We have been burning the midnight oil a lot lately, and we mean that somewhat literally. Between crying babies, tired bones, and the relentless pace of a compliance market that refuses to slow down, finding time to just sit and think is a luxury neither of us can quite afford. But we made time to have a conversation that we think is genuinely worth sharing, because what is happening out there in the Managed Service Provider (MSP) market right now is too important to keep to ourselves.
Steven Molter is the founder of IntelliGRC, a Governance, Risk, and Compliance (GRC) platform and consulting firm that helps organizations navigate Cybersecurity Maturity Model Certification (CMMC), NIST SP 800-171, and related compliance frameworks. Michael Diab serves as the Director of Regulatory and Compliance at Ntiva. In this role, he supports the GovCon practice at Ntiva, a major MSP that has gone all-in on CMMC readiness and compliance-as-a-service (CaaS) for their regulated clients. The two of us have been working closely together for the past year-plus, and the journey Ntiva has been on is one of the best real-world examples we have seen of an MSP actually doing this right.
This blog is about MSPs and GRC specifically, and why MSPs that operate in regulated markets (or want to) can no longer treat Governance, Risk, and Compliance as an afterthought. Not as a spreadsheet. Not as the client's problem. Not as something to figure out later. We will talk about why the old avoidance instincts exist, why they are now a liability, and how a proper GRC platform transforms the way an MSP operates. We will also be honest about the hard parts, because there are hard parts, and you need the truth on that, too.
Buckle up!
Let's start with context. The need for MSPs to care about real compliance (not checkbox compliance) has arguably never been higher. CMMC is probably the biggest forcing function right now, but it is not the only one.
HIPAA has long required covered entities and their service providers to think carefully about how they handle protected health information and is going to be more stringent with the new rulemaking that’s coming down the pipe. State-level data privacy laws are proliferating. And the federal government's pivot toward holding the entire Defense Industrial Base (DIB) and, eventually, the rest of the Federal government accountable for the security of Controlled Unclassified Information (CUI) is reshaping what it means to be an IT service provider in regulated spaces.
Here is what that means practically: If an MSP has clients who hold DoD contracts that involve CUI, and many do, then those clients need to achieve CMMC certification. CMMC does not just ask, "Did you implement the controls?" It asks, "Can you prove you implemented the controls, do you have documented evidence, is it repeatable, and do your implementations apply to all applicable parts of your system boundary, including the relevant portions of your external service providers like MSPs?"
If you’re not ready to speak to those questions, your client's assessment could be in jeopardy. At best, it’s an awkward conversation. At worst, your client loses, or becomes ineligible for, certain contract awards and continuations.
From the Ntiva side of this conversation, the results have been striking. Their success is the result of being one of the few MSPs in the space that has actually prepared for this, committed to it, and built their operations around compliance readiness. Once Ntiva achieved their CMMC Level 2 Certification and started prioritizing it internally, it acted like a magnet for regulated clients!
The MSPs that are winning right now in regulated markets are not necessarily the biggest or the cheapest. They are the ones that are GRC-minded. Those that are not GRC-minded are either quietly losing DIB clients to providers who are ready, or they are avoiding regulated clients altogether and missing a market that is only going to grow.
To be fair, there are genuinely understandable reasons why MSPs have historically kept GRC at arm's length. This is not a case of laziness or even bad business instincts. These were (and in some cases still are) reasonable concerns. Let’s walk through them.
Open up NIST SP 800-171 for the first time. 110 controls. 320 assessment objectives. Pages and pages of nuanced, layered guidance on access control, configuration management, incident response, system and communications protection... it feels like a lot because it is! And that’s just the security requirements themselves, let alone the other nuanced guidance and requirements from other documents like the scoping and assessment guides or the regulations themselves like the 32 CFR Part 170. For an MSP that has built its business around help desk ticketing, endpoint management, and network monitoring, not compliance-related services and support, that document can feel like staring at a mountain you did not sign up to climb.
In the world of government contracting, compliance is a constant presence rather than a sudden shock. However, for many MSPs encountering NIST SP 800-171, CMMC, and DFARS requirements for the first time, the sheer complexity can feel overwhelming. Transitioning a team into this regulated space takes significant time and energy, especially when the initial reaction to these complex frameworks is one of avoidance rather than enthusiasm.
"If we touch compliance, are we on the hook?" This one may be the single biggest concern we hear from MSPs at industry events and conferences, and it is one of the most common reasons for holding back.
There is a certain comfort in being a basic IT services provider because it creates a kind of protective buffer. The moment you step into GRC territory, when you are not just managing endpoints but actively helping a client demonstrate CMMC readiness, you are lowering that shield.
The liability question becomes real. The key nuance, though, is that it is a shared liability between the MSP and the client. The MSP does not absorb all of it. But you have to actually understand that distinction before the fear starts to loosen its grip.
Compliance work without a platform is, in a word, chaos. Spreadsheets, screenshots, shared folders, policies with no version control, evidence scattered across three cloud tools and a SharePoint site no one has logged into in six months.
When prospective Ntiva clients were previously asked whether they were using a GRC platform for their CMMC journey, the answer was "no" about 9 out of 10 times. The tool sprawl and manual overhead involved in trying to manage compliance without proper tooling is a real cost, and most MSPs feel it viscerally before they ever find a better way.
MSPs are built to manage IT and infrastructure. Servers, endpoints, networks, and help desk are our wheelhouse. GRC can feel like mission creep. There is a legitimate business argument to be made that you cannot be everything to everyone. We will actually come back to that point, because it deserves an honest discussion.
The point is: These are not crazy concerns. They represent legitimate hesitation. But as we have found from experience, and as Ntiva can speak to firsthand, those concerns do not disappear. You decide they are worth pushing through. You put your overalls on, lace up your boots, and get to work, adjusting mindsets, technologies, and processes along the way.
Here is the fundamental shift: When clients operate in regulated environments like the DIB, healthcare, or organizations subject to federal cybersecurity mandates, the nature of an MSP's obligations, as that client's service provider, changes.
It is not enough that controls exist. They need to be documented, assigned ownership, actively monitored, and evidenced. Often, that implicates MSPs because they are heavily involved in such implementations. Compliance has to become operational, not a once-a-year audit prep scramble, but an ongoing, structured part of how those services are delivered.
Think about what that means practically. Regulated clients cannot be managed using tribal knowledge. You cannot rely on one person's memory of where the evidence lives or how things "have always been done." You cannot afford to have a client's compliance posture living in your or their heads with the hopes that explaining it really well and demonstrating the things you do here and there will be sufficient. We’ve been a part of several assessments now, and that’s so obviously not how that works!
And critically, this is not just about an MSP's own compliance obligations. If the MSP is an External Service Provider (ESP) under CMMC, which many are, and if they store, process, or transmit CUI or Security Protection Data on behalf of a client, or provide a security function to their client, then their posture directly affects the client's assessment. Controls, evidence, documentation... all of it gets examined, and how well an organization and their MSP prepare is apparent in the actual assessment.
The narrative around GRC platforms often stays too abstract. People hear "GRC tool" and picture a fancy dashboard that costs a lot and generates PDF reports for assessors. That is not what we are talking about.
A properly implemented GRC platform is a key part of the routine maintenance of the security and compliance of a system. It’s the conceptual equivalent of PSA (Professional Services Automation) and RMM (Remote Monitoring and Management) tooling for IT services. Could you do IT services without these tools? Sure, but it would not be fun.
GRC platforms are the same. Sure, you can track your key GRC-related projects, tasks, documentation, and artifacts through file shares and folders, spreadsheets, and human intuition and memory. It’s possible, but it’s not sustainable. GRC platforms are meant to be the operational backbone of how compliance-related services get delivered.
Here is what changes:
Without a platform, the word that comes up time and again is "chaos." Even the most organized individual, the person who color-codes their email folders and reads the whole meeting agenda before joining a call, is operating in a chaotic world when compliance work is distributed across documents, inboxes, shared drives, and the memories of different team members.
A GRC platform does not just reduce chaos. It operationalizes compliance, which means it transforms something reactive and panicky into something structured and sustainable for the long haul.
In the MSP world, long-term relationships are the bedrock of success. By providing a sustainable GRC service, you offer a clear path through the chaotic landscape of compliance, delivering tangible value that directly impacts a client's stability. When an MSP can simplify these complex requirements, it moves beyond a basic service provider role and fosters a true, lasting partnership built on trust and shared goals.
A GRC platform is necessary but not sufficient. The platform gets you there faster. The people with expertise help you get there right.
When Ntiva was going through their CMMC journey, the relationship with IntelliGRC was not just a software purchase. It was a partnership. Platform support, feature enhancement requests, CMMC consulting, sales strategy conversations, preparation for C3PAO assessments were all part of what the two organizations built together. Not because it was buried in a contract SLA, but because that is what genuine partnerships look like when the stakes are high. As Michael has put it, “The differentiator was not just the technology. It was that the people behind the platform had skin in the game of compliance, not just in the game of software sales.”
Compliance frameworks like CMMC are genuinely complex. A GRC platform built by people who have actually done the work of assessing and implementing, not just a SaaS product stitched together from template content, is going to be a different kind of tool. The expertise baked into the platform, and the people available when you are confused or stuck, matter enormously.
For MSPs evaluating GRC platforms, make sure the vendor you choose has actually walked this road.
Here is the part that might surprise you coming from a GRC vendor and an MSP that has gone all-in on compliance.
Not every MSP should try to serve regulated clients. There. We said it.
If your organization does not have the risk appetite for it, the internal expertise to support it, the financial bandwidth to make the necessary technology investments, or the commitment to build the mindset and culture that GRC requires, then attempting to serve regulated clients will likely not end well, especially for your clients.
Half-committed compliance support is arguably worse than none, because it creates false confidence. The client thinks their MSP has their back on compliance. Then an assessor shows up.
The honest framing here is this: Either do it and be committed to it, or do not do it and remain a standard IT MSP. Both are valid. There are thousands of client organizations out there that do not have regulated compliance requirements and just need solid IT services. That is a real market. That is a real business. There’s nothing wrong with it.
But if you want to operate in the DIB, healthcare, or other regulated markets, and especially if your existing clients are in those markets and you are at risk of losing them to MSPs that are ready, then you need to make the choice and commit. The middle ground is where relationships sour and assessments fail.
Let us close the loop on why this is a growth opportunity and not just a cost center.
Regulated industries are not a niche anymore. They are a growth segment. CMMC is expanding across the DIB and, potentially, the rest of the federal contracting base. Healthcare compliance requirements continue to tighten. FedRAMP-authorized cloud solutions are becoming the baseline expectation for many government-adjacent organizations. The compliance market is growing, and MSPs positioned to serve it are going to be in a very strong place over the next several years.
There is also a customer retention dimension here that does not get enough attention. If your MSP currently serves clients in the DIB, and CMMC Phase 2 requirements are starting to affect their contract renewals and new contract bids, those clients are going to need a compliant MSP. If you are not ready, they will find one who is. The choice to commit to GRC is not just about acquiring new regulated clients; it is also about keeping the ones you already have.
MSPs that treat GRC as part of their normal, operational disciplines, and not overhead, tend to win better clients, reduce delivery risk, and differentiate themselves in a crowded market. And as Ntiva's experience demonstrates, that differentiation compounds over time. It becomes a mindset, a culture, and a competitive and pragmatic identity.
One of the clearest ways to frame the MSP condition when it comes to compliance is this: We are not an internal IT department managing one organization's compliance program. We are managing the IT and potentially the compliance posture of multiple organizations, often simultaneously, often with lean teams. MSPs don’t have the luxury of inefficiency.
You cannot do that with spreadsheets. You cannot do it on just head knowledge and habit or routine. You cannot do it without a structured, repeatable, visible way to manage controls, evidence, and compliance obligations across your client base.
That is what a GRC platform does.
If you are an MSP on the fence about whether this is worth committing to, we hope something in this article has helped clarify the picture. We don’t see the compliance market going backwards but moving forward with more and more intentional GRC expectations.
The question is not whether regulated environments will demand more from your MSP. They already do. The question is whether you will be the MSP that is ready.
Whether you are an MSP trying to build out your GRC practice, a DIB contractor looking for a service provider that is actually ready to support your CMMC journey, or just someone trying to figure out where to start, the IntelliGRC team would love to connect. We are in the trenches on this stuff every day, and it’s not trivial.
Head over to the Contact Us page on the IntelliGRC website, or send an email to sales@intelligrc.com.
You can also connect with Steven Molter directly on LinkedIn. And if you would like to learn more about how Ntiva approaches compliance-as-a-service for regulated clients, Michael Diab would be glad to hear from you as well.
As always, Happy Implementing!
Steven Molter & Michael Diab