CMMC for MSPs: Is This Market Worth It?

Written by Nia Rabanes | Jan 29, 2026 2:55:26 PM

Cybersecurity Maturity Model Certification (CMMC) is one of those markets that looks attractive from a distance...and dangerous up close. 

On paper, it’s lucrative. Mandatory. Non-negotiable for Department of Defense (DoD) contractors. 

But for MSPs considering entry into the CMMC market, it also comes with real cost, real liability, and zero room for improvisation.

This decision changes how your business runs. MSPs know the upside exists, but most don’t have a framework to decide whether stepping in is smart for their business. 

To unpack that decision, we’re drawing insights from Compliance Veteran and Empath Navigator Jennifer VanderWier.

She has spent decades helping MSPs and regulated contractors evaluate, prepare for, and survive compliance decisions in Defense Federal Acquisition Regulation Supplement (DFARS) and CMMC environments. 

Jennifer VanderWier on CMMC for MSPs 

For more than two decades, Jennifer co-owned and led F1 Solutions in Huntsville, Alabama, a city where government contracting was essentially the economic engine. 

With U.S. Missile Command, Space Command, and a dense concentration of DoD contractors in the region, regulated work was unavoidable. 

Roughly fifteen years ago, Jennifer and her team recognized that to keep serving the businesses around them, they had to pivot toward government and defense contractors, and that meant stepping into compliance well before enforcement and third-party validation became the norm. 

That pivot began with DFARS, which was introduced in 2014 and later made law in 2017. Jennifer’s team sought outside expertise, learned how to read and interpret controls, performed assessments, remediated gaps, and walked clients through what compliance actually required in practice. 

When early versions of CMMC began circulating in 2019, the move felt less like a leap and more like a continuation. While the framework was still being debated and reworked, Jennifer and her team stayed close to how it was evolving. 

By the time CMMC became enforceable, she already understood the mechanics, expectations, and culture surrounding regulated assessments. 

Today, that history shapes how she advises MSPs. 

The Real Question MSPs Should Be Asking First 

DFARS compliance operated in the background for a few years: contractors were required to comply with it, but enforcement was uneven. Most organizations relied on self-attestation without consistent third-party validation.

CMMC changes the standard by introducing verification as the baseline. 

It’s at this point that MSPs start asking the question Jennifer hears most often: How far into this do we actually want to go? 

She hears it when an MSP has picked up a few regulated clients and realizes CMMC isn’t going to stay a one-off request. What began as accommodating a client here or there is now forcing a broader business decision. 

Jennifer shifts the conversation toward the business realities behind the decision. Before tools, training, or certifications, she urges MSPs to run a business impact analysis: 

  • How much monthly recurring revenue is actually tied to CMMC-affected clients?  
  • How concentrated is it? 
  • And what would walking away really cost? 

“If you have three clients that represent $20,000 a month in MRR, then yes, it may make sense,” Jennifer says. 

But she’s just as clear when the numbers don’t support the effort. 

“If you’re only bringing in five, six, ten thousand dollars a month in MRR with those clients,” she explains, “it’s going to cost you more to really understand this and be in that world.” In those cases, she often advises MSPs to consider partnering—or stepping away—rather than absorbing costs that outweigh the return. 

At the same time, Jennifer is careful to point out that CMMC doesn’t only make sense as a defensive move. She regularly works with MSPs that have no current exposure to regulated clients and still choose to pursue the market intentionally. 

“If you’ve made it a business target...if your executive team has said, ‘We want to grow revenue through this industry,’ then yes, it can make sense,” she says. “But it’s a harder slog.” 

That slog usually means investing before revenue shows up, through experienced hires, formal training, or partnerships with firms that already operate inside regulated environments. 

What Jennifer sees consistently is that successful MSPs don’t drift into CMMC because enforcement caught them off guard. They either commit to it deliberately or decide early that it isn’t the right fit. 

Where to Start (Before You Commit) 

For MSPs who decide CMMC is at least worth exploring, the first step is understanding the substance of what you’re dealing with. “Understanding not only what the regulation says, but also what the controls say,” Jennifer asserts. 

High-level summaries of CMMC make it sound manageable. The controls reveal the real lift. They expose how expectations are interpreted, what evidence is required, and where assumptions tend to fall apart. Until an MSP understands that layer, it’s impossible to assess whether the market is a fit. 

Jennifer encourages MSPs to spend time observing the CMMC ecosystem before trying to operate inside it. 

“Immerse yourself in the culture,” she says. “Follow people on LinkedIn. Read what’s being produced. The CMMC Cyber Board puts out videos and does webinars on a regular basis; make sure you’re signed up for that.”

This kind of exposure matters because it reveals how the rules are actually being interpreted.  

The Cost of Getting CMMC Wrong 

Treating CMMC services for MSPs like an add-on is where firms get into trouble. Jennifer firmly rejects that approach.

“If they’re new getting into this and they just piecemeal this and hodgepodge it, it will fail,” she advises. “Do not do that.” 

Her warning comes from having lived through the cost of doing this work correctly, when her team committed to regulated compliance nearly a decade ago. 

“We spent half a million dollars,” she says. “We changed tool sets, changed processes, brought in expertise, and had experts come in to do gap assessments. This was not cheap.” 

That investment was about understanding how controls are interpreted, what evidence actually holds under scrutiny, and where internal assumptions tend to break down.  

The consequences don’t necessarily stop at a failed assessment. If an MSP has charged for readiness work and the client fails, the liability can come back fast. 

“They have every legal right to come back and say, ‘Give me my money back. You didn’t deliver,’” Jennifer says.

That’s why she keeps returning to the same corrective: planning before action. 

“If you do not create a business plan, if you do not have a plan for this, it’s a very tough lift,” she starts. “And if you don’t have all of those pieces in place and financing behind you to support them, this is not a business you should get into.” 

CMMC asks MSPs to take ownership of process, of interpretation, and often of outcomes. That requires planning, capital, and a willingness to either build the capability properly or partner with those who already have it. Anything less exposes both the MSP and the client to risk they didn’t intend to take on. 

“This is not an easy lift,” Jennifer says. “It is doable. Absolutely. But you got to do it the right way.” 

Ready to Decide What CMMC Means for Your MSP?  

If this article raised more questions than answers, that’s okay. CMMC isn’t something to rush into, and it’s not something you should evaluate alone. 

If you’re still deciding what CMMC for MSPs really means for your business, Jennifer’s course Should My MSP Service CMMC Clients? is designed to help you make that call with clarity. 

Start your 14-day free trial to access Jennifer’s full course along with Empath’s entire library and make the decision with your eyes open.