We at ECN IT Solutions are excited to announce our commitment to achieving Cybersecurity Maturity Model Certification (CMMC) Level 2. In fact, we have officially scheduled our CMMC Level 2 assessment for October 2025, underscoring our dedication to supporting our clients’ cybersecurity and compliance needs. This step marks a significant milestone for us as a Managed Service Provider, and we’re eager to share what it means for our customers and why we’re pursuing certification.
What is CMMC Level 2?
CMMC Level 2 is an intermediate cybersecurity certification focused on protecting sensitive data for organizations working with the U.S. Department of Defense. It entails implementing 110 rigorous security controls aligned with the NIST SP 800-171 standard and is essentially a prerequisite for any contractor handling Controlled Unclassified Information (CUI). In simple terms, Level 2 requires going beyond basic cyber hygiene to ensure strong safeguards are in place. Achieving this level means undergoing a thorough third-party assessment to verify that we meet these high standards in our own operations. By pursuing Level 2, we’re demonstrating that we practice the same advanced security measures that we recommend to our clients, reinforcing trust in our services.
Leading the Way for Arizona MSPs
By undertaking CMMC Level 2 certification, we aim to be the first MSP in Arizona – and among only a handful on the West Coast – to reach this milestone. This leadership position isn’t just a point of pride; it translates to direct value for our clients. Under the latest DoD rules, external IT providers (MSPs) that don’t directly handle CUI are not strictly required to obtain their own CMMC certification. However, we believe in going above and beyond baseline requirements. Our decision to pursue certification proactively shows that we’re fully committed to the same security framework our defense-contractor customers must follow. We even recently added a Certified CMMC Assessor (CCA) to our staff, bolstering our in-house expertise. Having a CCA on our team means we stay at the forefront of CMMC knowledge and can guide clients with first-hand insight into the assessment process. In short, we’re not waiting for mandates – we’re leading by example to better serve and instill confidence in the businesses we support.
Comprehensive Compliance Services for Our Clients
Our journey toward certification goes hand-in-hand with the robust compliance services we provide to our customers. ECN IT Solutions offers end-to-end CMMC compliance support, including:
- Documentation Assistance: Helping prepare essential security documentation, policies, and procedures required for CMMC. We guide you in building the proper System Security Plans, incident response plans, and other paperwork so nothing falls through the cracks.
- Technical Implementation: Deploying and configuring the necessary security controls and tools. From multi-factor authentication and encryption to continuous monitoring solutions, we handle the technical heavy lifting to align with CMMC’s requirements.
- Gap Assessments & Remediation: Performing thorough gap analyses to evaluate your current cybersecurity posture against CMMC Level 2 standards. We identify any shortcomings and provide a clear roadmap to close those gaps before your official assessment.
- Ongoing Support and Training: Beyond initial compliance, we offer ongoing monitoring, maintenance, and user training to ensure you remain compliant and secure over time. Cybersecurity is not a one-time project – we partner with you for the long haul.
By leveraging these internal compliance services, our clients can navigate the CMMC process more smoothly. Our upcoming Level 2 certification doesn’t just validate our own practices – it also enriches the support we can give. With real-world experience meeting CMMC requirements ourselves, we will be even better equipped to help businesses achieve readiness for their own certifications.
Pros and Cons of Pursuing Our Own Certification
Undertaking our own CMMC Level 2 certification was a carefully considered decision. Below, we break down some of the key pros and cons that factored into our choice to pursue certification as an MSP:
Pros:
- Enhanced Trust & Industry Credibility: Achieving Level 2 sends a strong message that we meet the same high bar set for defense contractors. It builds client confidence knowing their IT partner is certified to protect sensitive data. We will effectively stand shoulder-to-shoulder with our customers as a fully vetted, security-conscious partner. Being one of the first certified MSPs in our region also showcases our commitment to leadership in cybersecurity.
- Reduced Liability & Risk for Clients: Choosing a certified MSP can reduce a client’s direct liability for cybersecurity compliance. We will assume responsibility for the controls we manage, so our customers won’t be left vulnerable due to any MSP gaps. This not only lowers risk for clients but also demonstrates that we take our role in protecting their data very seriously. Everyone’s security is stronger when we internally adhere to the CMMC framework.
- Stronger Internal Security & “Practice What We Preach”: The certification process forces us to continuously refine and improve our own internal security practices. This is a significant benefit in itself. By meeting the rigorous Level 2 requirements, we ensure our house is in order – from technical safeguards to documented processes. Ultimately, that makes us a more resilient company. It also means we truly practice what we preach when advising on cybersecurity; we’ll have first-hand experience implementing the same controls and policies we recommend to clients.
Cons:
- Significant Time and Resource Investment: Pursuing CMMC Level 2 is no small undertaking. Preparation and implementation can take many months (industry estimates range from 6 to 18 months on average). It’s also expensive – estimated to be around $250,000 for an organization of our size. This represents a substantial commitment of time, money, and effort on our part.
- Ongoing Compliance Maintenance: Certification isn’t a one-and-done deal. We must continuously maintain strict security practices and update our documentation as standards evolve. This adds some operational overhead. Our team will be dedicating ongoing attention to internal audits, employee training, and system monitoring to ensure we remain compliant every day. While this is a healthy practice, it does require sustained focus and resources.
- Not Legally Required for MSPs: As mentioned, current regulations do not require MSPs to get CMMC certified if they don’t handle CUI directly. In theory, we could have opted to forgo certification and simply support clients through their audits. By choosing to certify anyway, we’re taking on extra work that many of our competitors might avoid. It’s an optional burden, and we had to weigh that fact. (Ultimately, we concluded the benefits to our clients outweigh this concern.)
Despite the above challenges, we firmly believe that the pros of being a CMMC Level 2-certified provider vastly outweigh the cons. The investment we’re making now will pay dividends in the quality, security, and peace of mind we can deliver to our customers.
Ready for CMMC Level 2? Let’s Talk.
Our commitment to CMMC Level 2 is ultimately about serving you better. We’re not just aiming for a badge on the wall – we’re ensuring that we have the credentials and first-hand experience to be the best possible IT partner for companies facing CMMC requirements. If your business is evaluating IT partners for CMMC readiness or needs support in achieving or maintaining CMMC Level 2 compliance, we’d love to help. Reach out to learn how our team can assist with gap assessments, remediation, documentation, and technical implementation.