Reflections on "Climbing Mount CMMC" Podcast: A Fresh Take on MSPs in the CMMC Ecosystem

I recently caught up with Brian Hubbard to talk about all things CMMC, and he strongly recommended I listen to the latest episode of “Climbing Mount CMMC”, where Bobby Guerra and Kaleigh Floyd delivered a fantastic discussion around the recent release of 32 CFR. This episode offered some deep insights, particularly for Managed Service Providers (MSPs) and their evolving role within the CMMC framework. If you haven’t tuned in yet, this is a must-listen!

One of the most striking points discussed was the growing emphasis on MSPs as External Service Providers (ESPs) managing critical security protection assets within the ecosystem, including the tools they use to process that data, such as SIEM and EDR platforms. Traditionally, MSPs may not have been considered central players in government contracting cybersecurity, but Bobby and Kaleigh made it clear: the landscape is shifting. Even if MSPs don’t directly handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI), their indirect exposure to sensitive data requires them to step up their cybersecurity game.

While this shift has been developing for a while, Bobby and Kaleigh did an excellent job of explaining why it’s truly a game-changer for those unfamiliar with the CMMC landscape. They underscored the tight interconnectedness between government subcontractors and service providers. Essentially, if MSPs are involved in data processing—whether through log files, ticket data, or processes on workstations that store or touch CUI—they need to ensure their own cybersecurity hygiene is in top shape. My personal takeaway was that it's time for MSPs to "clean up their own backyard."

Bobby and Kaleigh also used a powerful analogy to describe the potential risks of neglecting cybersecurity—comparing the situation to handling a cobra. If you don’t treat it with the appropriate level of caution, it’ll bite you right in the throat. That image really stuck with me because it highlights how quickly things can go wrong if MSPs fail to take cybersecurity seriously.

This might be the push MSPs need to assess and bolster their internal cybersecurity processes, especially when supporting government contractors aiming for CMMC Level 2 compliance. By taking this step, MSPs can eliminate layers of complexity for their clients, allowing those clients to inherit the compliance of their service provider. This not only streamlines the path to certification for the entire supply chain but also positions MSPs with a significant competitive advantage.

What makes this an exciting opportunity for MSPs is that becoming CMMC Level 2 compliant on their own gives them more than just compliance—it gives them a distinct value proposition. They’re not just meeting the baseline; they’re exceeding it, positioning themselves as highly secure, trusted partners for government contractors. This creates a strong selling point, making MSPs far more attractive in a crowded marketplace.

This is an area where we can help. Whether it’s partnering directly with an MSP that needs to get CMMC compliant or working with their clients to prepare for certification when the MSP lacks CMMC-specific expertise, we provide the support necessary to make the process seamless for both. By working with us or a team like Bobby and Kaleigh’s, MSPs can effectively guide their clients through the complexities of CMMC, maintaining their role as a trusted advisor. Whether we’re assisting the MSP, the client, or both, North Star Strategies ensures that everyone is aligned on compliance goals, helping MSPs strengthen their cybersecurity posture while also enhancing client trust. Ultimately, this partnership empowers MSPs to better serve their clients, unlock new business opportunities, and stand out in the competitive defense sector market.

Bobby and Kaleigh also highlighted the critical nature of anticipating client cybersecurity needs. As the Department of Defense intensifies its focus on supply chain security, service providers and subcontractors are going to be scrutinized, not just for how well they support clients, but for how robustly they secure their own operations. It’s about being proactive and not waiting until the last minute to meet these challenges.

It’s important to point out, as Bobby and Kaleigh emphasized, that while an MSP’s client may need to achieve CMMC Level 2 compliance, the MSP itself doesn’t automatically have to. However, this doesn’t excuse MSPs from securing their systems. Instead, it sets a clear expectation: manage your systems rigorously, even if you aren’t required to meet the same compliance level as your clients. Personally, I believe that MSPs should aim for compliance as a best practice, but at the very least, this rule outlines the minimum standards. This proactive approach aligns MSPs with the broader goals of the CMMC framework.

For any service provider in the defense sector, this episode should serve as a wake-up call. It’s no longer just about serving the client—it’s about being a secure and reliable link in a well-protected supply chain ecosystem. Bobby and Kaleigh made it abundantly clear: the time for MSPs to take cybersecurity seriously is now.

Stay tuned to Climbing Mount CMMC for more great insights—Bobby and Kaleigh are a fantastic resource for the entire CMMC community, including us at North Star Strategies. We deeply appreciate their efforts as we continue guiding our clients on their own compliance journey. Together, we’re all contributing to making CMMC more accessible and achievable for everyone.

Evan Dumouchel

Evan Dumouchel brings over 15 years of diverse IT and cybersecurity experience to his role as founder of North Star Strategies. With a deep background in IT strategy, compliance, and team leadership, Evan is passionate about guiding organizations through the complexities of cybersecurity and CMMC compliance. Known for his hands-on approach and dedication to both technology and people, Evan excels at helping clients navigate the challenges of compliance while empowering their teams to take control of their security future.

When he’s not partnering with clients to build resilient cybersecurity programs, you’ll find Evan outdoors with his family or exploring his creative outlets in filmmaking and music.

Evan’s unique blend of technical expertise, leadership, and empathy makes him a trusted partner for organizations seeking clarity, direction, and results in their compliance journey.

https://www.northstarstrategies.work