FedRAMP and CMMC Compliance – What MSPs Need to Know

See how CMMC 2.0 compliance can benefit MSPs that must comply with the cybersecurity standards mandated in FedRAMP.

The U.S. government rolled out an update to its Cybersecurity Maturity Model Certification (CMMC), known as CMMC 2.0, in December 2024. Managed service providers (MSPs) supporting contractors who serve the U.S. Department of Defense (DoD) must prioritize alignment with the updated compliance requirements. This requires MSPs to audit their security practices to ensure that they are in line with the new standard.

Fortunately, MSPs providing cloud services to defense contractors with Federal Risk and Authorization Management Program (FedRAMP) authorization will find many of the security practices FedRAMP mandates are also in accordance with CMMC 2.0 requirements, especially at Level 2 and above.

What is FedRAMP?

FedRAMP is a U.S. government program that provides a standardized approach to assessing, authorizing and monitoring the security of cloud services used by federal agencies. FedRAMP applies to all federal agencies using cloud services and cloud service providers (CSPs) that intend to do business with those agencies.

Initially instituted in 2011, the primary goal of FedRAMP is to ensure that CSPs serving federal agencies meet rigorous security requirements to protect federal data. FedRAMP authorization enables federal agencies to purchase cloud services without conducting their own security assessments, because those assessments have already been completed through the FedRAMP process. In December 2022, the FedRAMP Authorization Act was passed as part of the FY23 National Defense Authorization Act (NDAA), which formally codified the program into law.

What is CMMC?

CMMC is a certification program established in 2019. Through CMMC, the U.S. DoD laid out requirements to ensure that its contractors and subcontractors maintain a robust cybersecurity posture. The program is designed to make sure that companies in the Defense Industrial Base (DIB) adequately protect Controlled Unclassified Information (CUI) and other sensitive data shared by the DoD.

The CMMC framework has five security levels. Each level mandates progressively more advanced cybersecurity controls and practices that organizations must comply with to achieve certification at that level. CMMC was updated in late 2021, becoming CMMC 2.0, to simplify it and align it with frameworks previously established by the National Institute of Standards and Technology (NIST), including NIST SP 800-171 and NIST SP 800-53. Compliance with CMMC 2.0 became mandatory for DoD contractors in December 2024.

What is the difference between FedRAMP and CMMC?

Both CMMC and FedRAMP enforce federal cybersecurity standards for private companies, but they serve different purposes:

  • FedRAMP focuses on cloud service providers (CSPs) that work with federal agencies, ensuring they meet security standards based on NIST SP 800-53. It requires a third-party assessment and continuous monitoring to maintain authorization.
  • CMMC applies only to Department of Defense (DoD) contractors. It has five levels of cybersecurity maturity aimed at ensuring that those contractors can protect Controlled Unclassified Information (CUI). To achieve certification, contractors must undergo third-party assessments.

In short, FedRAMP is for cloud services used by all federal agencies, while CMMC applies to contractors working for the DoD that handle sensitive defense data.

Meet CMMC requirements with Compliance Manager GRC

Compliance standards can be complex and difficult to implement. Compliance Manager GRC is a hosted, role-based solution featuring a built-in workflow automation engine that helps you meet the immediate requirements of the NIST SP 800-171 Interim Rule while preparing for CMMC compliance. It automatically generates a variety of compliance reports, including those required by the Interim Rule, and provides a comprehensive security risk assessment and management plan to address any identified issues.

Compliance Manager GRC supports ongoing CMMC compliance while ensuring a strong audit posture. Request a demo today and let us show you how Compliance Manager GRC can streamline your compliance process.

Kaseya launches FedRAMP authorization process across its entire software stack

Kaseya is actively pursuing FedRAMP certification across its entire software stack. Undertaking this complex process, which could take six months or more, represents a strategic effort to unlock significant business opportunities and revenue potential for Kaseya and its MSP customers.

According to Max Pruger, General Manager of Kaseya’s Audit and Compliance Suite, “Kaseya’s pursuance of FedRAMP provides new and lucrative revenue opportunities for MSPs while delivering a higher level of security to their end customers.”

As one of the first MSP-focused platform vendors to commit to FedRAMP authorization, Kaseya once again demonstrates its dedication to helping MSPs grow their revenue. Most FedRAMP-authorized vendors cater to enterprise clients, but Kaseya’s authorization will make advanced security accessible to small and midsize businesses (SMBs) by offering MSPs solutions that align with their budgets and scale while enabling business growth.

“Compliance is becoming a key focus for the MSP and IT industry as government agencies respond to rising cybercrime,” said Pruger. “MSPs that integrate compliance services into their security offerings are positioning themselves to capitalize on new revenue streams while enhancing security for their customers.”

Kaseya proves its commitment by adding a new leader to its team

To lead this initiative, Kaseya has welcomed industry expert Jon DePerro to the team as VP of FedRAMP and Compliance Solutions. DePerro brings over 20 years of experience to the table, including 15 years as a U.S. Army counterintelligence officer and five years developing compliance solutions for MSPs. Kaseya is confident that DePerro will successfully guide the company to FedRAMP certification.

Pruger highlighted the benefits of launching the FedRAMP initiative under DePerro’s guidance: “Jon’s expertise will help our customers stay ahead of the curve, enabling early adoption of CMMC certifications and other upcoming regulatory requirements.”

Kaseya’s pursuit of FedRAMP certification is the first step in its plan to empower MSPs and their customers with the advanced security and compliance solutions needed to pursue lucrative federal contracts, unlocking new business opportunities as compliance becomes increasingly crucial to cybersecurity strategies. With experienced leadership like Jon DePerro driving our FedRAMP initiative, Kaseya is well-positioned to achieve certification and continue delivering the solutions and support MSPs need to expand their businesses while providing unmatched security for their clients.
