How to Run CMMC Self-Assessments for Multiple Clients (MSP & vCISO Guide)
If you're a fractional vCISO, MSP, or consultant working several defense contractors' CMMC prep at once, the hard part usually isn't any one client's assessment — it's keeping all of them straight. Here's a structure that scales past a spreadsheet.
Each client is its own CMMC record — plan around that
A CMMC score, status, and validity window belong to a company (and its CAGE hierarchy), not to whoever helped produce them. There's no consultant-level rollup in SPRS — each client needs its own complete self-assessment, its own POA&M, and its own SSP. The practical implication: your job is less "do one big assessment" and more "run and track N separate ones without losing track of any single one's deadline."
When you're the service provider, you have scoping obligations too
32 CFR 170.19 treats an External Service Provider (ESP) as part of the scope it touches, and where you land depends on what you actually handle for the client:
- If you're a Cloud Service Provider (CSP) handling the client's CUI, you need to meet the FedRAMP Moderate baseline — or a documented FedRAMP Moderate equivalency — under DFARS 252.204-7012.
- If you're not a CSP but you handle the client's CUI directly (e.g., a managed security provider with access to their systems), your services are in scope and get assessed as part of the client's own assessment.
- If you only provide Security Protection Data services (nothing that touches CUI itself), you're scoped and assessed as a Security Protection Asset.
- If you handle neither CUI nor Security Protection Data for a client, you're not an ESP for that relationship at all.
The artifact C3PAOs actually ask for: a Shared Responsibility Matrix
Once your role is defined, document it. The client's SSP needs to describe the ESP relationship, and a Shared Responsibility Matrix — assigning each of the 319 SP 800-171A assessment objectives to Company, MSP, or Shared — is what a C3PAO typically wants to see when a service provider is in the picture. Build the SRM once your scope is settled, not as an afterthought at assessment time.
A repeatable process across clients
- Run level-determination per client — FCI-only vs. CUI, and Self vs. Certification, can differ client to client even in the same industry.
- Keep one CMMC record per client org; resist the urge to consolidate anything into a master account.
- Track every client's validity window on one calendar — the 180-day Conditional clock and annual affirmations don't line up across clients, and a missed one goes invisible to the government the same way a single contractor's would.
- Settle your ESP/CSP role and build the SRM early, before evidence collection, so you're not re-deriving it under deadline pressure.
- Keep remediation guidance centralized so you're not solving the same gap from scratch for every client that has it.
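The calendar step above (one validity window per client, clocks that don't line up) is the part that breaks first in a spreadsheet, so here is an added worked example of a minimal tracker. It is not code from the original page or from SentryNexus; it assumes the 180-day Conditional clock runs from the assessment date and that an affirmation is due one year after the last one (or after the assessment, if none has been filed yet), and the client records are constructed sample data. It also flags Conditional clients that still have open POA&M items late in their window, which is the "stalling POA&M" view mentioned later in this guide.

```python
"""Multi-client CMMC validity-window tracker.

Added example, not the page's or the vendor's own code. Assumptions (labelled):
  - Conditional status expires 180 days after the assessment date.
  - The annual affirmation is due 365 days after the last affirmation,
    or after the assessment date if no affirmation has been filed yet.
All client records are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CONDITIONAL_WINDOW = timedelta(days=180)   # 180-day Conditional clock (from the guide)
AFFIRMATION_WINDOW = timedelta(days=365)   # annual affirmation, assumed 365 days


@dataclass
class ClientRecord:
    org: str
    cage: str
    status: str                       # "Conditional" or "Final"
    assessment_date: date
    last_affirmation: Optional[date]  # None if no affirmation submitted yet
    open_poam_items: int


@dataclass
class Deadline:
    org: str
    cage: str
    kind: str
    due: date
    days_left: int                    # negative once the clock has lapsed


def next_deadlines(clients: List[ClientRecord], today: date) -> List[Deadline]:
    """One Deadline per client for whichever clock expires first, soonest first."""
    out = []
    for c in clients:
        candidates = []
        if c.status == "Conditional":
            candidates.append(("Conditional expires", c.assessment_date + CONDITIONAL_WINDOW))
        anchor = c.last_affirmation or c.assessment_date
        candidates.append(("Annual affirmation due", anchor + AFFIRMATION_WINDOW))
        kind, due = min(candidates, key=lambda kd: kd[1])
        out.append(Deadline(c.org, c.cage, kind, due, (due - today).days))
    return sorted(out, key=lambda d: d.due)


def at_risk(clients: List[ClientRecord], today: date, horizon_days: int = 30) -> List[Deadline]:
    """Clients whose next deadline is within the horizon or already past."""
    return [d for d in next_deadlines(clients, today) if d.days_left <= horizon_days]


def stalled_poams(clients: List[ClientRecord], today: date,
                  elapsed_fraction: float = 0.5) -> List[ClientRecord]:
    """Conditional clients with open POA&M items and more than the given
    fraction of their 180-day window already used up."""
    stalled = []
    for c in clients:
        if c.status != "Conditional" or c.open_poam_items == 0:
            continue
        elapsed = (today - c.assessment_date) / CONDITIONAL_WINDOW
        if elapsed > elapsed_fraction:
            stalled.append(c)
    return stalled


# Constructed sample roster (fictional orgs and CAGE codes).
SAMPLE_CLIENTS = [
    ClientRecord("Acme Machining", "1ABC2", "Conditional", date(2025, 1, 10), None, 4),
    ClientRecord("Beacon Avionics", "3DEF4", "Final", date(2024, 9, 1), date(2024, 9, 1), 0),
    ClientRecord("Cobalt Systems", "5GHI6", "Conditional", date(2025, 5, 20), None, 2),
]
TODAY = date(2025, 6, 15)   # fixed "today" so the example is reproducible

if __name__ == "__main__":
    for d in next_deadlines(SAMPLE_CLIENTS, TODAY):
        print(f"{d.org:<16} {d.cage}  {d.kind:<23} {d.due}  ({d.days_left:+d} days)")
    print("Within 30 days:", [d.org for d in at_risk(SAMPLE_CLIENTS, TODAY)])
    print("Stalling POA&Ms:", [c.org for c in stalled_poams(SAMPLE_CLIENTS, TODAY)])
```

Run against the sample roster on 2025-06-15, the Conditional client assessed in January surfaces first (expiry 2025-07-09, 24 days out, with four POA&M items still open), the Final client's affirmation comes next, and the May assessment sits comfortably at the bottom. The point is that each client's record carries its own clocks and the view is derived from them, which is exactly what a per-client SPRS record implies.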
Where a multi-client view actually helps
The workflow above is doable in spreadsheets for two or three clients. Past that, the thing that breaks first is visibility — knowing at a glance which client's Conditional status expires next, which POA&Ms are stalling, and which scores moved since your last check-in. That's the specific gap a multi-organization dashboard is built to close, rather than adding more columns to a tracker.
Key takeaways
- CMMC status lives per client company/CAGE — there's no consultant-level record.
- Your own role (CSP / non-CSP ESP / SPD-only / not an ESP) determines your scoping obligations under 32 CFR 170.19.
- A Shared Responsibility Matrix (319 objectives, Company/MSP/Shared) is the artifact C3PAOs look for when a provider is in scope.
- Track every client's validity window on one calendar — the clocks don't sync across clients.
- Past a couple of clients, a single-view rollup beats a spreadsheet for catching an expiring status before it lapses.
Know your score before you submit
Run a full 110-requirement self-assessment free — no account required to see your score.
Sources
- 32 CFR 170.19 (assessment scope & ESP/CSP)
- NIST SP 800-171A (assessment objectives)
- DoD CIO — CMMC documentation
SentryNexus is a preparation and self-assessment tool. It does not connect to or submit anything to SPRS, and it is informational support only — not legal or compliance certification advice.