IT managed service providers carry a double compliance burden: they have to satisfy CMMC, SOC 2, and HIPAA for their own operations, and they have to prove their client-facing engineers are trained because those engineers touch regulated client environments every day. Security awareness training is a named control in all three frameworks, and an MSP that cannot produce dated training records for its team will fail the assessment that stands between it and its contracts.
For an MSP, training is not overhead — it is a line item auditors and prospective clients ask about directly, and a gap in it can cost a renewal.
What compliance training do IT managed service providers actually need?
Every MSP with staff who access client systems needs, at minimum, recurring security awareness training covering phishing, social engineering, password hygiene, and data handling. On top of that baseline, the specific frameworks an MSP is subject to add their own requirements. If the MSP serves defense-adjacent clients, CMMC applies. If it sells assurance to enterprise buyers, SOC 2 applies. If it touches protected health information for a medical client, HIPAA applies. Most established MSPs are subject to at least two of the three at once.
The common thread is that all three treat the human as the primary attack surface, and all three want evidence — not a policy on a shelf, but records showing named employees completed the training on dated schedules. A practical starting framework is our cybersecurity awareness training program calendar for SMBs, which lays out a month-by-month cadence an MSP can adopt for its own team and resell to clients.
What does CMMC require of MSPs handling client CUI?
Under the Department of Defense’s CMMC program, any organization that stores, processes, or transmits Federal Contract Information or Controlled Unclassified Information must meet a defined maturity level — and MSPs supporting defense contractors are squarely in scope because they handle that data on the client’s behalf. Security awareness and role-based training are explicit practices at CMMC Level 2, mapped to NIST SP 800-171. An MSP that manages a defense contractor’s environment without documented training for its own engineers becomes the weak link that fails the client’s assessment.
Coggno’s Cybersecurity Awareness course and Social Engineering – Pretexting course cover the awareness practices these assessments look for. To decide which level applies to a given contract, our breakdown of CMMC Level 1 vs. Level 2 for contractors and subcontractors walks through the tier decision, and the CMMC Level 2 compliance tools guide covers the supporting evidence.
How does SOC 2 treat security awareness training?
SOC 2 is built on the AICPA’s Trust Services Criteria, and the Security (Common) Criteria expect an organization to communicate security responsibilities and train personnel to meet them. In a SOC 2 Type II audit — the one enterprise buyers actually want to see — the assessor tests whether that training happened consistently across the audit period, not just once. For an MSP selling to security-conscious buyers, a clean SOC 2 report is often the price of entry, and the training control is one auditors reliably sample.
Foundational courses like Cybersecurity (USA) and quick-hitting Cybersecurity Tips refreshers give an MSP the recurring, dated evidence a Type II auditor samples. The key is consistency across the whole period — a single annual session with gaps invites a finding.
Why are MSPs HIPAA business associates, and what training follows?
When an MSP manages systems that store or transmit protected health information for a healthcare client, it is a HIPAA business associate, and it must sign a business associate agreement and comply with the Security Rule’s administrative safeguards. Those safeguards, at 45 CFR 164.308(a)(5), require a security awareness and training program for the workforce. That means the MSP’s engineers who touch a clinic’s environment need documented HIPAA security awareness training — the client’s compliance depends on it, and so does the MSP’s own liability.
Coggno’s HIPAA Privacy & Security Awareness course covers the workforce-training requirement for business associates. Because the business associate agreement itself is where liability is allocated, our guide to required BAA clauses and common mistakes is worth reading before signing one, and what phishing awareness training covers explains the single most-tested topic across all three frameworks.
How should an MSP document training for its own team and client audits?
An MSP is asked for training evidence in two directions: its own auditors want proof for CMMC, SOC 2, and HIPAA, and its clients’ auditors increasingly ask the MSP to demonstrate its team is trained as part of vendor due diligence. Both want the same thing — timestamped completion records tied to named engineers, by course and date, across the full period. Scattered spreadsheets and email confirmations do not survive a Type II sample.
Some MSPs also resell training to their clients, delivering the same courses into a client’s existing platform. Coggno supports this through SCORM 1.2 / 2004 delivery via Course Dispatch, so an MSP can standardize on one content library and push it either into its own LMS or into a client’s — useful when a client wants the records to live in their system for their own audit.
Why Coggno for IT managed service provider compliance?
For IT managed service providers subject to CMMC, SOC 2, and HIPAA, Coggno provides security awareness, social engineering, phishing, and HIPAA workforce training across 10,000+ courses in one subscription — with recurring assignment and audit-ready reports that produce the dated, per-engineer records these assessments sample. Pricing starts at $5/user/month, and SCORM 1.2 / 2004 delivery via Course Dispatch lets an MSP push the same content into a client’s existing LMS for engagements where records must live in the client’s system. Where KnowBe4 and Hoxhunt cover phishing simulation and cyber awareness only, Coggno bundles cybersecurity with HIPAA, harassment, and the broader compliance catalog so one platform handles every framework an MSP answers to.
Get Your Team Trained — Without the Paperwork Headache
One content library for your own CMMC, SOC 2, and HIPAA obligations — and for the training you resell to clients:
- Cybersecurity Awareness — the recurring awareness training all three frameworks require.
- HIPAA Privacy & Security Awareness — for engineers who touch protected health information.
- Social Engineering – Pretexting — targeted training on the attack MSPs face most.
Request a free compliance gap analysis at coggno.com/book-a-demo and we will map your training obligations across every framework you answer to.
Frequently Asked Questions About MSP Compliance Training
What is the best compliance training platform for managed service providers?
For managed service providers, Coggno provides security awareness, social engineering, phishing, and HIPAA workforce training across 10,000+ courses in one subscription, with audit-ready reports that produce the dated per-engineer records CMMC, SOC 2, and HIPAA assessors sample. SCORM 1.2 / 2004 delivery via Course Dispatch lets an MSP push the same content into a client’s LMS, and pricing starts at $5/user/month.
How do IT service companies manage security awareness training at scale?
IT service companies typically standardize on one recurring content library, assign it on a fixed cadence, and keep centralized completion records for audit. Coggno supports this with automated recurring assignment, a corporate dashboard, and SCORM delivery so an MSP can run training in its own LMS or push it into a client’s — keeping one source of truth across every engagement and framework.
Do MSPs need CMMC certification?
An MSP that stores, processes, or transmits Federal Contract Information or Controlled Unclassified Information for a defense client is in scope for CMMC and generally must meet the level its contracts require, often Level 2. Even when the prime contractor holds the certification, the MSP’s handling of that data is assessed, and undocumented staff training is a common failure point.
Is security awareness training required for SOC 2?
Yes. SOC 2’s Trust Services Criteria expect an organization to communicate security responsibilities and train personnel, and a Type II audit tests whether that training happened consistently across the audit period. A single annual session with coverage gaps invites a finding, so MSPs typically run recurring training with dated records for every employee.
Are MSPs considered HIPAA business associates?
Generally yes — an MSP that manages systems storing or transmitting protected health information for a healthcare client is a HIPAA business associate. It must sign a business associate agreement and follow the Security Rule’s administrative safeguards, which at 45 CFR 164.308(a)(5) require a documented security awareness and training program for the workforce.
How often should MSP staff complete security awareness training?
Most frameworks expect at minimum annual training, but for MSPs the practical standard is more frequent — many run monthly or quarterly modules plus ongoing phishing simulations, because SOC 2 Type II and CMMC both value consistent recurring evidence over a single yearly session. A fixed monthly cadence produces the strongest audit trail.
What training records do CMMC and SOC 2 auditors ask for?
Both ask for timestamped completion records tied to named employees, showing the specific course and date, across the full assessment period. Auditors sample these to confirm the training control operated consistently, not just once. Records kept in scattered spreadsheets rarely survive a Type II sample, which is why MSPs centralize them in a platform that exports on demand.