The Tale of Two Multiples: Generalist vs. Sovereign
In the private equity ecosystem, we are witnessing a bifurcation of the Managed Services market that is as stark as it is profitable. On one side, we have the "Generalist Commercial MSP." This firm services law firms, dentists, and mid-sized manufacturers. They fight a brutal war on price, battle 20% annual churn, and struggle to differentiate. Their exit multiple ceiling is firmly capped at 6x-8x EBITDA.
On the other side is the "Sovereign Cloud Partner." This firm specializes in the Defense Industrial Base (DIB). They hold FedRAMP authorizations or CMMC Level 2 readiness. Their NOC/SOC is entirely US-based (NOFORN). Their contracts are multi-year, sticky, and mandated by federal law. These firms are not trading at 8x. They are trading at a median of 15.0x EBITDA, with premium assets commanding upwards of 20x.
Why the delta? Barriers to entry.
The commercial MSP market has zero barrier to entry; anyone with a laptop and a remote monitoring tool can play. The Azure Government market has a moat that costs $2M+ and 18-24 months to cross. That moat is comprised of FedRAMP High, DoD Impact Level 4/5 (IL4/IL5), and CMMC 2.0 compliance. If your portfolio company is sitting on "government revenue" but lacks these certifications, you are holding a ticking time bomb, not a premium asset.
The Diagnostic: Is Your "Gov" Partner Real or Fake?
Many MSPs claim to be "Government Experts" because they have three municipal clients and a handful of subcontractors. In the era of CMMC 2.0 enforcement, this masquerade is over. Use this diagnostic to determine if you own a 15x asset or a distressed turnaround.
1. The "No Foreign Nationals" (NOFORN) Test
Commercial MSPs survive on labor arbitrage—offshoring Level 1 and Level 2 support to India, the Philippines, or Eastern Europe to protect margins. In the Azure Government world, this is a death sentence. To access IL4/IL5 data (Controlled Unclassified Information), support staff must be U.S. Citizens. Not just green card holders—citizens.
The Audit: Check the payroll of the NOC/SOC. If you find a single non-citizen with admin access to the enclave, the asset isn't just worth less; it's likely non-compliant with DFARS 7012. You cannot "fix" this post-close without firing 40% of the staff and doubling your labor costs.
2. The CMMC Reciprocity Trap
Under CMMC 2.0, External Service Providers (ESPs)—that’s your MSP—must be certified to the same level as the clients they serve. If the client needs CMMC Level 2, the MSP needs CMMC Level 2. This creates a massive consolidation event. Thousands of small MSPs who cannot afford the $150k-$300k annual cost of compliance will be fired by their defense clients.
The Audit: Ask for their System Security Plan (SSP) and their SPRS (Supplier Performance Risk System) score. If they answer "we help our clients with that," but haven't done it themselves, they are about to lose their entire government revenue stream.
3. The "Tenant" vs. "Enclave" Model
Low-value partners resell Microsoft 365 GCC High licenses and walk away. High-value partners build Compliant Enclaves—pre-configured, authorized environments (handling inheritance of controls) that accelerate a client's own compliance. The former is a reseller (low margin); the latter is a platform (high margin, high stickiness).
Strategic Action: Buying the Moat
If you are looking to capture the 15x premium, you cannot simply "market" your way there. You must engineer the asset. Here is the playbook for Portfolio Paul:
1. Segregate the Practice
Do not let your commercial MSP "dabble" in GovCon. The compliance costs (overhead) will destroy your commercial margins, and the commercial laxity will destroy your government compliance. Spin out a dedicated federal subsidiary. Separate the P&L. Separate the ticketing system. Separate the staff.
2. Invest in the ATO (Authority to Operate)
The most valuable IP in this space is an Agency ATO or a FedRAMP Ready status. This is not just a badge; it is a license to print money. It signifies that the federal government has already vetted the security stack. While it costs $750k-$2M to achieve, it serves as a "pass-through" value prop that allows you to charge 40-50% premiums on hourly rates compared to commercial peers.
3. Target "Orphaned" Compliance Books
As mentioned, CMMC 2.0 will force small MSPs to exit the defense market. This creates a rollup opportunity. Acquire the contracts of these smaller players who can't afford the compliance upgrade, and migrate their clients into your pre-certified Azure Government enclave. You acquire the revenue at 4x (distressed), migrate it to your platform, and sell it at 15x.
The Bottom Line: In 2026, compliance is no longer a cost center. In the Azure Government ecosystem, compliance is the product. And it is the only product trading at 15x EBITDA in a flat market.
