Hello all, I have a questions regarding some companies that offer software to help with compliance management. I have been getting ads for Fortra:

https://dataclassification.fortra.com/compliance/cmmc

And well I work for an MSP looking to becoming an RPO. We currently mostly use Kaseya for monitoring and deploying (datto/edr/rocket cyber, etc), and they have been trying to sell a compliance service similar to Fortra:

https://www.compliancemanagergrc.com

My main question is, if both of these cannot be found on fedramp or have any association with CMMC how can their systems run compliance? I tried asking Fortra about it, but they stated since they don’t explicitly see or handle CUI it’s okay to sell their services. I’m cautious on this, because they may not see CUI but under their documentation and systems, but they will still have information as to how the company runs their IT infrastructure and how they manage CUI.

Kasey’s also states in can be implemented with other Kasey’s software we use. I think I know the answer to this one, but basically us being an MSP and using Kaseyas applications for the majority of our systems would not work out for CMMC? Since none of kaseyas software is fedramped.