CMMC L2 Service-Line Blueprint

How a 5–30 tenant MSP turns CMMC L2 readiness into a billable, repeatable service line on Microsoft 365.

A working blueprint, not a sales deck. Print it. Forward it to your sales team. Use the timeline as your 90-day plan. Use the economics page as your pricing argument with your next defense-adjacent prospect.

§ 1 · The opportunity

CMMC L2 is the largest MSP service-line opening in a decade.

80,000+ · DoD contractors needing CMMC L2 by 2028
$25B · MSP-addressable service-line opportunity
3 yrs · Assessor cycle — recurring, not one-shot

Two structural facts make this different from previous compliance waves: it's mandatory (not aspirational), and it recurs every three years (not one-and-done). For an MSP, that means the prospect can't say no, can't ignore it, and can't stop paying for it. What they CAN do is sign with whoever can deliver fastest.

Most MSPs aren't ready. The ones who productise the workflow now collect 5–10 years of recurring revenue from clients their competitors couldn't service. The barrier isn't desire — it's the operational lift of mapping 17 domains × N tenants × continuous evidence to a billable monthly fee. That's the gap Stella closes.

§ 2 · What Stella covers

All 17 CMMC L2 domains, with an honest auto-vs-policy split.

Microsoft 365 governs more of CMMC L2 than most MSPs realise. Stella maps each domain to its M365 control points and auto-remediates the technical ones. Policy and human-process domains are evidenced for the assessor but stay your team's call.

AC · Access Control · auto
AT · Awareness & Training · auto
AU · Audit & Accountability · auto
CM · Configuration Management · auto
IA · Identification & Authentication · auto
IR · Incident Response · policy · Incident plan adoption + tabletop cadence is policy work.
MA · Maintenance · policy · Field-maintenance procedures remain policy.
MP · Media Protection · auto
PE · Physical Protection · policy · Facility security is on-site work.
PS · Personnel Security · auto
RA · Risk Assessment · auto
CA · Security Assessment · auto
SC · System & Comms Protection · auto
SI · System & Info Integrity · auto
SR · Supply Chain Risk Mgmt · policy · Vendor inventory partly automated; relationships are human.
PL · Planning · policy · Policy adoption is your team.
RM · Risk Management Strategy · policy · Strategy ratification is leadership.

~110 controls auto-remediated via Microsoft Graph API, Exchange PowerShell, and Intune policy push. The rest are evidenced (configs, screenshots, timestamps captured automatically) but require your team to ratify policy or perform on-site work.

§ 3 · Service-line economics

Per-tenant margin math: why this works at 5 tenants and at 50.

Lever | Value | Note
Per-tenant list price (MSP tier) | $1,700/mo | Launch rate. Standard $1,900.
Per-tenant cost of delivery (Stella) | ~$200/mo | Includes auto-remediation + reports + audit log.
Gross margin per tenant | ~88% | Before MSP labour overhead.
Time to baseline a new tenant | ~30 minutes | From M365 connect to gap report.
Hands-on remediation time per tenant | ~2 hours | Approve auto-fix queue + manual policy items.
Monthly review time per tenant | ~30 minutes | Drift triage + report ship.

On the MSP tier ($1,700/tenant launch rate), 10 CMMC L2 tenants is $17,000/month MRR against a delivery cost in the low single thousands. On the MSP Pro tier ($2,200/tenant) the same 10 tenants is $22,000/month MRR — and your competitive moat is the assessor-readiness review service that DIY tools can't replicate.

The math survives at five tenants and at fifty. The platform overhead is the same. Every additional tenant after the first runs through the same console, the same playbook, the same auto-remediation queue. Stella was built so adding the eleventh tenant takes the same effort as the second.

§ 4 · 90-day deployment

From "what's CMMC L2?" to "we run that as a service line."

Phase 1 · Day 0 · Run a free baseline
MSP signs up, connects one defense-adjacent client tenant. Stella scans M365 in under 30 minutes and produces a CMMC L2 gap report mapped across all 17 domains. The MSP now has a quote-ready document.
- Tenant baseline gap report (PDF)
- Per-domain coverage breakdown
- Remediation queue ranked by assessor impact

Phase 2 · Day 1–7 · Productise the offer
MSP picks the tier (MSP $1,700/tenant/mo or MSP Pro $2,200/tenant/mo CMMC-as-a-Service). Stella's templates become the MSP's service description. Pre-priced. Pre-scoped. Pre-delivered.
- Statement of work template
- White-label cover letter
- Internal playbook for tenant onboarding

Phase 3 · Week 2–4 · Convert one client
MSP runs the baseline as a sales conversation: 'here's where you stand against CMMC L2 today, here's what we deliver in 30 days, here's the monthly to keep you there.' Auto-remediation queue runs the same week.
- Signed MSA + service order
- Approved auto-fix queue (~110 controls)
- First branded posture report shipped

Phase 4 · Month 2–3 · Stand up the service line
MSP onboards 2–3 more clients with the same playbook. The MSP Console shows fleet-wide CMMC L2 posture. Drift events are triaged in 20 minutes Monday morning, not three hours.
- Multi-tenant CMMC dashboard
- Monthly automated report cadence
- Defined upsell path to MSP Pro for higher-stakes clients

Phase 5 · Month 4+ · Pre-assessment dry-runs (the upsell)
For clients getting close to a real C3PAO assessment, MSP runs Stella's pre-assessment dry-run. This is the natural upgrade path to MSP Pro — and the deliverable that locks the client into a multi-year relationship.
- Pre-assessment scoring report
- Written assessor-style explanations per control
- Locked-in renewal at the higher tier

§ 5 · Build vs Buy vs Consultant

Why an MSP shouldn't build this and shouldn't outsource it.

Lever | Stella | DIY (build it yourself) | Hire a consultant
Time to first revenue | Week 2–4 | Month 6+ | Month 3–4
Per-tenant gross margin | ~88% | ~50% (labour-heavy) | ~25% (pass-through)
Recurring vs project | Recurring MRR | Recurring MRR | Project fees
Multi-tenant scale | Native | Custom-built | One client at a time
Assessor-defensible evidence | Auto-captured | Hand-assembled | Hand-assembled
Setup cost | ~$0 (per-tenant SaaS) | ~$80K–200K (engineer time) | $25K–60K per engagement

DIY is technically possible. Most MSPs who try it stop around month four when they realise the evidence-capture pipeline alone is a full engineer's quarterly project. Consultants deliver one engagement at a time and pocket margin you'd rather keep. Stella collapses both into a SaaS line-item and gives you the productised workflow their tools and engagements can't.

§ 6 · Next steps

Three things you can do this week.

  1. Run a free baseline on one tenant.
     Pick the one defense-adjacent client where this conversation is easiest. 30 minutes. No card. Walk out with a CMMC L2 gap report you can quote against.
  2. Send the readiness checklist to your sales team.
     The 17-domain self-assessment we use on every Stella beta tenant. Use it to qualify your next defense-adjacent prospect on the discovery call.
  3. Book a 15-minute call with the founder.
     Bring a real client scenario. We'll walk through what the Stella workflow would look like for that tenant in week 1, week 4, and month 6.

Stella Unified · CMMC L2 Service-Line Blueprint v1 · stella-ai.ai
This document supersedes any earlier blueprint version.