CMMC Consulting Services: What to Buy, How to Vet, and the Independence Rule That Limits Who You Can Hire
The Bottom Line, Before You Scroll
For most Defense Industrial Base (DIB) contractors searching for CMMC consulting services, the right first purchase is a readiness engagement — not a Certified Third-Party Assessment Organization (C3PAO) assessment. A credible consultant confirms your Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) scope, identifies your CMMC level and assessment type from the contract clause, builds your System Security Plan (SSP) against the 110 security requirements in NIST SP 800-171 Revision 2, identifies gaps, and guides remediation — then steps aside so a separate C3PAO can conduct the actual certification assessment. That sequence is not optional: the Cyber AB conflict-of-interest rules embedded in the CMMC Assessment Process (CAP) and in R2002 (January 2026) prohibit the same firm from doing both.
The rest of this page is the buyer’s guide we wish existed when we started covering this market: what consulting actually includes, what it costs at your size and Level, the Cyber AB independence rule that quietly disqualifies most “we’ll handle the whole thing” pitches, and the nine-point checklist that separates a defensible engagement from a six-figure billable wish.
What We Actually Verified
We built this page against primary sources. On May 26, 2026, we re-opened each of the following documents:
- 32 CFR Part 170 (the CMMC Program Rule) became effective December 16, 2024, published October 15, 2024 at 89 FR 83092. Source: Federal Register; eCFR.
- The DFARS final rule (Case 2019-D041, 48 CFR Part 204) implementing CMMC into contracts became effective November 10, 2025, published September 10, 2025. Source: Federal Register.
- Phase 1 runs November 10, 2025 – November 9, 2026. Per 32 CFR § 170.3(e), Phase 2 begins November 10, 2026; Phase 3 November 10, 2027; Phase 4 November 10, 2028.
- CMMC Level 2 incorporates NIST SP 800-171 Revision 2 (110 security requirements, 14 control families). NIST has published Revision 3, but the controlling CMMC rule still references Revision 2 unless and until DoD amends 32 CFR Part 170. Source: NIST CSRC.
- Level 3 layers a selected subset of NIST SP 800-172 enhanced requirements onto a Final Level 2 certification and is assessed by DIBCAC, not by a C3PAO.
- Cyber AB CMMC Assessment Process (CAP) requires C3PAOs to identify and manage conflicts of interest and to not proceed if a conflict cannot be sufficiently mitigated. The CAP requires a C3PAO and Assessor Conflict of Interest Attestation stating that assessment team members and the C3PAO have not provided consulting, advisory, or implementation support to the OSC.
- Cyber AB R2002 — C3PAO Accreditation Requirements (January 2026) builds C3PAO accreditation on ISO/IEC 17020:2012 as a Type A inspection body — meaning a C3PAO that also offers consulting services or managed services cannot operate as Type A and therefore cannot conduct the CMMC certification assessment as a fully independent third party. Source: Cyber AB R2002 (January 2026).
- The contractual mechanism in DoD acquisitions is DFARS 252.204-7021 (the CMMC clause itself) and DFARS 252.204-7025 (the solicitation provision used with it under DFARS 204.7504). Related cybersecurity clauses (DFARS 252.204-7012, -7019, -7020) operate alongside but are not the CMMC clause. Source: Acquisition.gov DFARS Subpart 204.75.
- DoD’s modeled cost in the 32 CFR Part 170 Regulatory Impact Analysis is $101,752 for a small entity’s Level 2 certification assessment plus annual affirmation, including a modeled C3PAO cost of $31,234. This is a modeled estimate from the rule’s economic analysis, not a market quote.
At a Glance: The DCR CMMC Consulting Fit Matrix
If you remember nothing else from this page, remember this table. It maps your situation to the first thing to buy, the thing not to buy first, and the primary-source anchor for the call.
| Your situation | Buy first | Do not buy first | What the engagement should produce | Primary-source anchor |
|---|---|---|---|---|
| FCI only; contract points to Level 1 | Light readiness review or internal self-assessment | C3PAO assessment | Evidence that the 15 FAR 52.204-21(b)(1) basic safeguarding requirements are implemented; senior official annual affirmation in SPRS | FAR 52.204-21; 32 CFR § 170.14 |
| CUI; contract points to Level 2 (Self-assessed) | RPO/readiness consultant; add MSSP if operational gaps exist | C3PAO assessment unless the contract specifically requires it | CUI scope memo, SSP against NIST SP 800-171 Rev. 2, basic-assessment score posted in SPRS, POA&M, annual affirmation workflow | 32 CFR Part 170; DFARS 252.204-7019/-7020 |
| CUI; contract requires Level 2 (C3PAO-assessed) but not yet ready | RPO/readiness consultant + technical remediation, with a separate C3PAO selected later | A C3PAO assessment slot before scope and evidence are ready | Validated scope, SSP, evidence map, remediation roadmap, mock assessment, clean handoff package | 32 CFR Part 170; Cyber AB CAP |
| Assessment-ready for Level 2 C3PAO | An authorized C3PAO not previously engaged for your readiness | Another readiness engagement | Formal Level 2 certification assessment with reporting and a Conditional or Final status decision | Cyber AB CAP; 32 CFR Part 170 |
| Level 3 anticipated | Federal-contracts counsel + experienced RPO + plan for DIBCAC | Assuming a C3PAO can “certify Level 3” | Final Level 2 readiness, Level 3 gap analysis against selected NIST SP 800-172 controls, DIBCAC-readiness plan | 32 CFR Part 170 |
| Cloud, MSP, or ESP touches CUI | Consultant + MSP/MSSP/cloud architect with documented CUI/ESP evidence treatment | A generic IT provider with no CMMC evidence plan | CSP/ESP treatment documented in SSP, FedRAMP Moderate authorization or equivalency where required, evidence package | 32 CFR Part 170; Cyber AB CAP |
| Prime says CMMC flow-down is coming but no clause exists yet | Contract/flow-down clarification + light triage | A full readiness buildout before scope is known | Non-sensitive contract-trigger summary, FCI/CUI determination, recommended provider category | DFARS 252.204-7021 |
Not sure which row you’re in?
Take the 60-second CMMC provider matcher — answer seven scope questions and we’ll route the inquiry to the right category.
What CMMC Consulting Services Actually Cover
CMMC consulting services are readiness and assessment-preparation services that help a Defense Industrial Base contractor reach the CMMC status its contract or flow-down requires. The Cyber AB ecosystem roles for this work are the Registered Practitioner Organization (RPO) and the individual Registered Practitioner (RP) or Registered Practitioner Advanced (RPA). The same work can also be delivered by qualified MSPs, MSSPs, vCISOs, GRC platforms, and in-house teams, none of which hold a Cyber AB consulting credential but all of which may provide legitimate support.
“CMMC consultant” is a market term, not a single official credential, and none of the providers using it issues the CMMC certification; that is the C3PAO’s role. The vendor pages currently ranking for “CMMC consulting services” are largely sales pages for one firm’s bundle; none of them shows you the deliverables table, the independence rule, or the cost matrix by size. This page does.
The Nine Deliverables a Credible Engagement Should Produce
- CUI/FCI Scoping Memo. A documented identification of where covered information is processed, stored, and transmitted, which systems and people are in scope, and the rationale for any scope-reduction strategy such as an enclave. Scope is the highest-leverage decision in a CMMC program. A well-scoped engagement can materially reduce the systems, users, assets, and evidence included in the CMMC assessment scope compared with placing the entire enterprise in scope.
- System Security Plan (SSP). A written description of how your organization meets each of the 110 NIST SP 800-171 Revision 2 security requirements within your defined scope. The SSP is the document a C3PAO will read first.
- Plan of Action and Milestones (POA&M). Open items with owners, dates, and explicit notation of which requirements are eligible to remain on the POA&M at assessment time. Under 32 CFR Part 170, a Conditional Level 2 status is allowed only when the assessment score divided by 110 is at least 0.8 (a score of 88 or higher), no POA&M item has a point value greater than 1 (with a narrow exception for SC.L2-3.13.11 CUI Encryption where encryption is employed but not FIPS-validated), and the POA&M is closed out within 180 days; otherwise the Conditional status lapses.
- Evidence Inventory. A mapping of named artifacts (configurations, screenshots, logs, policies, training records) to each in-scope requirement.
- SPRS Score Support. Calculation of your basic-assessment score under the NIST SP 800-171 DoD Assessment Methodology (110 points minus a weighted deduction of 1, 3, or 5 for each unmet requirement) and a walkthrough of the Supplier Performance Risk System (SPRS) posting workflow. SPRS is the DoD’s system of record for scores posted under DFARS 252.204-7019 and -7020 and for CMMC status under the Final Rule.
- Mock Assessment. A practice run using the examine, interview, and test methods that the C3PAO will use, against a sample of higher-risk controls.
- Control Implementation Guidance. Written guidance for closing gaps, scoped to your environment: Microsoft 365 GCC High, AWS GovCloud, on-prem, or hybrid. Note: guidance is not the same as implementation labor. If you need engineers to deploy MFA across 400 endpoints, that’s a separate scope of work.
- Annual Affirmation Briefing. The process for the senior official’s annual affirmation that the CMMC status remains current and the controls remain in place.
- Stop-Line Statement. A written boundary saying the consultant disengages at assessment readiness and a separate C3PAO conducts the certification. This is what preserves your assessor independence.
If a proposal doesn’t name those nine artifacts as deliverables — explicitly, in writing, with completion criteria — ask why.
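The scoring and POA&M rules behind the POA&M and SPRS Score Support deliverables above are mechanical enough to check in code. The following is an added example written for this page, not code from the Cyber AB, DoD, or any vendor: it computes a DoD Assessment Methodology score from a list of unmet requirements and applies the 32 CFR 170.21 conditions for Conditional Level 2 status. The weight table is a constructed subset of the methodology’s Annex A, the sample findings are constructed, and the list of 1-point requirements barred from a POA&M is reproduced from the editor’s reading of § 170.21(a)(2)(iii); verify both against the published sources before relying on them.

```python
# Added example (editor's illustration, not code from the page, the Cyber AB
# or DoD): score a NIST SP 800-171 assessment under the DoD Assessment
# Methodology and test the 32 CFR 170.21 conditions for Conditional Level 2.
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110        # NIST SP 800-171 Rev. 2
CONDITIONAL_RATIO = 0.8         # 170.21(a)(2)(i): score / 110 >= 0.8, i.e. 88
POAM_CLOSEOUT_DAYS = 180        # POA&M must be closed out within 180 days

# Constructed subset of the Annex A weights (requirement id -> points
# deducted when not met). A real run needs all 110; unknown ids are rejected.
WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "AT.L2-3.2.3": 1, "IA.L2-3.5.1": 5, "IA.L2-3.5.2": 5, "IA.L2-3.5.3": 5,
    "PE.L2-3.10.3": 1, "PE.L2-3.10.4": 1, "PE.L2-3.10.5": 1,
    "SC.L2-3.13.1": 5, "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
}
# Two requirements take a reduced 3-point deduction when partially met:
# MFA (3.5.3) for remote/privileged but not general users, and CUI
# encryption (3.13.11) employed but not FIPS-validated.
PARTIAL_DEDUCTION = {"IA.L2-3.5.3": 3, "SC.L2-3.13.11": 3}
# The only >1-point item allowed to stay open on a POA&M (170.21(a)(2)(ii)),
# and only in its partial (not-FIPS-validated) state.
POAM_EXCEPTION = "SC.L2-3.13.11"
# 1-point requirements the rule still bars from a POA&M (170.21(a)(2)(iii)).
# Assumption: list from the editor's reading of the rule text; check the eCFR
# and the Level 2 Scoping Guide for the current set.
NEVER_ON_POAM = {"AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3",
                 "PE.L2-3.10.4", "PE.L2-3.10.5"}


@dataclass(frozen=True)
class Finding:
    """An unmet requirement from the assessment (a prospective POA&M item)."""
    req: str
    partial: bool = False   # only valid for IA.L2-3.5.3 / SC.L2-3.13.11


def deduction(f: Finding) -> int:
    """Points deducted for one unmet requirement."""
    if f.req not in WEIGHTS:
        raise KeyError(f"{f.req} is not in the weight table")
    if f.partial:
        if f.req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{f.req} has no partial-credit scoring")
        return PARTIAL_DEDUCTION[f.req]
    return WEIGHTS[f.req]


def sprs_score(findings) -> int:
    """DoD Assessment Methodology score: 110 minus all deductions."""
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def level2_status(findings) -> tuple:
    """Return ('Final' | 'Conditional' | 'Not Met', reasons) per 32 CFR 170.21.

    Final needs every requirement met. Conditional needs a score ratio of at
    least 0.8 and a POA&M holding only 1-point items (plus the 3.13.11
    exception) and none of the barred requirements.
    """
    if not findings:
        return "Final", []
    reasons = []
    s = sprs_score(findings)
    if s / TOTAL_REQUIREMENTS < CONDITIONAL_RATIO:
        reasons.append(f"score {s}/{TOTAL_REQUIREMENTS} is below the 0.8 ratio (88)")
    for f in findings:
        pts = deduction(f)
        if f.req in NEVER_ON_POAM:
            reasons.append(f"{f.req} may not be placed on a POA&M at all")
        elif pts > 1 and not (f.req == POAM_EXCEPTION and f.partial):
            reasons.append(f"{f.req} ({pts} points) cannot stay open on a POA&M")
    return ("Conditional" if not reasons else "Not Met"), reasons


def poam_deadline(conditional_status_iso: str) -> str:
    """Last day (ISO date) for the POA&M closeout after Conditional status."""
    start = date.fromisoformat(conditional_status_iso)
    return (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


if __name__ == "__main__":
    # Constructed sample: encryption in use but not FIPS-validated, plus one
    # missing insider-threat training topic. Score 106, eligible for Conditional.
    sample = [Finding("SC.L2-3.13.11", partial=True), Finding("AT.L2-3.2.3")]
    print(sprs_score(sample), level2_status(sample))
    print(poam_deadline("2026-03-02"))
```

Extend WEIGHTS to all 110 requirements before running it against a real gap list. The point of `level2_status` is that a score above 88 alone does not qualify you for Conditional status: any 3- or 5-point gap other than non-FIPS-validated encryption, or any of the barred 1-point items, keeps the result at Not Met regardless of the number.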
The One Damaging Admission We Owe You
CMMC consulting services will not, by themselves, make your company compliant. If your CUI is scattered across personal email accounts, consumer file-sharing tools, unmanaged endpoints, and undocumented workflows, a consultant will find the problem and tell you what’s broken — but you’ll still need remediation labor, often managed services, often a cloud migration, and almost always cultural change inside the company before you can credibly walk into a C3PAO assessment.
Here’s the pivot: that’s exactly why you’re hiring a consultant. The C3PAO is not going to be lenient because you bought a platform. The DoD contracting officer is not going to extend the option period because you tried hard. A competent consultant’s job is to tell you, on day 10, that the SSP you’ve been editing for six months doesn’t match the environment your IT team built. That conversation is what you’re buying.
When You Need a CMMC Consultant — and When You Should Walk Away
You should hire a CMMC consultant if your contract requires Level 2 (self-assessed or C3PAO-assessed), your internal team lacks NIST SP 800-171 Revision 2 fluency, your CUI environment is not yet scoped, or you have less than 12 months until a Phase 2 or Phase 3 requirement applies to your contracts. You probably shouldn’t if your only obligation is Level 1, your DoD revenue is small relative to compliance cost, or you already maintain mature ISO 27001 or SOC 2 documentation with a strong internal security team. Disqualifying yourself is also a credible move.
Use this segmentation table to find yourself.
| If you are… | Then… |
|---|---|
| Level 1 only, FCI handling, strong internal IT | Self-driven is likely OK. Start with the CMMC Readiness Checklist. |
| Level 2 self-assessed, low maturity, no internal compliance lead | Hire an RPO or RP/RPA for a scoped readiness engagement. Don’t buy a multi-year retainer; buy a defined readiness program. |
| Level 2 C3PAO-assessed, any maturity | Hire an RPO with named RPs/RPAs. Verify the Cyber AB Marketplace listing. Preserve assessor independence by choosing a separate C3PAO. |
| Level 3 anticipated | Engage federal-contracts counsel, plus an RPO with Level 3 experience, plus plan for DIBCAC. |
| Already certified to ISO 27001 or SOC 2 with mature evidence | A small scoping engagement plus a GRC platform may close the gap. Don’t overbuy. |
| Small DoD revenue, mostly commercial business | Run the cost-of-compliance math before committing a multi-quarter program. Walking away from DoD work is sometimes the right call. |
If you fell in the first or last row, the rest of this page may not apply to you. We’d rather lose you to the checklist than overbuy. Come back when the contract picture changes.
In the Level 1 or self-driven category?
Use the Readiness Checklist first — a 32-point checklist mapped to NIST SP 800-171 Revision 2 control families. Free.
The Six Provider Categories That Compete for the “CMMC Consultant” Slot
When you search “CMMC consulting services” and start taking sales calls, six different provider categories will respond to your RFQ — Registered Practitioner Organizations (RPOs), individual Registered Practitioners (RPs/RPAs), MSSPs offering CMMC consulting, virtual or fractional CISOs (vCISOs), GRC platform consulting arms, and in-house plus platform-only approaches. They are not interchangeable. Among consulting and readiness roles, RPOs and RPs/RPAs are the Cyber AB credentialed categories; the others can still provide legitimate value, but for different problems and at different cost structures.
This is the comparison table buyers currently have to build themselves across five tabs. Here it is in one place.
| Dimension | RPO | Individual RP / RPA | MSSP-as-consultant | vCISO / fractional CISO | GRC platform + services | In-house + platform |
|---|---|---|---|---|---|---|
| Cyber AB consulting credential? | Yes — RPO listing in the Marketplace | Yes — RP or RPA listing | No (some are also RPOs) | No, unless paired with an RPO | No (some vendors are also RPOs) | N/A |
| Issues CMMC certification? | No | No | No | No | No | No |
| Common engagement model | Project + retainer | Hourly or project | Retainer plus readiness project | Monthly retainer | Subscription + paid services | Subscription + internal labor |
| Typical readiness-only cost (Level 2 mid-size DIB) | $50K–$300K total | $250–$400/hr; $40K–$120K project | $50K–$250K readiness + ongoing fees | $4K–$15K/month | $20K–$100K + paid services | $10K–$50K/year platform only |
| Primary deliverables | The nine artifacts above | Same, scaled down | Above + ongoing operational control delivery | Strategic guidance, board reporting | Workflows, evidence, policy library | Self-driven readiness |
| Independence implication | Cannot also be your C3PAO under Cyber AB rules | Same | Same | Independent C3PAO required | Independent C3PAO required | None — you’re self-driven |
| Best fit when… | You start at low maturity and need full Level 2 readiness | You have internal capacity and need expert hours | You lack operational security AND need readiness | You want governance, not implementation | You have internal labor but no tooling | You have a mature in-house team |
| Avoid when… | You only need a few hours | Scope is enterprise-wide for one person | The MSP role obscures the assessment boundary | You need hands-on remediation | You’re below the maturity floor | You have no internal security expertise |
| What to verify | Marketplace RPO listing; named RPs/RPAs; DIB references; written stop-line at assessment readiness | Marketplace RP/RPA listing; named engagements | All RPO checks PLUS whether MSP scope overlaps assessment boundary | Federal contracts experience; CMMC fluency | Current NIST 800-171 Rev. 2 mapping; evidence export; SPRS support | Vendor’s update commitment to the controlling rule version |
| Red flag pattern | “We can also be your C3PAO” | Practitioner with no listed engagements | “We’ll do the assessment too” | Generalist CISO with no CMMC-specific work | “The platform makes you compliant” | “Just buy the platform” for low-maturity buyers |
Get matched by provider category, not by sales pitch.
Tell us your Level, scope, environment, and timeline. We’ll route the inquiry to the right category. Free. No obligation.
For the broader ecosystem map, including C3PAOs, CUI enclaves, and federal contracts counsel, see our CMMC provider categories reference.
What CMMC Consulting Services Actually Cost in 2026
For a Level 2 readiness engagement, our editorial planning ranges for the readiness portion alone span roughly $25,000 to $300,000+ depending on employee count, environment, and starting maturity. The DoD’s own Regulatory Impact Analysis in 32 CFR Part 170 modeled $101,752 for a small entity’s Level 2 certification assessment and annual affirmation (including $31,234 in modeled C3PAO assessment cost), but that figure estimates the assessment-and-affirmation burden DoD used in its economic analysis, not the market price of the multi-month readiness consulting that comes before it. Costs in this section exclude the C3PAO assessment fee itself, CUI enclave or GCC High licensing, GRC platform subscriptions, security tooling, and internal labor.
The cost ranges below are the table buyers actually need: segmented by company size, Level, and assessment type. Each cell is the readiness consulting cost only.
The DCR CMMC Consulting Cost Reality Matrix
| Employee count | Level 1 (Self) | Level 2 (Self-assessed) | Level 2 (C3PAO-assessed) | Level 3 |
|---|---|---|---|---|
| 1–25 | $3K–$8K | $25K–$60K | $60K–$120K | Rare population — DIBCAC-led; consult counsel |
| 26–100 | $5K–$12K | $40K–$90K | $80K–$200K | Engagement-by-engagement |
| 101–500 | $8K–$20K | $60K–$150K | $150K–$300K | $200K–$400K+ readiness portion |
| 501+ | $15K–$30K | $100K–$250K | $250K–$500K+ | $400K–$800K+ readiness portion |
What drives you toward the high end of the range:
- Large CUI footprint that resists scope reduction
- Mixed-cloud environments (commercial Microsoft 365 mixed with GCC High mixed with on-prem CUI)
- No existing NIST 800-171 documentation
- Weak identity and MFA baseline
- Multiple sites or subsidiaries
- Flow-down obligations to multiple subcontractors
What drives you toward the low end:
- Narrow CUI workflows that enclave cleanly
- Existing ISO 27001 or SOC 2 documentation usable as crosswalk input
- Established identity, logging, and endpoint baselines
- Single-cloud environment
- Tight executive sponsorship
What the matrix does not include:
- C3PAO assessment fees (a separate engagement, separately priced)
- CUI enclave or GCC High licensing (per-user, per-month)
- GRC platform subscriptions
- Security tooling (SIEM, endpoint, MFA, encryption)
- Remediation labor
- Internal staff time
Want the full cost picture including assessment fees, tooling, and remediation?
CMMC Consultant vs. C3PAO: What’s the Difference?
A CMMC consultant (typically an RPO or RP/RPA) prepares you for assessment — scoping, SSP, evidence, mock assessment, remediation guidance. A C3PAO conducts the official Level 2 certification assessment when your contract requires it. Under Cyber AB conflict-of-interest rules, a C3PAO cannot also serve as your readiness consultant for the same engagement, which means most defense contractors preparing for a Level 2 C3PAO assessment engage two separate firms — one for readiness, a different one for assessment.
The distinction confuses buyers because both roles call themselves “CMMC providers” in marketing. Here’s the operational difference in one line each:
- Consultant (RPO / RP / RPA): “We help you become assessment-ready.” Pays-for-itself measure: a clean SSP, an evidence inventory, a defensible SPRS score, and a stop-line at assessment readiness.
- C3PAO: “We perform the assessment when you’re ready.” Pays-for-itself measure: an objective Examine-Interview-Test review and a Conditional or Final Level 2 status decision submitted to the Cyber AB for quality review.
You’ll engage the consultant first, the C3PAO later, and they won’t be the same firm. The next section explains why.
The Cyber AB Independence Rule: Why Your Consultant Can’t Be Your Assessor
Under the Cyber AB CMMC Assessment Process (CAP), C3PAOs are responsible for identifying and managing conflicts of interest and must not proceed with an assessment if a conflict cannot be sufficiently mitigated. The CAP requires a C3PAO and Assessor Conflict of Interest Attestation stating that assessment team members and the C3PAO have not provided consulting, advisory, or implementation support to the Organization Seeking Certification (OSC). Separately, Cyber AB R2002 — C3PAO Accreditation Requirements (January 2026) — builds C3PAO accreditation on ISO/IEC 17020:2012, which requires a Type A inspection body to be independent of the parties involved; R2002 makes clear that a C3PAO who also offers consulting services or managed services to a given organization cannot operate as a Type A inspection body for that organization’s certification assessment.
This is the single most expensive misunderstanding on the CMMC market right now. A vendor that pitches “we’ll take you all the way through certification” is either misrepresenting how the program works or planning to violate the rule.
Why the Rule Exists
A C3PAO that implemented your controls cannot impartially assess them. The Cyber AB exists to make the certification credible to the DoD. If consultants self-certified their own work, the program would collapse on contact with DIBCAC quality review.
The Independence Decision Tree
When you’re evaluating a provider, walk this logic:
```text
Is the provider authorized/accredited as a C3PAO in the Cyber AB Marketplace?
│
├── NO → They cannot conduct your CMMC Level 2 certification assessment.
│        They can act as a readiness consultant if they hold RPO/RP/RPA status.
│
└── YES → Have they provided consulting, advisory, or implementation support
          to your organization?
          │
          ├── YES → They cannot serve as your assessor under the CAP
          │         conflict-of-interest attestation. Choose a different C3PAO.
          │
          └── NO → They may serve as your C3PAO assessor, subject to the
                   firm's ISO/IEC 17020 Type A independence, internal
                   Quality Management System, and the required written
                   conflict-of-interest attestation.
```
What the Cyber AB Says Out Loud
The Cyber AB CAP explicitly states that the Cyber AB, the CAICO, and the DoD do not make recommendations or facilitated introductions to any C3PAO. They publish the Marketplace; the buyer does the diligence. That’s why a credible independent buyer’s guide matters — there is no official “approved consultant list” to fall back on.
The Practical Consequence for Your Budget
You are paying for two engagements, not one:
- Engagement 1: Readiness consulting with an RPO (typical 6–18 months; cost from the matrix above).
- Engagement 2: Level 2 certification assessment with a separate C3PAO (typical 4–8 weeks of active assessment, plus pre-assessment coordination; priced as a separate engagement).
If a “single quote” covers both, ask which arm of the firm performs which work, demand a written conflict-of-interest attestation, and assume that arm cannot do the other one for you. If they can’t produce the attestation, walk away.
What to Buy First, Based on Why You Started Searching
Buy the service that resolves your current blocker. The first thing on your purchase order should be whatever unsticks the next decision — not whatever the loudest vendor pitched first.
The five most common triggers for “I need a CMMC consultant” each have a different first move.
| Trigger | First buy | Second buy | Don’t buy first |
|---|---|---|---|
| New solicitation includes DFARS 252.204-7021 / -7025 | Clause review + scope/requirement triage | Readiness engagement scaled to the named Level | A full readiness program before you know the Level and assessment type |
| Prime sent flow-down notice | FCI/CUI determination + flow-down clarification | Readiness plan once Level is confirmed | Assuming every prime request means C3PAO assessment |
| No SSP, no SPRS score posted | Readiness consultant or RPO for SSP and scoring | MSSP or GRC platform as gaps emerge | A C3PAO assessment slot |
| Discovered you handle CUI | CUI data-flow mapping and scope-reduction analysis | Technical remediation if needed | Enterprise-wide tool spend before mapping |
| Already received an expensive quote | Cost-bucket normalization (see next section) | Second matched quote on the same defined scope | Signing the first quote |
The most expensive way to fail is to buy in the wrong order. A C3PAO assessment without an SSP is wasted money. A GCC High migration without a CUI scoping analysis is wasted money. An RPO retainer without a defined readiness program is wasted money.
How to Vet a CMMC Consultant: The 9-Point Framework
Vet any CMMC consultant against nine specific facts before signing: their Cyber AB Marketplace listing, named practitioner credentials, a written independence stop-line, three named DIB references, defined deliverables (not vague “help”), NIST SP 800-171 Revision 2 fluency, your specific environment experience, fixed-fee or capped time-and-materials structure, and a written no-certification-guarantee clause. A vendor that won’t supply all nine in writing during the RFQ stage is unlikely to deliver them in the engagement.
1. Cyber AB Marketplace Listing
The check: Open the Cyber AB Marketplace, filter to RPO (or RP/RPA for individuals), and search the exact legal name of the organization. The listing should be active. Screenshot the result with a timestamp.
The red flag: Vendor claims a Cyber AB ecosystem role — RPO, RP, RPA, C3PAO, CCP, CCA, LCCA — and the role does not appear in the Marketplace. Non-credentialed providers may still provide legitimate support, but they should not imply Cyber AB credential status.
2. Named Practitioner Credentials
The check: The proposal should name the specific RPs and RPAs assigned to your engagement. Verify each named individual’s active RP/RPA designation in the Cyber AB Marketplace and ask for project-specific experience.
The red flag: Generic “our team” language with no individual credentials. Hot-swapping practitioners mid-engagement.
3. Written Independence Stop-Line
The check: The engagement language must say in writing that the consultant disengages at the point of assessment readiness and does not also serve as your C3PAO for this engagement.
The red flag: “We can take you all the way through” or “we’ll handle the assessment too.” Treat this as a Cyber AB conflict-of-interest concern under the CAP attestation requirement and R2002 Type A inspection-body independence. Walk away.
4. Three Named DIB References
The check: Three named clients with comparable scope — your industry, your Level, your environment. NDA is acceptable; you should still be able to verify named industry, named Level, and named environment.
The red flag: “We can’t share clients” without exception. A serious RPO has at least three DIB clients willing to take a verification call.
5. Defined Deliverables With Completion Criteria
The check: The nine deliverables listed earlier on this page, named explicitly in the SOW, with written completion criteria for each. Not “we’ll help with your SSP” but “we will deliver an SSP authored against NIST SP 800-171 Revision 2 covering 110 requirements, reviewed by an RPA, with traceability to your evidence inventory.”
The red flag: Vague scope language. T&M billing with no deliverable-tied milestones.
6. NIST SP 800-171 Revision 2 Fluency
The check: Explicit confirmation that the engagement is built against Revision 2 — the controlling version for CMMC Level 2 under 32 CFR Part 170 — not Revision 3.
The red flag: Vendor references “NIST 800-171 Rev. 3” as if it were the current Level 2 control set, or pitches a “Rev. 3 readiness” engagement when your obligation is Rev. 2.
7. Environment Fit
The check: Documented experience in your specific environment — Microsoft 365 GCC High, AWS GovCloud, hybrid, or on-prem CUI enclave. Ask for named engagements in each.
The red flag: Generic “cloud experience.” GCC High and AWS GovCloud have specific configurations and gotchas that consultants without prior engagements miss.
8. Fixed-Fee or Capped T&M
The check: Engagement structured as fixed-fee for the readiness program, or T&M with a clear cap and deliverable-tied milestones.
The red flag: Open-ended T&M. Hourly billing with no cap. “We’ll let you know when we’re done.”
9. Written No-Guarantee Language
The check: The engagement says in writing that the consultant does not guarantee certification outcomes. The Cyber AB CAP prohibits C3PAOs from including guarantees or promises about Level 2 assessment results, or bonus/incentive payments tied to certificate issuance, in their assessment contracts. A credible RPO will follow the same posture.
The red flag: “We’ll get you certified” promises in marketing or in the proposal. Run.
Use the matcher to generate a non-sensitive scope summary, then request quotes.
The intake walks you through six scope inputs (Level, employee count, environment, CUI volume, contract timing, internal capacity) so every responder sees the same defined scope — and the quotes you receive back are actually comparable.
How to Normalize a Quote You’ve Already Received
A high CMMC consulting quote can mean the provider is over-scoping, or it can mean your environment is genuinely complex. Before deciding whether the number is reasonable, break the quote into discrete cost buckets — readiness consulting, remediation labor, managed services, software, cloud/enclave, assessment fees, and sustainment — and compare bucket by bucket. Most quote-shock conversations resolve themselves the moment the buyer sees that one line item is consuming 70% of the total.
The DCR Quote Normalization Table
Walk through any received proposal with this matrix.
| Line item | What it should cover | Question to ask |
|---|---|---|
| Readiness consulting | Scoping, SSP, gap assessment, evidence plan | What deliverables and completion criteria? |
| SSP authoring | Final SSP against NIST 800-171 Rev. 2 | Who owns the document at engagement end? |
| Gap assessment | Findings mapped to evidence and remediation | Is every finding traceable to a control and an owner? |
| Remediation | Labor, tools, cloud migration, or managed services | Is this labor or product? Capped or open-ended? |
| GRC platform | Workflows, evidence, reporting | Can we export evidence and reports? Is the platform reusable after the engagement? |
| MSP / MSSP | Operational control delivery | Which controls do they operate? Which do they document? |
| C3PAO assessment | Separate certification engagement | Is this fenced off as a separate engagement with a separate firm? |
| Sustainment | Annual affirmation, evidence upkeep | What happens after the first assessment? Monthly retainer or quarterly check-in? |
When a High Quote Is Legitimate
- Broad CUI scope with no realistic enclave option
- No existing SSP or evidence baseline
- Weak identity, MFA, and endpoint controls requiring full deployment
- Logging and monitoring capability missing or fragmentary
- Cloud migration to GCC High or AWS GovCloud required
- Multiple business units or geographic sites
- Aggressive timeline driven by Phase 2 (November 10, 2026) or a near-term solicitation
When a High Quote Is Suspicious
- Vendor cannot explain assumptions when asked
- Quote bundles readiness and assessment in a single engagement (independence concern)
- Major tooling included with no data-flow analysis underlying the recommendation
- Existing MSP capabilities ignored or duplicated
- Certification “guarantee” language present
- Per-user platform costs not broken out
- No scoping memo attached as the basis for the engagement
The Clauses and Standards a CMMC Consultant Should Know
A credible CMMC consultant understands how FAR 52.204-21, DFARS 252.204-7012, DFARS 252.204-7019, DFARS 252.204-7020, DFARS 252.204-7021, DFARS 252.204-7025, 32 CFR Part 170, NIST SP 800-171 Revision 2, and NIST SP 800-172 fit together. The CMMC clause itself is DFARS 252.204-7021, and DFARS 252.204-7025 is the solicitation provision used with it under DFARS Subpart 204.75. The other DFARS clauses are related cybersecurity, reporting, and SPRS-posting clauses that operate alongside CMMC but are not themselves the CMMC clause.
Here’s the citation map, in one place. Bring it to your first consultant call. If the answers don’t match, keep shopping.
| Source | Why it matters to a buyer | Primary link |
|---|---|---|
| FAR 52.204-21 | Basic safeguarding requirements for Federal Contract Information; Level 1 maps to its 15 requirements at (b)(1)(i)–(xv). | Acquisition.gov |
| DFARS 252.204-7012 | Safeguarding Covered Defense Information and 72-hour cyber incident reporting; includes cloud security expectations. Related to CMMC but not the CMMC clause itself. | Acquisition.gov |
| DFARS 252.204-7019 | Requires current NIST SP 800-171 assessment information posted in SPRS. | Acquisition.gov |
| DFARS 252.204-7020 | Establishes the DoD Assessment Methodology and SPRS posting mechanics for Medium and High assessments. | Acquisition.gov |
| DFARS 252.204-7021 | The current CMMC contract clause flowing CMMC level requirements into contracts. Defines “current” status and the contractor’s continuing obligations. | Acquisition.gov |
| DFARS 252.204-7025 | The solicitation provision used with 252.204-7021 under DFARS Subpart 204.75. | Acquisition.gov DFARS Subpart 204.75 |
| 32 CFR Part 170 | The CMMC Program Rule. Defines Levels, assessment types, phased implementation, Conditional/Final status, and POA&M conditions. | eCFR |
| NIST SP 800-171 Revision 2 | The 110-requirement control set referenced by CMMC Level 2 under the current rule. | NIST CSRC |
| NIST SP 800-172 | The enhanced requirements catalog from which Level 3 selects controls. | NIST CSRC |
| Cyber AB CMMC Assessment Process (CAP) | The procedural document every authorized C3PAO follows. Defines impartiality and conflict-of-interest attestations. | Cyber AB |
| Cyber AB R2002 — C3PAO Accreditation Requirements (Jan 2026) | C3PAO accreditation requirements built on ISO/IEC 17020:2012 Type A inspection body independence. | Cyber AB R2002 (PDF) |
| DoD SPRS Portal | The system of record for posted NIST 800-171 scores and CMMC status. | SPRS |
The Rev. 2 vs Rev. 3 Trap, and the “Level 1 Has 17 Controls” Trap
NIST SP 800-171 Revision 2 is the controlling control set for CMMC Level 2 under 32 CFR Part 170. NIST has published Revision 3, and Revision 2 is shown as superseded at the NIST publication level — but CMMC is a regulatory program, not a NIST publication. Until DoD amends the CMMC rule, Level 2 maps to Revision 2.
The second common error is “Level 1 has 17 controls.” Level 1 maps to the 15 basic safeguarding requirements at FAR 52.204-21(b)(1)(i) through (xv). The 17 comes from the CMMC mapping of those FAR requirements to NIST SP 800-171 practice identifiers: one FAR requirement, (b)(1)(ix), bundles visitor escort, physical access logs, and control of physical access devices into a single sentence, and the mapping splits it into three separate practices (PE.L1-3.10.3, 3.10.4, and 3.10.5). Fourteen one-to-one mappings plus that three-way split produce 17 rows. The Level 1 source requirements are still 15.
A consultant who can’t keep either of those distinctions straight is a consultant who will build your SSP against the wrong control set.
Timeline Reality: What a 6–18 Month Engagement Actually Looks Like
A typical Level 2 readiness consulting engagement runs 6–18 months from kickoff to assessment-ready, across six phases: discovery and scoping (4–8 weeks), gap assessment (4–6 weeks), control implementation (12–32 weeks, often overlapping), SSP and POA&M authoring (overlapping), evidence preparation and mock assessment (4–8 weeks), and handoff to a separate C3PAO (4–6 weeks of pre-assessment coordination). The longest engagements are organizations starting from low maturity with broad CUI scope; the shortest are organizations with narrow scope and existing security baselines.
The Six Phases
| Phase | Typical duration | Output | Your role |
|---|---|---|---|
| 1. Discovery & scoping | 4–8 weeks | Scoping memo, in-scope inventory | Provide contracts, network diagrams, identity inventory |
| 2. Gap assessment | 4–6 weeks | Findings report, prioritized POA&M | Make decision-makers available for interviews |
| 3. Control implementation | 12–32 weeks | Implemented controls + supporting evidence | Provide internal IT/security labor or contract for implementation |
| 4. SSP & POA&M authoring | Overlaps phases 2 and 3 | Final SSP, current POA&M | Review and approve |
| 5. Evidence prep & mock assessment | 4–8 weeks | Evidence inventory, mock findings, remediation list | Personnel available for mock interviews |
| 6. C3PAO handoff | 4–6 weeks | Pre-assessment package | Engage a separate C3PAO |
What Slips Timelines
The honest answer: it’s almost always implementation, not consulting. Identity and access management rebuilds slip. MFA rollouts across legacy systems slip. CUI workflow redesigns slip. Evidence-gathering across multiple sites slips. Cultural adoption — getting users to stop emailing CUI to personal Gmail — slips most of all.
Phase 2 Is the Real Scarcity
Phase 2 of the rollout begins November 10, 2026. Per 32 CFR § 170.3(e), DoD may require Level 2 (C3PAO) status as a condition of contract award for applicable solicitations from that date forward. If your contracts will face Phase 2 timing, a 12-month readiness engagement starting in mid-2026 has approximately zero buffer before a Phase 2 solicitation could require certification. The math is not subtle.
Red Flags: When to Walk Away
Walk away from any CMMC consultant that guarantees certification outcomes, claims to be both your consultant and your C3PAO, won’t show their Cyber AB Marketplace listing, has no named DIB references, prices the engagement on open-ended T&M, references NIST SP 800-171 Revision 3 as the controlling Level 2 standard, claims affiliation with the Cyber AB or DoD beyond credentialing status, manufactures urgency around Phase timing, or asks you to submit CUI through a normal web form.
- Certification guarantees. The Cyber AB CAP prohibits C3PAOs from including guarantees, promises, or bonus/incentive payments tied to certificate issuance in their assessment contracts. A credible RPO follows the same posture.
- Dual-role pitches. “We’ll do your readiness and your assessment.” Treat this as a Cyber AB conflict-of-interest concern under the CAP attestation requirement and R2002 Type A inspection-body independence.
- No Marketplace listing. A vendor claiming a Cyber AB ecosystem role (RPO, RP, RPA, C3PAO, CCP, CCA, LCCA, ATP, APP) that does not appear in the Marketplace is misrepresenting credential status. Non-credentialed providers may still help legitimately — they just should not imply Cyber AB status.
- No named references. Generic case studies without industry, Level, or environment specifics.
- Open-ended T&M. Hourly billing with no cap, no deliverable-tied milestones, no completion criteria.
- Wrong rule version. References to NIST SP 800-171 Rev. 3 as the controlling Level 2 standard, references to FAR 52.204-21 as having seventeen requirements (the source requirements are 15), or “CMMC 1.0” terminology as current.
- Affiliation claims. “Cyber AB affiliated” without specifics. “DoD-approved.” “Endorsed by DCMA.” None of those phrasings is true of any private firm; Cyber AB credential status and DoD endorsement are not the same thing.
- Manufactured urgency. “Sign this week or you’ll miss Phase 2.” Phase 2 begins November 10, 2026, and applies only when a solicitation includes the requirement, not universally.
- CUI-through-the-web-form ask. No legitimate provider asks for CUI, contract numbers, vulnerability details, or controlled technical information through a normal intake form.
- Vague affiliation disclosures. Providers that are also resellers of GCC High, AWS GovCloud, or a specific GRC platform should disclose the relationship up front. A vendor who’s secretly a GCC High reseller will recommend GCC High whether or not it’s the right environment for your CUI.
Frequently Asked Questions
- What does a CMMC consultant do?
- A CMMC consultant provides readiness and assessment-preparation services for the CMMC program — scoping, System Security Plan authoring, gap assessment against NIST SP 800-171 Revision 2, POA&M planning, evidence preparation, mock assessment, and control implementation guidance. The credentialed consulting roles in the Cyber AB ecosystem are the Registered Practitioner Organization (RPO) and the individual Registered Practitioner (RP) or Registered Practitioner Advanced (RPA). MSPs, MSSPs, vCISOs, and GRC platforms may also provide legitimate CMMC support without holding a Cyber AB consulting credential. A consultant cannot conduct the certification assessment itself — that’s a separate engagement with a C3PAO under Cyber AB conflict-of-interest rules.
- How much does CMMC consulting cost?
- For Level 2 readiness consulting alone, editorial market-planning ranges span roughly $25,000 to $300,000+ depending on employee count, environment, and starting maturity. DoD’s Regulatory Impact Analysis in 32 CFR Part 170 modeled $101,752 for a small entity’s Level 2 certification assessment and annual affirmation, including $31,234 in modeled C3PAO costs — but that figure is the rule’s economic estimate of the assessment-and-affirmation burden, not a market quote for readiness consulting. See the cost matrix above for ranges by company size and Level.
- Do I need a CMMC consultant?
- If your contract requires Level 2 (self-assessed or C3PAO-assessed) and your internal team lacks NIST SP 800-171 Revision 2 fluency, almost always yes. If your obligation is Level 1 only, your DoD revenue is small relative to compliance cost, or you already maintain mature ISO 27001 or SOC 2 documentation with strong internal security, often no. Start with the CMMC Readiness Checklist before hiring anyone.
- What is the difference between an RPO and a C3PAO?
- An RPO is a Registered Practitioner Organization, credentialed by the Cyber AB to provide CMMC readiness consulting. A C3PAO is a Certified Third-Party Assessment Organization, authorized to conduct CMMC Level 2 certification assessments. The two roles are independent under Cyber AB conflict-of-interest rules; a defense contractor preparing for a Level 2 C3PAO assessment will typically engage two separate firms — one RPO for readiness, a different C3PAO for assessment.
- Can a CMMC consultant also perform my assessment?
- Not without a conflict-of-interest concern under Cyber AB rules. The Cyber AB CAP requires a C3PAO and Assessor Conflict of Interest Attestation stating that assessment team members and the C3PAO have not provided consulting, advisory, or implementation support to the OSC. Cyber AB R2002 (January 2026) further builds C3PAO accreditation on ISO/IEC 17020:2012 Type A inspection-body independence, which a C3PAO that also offers consulting or managed services to a given organization cannot satisfy for that organization’s assessment. The practical effect is that most defense contractors preparing for a Level 2 C3PAO assessment engage two separate firms.
- How long does a CMMC consulting engagement take?
- Typical Level 2 readiness engagements run 6–18 months from kickoff to assessment-ready. Low-maturity organizations with broad CUI scope land at the top of the range; organizations with narrow CUI scope and existing security baselines (ISO 27001, SOC 2) land at the bottom. Phase 2 of the CMMC rollout begins November 10, 2026, so a 12-month readiness engagement starting mid-2026 has approximately zero buffer before a Phase 2 solicitation could require certification.
- What is the Cyber AB Marketplace and why does it matter?
- The Cyber AB Marketplace at cyberab.org is the public directory of credentialed CMMC ecosystem participants — RPs, RPAs, RPOs, Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), Lead CCAs (LCCAs), C3PAOs, Authorized Training Providers (ATPs), and Approved Publishing Partners (APPs). For claimed Cyber AB ecosystem roles, verify the role in the Marketplace or the applicable Cyber AB/CAICO source before relying on it. Non-credentialed providers may still provide legitimate support, but they should not imply Cyber AB credential status.
- Should I use NIST SP 800-171 Revision 2 or Revision 3 for CMMC?
- For CMMC Level 2 today, Revision 2. NIST has published Revision 3 and shows Revision 2 as superseded at the publication level, but the controlling CMMC rule (32 CFR Part 170) still incorporates Revision 2 unless and until DoD amends the rule. A consultant who pitches Revision 3 readiness as your Level 2 obligation is using the wrong control set.
- What is SPRS and why does my consultant talk about it?
- SPRS (Supplier Performance Risk System) is the DoD’s portal where defense contractors post NIST SP 800-171 basic-assessment scores under DFARS 252.204-7019 and -7020, and the system of record for CMMC status under the Final Rule. Contracting officers check SPRS for current CMMC status at the required level or higher for each applicable CMMC unique identifier before award, option exercise, or period-of-performance extension. Maintaining a current SPRS posting is a substantive deliverable of most CMMC readiness engagements.
- What is a POA&M and is it allowed under CMMC?
- A Plan of Action and Milestones (POA&M) documents open security gaps with target dates for closure. Under 32 CFR Part 170, a Conditional Level 2 status is allowed only when the assessment score divided by 110 is at least 0.8, no POA&M item has a point value greater than 1 (with a narrow exception for SC.L2-3.13.11 CUI Encryption where encryption is employed but not FIPS-validated), specified excluded requirements are not on the POA&M, and the POA&M is closed within 180 days. Higher-weighted requirements (3-point and 5-point) generally must be fully implemented at assessment time.
- Should I use Microsoft 365 GCC High or AWS GovCloud for CUI?
- It depends on your CUI workflows, your existing environment, your CSP/ESP relationships, and your contract requirements — not on which platform your consultant resells. A consultant who recommends GCC High to every client without doing a data-flow analysis is selling a product, not advice. Ask the consultant to show you the CUI data flow that justifies the environment recommendation.
- Can ISO 27001 or SOC 2 documentation reduce my CMMC cost?
- Yes, as crosswalk input. ISO 27001 and SOC 2 controls overlap meaningfully with NIST SP 800-171 Revision 2, and a competent consultant can reuse mature documentation to reduce SSP authoring effort. But the CMMC Final Rule requires NIST 800-171-mapped evidence specifically, so the crosswalk reduces effort rather than eliminating it.
- What happens if I’m not CMMC-compliant by the time my contract requires it?
- For Phase 1 solicitations and contracts (November 10, 2025 – November 9, 2026), DoD intends to include Level 1 (Self) or Level 2 (Self) CMMC Status requirements where applicable, and may include Level 2 (C3PAO) at its discretion. Contracting officers shall not award if the offeror does not have a current CMMC status posted in SPRS at the required level or higher for each applicable CMMC unique identifier. Level 2 and Level 3 Conditional statuses can support award for a limited window pending POA&M closure; Level 1 requires Final Level 1 for award. For Phase 2 onward, Level 2 C3PAO certification becomes the gate for applicable contracts.
- Is my MSP or MSSP also a CMMC consultant?
- Sometimes, but verify. Some MSPs and MSSPs are also Cyber AB RPOs; many are not. An MSP that runs your identity, endpoints, and logging may be well-positioned to support readiness, but if they’re not credentialed and don’t produce CMMC-specific deliverables, they may not be the right primary consultant. The risk is overlap between the MSP’s operational scope and the CMMC assessment boundary — your readiness package must clearly define which controls the MSP operates and which they document.
- How do I avoid submitting CUI by accident in a quote request?
- Never put CUI, contract numbers, vulnerability details, system diagrams, incident timelines, personal information, or controlled technical information into a normal web intake form. Use a non-sensitive scope summary: your Level, employee count band, environment type, CUI volume estimate, contract timing, and current readiness state. A legitimate provider will tell you to share sensitive information only through a secure channel after engagement.
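The POA&M answer above states the Conditional Level 2 rule in prose: score divided by 110 at or above 0.8, no POA&M item worth more than 1 point except the FIPS-validation case of SC.L2-3.13.11, and a short list of requirements that can never sit on a POA&M. The check below is an added example written for this page, not code from the Cyber AB, DoD, or any consultant. It encodes those conditions so you can run a gap list through them before a mock assessment. Two things are assumptions, labelled in the code: the five never-on-POA&M identifiers are recalled from 32 CFR § 170.21(a)(2)(iii) and should be verified against the current eCFR text, and the weight table is a constructed subset of the 1/3/5-point CMMC Scoring Methodology in § 170.24, not the full table. The 3-point partial deduction for SC.L2-3.13.11 when encryption is employed but not FIPS-validated follows the DoD Assessment Methodology.

```python
"""Conditional Level 2 eligibility check against a list of open NIST SP 800-171 Rev. 2 gaps.

Added example for this page; encodes the 32 CFR Part 170 POA&M conditions described
in the FAQ. Not an official DoD or Cyber AB tool.
"""
from dataclasses import dataclass, field

TOTAL_REQUIREMENTS = 110      # NIST SP 800-171 Rev. 2 security requirements
MIN_SCORE_RATIO = 0.8         # score / 110 must be >= 0.8 for Conditional Level 2
POAM_MAX_POINTS = 1           # no POA&M item may be worth more than 1 point ...
FIPS_EXCEPTION_ID = "SC.L2-3.13.11"
FIPS_EXCEPTION_POINTS = 3     # ... except CUI Encryption employed but not FIPS-validated

# Assumption: the requirements that may never be placed on a Conditional POA&M,
# as recalled from 32 CFR 170.21(a)(2)(iii). Verify against the current eCFR text.
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})

# Constructed illustrative subset of point weights (1, 3 or 5 per requirement).
# The authoritative table is the CMMC Scoring Methodology in 32 CFR 170.24.
SAMPLE_WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1, "AT.L2-3.2.3": 1,
    "AU.L2-3.3.1": 5, "CM.L2-3.4.3": 1, "IA.L2-3.5.3": 5, "IR.L2-3.6.3": 1,
    "MP.L2-3.8.4": 1, "PE.L2-3.10.3": 1, "SC.L2-3.13.11": 5, "SI.L2-3.14.1": 5,
}


@dataclass(frozen=True)
class Gap:
    """One requirement not fully met at assessment time."""
    req_id: str
    fips_partial: bool = False   # only meaningful for SC.L2-3.13.11


@dataclass
class Result:
    score: int
    ratio: float
    eligible: bool
    reasons: list[str] = field(default_factory=list)


def deduction(gap: Gap, weights: dict[str, int]) -> int:
    """Points deducted for a gap: full weight, or 3 for non-FIPS-validated encryption."""
    if gap.req_id not in weights:
        raise KeyError(f"unknown requirement identifier {gap.req_id!r}")
    if gap.fips_partial:
        if gap.req_id != FIPS_EXCEPTION_ID:
            raise ValueError("fips_partial only applies to SC.L2-3.13.11")
        return FIPS_EXCEPTION_POINTS
    return weights[gap.req_id]


def conditional_level2(gaps: list[Gap], weights: dict[str, int] = SAMPLE_WEIGHTS) -> Result:
    """Decide whether the open gaps could support a Conditional Level 2 status.

    Every gap is treated as a POA&M item, so every gap must satisfy the per-item
    limits and the overall score must clear the 0.8 threshold.
    """
    by_id = {g.req_id: g for g in gaps}            # dedupe repeated identifiers
    points = {rid: deduction(g, weights) for rid, g in by_id.items()}
    score = TOTAL_REQUIREMENTS - sum(points.values())
    ratio = score / TOTAL_REQUIREMENTS
    reasons: list[str] = []

    if ratio < MIN_SCORE_RATIO:
        reasons.append(f"score {score}/{TOTAL_REQUIREMENTS} = {ratio:.3f} is below 0.8")
    for rid, gap in by_id.items():
        pts = points[rid]
        if rid in NEVER_ON_POAM:
            reasons.append(f"{rid} may not be placed on a POA&M")
        elif pts > POAM_MAX_POINTS and not (rid == FIPS_EXCEPTION_ID and gap.fips_partial):
            reasons.append(f"{rid} is a {pts}-point item and must be met at assessment time")
    return Result(score=score, ratio=ratio, eligible=not reasons, reasons=reasons)


if __name__ == "__main__":
    demo = [Gap("MP.L2-3.8.4"), Gap("IR.L2-3.6.3"), Gap("SC.L2-3.13.11", fips_partial=True)]
    print(conditional_level2(demo))
    print(conditional_level2(demo + [Gap("IA.L2-3.5.3")]))
```

Run it with your own gap list and the full weight table from § 170.24 substituted for `SAMPLE_WEIGHTS`; the `reasons` list tells you which items have to be closed before the assessment rather than after it. Note that the ratio check alone is rarely what blocks Conditional status in practice: a single open 3- or 5-point requirement disqualifies the POA&M regardless of how high the score is.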
What to Do Next
Start by scoping your CUI environment and reading the contract clause that names your CMMC Level — not by taking a sales call. If you’re Level 1 only, use the CMMC Readiness Checklist and skip most of this page. If you’re Level 2 (self-assessed or C3PAO-assessed), use the cost matrix above to set a realistic budget, request matched quotes from at least three providers using the 9-point framework, and preserve assessor independence by never letting your readiness consultant also serve as your C3PAO. If you’ve already received a quote that feels too high or too vague, run it through the normalization table and request a second matched quote on the same defined scope.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We don’t sell consulting. We don’t perform assessments. We don’t accept editorial-approval rights from sponsors. We do operate a provider-matching form that may generate referral or lead-routing compensation when a matched provider engages with a reader — and we disclose that, every time, including here.
If you want help routing your scope to the right provider category, the matcher takes 60 seconds and routes you to providers whose claimed Cyber AB ecosystem role and status we’ve checked against the Cyber AB Marketplace.
If you’d rather self-scope first, download the CMMC Readiness Checklist: a 32-point checklist mapped to NIST SP 800-171 Revision 2 control families, used to gauge where your organization stands before engaging any provider.