: 

  • Whether CUI is present 
  • Where it lives 
  • How it moves 
  • Who has access 

Many subcontractors discover too late that they scoped themselves incorrectly — and built a Level 1 strategy for what is actually a Level 2 obligation. 

If you need a structured starting point, a CMMC compliance checklist can help you understand baseline requirements before moving further. 

Confirm the level first. Everything else depends on it. 

Related Topic: What Are the Main Red Flags That CMMC Assessors Are Looking For?

Step 2: Identify Where Controlled Unclassified Information (CUI) Resides in Your Systems 

Once you confirm the applicable level, the next priority is scope. 

Most subcontractors underestimate where CUI actually exists. 

It rarely sits in a single folder labeled “Government.”
It typically spreads across systems over time. 

In DIB manufacturing and subcontracting environments, CUI commonly appears in: 

  • Engineering drawings and CAD files 
  • Technical specifications from primes 
  • Secure portals and file transfer systems 
  • Email attachments and shared drives 
  • File servers and local desktops 
  • Backup repositories 
  • ERP systems tied to defense contracts 
  • Shop floor job packets containing controlled drawings 
  • Printed work instructions 
  • Network-connected copiers and scanners 

If even one of those systems contains CUI, it becomes part of your CMMC scope. 

That affects: 

  • Encryption requirements 
  • Access controls 
  • Logging and monitoring 
  • Backup architecture 
  • Network segmentation 
  • Assessment evidence 

Before making infrastructure decisions — including moving to GCC High — you need a documented CUI data flow: 

  • How does it enter your organization? 
  • Where is it stored? 
  • Who can access it? 
  • Does it leave your environment? 

CMMC assessments are not based on assumptions.
They are based on evidence tied to scoped systems. 

Mapping CUI correctly at the beginning prevents both overbuilding and dangerous blind spots. 

Related Topic: Do Defense Subcontractors Need CMMC Level 2 for CUI?

Step 3: Confirm Your MSP Can Support a CMMC Level 2 Assessment 

Once you understand your CUI scope, the next question is execution. 

Many subcontractors assume their existing Managed Service Provider can simply “add CMMC” to what they already do. 

That assumption often becomes a problem. 

Traditional MSP services typically include: 

  • Helpdesk support 
  • Endpoint protection 
  • Backups 
  • Firewall management 
  • Microsoft 365 administration 

CMMC Level 2 requires more than managed IT. 

It requires: 

  • Implementation and maintenance of 110 NIST SP 800-171 practices 
  • A documented System Security Plan (SSP) 
  • Formalized policies and procedures 
  • FIPS-validated encryption wherever cryptography protects the confidentiality of CUI (NIST SP 800-171 requirement 3.13.11): the cryptographic module must hold a NIST CMVP certificate under FIPS 140-2 or 140-3, and a product marketed only as "FIPS-compliant" or "FIPS-capable" does not satisfy this 
  • Access control enforcement 
  • Ongoing log collection and monitoring 
  • Evidence management 
  • Assessment readiness 

At assessment time, someone must: 

  • Explain how each control is implemented 
  • Demonstrate that it is consistently enforced 
  • Produce supporting documentation 
  • Defend architectural decisions 
  • Address assessor questions without creating new exposure 

A CMMC Level 2 assessment is not a checklist review. It is a structured validation process. 

If your MSP has never participated in a Level 2 assessment — or achieved CMMC Level 2 certification themselves — they may be navigating the process for the first time alongside you. 

Right Hand Technology Group is one of fewer than 40 MSPs nationwide that has achieved official CMMC Level 2 certification for our own environment. 

We operate under the same compliance obligations we help subcontractors implement. 

We have: 

  • Built compliant environments 
  • Documented and defended controls 
  • Addressed assessor findings 
  • Managed evidence under audit conditions 
  • Sat in assessments and explained our clients’ environments directly to assessors 

That distinction matters. 

When a prime contractor sets a deadline, someone must be prepared to stand behind the controls during assessment. 

Confirm not only that your MSP can implement controls — but that they will defend them. 

Related Topic: How Small Businesses Can Stop Ransomware Attacks Effectively?

Step 4: Align Your CMMC Timeline With Your Prime’s Deadline 

When a prime issues a compliance deadline, the instinct is to move quickly. 

Speed matters — but precision matters more. 

Level 1 can often be addressed relatively quickly if your cybersecurity baseline is solid. 

Level 2 is different. 

Even in well-managed environments, Level 2 typically requires: 

  • Infrastructure validation or upgrades 
  • Encryption verification 
  • Policy formalization 
  • Access control refinement 
  • Backup architecture review 
  • Network segmentation 
  • Documentation development 
  • Internal process alignment 

Infrastructure changes such as migrating to GCC High, restructuring file systems, or replacing legacy systems cannot be done overnight without risk. 

Rushed compliance work often creates: 

  • Scope errors 
  • Documentation gaps 
  • Technical shortcuts 
  • Avoidable assessment findings 

The earlier you begin structured evaluation, the more flexibility you retain. 

CMMC compliance is achieved through controlled execution — not urgency-driven reaction. 

Related Topic: Why Data Security Management Is Critical for Modern Businesses?

Step 5: Conduct a Structured CMMC Readiness Assessment Before Taking Action 

At this point, most subcontractors face the same decision: 

Do we start buying tools and making changes — or do we first confirm what actually needs to happen? 

Moving infrastructure before confirming scope often leads to: 

  • Overspending 
  • Over-scoping 
  • Rework 
  • Operational disruption 

The disciplined approach is to establish clarity first. 

A structured readiness assessment should confirm: 

  • Whether you truly handle CUI 
  • What systems fall inside scope 
  • Where your most material compliance gaps exist 
  • Whether your current environment can support Level 2 
  • What infrastructure changes are necessary — and which are not 
  • What a realistic timeline looks like 

This prevents both underreaction and overreaction. 

For subcontractors facing a CMMC requirement from a prime contractor, the responsible next step is structured evaluation. 

Right Sentry Snapshot provides: 

  • Confirmed CUI scoping 
  • Infrastructure gap analysis 
  • MSP capability evaluation 
  • Timeline alignment 
  • Strategic sequencing guidance 

We do not begin with migration. 

We begin with confirmation. 

If your organization has been given a CMMC deadline, schedule a Right Sentry Snapshot to understand exactly where you stand — and what it will take to move forward confidently. 

Related Topic: Small Business Cybersecurity Best Practices That Actually Work

Frequently Asked Questions 

What if my prime contractor only mentioned CMMC Level 1? 

Some primes initially require Level 1 as a transitional step. However, if your organization handles Controlled Unclassified Information (CUI), Level 2 may ultimately apply. Before self-attesting at Level 1, confirm whether CUI exists in your systems and whether future contracts will require Level 2 certification. 

Can we become CMMC compliant using our current IT provider? 

Possibly — but only if your provider has direct experience implementing and defending CMMC Level 2 controls during an assessment. Compliance requires documentation, evidence management, and audit participation, not just technical configuration. Confirm that your MSP can support the full assessment lifecycle. 

How long does it take to become CMMC Level 2 compliant? 

Timelines vary based on current infrastructure, CUI scope, and documentation maturity. For many subcontractors, Level 2 readiness requires staged infrastructure validation, policy development, and assessment preparation. Beginning with a structured evaluation shortens delays caused by rework or mis-scoping. 
