← Custodia

CMMC MSP and Managed Services, Explained

What a CMMC managed service provider actually does, what it costs, and the honest answer to the question nobody selling a retainer will give you: for CMMC Level 1, you probably do not need one.

MSP retainers: ~$1k to $5k/monthCustodia: $249/monthLevel 1 is a self-assessment

The answer in 50 words

A CMMC MSP is a managed service provider that runs your IT in a CMMC-satisfying configuration and produces the technical evidence. For CMMC Level 1, most small contractors do not need one: the 15 FAR 52.204-21 requirements are a self-assessment a guided platform handles for far less.

What a CMMC MSP actually does

Runs your IT and security stack

A CMMC MSP manages your Microsoft 365 or Google Workspace tenant, endpoints, patching, antivirus, and backups in a configuration that satisfies the safeguarding requirements your contracts impose.

Maintains the technical evidence

Because the MSP operates the systems, it can produce the screenshots, configuration exports, and logs your self-assessment or certification assessment needs.

Handles users and access

Onboarding, offboarding, MFA enforcement, and permission reviews, the identity and access work behind several of the 15 FAR 52.204-21 requirements.

Watches the boundary

Firewall management, DNS filtering, and monitoring of external connections, which map to the boundary protection requirements at every CMMC level.

Do you need managed services for CMMC Level 1?

It depends on one question: do your contracts involve only Federal Contract Information, or something more sensitive? If it is FCI only, you are a CMMC Level 1 company. Level 1 is a self-assessment of 15 basic safeguarding requirements, things like unique user accounts, physical access control, antivirus, and timely updates. A small shop on Microsoft 365 or Google Workspace can satisfy every one of them with built-in settings and a few procedures. That is exactly the work a guided platform walks you through.

 CMMC MSP retainerYour current MSP + CustodiaCustodia alone
Typical monthly cost$1,000 to $5,000+Existing IT bill + $249$249 ($397 with officer)
Best fitNo IT staff, complex scopeYou outsource IT alreadySelf-managed M365/Google
Who assesses and affirmsStill youYou, guidedYou, guided
SSP + affirmation outputVaries by MSPAuto-generatedAuto-generated

One thing no provider can take off your plate: the affirmation. A senior official of your company signs the SPRS affirmation and accepts responsibility for its accuracy. An MSP configures systems; it cannot affirm for you. That is why the assessment workflow itself, not the IT operations, is the piece worth automating first.

If you are an MSP whose clients are asking about CMMC

Defense subcontractors are hearing about CMMC from their primes and turning to their IT provider first. For your FCI-only clients, the play is simple: keep running their stack, and give them a guided path through the Level 1 self-assessment instead of hand-building SSPs yourself. Custodia generates the System Security Plan and affirmation packet from the client's own answers and evidence, with per-provider walkthroughs for Microsoft 365, Google Workspace, Okta, Active Directory, and AWS that your technicians can execute directly.

CMMC MSP and managed services: FAQ

What is a CMMC MSP?

A CMMC MSP is a managed service provider that runs a defense contractor's IT and security systems in a configuration that satisfies CMMC requirements. It manages the tenant, endpoints, identity, patching, and monitoring, and produces the technical evidence used in a CMMC self-assessment or certification assessment.

Do I need an MSP for CMMC Level 1?

Usually not. CMMC Level 1 is a self-assessment of 15 FAR 52.204-21 safeguarding requirements on Federal Contract Information, and a small contractor on Microsoft 365 or Google Workspace can meet all 15 with built-in settings. A guided platform walks you through each requirement for a fraction of an MSP retainer. If you already pay an MSP for day-to-day IT, involve them in applying settings, but you do not need to hire one just for Level 1.

How much do CMMC managed services cost?

CMMC-focused MSP retainers for small contractors are commonly quoted from roughly $1,000 to $5,000 per month depending on seat count and scope, and higher when 24/7 monitoring or an enclave is involved. By comparison, Custodia guides your CMMC Level 1 self-assessment for $249/month self service, or $397/month with a credentialed compliance officer, with a 7-day free trial.

Can my existing MSP make me CMMC compliant?

Your MSP can apply the technical settings, but compliance is not something an MSP can hand you. The self-assessment, the System Security Plan, and the SPRS affirmation belong to your company, and the senior official who signs accepts responsibility for accuracy. The practical division of labor: the MSP configures and produces evidence, you assess and affirm.

Does my MSP itself need to be CMMC certified?

At Level 1 there is no certification for anyone, including your MSP, because Level 1 is self-assessed. At higher levels, an external service provider that handles CUI on your behalf can fall inside your assessment scope, which is a common reason contractors re-evaluate their provider. If you only handle Federal Contract Information, that complexity does not apply to you.

What is the difference between an MSP and an MSSP for CMMC?

An MSP runs your general IT: tenant, devices, helpdesk, patching. An MSSP focuses on security operations: monitoring, detection, and response. For CMMC Level 1, the 15 requirements are basic safeguarding, so a competent MSP or your own admin covers them. MSSP-grade monitoring becomes relevant at higher levels, not at Level 1.

Skip the retainer. Keep the result.

Take the free two-minute check to see whether Level 1 covers you, then run your whole self-assessment in the platform. 7-day free trial, no credit card.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)