
Which Compliance Framework Do Your MSP Clients Actually Need?

HIPAA, SOC 2, PCI DSS, CMMC, CJIS, CIS, NIST — there are dozens of frameworks and your clients have no idea which ones apply to them. Here's how to figure it out and turn it into revenue.

Brett Coffin

Updated June 2026 · 9 min read

TLDR: Most MSPs either avoid the compliance conversation entirely or default to whatever framework they know best. Both approaches leave money on the table. The right framework depends on the client's industry, their customers, their insurance carrier, and what contracts they're chasing. Here's a practical breakdown of the major frameworks and how to match them to your client base.


The Framework Problem

Walk into any MSP community and ask about compliance frameworks and you'll get a dozen different answers. SOC 2 is the gold standard. No, NIST CSF is better. CIS Controls is the only practical one. HIPAA is mandatory. CMMC is coming for everyone.

They're all right. And they're all wrong. Because the answer is never "which framework is best" — it's "which framework does this specific client need right now."

Your clients don't care about frameworks. They care about:

  • Passing an audit they just got notified about
  • Renewing their cyber insurance policy
  • Winning a contract that requires security documentation
  • Avoiding the fine that just hit their competitor

The framework is just the tool. The job is answering whatever question is keeping your client's CEO up at night.


The Framework Cheat Sheet

Here's the quick reference. If a client matches the trigger, they need the framework. No exceptions.

| Framework | Who Needs It | Typical Trigger |
|---|---|---|
| HIPAA | Healthcare providers, business associates, anyone touching PHI | HIPAA audit notice, new healthcare client onboarding, insurance requirement |
| SOC 2 | SaaS companies, service providers, anyone whose customers ask "are you secure?" | Customer or partner requesting a SOC 2 report, enterprise sales process |
| PCI DSS | Anyone processing, storing, or transmitting credit card data | Payment processor audit, merchant bank requirement, new e-commerce platform |
| CMMC Level 1 | DoD contractors handling Federal Contract Information (FCI) | New DoD contract, subcontractor to a prime contractor |
| CMMC Level 2 | DoD contractors handling Controlled Unclassified Information (CUI) | DFARS clause in contract, handling CUI data |
| CJIS | Law enforcement agencies, anyone accessing criminal justice data | Working with police departments, courts, jails, dispatch systems |
| NIST CSF | General-purpose risk management, often used as a baseline | Board asking "what's our security posture?", no specific mandate but want structure |
| CIS Controls | Internal security baseline, practical implementation guide | MSP wanting to secure their own house, client wanting actionable steps |

Framework-by-Framework Breakdown

HIPAA: The Healthcare Non-Negotiable

If your client touches protected health information (PHI) — patient records, billing data, insurance claims, appointment schedules — HIPAA applies. Period. It doesn't matter if they're a two-person dental office or a 500-bed hospital system.

What most MSPs miss: HIPAA also applies to business associates. If your client provides IT services, billing, transcription, cloud hosting, or any other service to a healthcare provider and they access PHI in the process, they're a business associate and they need HIPAA compliance.

The revenue angle: HIPAA risk assessments are required annually. That's a built-in renewal cycle. Monthly compliance monitoring, policy management, and evidence collection turn a one-time assessment into a $300-$800/month retainer per client.

SOC 2: The Trust Currency

SOC 2 is the framework that keeps coming up in enterprise sales conversations. When a prospect asks your client "can you prove your security practices?", they're usually asking for a SOC 2 report or something equivalent.

Important distinction: most SMB clients don't need full SOC 2 certification (which requires a CPA audit and costs $50K+). They need SOC 2 readiness — evidence that their controls align with the Trust Services Criteria. That's a service you can deliver.

The revenue angle: SOC 2 Type II evaluates controls over time, so continuous monitoring is baked into the framework. Quarterly readiness assessments, evidence collection, and gap remediation make this a natural recurring service. $500-$1,500/month depending on complexity.

PCI DSS: Follow the Credit Cards

PCI DSS applies to any organization that processes, stores, or transmits cardholder data. Version 4.0 went into full effect in 2025 and tightened requirements significantly — especially around authentication, encryption, and continuous monitoring.

Most SMBs think PCI only applies to retailers. Wrong. If a client has an online payment form, a point-of-sale terminal, or even a phone-order process where staff type card numbers into a system, PCI DSS applies.

The revenue angle: PCI has 12 requirement categories with hundreds of individual controls. The Self-Assessment Questionnaire (SAQ) alone overwhelms most small businesses. Managed PCI compliance is a natural MSP service — especially when you bundle it with the technical controls (firewalls, encryption, access management) that you're already providing.

CMMC: The Government Contractor Gateway

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is now being enforced in DoD contracts. Level 1 covers basic cyber hygiene (17 practices) for anyone handling Federal Contract Information. Level 2 maps to all 110 controls in NIST SP 800-171 and covers Controlled Unclassified Information.

Here's what makes CMMC interesting for MSPs: it cascades down the supply chain. A prime contractor needs CMMC Level 2. Their subcontractors need it too. The machine shop making parts for a defense company, the accounting firm handling their payroll, the IT company managing their network — they all need CMMC if they touch CUI.

The revenue angle: CMMC compliance is complex enough that most SMBs can't do it alone. The assessment, remediation, documentation, and ongoing monitoring can command $1,000-$3,000/month per client. And once a client is in the DoD supply chain, they're not leaving — this is sticky revenue.

CJIS: The Law Enforcement Standard

The Criminal Justice Information Services (CJIS) Security Policy applies to any organization that accesses FBI criminal justice databases or handles Criminal Justice Information (CJI). That includes law enforcement agencies, courts, jails, dispatch centers, and — critically — any vendor or MSP that supports them.

If you're managing IT for a police department, a sheriff's office, a 911 dispatch center, or a court system, CJIS compliance isn't optional. It covers encryption, access control, audit logging, personnel security, and incident response.

The revenue angle: Government contracts are long-term and renewal-heavy. CJIS compliance requires ongoing documentation, access control reviews, and security awareness training. MSPs serving law enforcement can build $500-$2,000/month compliance retainers on top of their managed services contracts.

NIST CSF and CIS Controls: The Baselines

These two frameworks serve a different purpose than the others. They're not mandated by any specific regulation — they're voluntary frameworks that provide structure for organizations that want to improve their security posture.

NIST Cybersecurity Framework (CSF) is a risk-based approach. It's organized around five functions: Identify, Protect, Detect, Respond, Recover. It's great for answering "what's our overall security posture?" but it's broad and non-prescriptive. Think of it as a map, not a set of driving directions.

CIS Controls is more actionable. It's a prioritized list of specific things to do: inventory your hardware, inventory your software, configure things securely, control admin privileges, maintain audit logs. If NIST CSF is the "what," CIS Controls is the "how."

The revenue angle: Use these as your baseline assessment framework for every new client. Run a CIS Controls assessment during onboarding, identify gaps, and build a remediation roadmap. That roadmap becomes your upsell pipeline for the next 12 months.


The Overlap Advantage

Here's something most MSPs don't realize: these frameworks overlap significantly. A huge portion of HIPAA's Security Rule maps directly to NIST SP 800-171 controls. CMMC Level 1 covers basics that also satisfy CIS Controls Implementation Group 1. SOC 2's Trust Services Criteria align with large sections of NIST CSF.

This means once you've done the work to assess a client against one framework, you're 40-70% of the way to a second framework. A healthcare company subject to HIPAA that also wants SOC 2 readiness doesn't need twice the work — they need incremental gap filling.

This is how you scale compliance services. Don't treat each framework as a separate silo. Map the controls once, then generate reports against multiple frameworks from the same evidence base.
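As an added example (not Nuronus code and not an official crosswalk), here is the "map the controls once" idea in Python: each evidence item an MSP collects is tagged with the requirement it satisfies in every framework, and readiness and gap reports for any framework are derived from that single evidence set. The evidence item names and the mapping itself are illustrative assumptions; the requirement numbers are real section and control identifiers, but only a handful are shown.

```python
"""Evidence-once, report-many: an illustrative control crosswalk (added example)."""

# Crosswalk from MSP-collected evidence items to the framework requirements they
# support. Requirement identifiers are real section/control numbers; the evidence
# item names and this particular mapping are a simplified illustration, not an
# authoritative crosswalk (assumption, for demonstration only).
CROSSWALK = {
    "unique-user-ids":        {"HIPAA": "164.312(a)(2)(i)",  "NIST800-171": "3.1.1",   "CIS8": "5.1"},
    "mfa-enforced":           {"HIPAA": "164.312(d)",        "NIST800-171": "3.5.3",   "CIS8": "6.5"},
    "audit-logging":          {"HIPAA": "164.312(b)",        "NIST800-171": "3.3.1",   "CIS8": "8.2"},
    "encryption-at-rest":     {"HIPAA": "164.312(a)(2)(iv)", "NIST800-171": "3.13.16"},
    "incident-response-plan": {"HIPAA": "164.308(a)(6)(ii)", "NIST800-171": "3.6.1",   "CIS8": "17.4"},
    "cui-marking":            {"NIST800-171": "3.8.4"},
    "system-security-plan":   {"NIST800-171": "3.12.4"},
}

# Constructed sample: evidence collected while taking a client through HIPAA.
HIPAA_EVIDENCE = {"unique-user-ids", "mfa-enforced", "audit-logging",
                  "encryption-at-rest", "incident-response-plan"}


def requirements(framework):
    """Map evidence item -> requirement id for one framework."""
    return {item: m[framework] for item, m in CROSSWALK.items() if framework in m}


def readiness(evidence, framework):
    """(satisfied, total) distinct requirements of `framework` the evidence covers."""
    reqs = requirements(framework)
    met = {req for item, req in reqs.items() if item in evidence}
    return len(met), len(set(reqs.values()))


def gap_report(evidence, framework):
    """Evidence items still to collect for `framework`: the incremental work."""
    return sorted(item for item in requirements(framework) if item not in evidence)


def readiness_pct(evidence, framework):
    """Whole-number readiness percentage, 0 when the framework has no mapped requirements."""
    met, total = readiness(evidence, framework)
    return round(100 * met / total) if total else 0


if __name__ == "__main__":
    # Same HIPAA evidence, reported against three frameworks.
    for fw in ("HIPAA", "NIST800-171", "CIS8"):
        print(f"{fw}: {readiness_pct(HIPAA_EVIDENCE, fw)}% ready, gaps={gap_report(HIPAA_EVIDENCE, fw)}")
```

The NIST SP 800-171 gap list that falls out is the "incremental gap filling" the text describes: only the CUI-specific items remain after the HIPAA work.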


How to Match Frameworks to Your Client Base

Here's the practical workflow:

1. **Audit your client list by industry.** Healthcare? HIPAA. Government contractor? CMMC. Law enforcement? CJIS. Retail or e-commerce? PCI DSS. SaaS or professional services? SOC 2.

2. **Ask about contracts and audits.** "Has a customer or vendor ever asked you for security documentation?" "When does your cyber insurance renew?" "Are you subject to any compliance requirements?" These three questions surface 90% of framework needs.

3. **Start with the urgent one.** Don't pitch five frameworks at once. Find the one that has a deadline or a contract attached to it. Deliver that first. Then expand.

4. **Use a baseline for everyone else.** For clients with no specific mandate, run a CIS Controls or NIST CSF assessment. It gives them structure, gives you a gap list, and positions you as the compliance advisor for when a mandate does show up.

5. **Layer frameworks over time.** Once a client is compliant with one framework, show them where they already satisfy controls in a second framework. "You're already 65% of the way to SOC 2 readiness based on the HIPAA work we did" is a much easier sell than starting from zero.


The Bottom Line

The right compliance framework isn't the one you know best — it's the one your client needs. And most of your clients need at least one, whether they know it yet or not.

The MSPs building real compliance practices aren't framework specialists. They're framework-agnostic advisors who can assess a client's situation, recommend the right standard, deliver the assessment, and monitor ongoing compliance. That's a high-value, high-margin, recurring service that your clients can't easily replace.

Stop asking "which framework should I learn?" Start asking "which framework does each of my clients need?" The answer is probably sitting in their industry, their contracts, and their insurance policy. Go find it.

*Want to see how multi-framework compliance works in practice? Sign up free for Nuronus — map a client against HIPAA, SOC 2, CMMC, CJIS, or PCI DSS and generate a white-label readiness report in minutes. Free for 2 clients, all features included.*


Brett Coffin

Founder, Nuronus

20+ years in IT infrastructure and security. Built Nuronus after watching MSPs leave compliance revenue on the table because the tooling made it impossible to deliver profitably.