Richmond businesses outgrowing a one-person IT department usually arrive at the same crossroads. Either hire more internally, hand everything to an outside provider, or find something in between. Most conversations about managed IT services in Richmond, VA, start with the full outsourcing option, but the middle ground, co-managed IT, often gets missed, and it’s the one most worth understanding before you pick a lane.
Co-managed IT vs managed IT
Co-managed IT means your internal team keeps running day-to-day operations, and an outside provider fills in the gaps. It’s usually the expensive, specialist, or round-the-clock pieces you can’t realistically hire for. Because of this, your team stays the primary point of contact for end users, project priorities, and institutional knowledge. The MSP brings tooling, monitoring, specialist security expertise, and whatever skills don’t justify a full-time hire.
The split can go a lot of ways. Cybersecurity is outsourced entirely, with the rest kept in-house, or strategy and user support are internal, with infrastructure and compliance pushed out to the MSP. What matters is that the arrangement matches what your team does well, rather than following a standard division of labor.
Fully managed IT hands the whole function over. The provider owns the helpdesk, network, security, backups, vendor management, and roadmap planning. You keep an internal owner or sponsor – usually someone in operations or finance – but there’s no internal technical staff doing the work. Most organizations that choose it either don’t have IT staff to begin with or had an internal hire who moved on and decided not to rehire. It’s a simpler model: one provider and one contract, with a single point of accountability. The trade-off is that institutional knowledge lives with the provider, and internal influence over priorities tends to be softer.
A side-by-side
Neither model wins outright, as they suit different businesses. The call mostly comes down to what your internal team already handles well. The practical differences look like this:
Co-managed IT | Fully managed IT | |
Control | Internal team sets priorities; MSP supports | MSP owns execution; client sets direction |
Cost model | Base retainer plus selective services | Flat monthly fee covering agreed scope |
Staffing | Complements existing IT staff | Removes the need for internal IT |
Scalability | Flex capacity up or down as needs shift | Scope renegotiated for major changes |
Compliance support | Shared – MSP leads, internal team operationalizes | MSP-led end-to-end |
Response times | Coverage split between internal hours and MSP | 24/7 coverage via MSP |
Tool access | MSP tools layered over existing stack | MSP stack replaces legacy tooling |
When co-managed IT support in Virginia makes sense
Co-managed works best when you already have IT people you trust, but they’re struggling to keep up. The signs are consistent: after-hours tickets pile up because one person can’t stay on call indefinitely, and cybersecurity tooling sits underused because no one internal has time to tune it. When a compliance deadline lands and there’s no one who’s ever built a System Security Plan, hiring your way out takes months. The 2025 ISC2 Cybersecurity Workforce Study found that 59% of respondents report critical or significant skills shortages on their security teams, up from 44% the year before.
The framing of in-house IT vs co-managed IT misses the point. The better question is where your internal person’s time creates the most value and where an outside specialist is faster. A blended arrangement lets your IT lead stay close to the business – the thing they’re uniquely good at – while the MSP handles work that doesn’t benefit from institutional knowledge.
Fully managed is a better fit when the internal role doesn’t really exist, when the existing IT person is planning to leave, or when the business is small enough that a full in-house function would be too much.
How Richmond shapes the decision
Two factors make Richmond specific: a defense contracting footprint that stretches across the Commonwealth and includes federal contractors in and around the city and a strong healthcare and professional services base. Both bring compliance obligations internal IT staff rarely handle alone.
For defense suppliers, CMMC Phase 1 enforcement began on November 10, 2025, and new DoD contracts now carry CMMC-level requirements as a condition of award. Most Level 2 contracts require implementation of the 110 security requirements in NIST SP 800-171, with self-assessment and affirmation via the Supplier Performance Risk System (SPRS) during Phase 1 and mandatory C3PAO third-party assessments phasing in from November 2026 for applicable contracts. That means months of scoping, documentation, tooling, and remediation. A blended model lets you keep daily operations internal while a specialist handles the CMMC work.
Healthcare providers face HIPAA obligations that work similarly. Your internal person handles clinical IT support, and a specialist handles the audit trail, risk assessments, and breach response planning. Professional services firms without heavy regulatory exposure may not need that depth, but many hit the same after-hours and security coverage limits as everyone else. The specifics change, yet the pattern doesn’t.
Where Infinity Technologies fits
We’ve supported organizations across Virginia since 1996 – SMBs, government contractors, and healthcare providers – and a growing share of what we do now sits on the co-managed side rather than being fully outsourced. That partly reflects how Richmond’s mid-market has evolved. More businesses have internal IT than did ten years ago, but very few have enough of it. Our role tends to be the specialist bench, including 24/7 coverage, compliance depth, security tooling, and someone picking up the phone at 2am when a server goes down.
Managed IT services in Richmond, VA, come in more than one shape. The right one depends on what your internal function looks like today. If you’d like to work through it with someone who’s done both for nearly three decades, our Richmond team can help.
