Security Tool Vendors:

You must do CMMC right the first time

and it can't wait.

Security Tool Vendors:

Your MSP Partners Need Your CMMC Assessment-Ready Customer Responsibility Matrix (CRM)—

Not Generic Security Claims or Marketing Fluff.

And they can't wait.

Doing compliance wrong can cost you time and long-standing relationships and millions of dollars.

Doing compliance right can save time and keep you from losing partners, bring you new partners, and generate incremental revenue worth millions of dollars.

Spinning your solution as a compliance tool can be the silver bullet differentiator against your competitors in a crowded market. That may add company acquisition value that makes your investors happy.

Your investment in doing compliance right is much less than what you stand to gain.

I can accelerate your success.

How am I so sure? Because I've done it before.

The CMMC Final Rule removed the difficult and expensive FedRAMP requirement for cloud services that only store Security Protection Data (SPD). But the requirement for the Customer Responsibility Matrix (CRM) remained. Defense contractors must give their clients the CRMs for the security tools they use as part of their documentation packet.

If your MSP partners support defense contractors, they’re being asked for something most vendors can’t produce: an accurate and thorough assessment-ready CRM that maps your service responsibilities to CMMC Level 2 assessment objectives—up to all 320.

I've seen so-called 'CMMC CRMs' that were nothing more than marketing fluff and others that were so incomplete that any CMMC assessor with integrity would not accept the document. That puts their partner's client relationships at risk, which put their vendor's partner relationships at risk. Some of the CRMs were done by well-meaning security specialists who weren't formally trained or certified in CMMC and did not understand how different it is from other regulations. Some ignored the fact that vendors can access their partners' data.

When your answers are vague, inconsistent, created by staff members without CMMC certifications or are “AI-generated,” you don’t just lose deals—you create risk for your partners and their clients.

Why are MSPs demanding CRMs right now and threatening to leave if you don't deliver? Two reasons.

Some MSPs are committed to CMMC and have voluntarily chosen to pass their own Level 2 certification assessment. They need to provide your CRM to their assessors.

MSPs that have been preparing defense contractor clients for their assessments now must deliver all the required documentation - including the CRMs from their security stack vendors - so their clients can schedule their assessments.

Not having an CRM or having one that won't pass scrutiny leaves your partners no other choice than to stop working with you.

Doing it right costs a lot less than you stand to lose.

Avoid the pain.

Anticipate the needs of your partners and have a professional solution ready when they need it.

  • Stop “Can you map this to CMMC?” deals from stalling

  • Stop the embarrassing silence when a CMMC-savvy MSP asks you pointed questions about your CRM

  • Reduce partner escalation calls and last-minute scramble before assessments

  • Prevent risky overstatements in marketing and sales conversations

  • Avoid embarrassing posts on MSP forums

  • Give MSPs documentation they can hand to a defense contractor + assessor with confidence

  • Make your product easier to sell, easier to implement, and harder to replace

Get Your CRM Scoped (in just 15 minutes)

See What a CMMC CRM Looks Like

Talk directly to Mike Semel, a CMMC Certified Assessor (CCA)

who has been a cloud service manager, MSP, and CIO for regulated organizations

and has experience creating CRMs.

Every day you wait is another day risking partner relationships, long-term profits,

and company value.

The uncomfortable truth.

Your MSP partners aren’t being evaluated on your SOC 2 report.

They’re being asked, in plain English, specifically about your solution, to prove:

  • Who does what

  • Which CMMC controls are covered by the MSP

  • Which CMMC controls are covered by your platform

  • Which CMMC controls belong to the client

  • What evidence exists

  • How it’s demonstrated

  • How it holds up across CMMC Level 2 assessment objectives

When a defense contractor is preparing for a CMMC Level 2 assessment, the assessor (and the contractor’s leadership) needs clarity down to the objective level. “We’re secure” isn’t evidence. Only addressing the 110 practices isn't enough.

AI (keep the edge, make it defensible)

You can use AI to write words. But you can’t use AI to take accountability.

Bad AI compliance guidance—especially around shared responsibility—creates:

  • partner churn and reputational damage

  • delayed deals and lost channel momentum

  • expensive rework (“rabbit holes”)

  • assessment failures, corrective actions, and executive panic

Your partners need compliance artifacts that are defensible, consistent, and aligned to the assessment reality.

AI can't replace a CMMC Certified Assessor with 25+ years of hands-on experience:

  • Managing operations at a cloud backup service

  • As a successful MSP helping regulated clients

  • As Chief Information Officer (CIO) for a regulated hospital and regulated K-12 school district

  • Leading hundreds of compliance assessments and remediation projects

  • Helping businesses in multiple industries pass audits

  • Teaching compliance to thousands of MSPs, vendors, and end-users

  • Helping RapidFire Tools, Kaseya, and Liongard with their compliance needs

How I can help you.

  • Your personalized CMMC Customer Responsibility Matrix (CRM) Kit for Security Cloud Vendors

    A structured deliverable package your MSP partners can use repeatedly—built to address CMMC Level 2 assessment objectives (up to 320) that apply to your service and its use in a partner-delivered solution. It takes an expert with proven CMMC knowledge and experience as an MSP and cloud service manager to get this right.

    What you get:

    • CMMC Level 2 Customer Responsibility Matrix (Objective-Level Mapping)
      Clear assignment of responsibilities (Vendor / MSP Customer) per applicable objective - based on we invest the time needed to understand your environment. We ask the right questions - we don't just put a bunch of X's in the table - and we explain what needs to be done

    • CMMC Service Description
      Clear guidance for assessors so they understand what you do and where you fit into a CMMC assessment

    • Partner-Ready Guidance
      How MSPs should position your responsibilities, what they must still do, and what the customer must do

    • Evidence & Demonstration Notes
      What “good evidence” looks like and how it is typically demonstrated during an assessment

    • Scope & Boundary Assumptions
      What’s in/out (tenancy model, managed vs self-managed components, customer responsibilities)

    • Partner Enablement Pack
      FAQ, sales-safe talking points, and escalation handling so support doesn’t become your sales engineer team

    Optional add-ons

    • Quarterly CRM maintenance (updates as your product changes)

    • Partner webinar (train MSPs how to use the CRM)

    • Sales enablement (battle cards + claims review)

    CTA: Request CRM Kit Details

Accelerate Your Success with Compliance

I can bring certified compliance expertise to your products, websites, marketing, tradeshow booths, breakout sessions, and webinars.

  • I helped RapidFire Tools change from being a cybersecurity software vendor to a compliance software vendor.

  • I helped Kaseya build, market, and support Compliance Manager GRC, including battle cards for its sales team, partner webinars, booth sales and support, breakout sessions, training classes, marketing collateral, partner satisfaction calls, and product development for worldwide regulations.

  • I helped Liongard create a CMMC Customer Responsibility Matrix (CRM) to meet the needs of demanding partners.

RapidFire Tools/Kaseya Timeline to Compliance Success

“When it comes to compliance there is nobody else in the industry who knows more and is a better resource than Mike Semel.

The truth is that we could not have developed the software without the input, guidance and expertise of Semel Consulting.

You can count on him.”

Michael Mittel, Founder & President, RapidFire Tools

Why Mike

You don’t need another “compliance writer.”

  • Former MSP owner/operator: understands how partners actually implement and support

  • Vendor-side experience: GRC tool content and guidance, product messaging, enablement, training, and channel execution

  • CIO for a regulated hospital and K-12 school district - Real audit and litigation exposure: knows what holds up when things get challenged

  • Current formal training and certifications that stand up to scrutiny

There are a lot of people that claim to have CMMC expertise. Some are CMMC Registered Practitioners (RP) with just a few hours of training and not enough assessment process knowledge to help you. Others are CMMC Certified Professionals (CCP). The highest level is CMMC Certified Assessor (CCA) with proven knowledge about CMMC and the assessment process. That's who you want preparing your CRM.

There's only one place where you can verify CMMC credentials - the Cyber AB (CMMC Accreditation Body) website.

Go to the Cyber AB Marketplace, enter the person's last name in the search box, and click the Search button. (Enter 'Semel' to find mine.) If they don't show up, they have not met the requirements for certification.

Mike Semel's Current Certifications and Memberships

Empower Your Partners & Your Team

Pre-built training systems you can:

Use internally to align sales/support/product teams

Offer to MSP partners as enablement

Bundle into your platform as “trusted guidance” content

Available systems include:

CMMC for MSPs

NIST 800-171 / CMMC fundamentals

Shared Responsibility Matrix training

Risk-based selling for regulated clients

Assessment prep and evidence readiness


If your partners sell into regulated markets, training isn’t optional—

it’s how you keep outcomes consistent.

How it works

  • CRM Discovery Call – understand your offering, deployment model, and partner use cases

  • Document Review – onboarding, implementation, architecture, platform support

  • Scope & Objective Mapping – identify which CMMC Level 2 objectives apply and where responsibility sits

  • Draft + Validation – produce the CRM + partner guidance; review with your technical owner(s)

  • Enablement Rollout – partner pack + optional webinar + internal training for consistency

  • Ongoing Maintenance – keep it current as the product changes

CTA: Start CRM Discovery

Contact me now - every day you wait is another day you risk losing partners.

Stop losing CMMC-driven channel deals and loyal partners who cannot wait.

If your MSP partners support defense contractors, you need CRM answers NOW that are consistent, defensible, and objective-level when required.

Call Mike Semel: 888-997-3635 x 101

Email Mike: [email protected]

CONTACT

Phone: 888-997-3635

Fax:888-667-7849

Semel Consulting, LLC

6547 Midnight Pass Road #90

Sarasota, Florida

34242

FOLLOW US

© 2026 Semel Consulting, LLC