CMMC Level 2 Consulting Services: Who to Hire, What It Costs, and What to Verify (2026)
Here’s the truth most CMMC Level 2 consulting services pages won’t tell you: a consultant cannot certify your company. If your DoD contract requires Level 2 (C3PAO) — meaning a third-party certification assessment — you need readiness help from one firm and an official certification assessment from a separate authorized C3PAO (CMMC Third-Party Assessment Organization). The Cyber AB’s three-year independence rule prohibits the same C3PAO that consulted on your readiness from then assessing you. If your contract requires Level 2 (Self), you usually need readiness help plus a self-assessment posted to SPRS (Supplier Performance Risk System), with affirmation at assessment and annual affirmations afterward — the status is current for three years if the annual affirmation stays current. The wrong sequence costs six figures. Below is the provider-fit matrix, real cost ranges from DoD’s Federal Register estimates, the quote-comparison framework, and the verification checklist we use ourselves.
What we actually verified for this article
We read the source documents, not summaries of them. Specifically, the team checked:
- 32 CFR Part 170 — the CMMC Program Rule, published in the Federal Register on October 15, 2024 and effective December 16, 2024.
- The DFARS final rule — the acquisition rule, published in the Federal Register on September 10, 2025 and effective November 10, 2025, which began Phase 1 of the CMMC rollout.
- DFARS 252.204-7021 — the actual CMMC contract clause text on Acquisition.gov, including the exact status terminology (Conditional and Final Level 2 (Self), Conditional and Final Level 2 (C3PAO)) and affirming-official affirmation timing.
- DFARS 252.204-7025 — the solicitation provision that identifies the required CMMC level and assessment type.
- NIST SP 800-171 Revision 2 — the 110 security requirements, organized into 14 control families, which is the controlling baseline for CMMC Level 2 unless DoD amends the rule. Source: NIST CSRC.
- NIST SP 800-171A — the assessment objectives used to evaluate each requirement.
- The DoD CIO CMMC Level 2 Assessment Guide (v2.13).
- Cyber AB CMMC Assessment Process (CAP) v2.0 — including conflict-of-interest, no-remedial-advice, and no-guarantee language.
- Cyber AB Code of Professional Conduct (CoPC) v2.0 — including the three-year consulting conflict prohibition.
- The Cyber AB Marketplace — including listing categories (RPO, RP, RPA, CCP, CCA, Authorized C3PAO) and the most recently reported Cyber AB Town Hall capacity figures.
The fast verdict — pick your row
| If this is your situation | Hire this first | Don’t hire this yet |
|---|---|---|
| Unsure whether you actually handle CUI | A scoping-first readiness consultant (RPO/RP) | Anyone selling you Level 2 work or a C3PAO assessment |
| Contract specifies Level 2 (Self) | RPO/RP, readiness consultant, CMMC-capable MSP/MSSP, GRC tooling | A C3PAO — Self status doesn’t require one |
| Contract specifies Level 2 (C3PAO) but you’re not ready | Readiness consultant + MSP/MSSP and/or CUI enclave | The C3PAO — book them when you’re close to ready, not now |
| Ready for the official Level 2 assessment | An authorized C3PAO (verify “Authorized” status — not “Candidate” — on the Cyber AB Marketplace) | The same firm that did your readiness — that’s an independence problem under the CoPC’s three-year rule |
| You’re being pushed toward Level 3 | RPO with NIST SP 800-172 experience; you’ll prepare for Level 2 first | A C3PAO for Level 3 — DIBCAC (the DoD’s Defense Industrial Base Cybersecurity Assessment Center) performs Level 3 assessments, not C3PAOs |
Do you need a CMMC Level 2 consultant, a C3PAO, or both?
Most defense contractors that handle CUI need readiness help. If the contract requires Level 2 (C3PAO), they also need a separate authorized C3PAO for the official assessment. A consultant prepares you to meet the 110 NIST SP 800-171 Revision 2 security requirements and to defend that implementation under assessment. A C3PAO performs the official Level 2 certification assessment when your contract requires it. Under the Cyber AB Code of Professional Conduct, a C3PAO organization or assessment team member that served as a consultant preparing the Organization Seeking Certification (OSC) for a CMMC assessment within the prior three years cannot participate in that OSC’s Level 2 certification. That’s not a bug — it’s the entire point of the ecosystem.
The damaging admission, said plainly
Here it is, since most vendor pages won’t say it cleanly: a CMMC Level 2 consultant cannot certify your company. Not now, not ever, not even with a perfect engagement. Certification is a separate function performed by an authorized C3PAO that, per CAP v2.0, must manage conflicts of interest, cannot provide remedial advice if the OSC is not ready, and must pause or terminate if a conflict cannot be mitigated.
This sounds like a limitation. It’s not. It’s the reason the rest of this works. If your “consultant” could also issue your certificate, the certificate would be worthless, your prime would discount it, and DoD wouldn’t trust it. So the system splits the work: one firm to help you become ready, a different firm to verify you are.
Why this matters for you: when a vendor pitches “end-to-end CMMC Level 2 services including C3PAO assessment,” scrutinize it. A firm may hold multiple Cyber AB ecosystem roles, but “separate teams” alone is not enough to clear independence. If the C3PAO organization or assessment team previously helped prepare your company for CMMC within the three-year conflict window, that C3PAO should not perform your Level 2 certification assessment. Get the conflict analysis in writing before signing.
What CMMC Level 2 consulting services actually include
A serious CMMC Level 2 consulting engagement covers CUI scoping, asset inventory by 32 CFR Part 170 asset category, System Security Plan (SSP) development, gap assessment against all 110 NIST SP 800-171 Revision 2 requirements, Plan of Action and Milestones (POA&M) development, evidence organization, remediation planning, and assessment readiness. What it does not include is the certification assessment itself. If you can’t tell whether a “consulting” proposal includes those deliverables or just hours-against-vague-CMMC-help, treat that as a red flag.
The 110 requirements, organized into 14 families
For Level 2, NIST SP 800-171 Revision 2 defines 110 security requirements, organized as follows. We list the exact requirement counts because most ranking pages skip this, and a few get it wrong:
| Control family | Count |
|---|---|
| Access Control (AC) | 22 |
| Awareness and Training (AT) | 3 |
| Audit and Accountability (AU) | 9 |
| Configuration Management (CM) | 9 |
| Identification and Authentication (IA) | 11 |
| Incident Response (IR) | 3 |
| Maintenance (MA) | 6 |
| Media Protection (MP) | 9 |
| Personnel Security (PS) | 2 |
| Physical Protection (PE) | 6 |
| Risk Assessment (RA) | 3 |
| Security Assessment (CA) | 4 |
| System and Communications Protection (SC) | 16 |
| System and Information Integrity (SI) | 7 |
| Total | 110 |
Underneath those 110 requirements sit the assessment objectives in NIST SP 800-171A. The Defense Compliance Report counted 320 lettered assessment objectives across the 110 Rev. 2 requirements on May 26, 2026; the count is archived in our editorial fact-check sheet. Your evidence has to satisfy the assessment objectives, not just the high-level requirement. An SSP that says “we have multi-factor authentication” without showing which MFA, on which systems, for which users, with what enforcement, under what policy, is going to fail. The objectives in 800-171A are what your evidence package must answer.
The minimum deliverables that should be in your statement of work
| Deliverable | What it does | The question a buyer should ask |
|---|---|---|
| CUI data-flow map | Defines where CUI enters, lives, moves, and exits | Does this map match how the business actually operates, not just the org chart? |
| Asset inventory by category | Aligns to 32 CFR Part 170 asset categorization | Are all CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets named? |
| System Security Plan (SSP) | The single most important assessment artifact | Does it describe the environment as it actually is, not as we wish it was? |
| Gap assessment | Maps current state against all 110 requirements | Is it mapped to NIST SP 800-171A’s assessment objectives, not just the high-level controls? |
| POA&M | Time-bound remediation plan | Are POA&M items eligible per 32 CFR § 170.21 (not all requirements are POA&M-eligible, and POA&M closeout is required within 180 days)? |
| Evidence plan | One named artifact per objective | What proves each objective, who owns it, and where it lives? |
| MSP/MSSP operating plan | Connects design to daily operations | Who runs logging, vulnerability management, identity, monitoring, and incident response? |
| Assessment-readiness review | Pre-flight before C3PAO | Are we genuinely ready to schedule, or are we forcing the timeline? |
Asset categorization is in the rule itself. 32 CFR Part 170 organizes Level 2 scope around CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets. Most contractors haven’t named which assets fall into which category. That should be the first deliverable of any decent readiness engagement, because every other estimate (cost, timeline, control set, evidence burden) flexes off it.
Which CMMC Level 2 provider category should you choose?
The best CMMC Level 2 provider depends on where your company is stuck: scope, documentation, remediation, operations, secure environment design, or official assessment. Most Level 2 companies need more than one provider category, but they need them in the right sequence. Hire scoping first if scope is unclear. Hire MSP/MSSP if controls aren’t operating. Hire an enclave if scope can’t reasonably be reduced any other way. Hire a C3PAO only when you’re close to ready — not as discovery.
The provider-fit matrix
This is the table competing pages don’t build because it doesn’t sell their service. We do build it because we don’t sell a service.
| Your situation | Best-fit category | What they can do | What they cannot do | What to verify |
|---|---|---|---|---|
| You handle FCI only, no CUI | Usually not Level 2 at all — Level 1 self-assessment with light RP/RPO help if needed | Confirm Level 1 scope, annual self-assessment under the 15 safeguards from FAR 52.204-21 | Turn FCI-only work into Level 2 work unless your contract requires it | Contract clause language; data type classification |
| You handle CUI and contract says Level 2 (Self) | RPO, RP, readiness consultant, or CMMC-capable MSP/MSSP | Scope CUI, build the SSP, run gap assessment, organize evidence, prepare the SPRS submission and affirming official’s affirmation | Issue a CMMC certificate or Final Status determination | RPO listing on the Cyber AB Marketplace; CCP or RP credentials on the specific staff assigned |
| You handle CUI and contract says Level 2 (C3PAO) but you’re not ready | Readiness consultant plus separate authorized C3PAO at the end | Two distinct engagements: readiness, then assessment | The same firm should not remediate you and then assess you (CoPC three-year conflict applies) | RPO listing first; verify the prospective C3PAO is “Authorized” (not “Candidate”) on the Cyber AB Marketplace |
| You are close to ready for official Level 2 (C3PAO) assessment | Authorized C3PAO | Perform the Level 2 certification assessment and issue a Status determination via CMMC eMASS, which transmits to SPRS | Provide remedial advice if you’re not ready and continue the same assessment (CAP v2.0 prohibits this) | Authorized status on the Cyber AB Marketplace; CCA (Certified CMMC Assessor) staff; Lead CCA experience with your environment |
| CUI is spread across all your business systems | CUI enclave (GCC High, AWS GovCloud, or equivalent) + RPO | Isolate CUI workflows to reduce assessment scope and ongoing cost | Eliminate all organizational obligations — you still need controls inside and around the enclave | CSP product/service offering is FedRAMP Moderate authorized or equivalent under DoD policy when it processes, stores, or transmits CUI; CRM/shared-responsibility documentation is clear |
| You use cloud or external service providers (CSPs/ESPs) | CSP/ESP-aware consultant or MSP/MSSP | Map shared responsibility, document the ESP/CSP relationship in the SSP, obtain the service description and Customer Responsibility Matrix (CRM) | Make a commercial cloud “CMMC-compliant” by itself | For Level 2 (C3PAO) with cloud handling CUI, the rule requires FedRAMP Moderate authorization or equivalent; include a Customer Implementation Statement (CIS) where the CSP/equivalency package requires it |
| You’re a prime flowing CMMC down to subs | RPO/RP + contracts/compliance support | Map flow-down per DFARS 252.204-7021, track subcontractor CMMC status | Make legal determinations without counsel | DFARS 252.204-7021 flowdown language; CAGE codes for each subcontractor in scope |
| You may be Level 3 | RPO with NIST SP 800-172 experience first; assessment by DIBCAC, not by a C3PAO | Prepare you for the Level 2 prerequisite and the Level 3 subset | Have a C3PAO perform the Level 3 assessment (DIBCAC does it) | DIBCAC engagement history; NIST SP 800-172 implementation experience |
RPO and RP — readiness consulting
A Registered Provider Organization (RPO) is a firm that has signed an agreement with the Cyber AB to provide CMMC advisory services. A Registered Practitioner (RP) is the individual credential, with a more advanced version called RPA. RPOs and RPs help with scoping, gap assessments, SSP authorship, POA&M development, evidence organization, and assessment readiness. They do not — and cannot — issue a CMMC certification. Per the Cyber AB’s role definitions, RPs and RPOs provide non-certified advisory services.
This is where most Level 2 engagements should start. The most common mistake we see in our editorial review of consulting RFPs is contractors who skip readiness and go straight to talking with a C3PAO, only to find out the C3PAO can’t tell them what to fix without compromising the assessment.
MSP and MSSP — operational support
A Managed Service Provider (MSP) handles day-to-day IT operations. A Managed Security Service Provider (MSSP) handles security operations specifically (SIEM, EDR, vulnerability management, logging, identity, monitoring). For Level 2, the MSP/MSSP question matters two ways. First, your controls have to actually operate every day — many of the 110 requirements are operational, not documentary. Second, if your MSP/MSSP touches CUI or your security protection assets, the MSP/MSSP itself is in your assessment scope as an External Service Provider (ESP) under 32 CFR Part 170. Services used to meet your CMMC requirements are assessed within your scope, and they must be documented in your SSP with a service description and a Customer Responsibility Matrix (CRM).
Practical implication: if your current MSP can’t articulate their own CMMC posture in writing, you have a problem to solve before assessment, not after.
GRC platforms — evidence and workflow
Governance, Risk, and Compliance (GRC) platforms are software, not consultants. They organize the 110 controls, store evidence, generate SSPs and POA&Ms, track ownership, and report status. Software helps a mature program; it doesn’t create one. The most defensible way to use a GRC platform is to bring it in after you have scope, an SSP draft, and a remediation plan — not before, because the platform will only structure what you give it.
CUI enclaves and secure cloud — scope reduction
A CUI enclave is an isolated environment (often GCC High or AWS GovCloud) where CUI is processed, stored, and transmitted, separated from the rest of the business. The strategic value: if your CUI scope is the whole company, you have to assess the whole company. If you can legitimately move CUI into an enclave, your assessment boundary shrinks. Enclaves don’t make you compliant by themselves — you still need to implement controls inside the enclave and document the shared-responsibility model. But for small and mid-sized contractors, an enclave is often the single biggest cost lever.
A note on choices: Microsoft 365 GCC is not the same as GCC High. For CMMC Level 2, the rule question is whether the cloud service offering that processes, stores, or transmits CUI is FedRAMP Moderate authorized or equivalent under DoD policy. ITAR, export-controlled data, or DoD impact-level requirements may push a contractor toward GCC High, but don’t treat “GCC vs. GCC High” as a substitute for a proper scope and data-type analysis. Get this analysis right early — migrating in the middle of remediation is the most expensive way to fix it later.
C3PAO — the assessor, not the consultant
A CMMC Third-Party Assessment Organization (C3PAO) is authorized by the Cyber AB to perform the official Level 2 certification assessment. C3PAO authorization requires a Cyber AB application, agreement to the Code of Professional Conduct, organizational background checks, a DCSA FOCI (foreign ownership, control, or influence) review, a DIBCAC Level 2 assessment of the C3PAO’s own environment, a CAGE code, qualified staffing (Lead CCA, CCAs, QA personnel), professional liability insurance, and progress toward ISO/IEC 17020 accreditation as an inspection body. This is intentionally hard. It’s also why the C3PAO count is in the low triple digits.
Hire a C3PAO when you’re close to ready. Verify “Authorized” status — not “Candidate” status — on the Cyber AB Marketplace before signing anything.
How much do CMMC Level 2 consulting services cost in 2026?
There’s no single market rate for CMMC Level 2 consulting services, but there are defensible anchors. DoD’s published cost analysis in the 32 CFR Part 170 final rule gives baseline estimates for assessment support. Real-world readiness and remediation costs sit on top of those. Public provider price examples and observed market commentary show quoted hourly rates between roughly $200 and $400, with total readiness engagements commonly $50,000–$300,000 or more depending on scope, environment, starting maturity, and remediation depth.
What the Federal Register actually says
Per DoD’s cost analysis published in the 32 CFR Part 170 final rule (Federal Register, October 15, 2024), modeled cost estimates for assessment support — not full implementation — are:
| DoD-published estimate (32 CFR Part 170 cost analysis) | Initial assessment | Three-year cost |
|---|---|---|
| Small entity, Level 2 (Self) assessment support | $34,277 | $37,196 |
| Other-than-small entity, Level 2 (Self) assessment support | $43,403 | $48,827 |
| Small entity, Level 2 (C3PAO) certification support | $101,752 | $104,670 |
| Other-than-small entity, Level 2 (C3PAO) certification support | $112,345 | $117,768 |
The C3PAO estimates assume a 120-hour engagement at roughly $31,234 for small entities and a 200-hour engagement at roughly $52,056 for other-than-small entities. These are DoD’s published assumptions, not market quotes.
Critically — and this is where vendor pages frequently mislead readers — these figures assume the contractor has already implemented the NIST SP 800-171 Revision 2 requirements. They are cost estimates for the assessment and affirmation work, not for getting you ready. DoD updated these estimates upward in the final rule in response to public comments that the proposed-rule numbers underestimated outsourced IT, consulting, senior management time, and preparation effort. They’re still floors, not ceilings.
What public provider examples show
These are transparent public-price examples, not a market average. Each provider page was checked on the date below and should be re-verified before contracting.
| Public example | Source type | Date checked | What was disclosed | Use limitation |
|---|---|---|---|---|
| First Column (provider service page) | Provider’s own pricing page | May 2026 | Level 2 self-assessment consulting $20,000–$40,000+; C3PAO third-party assessment $90,000–$200,000+ | One provider’s range; do not generalize |
| SysAudits (provider pricing page) | Provider’s own pricing page | May 2026 | C3PAO Level 2 assessment $28,000–$35,000; readiness review $15,000–$19,000; additional consulting $225/hour | One provider’s range; verify scope assumptions before quoting |
| Public r/CMMC voice-of-customer | Self-reported buyer post | 2025 | One small contractor reported consultant quotes of ~$100K for a roughly 20-user CMMC scope, consulting only | Anecdotal cost shock; not pricing evidence |
What drives total cost up
You should expect the following to inflate any Level 2 budget:
- CUI scope size — every additional system, user, location, and CAGE code expands assessment surface.
- Environment posture — Microsoft 365 GCC vs. GCC High vs. AWS GovCloud vs. on-prem vs. hybrid. Migration is its own line item.
- Logging and monitoring maturity — if you don’t have it, you’re buying it: SIEM, EDR, vulnerability management, identity governance.
- Documentation depth — most contractors don’t have an SSP that actually describes the environment as it is.
- MSP capability gap — if your MSP doesn’t support CMMC operations, you’re either changing MSPs or adding an MSSP.
- Cryptographic posture — FIPS-validated encryption, key management, and module validation often surface late.
- Subcontractor flow-down — primes managing CMMC across many subs add governance and tracking cost.
If a vendor quotes you a fixed price without naming these drivers and their underlying assumptions, you’re not getting a quote — you’re getting a guess.
Level 2 (Self) vs. Level 2 (C3PAO): what your contract clause actually triggers
The 110 security requirements are identical for both. The difference is who performs the assessment and how the status is maintained. Per DoD, Level 2 self-assessment and Level 2 certification assessment use the same security baseline; only the assessor changes. Whether you do Self or C3PAO is set by your contract — DFARS 252.204-7021 paired with the solicitation provision DFARS 252.204-7025 specifies the required level and assessment type for that procurement.
The four DFARS 252.204-7021 statuses
This is the exact terminology you’ll see in your contract. Use it precisely; vendor pages often blur it:
| Status | What it means |
|---|---|
| Final Level 2 (Self) | All 110 requirements implemented; affirming official affirmation in SPRS; status current for three years when the annual affirmation stays current |
| Conditional Level 2 (Self) | Most requirements met; eligible POA&M items still open; closeout required within 180 days |
| Conditional Level 2 (C3PAO) | C3PAO assessment complete with allowable POA&M items still open; 180-day closeout window |
| Final Level 2 (C3PAO) | C3PAO assessment complete with no open POA&M; status current for three years when the annual affirmation stays current |
When the C3PAO completes a Level 2 assessment, the results are uploaded into CMMC eMASS (the DoD’s CMMC enterprise mission assurance support service), and your CMMC Status and CMMC Unique Identifier (UID) automatically transmit into SPRS. The affirming official then submits annual affirmations of continued compliance in SPRS to preserve eligibility. Miss the annual affirmation and your status lapses.
Why this matters when you pick a consultant
A consultant or MSP that doesn’t ask which exact status your contract requires is a consultant or MSP that’s about to misprice your engagement. The work to support Level 2 (Self) is different from the work to support Level 2 (C3PAO) — different evidence depth, different rehearsal, different cost, different timeline. Bring the contract clause to the first scoping call and require the provider to scope against the exact status named.
Phase 1 through Phase 4: what’s required when, and what that means for hiring timing
CMMC requirements are being phased into DoD contracts over a four-year rollout that began November 10, 2025 (Phase 1) and reaches full implementation beginning November 10, 2028 (Phase 4). Whether your contract path requires Self or C3PAO assessment determines how early you need to start consulting.
| Phase | Window | What gets included in solicitations |
|---|---|---|
| Phase 1 | Nov 10, 2025 – Nov 9, 2026 | DoD intends to include Level 1 (Self) or Level 2 (Self) for applicable solicitations and contracts as a condition of award; DoD may, at its discretion, require Level 2 (C3PAO) for specific procurements |
| Phase 2 | Nov 10, 2026 – Nov 9, 2027 | Phase 1 requirements plus DoD intends to include Level 2 (C3PAO) as a condition of award for applicable solicitations |
| Phase 3 | Nov 10, 2027 – Nov 9, 2028 | Phase 2 requirements plus Level 3 (DIBCAC) for applicable solicitations |
| Phase 4 | Begins Nov 10, 2028 | The CMMC clause must appear in all applicable solicitations, contracts, and orders that require contractor systems to process, store, or transmit FCI or CUI, except solicitations and contracts solely for commercially available off-the-shelf (COTS) items |
What this means for your hiring decision
- If your active or upcoming contracts likely require Level 2 (Self), you need readiness help now and an annual affirmation cadence built into operations.
- If your active or upcoming contracts likely require Level 2 (C3PAO) and your SSP, scope, controls, and evidence are not assessment-ready, readiness is the gating constraint. Do not book the official assessment as a discovery exercise.
- If your contract clauses are quiet today but your prime has signaled CMMC flow-down is coming, behave as if the clause is already in place. Phase 2 starts a year after Phase 1, and that’s not a long horizon for a 6–18 month readiness engagement.
The market reality, drawn from publicly reported Cyber AB Town Hall figures: roughly 103 organizations are authorized as C3PAOs as of early 2026, supported by approximately 759 Certified CMMC Assessors (CCAs), against an estimated 80,000+ DIB contractors expected to need Level 2 certification. Around 1% of that population has achieved Level 2 certification to date. This snapshot moves quickly — verify against the live Cyber AB Marketplace and most recent Town Hall before acting on the exact numbers. The DCR conclusion from the verified capacity data: today’s constraint appears to be contractor readiness as much as assessor availability. C3PAOs are taking bookings; most contractors aren’t yet ready to use the slots.
How long CMMC Level 2 readiness actually takes
Many Level 2 readiness efforts are scoped at 6–18 months, with 9–15 months common for small and mid-sized contractors in our provider-review framework. Treat this as a DCR planning range, not a regulatory timeline or guaranteed delivery schedule. The drivers are starting maturity, scope, environment complexity, documentation status, and remediation depth.
| Starting point | Planning range | What usually dominates the timeline |
|---|---|---|
| Mature security program, clean CUI scope, existing SSP | 8–16 weeks | Evidence packaging, documentation polish, mock assessment |
| Some NIST 800-171 work, MSP already CMMC-capable | 4–9 months | Gap remediation, evidence buildup, control operationalization |
| Weak documentation, unclear CUI scope, no evidence system | 6–12 months | Scope, SSP authorship, operating-cadence buildup |
| Major cloud/enclave/MSP migration required | 9–18 months | Architecture changes dominate; everything else waits |
Fast is good only when the scope is real, the controls operate, and the evidence exists. We’ve reviewed contractors who pushed for a 90-day timeline, scheduled a C3PAO too early, failed readiness validation, and ended up paying more — sometimes substantially more — than if they’d taken 12 months. Per CAP v2.0, if a C3PAO determines you’re not ready during the assessment, they can’t tell you how to fix it and continue the assessment. You’d start over, with a new firm or new scope.
That’s not a reason to delay. It’s a reason to sequence right: scope → SSP → gap → remediation → evidence → mock assessment → C3PAO.
How CUI scope, cloud, MSPs, and enclaves change the provider you need
Scope is the single biggest cost lever in Level 2. 32 CFR Part 170 requires you to define your Level 2 scope before either self-assessment or certification assessment, organized by asset category: CUI assets, security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets. If your CUI scope is everywhere, your assessment is everywhere. If your CUI scope is bounded, the assessment follows the boundary.
Enterprise scope vs. enclave scope
For most small and mid-sized contractors, the practical choice is: do you make your whole company CMMC-compliant, or do you isolate CUI into an enclave and make a smaller environment compliant? The enclave path is usually cheaper to assess and cheaper to maintain over time. The whole-company path can be necessary when CUI is genuinely diffuse — engineering files reference CUI, ERP records reference CUI, support tickets contain CUI — and you can’t reasonably consolidate.
This decision should be made early, with a consultant who can model both paths against your operations. It often saves more money than every other optimization combined.
Cloud and CSP requirements
For Level 2 (C3PAO), a cloud service offering that processes, stores, or transmits CUI must be FedRAMP Moderate authorized or meet FedRAMP Moderate equivalency under DoD policy. “Equivalent” has specific meaning — DoD has issued guidance on what equivalency requires, and ad-hoc claims of equivalency don’t count. If your consultant or MSP is comfortable letting CUI sit in a commercial cloud without that authorization or equivalency package, get a second opinion.
External Service Providers (ESPs)
If you use an ESP to meet any of your CMMC requirements — and most contractors do, often without realizing it (MSPs, MSSPs, cloud security platforms, SIEM-as-a-service, identity providers) — the ESP must be documented in your SSP with a service description and a CRM. Services used to meet your CMMC requirements are assessed within your scope. The CRM names which control responsibilities the ESP performs and which you retain. Include a Customer Implementation Statement (CIS) where the CSP/FedRAMP-equivalency package requires it.
The trap: many MSPs are not CMMC-aware and have not produced a CRM for their service. Hiring them as an ESP without that documentation puts you in front of a C3PAO without a defensible answer for half your controls.
How to verify any CMMC Level 2 provider before you sign
Every legitimate RPO, RP, RPA, CCP, CCA, and C3PAO is named on the official Cyber AB Marketplace at cyberab.org. If a provider cannot point you to their Marketplace listing in 30 seconds, that’s a hard stop until they can.
The five-minute verification
- Go to the Cyber AB Marketplace. Search by company name. Match the credential the provider claims (RPO, RP, RPA, CCP, CCA, or Authorized C3PAO).
- For C3PAOs, confirm “Authorized” status. “Candidate C3PAO” is not the same as Authorized — a Candidate has applied and is in the assessment pipeline but cannot perform certification assessments yet. Some vendors blur this in marketing. Check the actual listing.
- Cross-check named individuals. If a provider tells you a specific consultant will work your engagement, look them up by name. CCPs and CCAs are listed individually.
- Check independence boundaries. Ask, in writing: “Has anyone on the proposed C3PAO assessment team, or this C3PAO organization, provided consulting to prepare our company for CMMC within the last three years?” The correct answer, per the Cyber AB Code of Professional Conduct, is no. If yes, that C3PAO should not perform your Level 2 certification.
- Verify scope assumptions in the proposal. A scoping diagram you can read should be in any proposal at this price point.
What it actually takes to become a C3PAO
Per the Cyber AB’s C3PAO Detail page, authorization is a multi-step burden: an application, agreement to the Cyber AB’s Code of Professional Conduct, organizational background checks, a DCSA FOCI review, a DIBCAC Level 2 assessment of the C3PAO’s own environment, a CAGE code, qualified staffing (Lead CCAs, CCAs, QA personnel), professional liability insurance, and progress toward ISO/IEC 17020 accreditation as an inspection body. This is intentionally hard. It’s also why the C3PAO count is in the low triple digits.
Independence at the individual level
The Cyber AB’s assessor role definitions and the CoPC are strict. A CCA who participated in any capacity in preparing an organization for CMMC within the prior three years cannot serve on the assessment team for that same organization. This applies to individuals, not just firms. If your readiness consultant was a named CCP or CCA who later joins a C3PAO that’s quoting your assessment, that needs to be flagged.
The Cyber AB Marketplace snapshot we built for this article
We pulled the most recent publicly reported Cyber AB ecosystem figures from the Cyber AB Town Hall data and assembled them into one table. Verify against the live Marketplace on the day you act:
| Metric | Value | Implication |
|---|---|---|
| Authorized C3PAOs | ~103 (early 2026) | The total assessor-firm population |
| Certified CMMC Assessors (CCAs) | ~759 | Total credentialed individual assessors |
| Level 2 certifications issued to date | ~1,000 cumulative | Roughly 1% of the expected DIB Level 2 population |
| Approximate new Level 2 certifications per month | ~150–180 | Throughput is increasing as Phase 2 approaches |
| Estimated DIB contractors needing Level 2 | 80,000+ | The demand side |
This isn’t FUD. It’s two facts you can use: (1) the supply side will tighten as Phase 2 demand builds, and (2) the contractor side of the market is far from ready, which means you have less competition for slots than the marketing copy suggests — if you start now.
How do you compare CMMC Level 2 consulting quotes?
Compare quotes only after every provider prices the same scope, assessment path, CUI users, CAGE codes, ESPs, cloud assumptions, remediation exclusions, evidence ownership, and independence boundary. A cheaper quote that excludes remediation, MSP support, evidence packaging, or assessment readiness isn’t cheaper — it’s incomplete. The most expensive thing you can do with three vendor proposals is compare them on price before you’ve normalized scope.
The apples-to-apples comparison framework
Before you send an RFP or RFQ, draft a one-page scope brief with these elements. Then require every provider to quote against that exact brief. If a provider changes assumptions, they explain why in writing.
| Comparison dimension | What to specify in your brief | Why it matters |
|---|---|---|
| Assessment path | Level 2 (Self) or Level 2 (C3PAO) | Different evidence depth, different rehearsal, different cost |
| CUI scope | Systems, users, CAGE codes, facilities, ESPs, CSPs | The biggest single cost lever — if it’s not specified, quotes drift |
| Environment | Microsoft 365 GCC vs. GCC High vs. AWS GovCloud vs. on-prem vs. hybrid | Migration assumptions account for huge cost swings |
| Starting maturity | Existing SSP, prior SPRS score, prior NIST 800-171 implementation under DFARS 252.204-7012 | Federal Register cost estimates assume implementation already exists |
| Deliverables in scope | CUI flow map, asset inventory, SSP, gap, POA&M, evidence plan, mock assessment | Without a deliverable list, “readiness” means whatever each vendor wants it to mean |
| Remediation included vs. excluded | Which controls the provider remediates vs. which you handle | The single most common source of post-quote disputes |
| MSP/MSSP responsibility | Who operates the controls after design | A design without operations is not assessment-ready |
| Evidence ownership | You own the artifacts, no vendor lock-in | Prevents being held hostage to renew |
| Independence representation | Provider attests to no three-year consulting conflict if they’re a C3PAO | Required under CoPC; surface it before signing |
| Timeline assumptions | Buyer access, interviews, tool availability, leadership signoff cadence | Drives schedule slippage attribution |
| Acceptance criteria | What “done” looks like for each deliverable | Prevents “ready” from being subjective |
| Exit deliverables | A package you can take to another provider or to a C3PAO without rework | Protects continuity if you change providers |
If a vendor refuses to quote against your brief, they’re telling you they want to control the assumptions. That’s not partnership; that’s exposure.
What should be in a CMMC Level 2 consulting statement of work?
A Level 2 consulting SOW should define scope, deliverables, assumptions, evidence ownership, data handling, excluded remediation, provider role, independence boundaries, and acceptance criteria. The SOW should make it impossible for “consulting,” “implementation,” “managed services,” and “assessment” to be blurred. If you can’t tell from the SOW exactly which role the provider is playing, you’re going to argue about it later.
| SOW element | What it should contain |
|---|---|
| Assessment path | Level 2 (Self), Level 2 (C3PAO), or unsure/discovery-only |
| CUI scope | Systems, users, CAGE codes, facilities, ESPs, CSPs |
| Standards referenced | NIST SP 800-171 Revision 2, NIST SP 800-171A objectives, CMMC Level 2 Assessment Guide, 32 CFR Part 170 |
| Deliverables | CUI data-flow map, asset inventory by category, SSP, gap report, POA&M, evidence matrix |
| Technical work | Explicit list of what’s included vs. excluded |
| MSP/MSSP responsibilities | Who operates the controls after design — named, in writing |
| Evidence ownership | Buyer owns artifacts and documentation; no vendor lock-in |
| Data handling | CUI/FCI/evidence access, NDAs, citizenship requirements if applicable |
| Independence language | If the provider is or will become a C3PAO, an acknowledgment of the CoPC’s three-year consulting conflict rule and the implications for this engagement |
| No-guarantee clause | Provider does not guarantee certification outcome (CAP prohibits this for C3PAOs anyway) |
| Timeline assumptions | Buyer access, interview availability, tool availability, leadership signoff timing |
| Exit deliverables | A package you can take to another provider or to a C3PAO without rework |
Per CAP v2.0, C3PAO assessment agreements cannot include guarantees or promises related to results, and cannot include incentive or bonus payments contingent on certificate issuance. If you see either in any CMMC-related contract — readiness or assessment — strike it.
The biggest red flags in CMMC Level 2 consulting
The most expensive Level 2 mistakes are buying before defining scope, hiring one firm to do both readiness and assessment, treating software as compliance, and chasing “guaranteed certification.” A good provider tells you what they don’t do; a bad provider tells you they do everything.
Red flag language to disqualify on sight:
| Vendor claim you might hear | Why it fails |
|---|---|
| “Guaranteed CMMC certification” | CAP v2.0 prohibits C3PAOs from guaranteeing results or accepting incentive payments contingent on a certificate |
| “We do both readiness and your official assessment on the same engagement” | CoPC three-year consulting conflict; C3PAO organization and team are barred from assessing OSCs they helped prepare within that window |
| “Software makes you compliant” | Software supports compliance; people and processes implement it |
| “You don’t need to map your CUI” | Asset categorization is required by 32 CFR Part 170; without it, every quote is unstable |
| “Your MSP can figure it out” | ESPs that touch your CMMC requirements are in scope; without a CRM, you have undocumented control responsibility |
| “Fixed price, no scoping required” | A fixed price without explicit scoping assumptions is a fictional price |
| “We use NIST 800-171 Rev. 3 — it’s newer” | 32 CFR Part 170 uses Revision 2 for CMMC Level 2; DoD said future amendments will incorporate later NIST versions |
| “You don’t need evidence until the assessment” | NIST SP 800-171A assessment objectives are what the C3PAO checks; you need evidence the whole way through |
| “We can ignore cloud shared responsibility” | CSP offerings handling CUI must be FedRAMP Moderate or equivalent; CRM is required for ESPs |
| “We don’t need to see the contract clause” | DFARS 252.204-7021 and 252.204-7025 tell you Self vs. C3PAO — the entire scoping decision starts there |
The Rev. 2 vs. Rev. 3 trap, in particular
NIST SP 800-171 Revision 3 exists, but it is not the controlling CMMC Level 2 baseline today. 32 CFR Part 170 uses NIST SP 800-171 Revision 2 for Level 2, and DoD has said future amendments will be issued to incorporate later NIST versions. Any consulting work scoped only to Rev. 3 today won’t produce evidence that maps cleanly to your Level 2 assessment.
What happens during a Level 2 C3PAO assessment
A Level 2 C3PAO assessment is a structured, multi-phase process, not a coaching session. CAP v2.0 lays out preliminary proceedings, Phase 1 pre-assessment, Phase 2 conformity assessment, Phase 3 reporting, and certificate or POA&M closeout. If the C3PAO determines the OSC isn’t ready, the C3PAO cannot pivot into remediation advice and continue the same assessment — independence rules require either pausing or terminating.
| Phase | What happens | Why it matters |
|---|---|---|
| Preliminary proceedings | The OSC contacts an authorized C3PAO; entity, CAGE codes, and scope framing begin | Confirms who and what will be assessed |
| Phase 1 pre-assessment | C3PAO reviews SSP completeness and validates scope | Prevents an invalid assessment from starting |
| Phase 2 conformity assessment | C3PAO assesses implementation against NIST SP 800-171A assessment objectives | Drives MET / NOT MET determinations per objective |
| Phase 3 reporting | Findings reported through CMMC eMASS, which transmits to SPRS | Creates the official assessment record |
| Certificate or POA&M closeout | Final or Conditional status issued; POA&M closeout within 180 days if applicable | Determines contract eligibility |
The practical takeaway: schedule a C3PAO only when your readiness consultant has signed off, you’ve completed a mock assessment, and you have documented evidence ready for every objective. Anything less and you’re paying assessor rates to find gaps a readiness firm could have found at a fraction of the cost.
How small subs, mid-size DIB companies, primes, and global multi-site contractors should choose differently
Provider fit isn’t one-size-fits-all. CUI volume, contract role, environment, internal IT maturity, and whether you can reasonably reduce scope all change which provider you should hire first.
Small DIB subcontractor (under ~50 employees, simple environment)
Most likely path: a scoping-first RPO/RP, a CMMC-capable MSP/MSSP if your current MSP can’t support Level 2 operations, then evidence packaging and either Self assessment or readiness for C3PAO. Cost will hurt — that’s the honest truth — but the enclave plus a focused RPO is usually the right combination. Don’t buy a GRC platform until your scope is set.
Mid-size manufacturer or services contractor (~50–500 employees)
Most likely path: enclave decision first (you’ll save more here than anywhere else), then MSP/MSSP for operations, then RPO for documentation and readiness, then a C3PAO when ready. Build the SOW around scope reduction before anything else.
Prime contractor
Most likely path: internal governance program, flow-down matrix, subcontractor tracking, CUI boundaries by program. Multiple provider categories used in parallel. Independence becomes especially important — a prime evaluating sub compliance shouldn’t be in a position where its own consultants have CoPC conflicts with how it scores sub C3PAO selections.
Global company with multiple offices
Most likely path: CAGE-code and entity scoping before anything else. International offices may be out of scope; they may not. The cost shock data we’ve seen (one r/CMMC report of ~$100K consulting quotes for a 20-user global scope) usually reflects unresolved scope, not unreasonable pricing.
What to do in the next 7 days
Don’t start by buying tools or booking a C3PAO. Start by confirming the contract requirement, identifying CUI, defining scope, and figuring out which provider category fits your next bottleneck.
This is the action plan we’d give a sibling company.
| Day | Action |
|---|---|
| 1 | Pull every active solicitation, contract, and prime flow-down. Look for DFARS 252.204-7021 and DFARS 252.204-7025 references. Note the exact CMMC level and assessment type. |
| 2 | Confirm whether you handle FCI only or CUI. The classification drives everything. |
| 3 | Sketch the CUI data-flow: where it enters, where it lives, where it moves, where it leaves. |
| 4 | List the systems, users, MSPs, MSSPs, CSPs, ESPs, and CAGE codes in scope. |
| 5 | Inventory what you already have: SSP, SPRS score, POA&M, evidence. Most contractors will find partial pieces from DFARS 252.204-7012 work since 2017. |
| 6 | Decide your next provider category: scoping RPO, MSP/MSSP, enclave, GRC platform, or C3PAO. (If you’re not sure, use the matching form below.) |
| 7 | Request scoped quotes from two or three providers in the same category, using the same scoping assumptions. Apples to apples. |
Frequently asked questions
- What are CMMC Level 2 consulting services?
- CMMC Level 2 consulting services help a defense contractor prepare to meet Level 2 requirements by scoping Controlled Unclassified Information (CUI), mapping systems, building or improving the System Security Plan, assessing gaps against NIST SP 800-171 Revision 2, planning remediation, and organizing evidence for the applicable assessment path.
- Does a CMMC Level 2 consultant certify my company?
- No. A consultant prepares you for assessment. An authorized C3PAO (CMMC Third-Party Assessment Organization) performs the official Level 2 certification assessment when the contract requires Level 2 (C3PAO). RPOs (Registered Provider Organizations) provide advisory services and explicitly do not conduct certified CMMC assessments under the Cyber AB’s role definitions.
- Do all Level 2 contracts require a C3PAO?
- No. Level 2 has two assessment paths. Some contracts allow Level 2 (Self) — a self-assessment posted to SPRS with affirming-official affirmations at assessment and annually thereafter. Others require Level 2 (C3PAO) — a certification assessment performed by an authorized C3PAO, valid for three years with annual affirmations. The DoD CIO’s CMMC Level 2 Assessment Guide describes both paths.
- What is the difference between CMMC Level 2 (Self) and Level 2 (C3PAO)?
- The 110 security requirements are identical. The difference is who performs the assessment. Per DoD’s published guidance, Level 2 self-assessment and Level 2 certification assessment evaluate the same baseline; only the assessor changes. Self is conducted by the Organization Seeking Assessment with affirming-official affirmation; C3PAO is conducted by an independent authorized C3PAO whose results flow through CMMC eMASS into SPRS. Both paths require an annual affirmation to keep status current.
- How much does CMMC Level 2 consulting cost?
- DoD’s 32 CFR Part 170 cost analysis estimates assessment support costs of $34,277–$48,827 over three years for Level 2 (Self) and $104,670–$117,768 over three years for Level 2 (C3PAO), depending on entity size. Those estimates assume the contractor has already implemented NIST SP 800-171 Revision 2 — readiness, remediation, tooling, and ongoing operations cost extra. Public provider examples and observed market commentary suggest typical full readiness engagements between $50,000 and $300,000+ depending on scope and environment. See the full CMMC Level 2 cost guide.
- Can my MSP handle CMMC Level 2 by themselves?
- Usually not, unless the MSP is CMMC-capable, can operate the specific Level 2 controls and evidence requirements, and has produced a documented Customer Responsibility Matrix. Many contractors need both a CMMC-aware MSP/MSSP and a separate readiness consultant. If your MSP touches CUI, the MSP is in your assessment scope as an External Service Provider under 32 CFR Part 170.
- Should I hire a C3PAO first?
- Usually no, unless you are close to ready for the official assessment. CAP v2.0 limits what a C3PAO can do if you are not prepared — they cannot provide remedial advice and continue the same assessment. Most contractors should engage readiness support first, complete a mock assessment, and then engage the C3PAO.
- Is NIST SP 800-171 Revision 3 used for CMMC Level 2?
- Not under the current rule. 32 CFR Part 170 references NIST SP 800-171 Revision 2 as the controlling baseline for CMMC Level 2. DoD has stated that future amendments will be issued to incorporate later NIST versions. Until that amendment, scope your work to Revision 2.
- What is the Cyber AB Marketplace, and how do I use it?
- The Cyber AB Marketplace at cyberab.org is the official directory of CMMC ecosystem credentials — RPO, RP, RPA, CCP, CCA, and C3PAO. Use it to verify any provider’s claim. CAP v2.0 specifies that the registry of Authorized and Accredited C3PAOs in good standing is maintained in the Marketplace, and that the Cyber AB and DoD do not recommend or introduce specific C3PAOs.
- What is the most common mistake when buying CMMC Level 2 consulting?
- Buying before defining CUI scope and the contract’s assessment path. Without scope and path, every quote is unstable, and providers will (reasonably) build conservative assumptions that inflate the bid.
- Can a provider guarantee CMMC certification?
- No. CAP v2.0 specifies that C3PAO assessment agreements cannot include guarantees or promises related to results, and cannot include incentive payments contingent on certificate issuance. Any provider — readiness or assessment — that “guarantees certification” is a disqualifying signal.
- What is the best next step if I’m unsure?
- Pull the contract clause first to confirm whether you need Level 2 (Self) or Level 2 (C3PAO). Then use a provider-matching form or the 7-day checklist above to identify the right provider category before requesting quotes. That sequence — clause first, scope second, category third, quotes fourth — is the one that consistently produces defensible spend.
Our methodology, our independence, and how to fact-check us
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, or any U.S. government agency. We do not perform CMMC consulting or assessments. We don’t take payment for editorial coverage. We do, in the interest of full disclosure, receive routing compensation when our independent matching form results in qualified engagements with providers — providers we verify against the Cyber AB Marketplace before introducing.
The regulatory and ecosystem claims on this page are sourced to primary documents:
- 32 CFR Part 170 — CMMC Program Rule (published October 15, 2024; effective December 16, 2024); Federal Register and eCFR
- DFARS final rule — published in the Federal Register September 10, 2025; effective November 10, 2025
- DFARS 252.204-7012, 252.204-7019, 252.204-7020, 252.204-7021, 252.204-7025 — clause text on Acquisition.gov
- NIST SP 800-171 Revision 2 — on the NIST Computer Security Resource Center
- NIST SP 800-171A — assessment objectives, NIST CSRC
- NIST SP 800-172 — Level 3 enhanced requirements, NIST CSRC
- DoD CIO CMMC Level 2 Assessment Guide v2.13
- Cyber AB CMMC Assessment Process (CAP) v2.0
- Cyber AB Code of Professional Conduct (CoPC) v2.0
- Cyber AB ecosystem role definitions and C3PAO authorization detail pages
- Cyber AB Marketplace listings
We update this page on a quarterly cadence and re-verify each cited element on a published schedule. Cost figures, ecosystem counts, and phase timing all carry “Last verified” dates because they will move. If you find an error, send it to corrections and we’ll fix it on the next cycle or sooner if the fix is regulatory.
When you’re ready
If you’ve read this far, you have the framework. The remaining decision is what to do next.
Need help deciding what type of CMMC provider you need?
Get matched with verified providers in 60 seconds — independent matching by level, scope, environment, assessment path, and timeline. No exclusivity. No spam. We review urgent requests for priority routing, and we verify Cyber AB Marketplace status, role fit, and independence posture before introducing any provider.
If you’d rather self-serve first, two alternatives that route nowhere except to your own desk:
- Download the CMMC Readiness Checklist mapped to the 14 NIST SP 800-171 Revision 2 control families — versioned, dated, no email required.
- Compare CMMC Level 1, Level 2, and Level 3 in detail — internal deep-dive for contractors whose level path isn’t certain.
If your contract is at risk this quarter and you need urgent guidance, the matching form is the fastest path. If your timeline is longer, the checklist plus the 7-day action plan above will give you a defensible starting position before you talk to any vendor.