All of Microsoft's stuff is geared toward CIS.
Honestly, the framework choice is irrelevant. CMMC was created by the US Military, NIST was created by the Federal government on the civilian side with input from the NSA and the US military, CIS was created by another US Federal department and wholly civilian... and notably didn't go along with the NSA's insane idea and accept weakened encryption standards...
Then you have ISO 27001, which looks like all of the above combined with a side of PCI-DSS.
They all describe the same thing! None of them are concerned with security; all are simply models, and to prove compliance you document things. I have yet to see an SMB have the budget to adhere to any of them properly.
But I do wish you luck. I closed Intouch because I hit this point, realized what it meant, tried to sell it, got laughed at... then the pandemic hit and far too many good people I know died, and the rest did the... "Rob, you were right!" and either promptly retired or went out of business. I'm more than a little jaded. I'm glad to be servicing all of the above for larger businesses now that actually have budgets.
If you can get a micro business to let you do this:
https://www.cisecurity.org/controls/cis-controls-list That's a HUGE thing.
Though I can make a strong argument that anything less than full implementation of CIS IG1 is tantamount to suicide... but I've also been accused by people around here of securing a tricycle with Fort Knox.
I'm working on getting a CISSP (STILL), a ton of history / legislation to know to get that thing. I think you'll find the study material helpful. FRSecure's annual free boot camp is coming up:
https://frsecure.com/cissp-mentor-program/