Questions to Ask a CMMC Consultant Before You Hire One
Last verified: June 13, 2026
The most useful questions to ask a CMMC consultant are the ones that force them to prove four things before you sign anything: the right role, the right scope, real Level 2 evidence experience, and a statement of work tied to your actual contract deadline. A readiness consultant, a Registered Provider Organization, a managed service provider, a compliance-software vendor, and a C3PAO assessor do not do the same job—and confusing them is how six-figure engagements go sideways.
Here’s the bottom line. If a provider can’t clearly answer the role-separation, CUI-scoping, evidence, cost, and statement-of-work questions in this guide, don’t buy the quote. The most expensive mistake in CMMC almost always happens before the work starts—it isn’t the price. It’s hiring a firm to prepare you when you were quietly hoping they’d also certify you. They can’t. Under federal rule 32 CFR 170.8(b)(17)(ii)(G), a firm that helps you prepare is locked out of your Level 2 certification assessment for three years.
We built this page because the existing “questions to ask” articles hand you a list and stop. None of them tell you what a good answer sounds like, what a red-flag answer sounds like, or how to verify the claims in five minutes. We read the rule, the Cyber AB’s Code of Professional Conduct, and the federal cost estimates ourselves, and turned them into a scorecard you can use on your next call. Use the whole thing, or skip to the 25-question scorecard and run it live.
Not sure whether you need a readiness consultant, an RPO, an MSP/MSSP, compliance software, or a C3PAO assessor? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Get Matched →
What does a CMMC consultant actually do—and what can’t they do?
A CMMC consultant helps you prepare: scoping your environment, finding gaps against NIST SP 800-171 Revision 2, writing your System Security Plan (SSP) and Plan of Action and Milestones (POA&M), and getting you assessment-ready. What no consultant can do is issue your certification—only a Cyber AB–authorized C3PAO (CMMC Third-Party Assessment Organization) can conduct a Level 2 certification assessment under 32 CFR Part 170. Knowing that line is the foundation of every question below.
Let’s define the players, because the words get thrown around loosely and the loose usage is exactly where buyers get burned.
- CMMC—the Cybersecurity Maturity Model Certification, the Department of Defense (DoD) program that verifies contractors in the Defense Industrial Base (DIB) protect sensitive government information. The program rule (32 CFR Part 170) became effective December 16, 2024, and the DFARS acquisition rule that lets contracting officers put CMMC in contracts became effective November 10, 2025.
- FCI—Federal Contract Information, the lower-sensitivity tier that maps to CMMC Level 1.
- CUI—Controlled Unclassified Information, the data type that generally drives CMMC Level 2. Level 3 applies only when a contract specifically requires that path—it isn’t triggered automatically just because you handle sensitive CUI.
- The Cyber AB—the accreditation body the DoD contracts with to run the assessor ecosystem and the public Marketplace.
- C3PAO—the only kind of organization authorized to perform a Level 2 certification assessment and issue a Certificate of CMMC Status.
- RPO / RP / RPA—a Registered Provider Organization and its Registered Practitioners (and the advanced tier, RPA). These are the Cyber AB’s advisory roles. They consult and implement; they do not assess.
- CCP / CCA—a Certified CMMC Professional and a Certified CMMC Assessor; the individuals who staff a C3PAO’s assessment team.
Here’s the part the listicles skip: “CMMC consultant” is not a regulated title. Anyone can use it. There is no license to revoke. And you are not legally required to hire a Registered provider at all. Nothing in 32 CFR Part 170 says your consultant must be an RPO. Registration means a firm signed an agreement with the Cyber AB, passed an organizational background check, and agreed to the Code of Professional Conduct. That’s a trust signal. It isn’t a guarantee of Level 2 competence.
Cyber AB ecosystem roles at a glance
| Cyber AB Role | What it is | Can advise & implement? | Can assess & certify? |
|---|---|---|---|
| RP (Registered Practitioner) | Trained advisor; solo or in an RPO | Yes | No |
| RPA (Registered Practitioner Advanced) | RP with deeper NIST 800-171 training and experience | Yes | No |
| RPO (Registered Provider Organization) | Advisory firm or MSP employing at least one RP | Yes | No |
| CCP (Certified CMMC Professional) | Passed the Cyber AB/CAICO exam; an assessment-track credential | May advise, but the credential is not an implementation qualification | Supports a Level 2 assessment team; does not make final determinations |
| CCA (Certified CMMC Assessor) | Certified to conduct Level 2 assessments on a C3PAO team | Only outside a conflicted relationship; an assessor credential is not proof of implementation-prep skill | Yes—and cannot assess a client it helped prepare (three-year rule) |
| C3PAO | The organization authorized to run Level 2 assessments | No—not for an org it then assesses | Yes—the only entity that can |
Source: Cyber AB, Ecosystem Roles; 32 CFR 170.9, 170.11, 170.13. CMMC Level 2 is built on the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families.
The one rule that decides everything: can the same firm prepare you and assess you?
No—and this is the most expensive misunderstanding in CMMC. Under 32 CFR 170.8(b)(17)(ii)(G), a CMMC ecosystem member cannot participate in a Level 2 certification assessment for an organization it previously served as a consultant to prepare for any CMMC assessment within the prior three years. The Cyber AB’s Code of Professional Conduct (CoPC) v2.0 confirms that prohibition applies to the C3PAO as an organization and to every member of its assessment team. A firm that helps you build your program is locked out of certifying it for three years.
The logic is simple: an assessor who graded the homework they helped you write isn’t an independent assessor. That’s also why 32 CFR 170.9(b)(2) requires C3PAOs to follow the Cyber AB’s Conflict of Interest, Code of Professional Conduct, and Ethics policies and to meet ISO/IEC 17020:2012—the international standard built to keep inspection bodies structurally impartial.
Source map—verify it yourself
| Source | What it establishes |
|---|---|
| 32 CFR 170.8(b)(17)(ii)(G) | Prohibits ecosystem members from participating in the Level 2 certification process for an assessment in which they previously served as a consultant to prepare that organization for any CMMC assessment within 3 years |
| Cyber AB CoPC v2.0 | Confirms the 3-year prohibition applies to the C3PAO as an organization and every assessment-team member, and covers any preparatory, advisory, or consulting work for any CMMC assessment |
| 32 CFR 170.9(b)(2) | Requires C3PAOs to comply with the Cyber AB’s Conflict of Interest, Code of Professional Conduct, and Ethics policies and to meet ISO/IEC 17020:2012 |
| CMMC Assessment Process (CAP) | Requires the C3PAO to identify conflicts with the organization, document mitigation, and not proceed if a conflict can’t be sufficiently resolved |
| The question this creates | “If you help us prepare, you’re locked out of our assessment for three years—so who would you hand the assessment to, and how do you keep that clean?” |
The practical sequence: (1) Readiness and remediation → an RPO, a CMMC-focused MSP/MSSP, a vCISO, or a documentation/enclave provider; (2) The formal certification assessment → a different, Cyber AB–authorized C3PAO.
One nuance: the prohibition is about a firm that prepared you then trying to assess that same preparation. It doesn’t mean you’re forbidden from using an RPO, and it doesn’t mean a C3PAO can never speak to you. It means the firm that builds your program can’t be the firm that certifies it.
Here’s something most consultant pages won’t tell you: very few firms have a long track record of taking clients all the way through a Level 2 C3PAO certification assessment—because that part of the ecosystem only opened at scale recently. The certification machinery is young. That means “years of CMMC certification experience” is often hard to verify and is sometimes overstated. We’re not telling you that to make you cynical. We’re telling you because the right response is to ask for specifics: how many organizations, what size, what environment, and what were the outcomes, including conditional results and closeouts.
Want to skip the guesswork on provider type and conflict-of-interest sequencing? Tell us your level, scope, and timeline and we’ll match you with source-checked options—and we keep readiness and assessment cleanly separated, so you never accidentally hire a firm that can’t finish the job.
Get Matched →
The 25 questions to ask a CMMC consultant (with the strong answer vs. the red-flag answer)
Use these on your next call. For each question we’ve written what a strong answer sounds like, what a red-flag answer sounds like, and what evidence to request. Score each answer as you go. The goal isn’t to find the smoothest talker—it’s to identify who can produce assessment-ready work without role confusion, scope gaps, or statement-of-work surprises.
How to score each answer (0–3):
- 0—evasive, generic, or pure sales pitch
- 1—plausible but unsupported
- 2—source-aware and specific
- 3—source-aware, artifact-backed, and ready to put in the statement of work
- 🛑 Stop sign—a disqualifier; resolve it in writing before you proceed, regardless of the rest of the score
Two rules: Send the first five questions (Section A) before the discovery call. Ask the full set only after a provider clears those role-and-independence questions. And never send CUI, contract numbers, network diagrams, or vulnerability details through an unsecured intake form or email while you’re still shopping.
A. Role, authority, and independence
| # | Ask this | Strong answer | Red-flag answer | Evidence to request |
|---|---|---|---|---|
| 1 | “Which CMMC level and assessment type applies to us, and what are you basing that on?” | They ask for your contract clause, FCI/CUI handling, and prime flow-down before answering Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3. | “Everyone needs Level 2 certification” / “just buy our package.” | A written assumptions memo |
| 2 | “Are you a readiness consultant, RPO, MSP/MSSP, software vendor, or C3PAO?” | A clear, single answer and a plain statement of what they can’t do. | “We do everything, including the certification.” 🛑 | Role disclosure in writing |
| 3 | “Are you listed on the Cyber AB Marketplace, and in exactly what role?” | They name the listing and role and invite you to verify it. | “We’re Cyber AB certified” with no role detail. | A dated Marketplace screenshot |
| 4 | “If you help us implement controls, can you also assess us—yes or no?” | “No—that conflicts us out of your assessment for three years; here’s how the separation works.” | “Sure, we can prep you and certify you.” 🛑 | A conflict-of-interest statement |
| 5 | “Have you taken organizations through a Level 2 C3PAO assessment, and what happened—including POA&Ms?” | Specific numbers by company size and environment, with candor about conditional results and closeouts. | “Hundreds certified” / “everyone passes,” no specifics. | References or anonymized case notes |
B. Scope, CUI/FCI, and your SSP
| # | Ask this | Strong answer | Red-flag answer | Evidence to request |
|---|---|---|---|---|
| 6 | “How will you determine our assessment scope before recommending any tools?” | They map CUI/FCI flows, systems, users, facilities, and external providers first. | A tool recommendation before any scoping. | A scope worksheet |
| 7 | “How will you find and map our CUI and FCI?” | They trace who creates it, who receives it, and whether it touches email, file shares, Teams/SharePoint, the shop floor, and subcontractors. | They skip data types and jump to products. | A data-flow questionnaire |
| 8 | “How will you categorize our assets—CUI, Security Protection, Contractor Risk Managed, Specialized, and Out-of-Scope?” | They tie each asset category to the SSP, inventory, and diagrams. | “Everything’s in scope” or “GCC High makes it all compliant.” | An asset-categorization matrix |
| 9 | “Who builds and maintains our SSP—and do we own it?” | “You own it; it’s yours to keep, export, and maintain.” | A consultant-hosted portal with no export terms. | The ownership clause in the SOW |
| 10 | “What will you deliberately keep out of scope, and how?” | They can explain out-of-scope assets without magical scope-shrinking. | They can’t articulate any scope boundary. | A documented scope boundary |
C. Evidence, remediation, and validation
| # | Ask this | Strong answer | Red-flag answer | Evidence to request |
|---|---|---|---|---|
| 11 | “What evidence artifacts do you produce, and how do they map to NIST SP 800-171A assessment objectives?” | They name artifact types and map evidence to specific objectives, not just policies. | “We’ll write you policies and you’ll be fine.” | A sample evidence matrix |
| 12 | “Are you advisory-only, or do you perform hands-on technical remediation?” | They separate advising from configuring identity, logging, endpoints, backups, and incident response. | They promise remediation but quietly exclude the technical work later. | An implementation-responsibility table |
| 13 | “How do you test that a control is operating, not just documented?” | They describe validation, evidence review, interviews, and observation. | “Documentation is enough.” | A validation plan |
| 14 | “How do you handle POA&Ms and the 180-day conditional closeout?” | They know POA&Ms are limited and that a Conditional Level 2 must be closed out within 180 days. | “You can POA&M anything.” | A POA&M policy |
| 15 | “Can you show sanitized examples of an SSP, POA&M, asset inventory, and evidence tracker?” | They share redacted real examples. | They show only sales slides, or refuse. | Sanitized templates |
D. External providers and cloud
| # | Ask this | Strong answer | Red-flag answer | Evidence to request |
|---|---|---|---|---|
| 16 | “Is our current MSP an External Service Provider under CMMC, and how does that change our scope?” | They ask whether the MSP processes, stores, or transmits CUI or security-protection data, and how it appears in the SSP. | They treat the MSP as irrelevant. | An ESP inventory |
| 17 | “What will our Customer/Shared Responsibility Matrix say—who owns which control?” | They map provider, customer, and shared responsibilities and who produces which artifact at assessment time. | No responsibility matrix at all. | A Customer Responsibility Matrix |
| 18 | “If a cloud service stores, processes, or transmits CUI, how will you verify FedRAMP Moderate or equivalent?” | They cite the FedRAMP Moderate (or equivalent) requirement and ask for authorization evidence. | “Commercial cloud is fine.” | CSP authorization / equivalency evidence |
E. Cost, timeline, and the statement of work
| # | Ask this | Strong answer | Red-flag answer | Evidence to request |
|---|---|---|---|---|
| 19 | “Will you itemize the quote—discovery, gap, remediation, tools, enclave, C3PAO, and annual support—separately?” | They split one-time from recurring costs and label assumptions. | One vague “CMMC readiness” line. | A line-item quote |
| 20 | “What’s excluded, and what triggers a change order?” | They disclose exclusions and change-order triggers up front. | “We’ll know after kickoff.” | Written change-order triggers |
| 21 | “What timeline assumptions could blow up this plan?” | They name dependencies: CUI sprawl, MSP cooperation, licensing, evidence readiness, and C3PAO scheduling. | “Guaranteed in 30/60/90 days.” | A timeline-assumptions page |
| 22 | “What deliverables will exist at the end, and who owns each one?” | A concrete deliverable list, all customer-owned. | A portal you lose access to when the contract ends. | A deliverables + ownership list |
| 23 | “Does your contract promise or imply a certification outcome?” | “No one can guarantee a pass—the C3PAO decides; we maximize your readiness.” | “Yes, we guarantee you’ll pass.” 🛑 | Confirmation in writing |
F. Flow-down, SPRS, and life after the assessment
| # | Ask this | Strong answer | Red-flag answer | Evidence to request |
|---|---|---|---|---|
| 24 | “Who handles SPRS, our CMMC unique identifier, and the annual affirmation—and where does your responsibility end?” | They define your internal affirming official’s role and their own support boundary, and they explain ongoing affirmations. | “We’ll submit everything for you,” with no owner clarity. | A responsibility matrix |
| 25 | “What would make you tell us we’re not ready to hire you yet?” | They’ll disqualify an unready buyer and recommend scoping or data cleanup first. | They never disqualify anyone. | Written readiness criteria |
A provider who scores 2s and 3s across Section A and Section B, names individuals (not just “our team”), and is willing to disqualify you when appropriate is the profile you want. A single 🛑 in the role-and-independence rows outweighs a great score everywhere else.
One thing you can do in the next five minutes: copy the five Section A questions into your calendar invite for the next vendor call. They’re the fastest way to separate a real CMMC partner from a reseller, and sending them ahead of time tells a good provider you know what you’re doing.
Run the whole call through the scorecard.
Open the CMMC Readiness Checklist →
How do you verify a CMMC consultant’s credentials and Cyber AB status?
Don’t take credentials on faith—verify them on the day you engage. The Cyber AB Marketplace is the authoritative public list; you can filter by Ecosystem Role (RPO, C3PAO, and so on) and confirm a provider’s role, status, and scope of services. Two cautions: a listing proves registration or authorization, not competence, and no provider is “preferred by” or “affiliated with” the DoD or the Cyber AB. If a firm claims to be “DoD-approved” or “Cyber AB endorsed,” that’s a red flag, not a credential.
The five-minute check
1. Go to the Cyber AB Marketplace and search the firm’s legal name.
2. Confirm the role shown—RPO, C3PAO, or individual practitioner. Organizational status and individual credentials are different things; “we have RPs on staff” is not the same as “we are an authorized C3PAO.”
3. If they’ll be your assessor, confirm the C3PAO shows as authorized or accredited—not “candidate,” not “in process.”
4. Screenshot it with the date. Status changes; your screenshot is your record.
5. Ask whether the same entity is proposing to do both your readiness and your assessment. If so, return to the conflict-of-interest rule above.
Why this verification step is not optional: the DoD’s own watchdog flagged the gaps
This isn’t paranoia. In January 2025, the DoD Office of Inspector General published an audit (Report No. DODIG-2025-056) of the process for authorizing C3PAOs and concluded the DoD did not effectively implement that process. Reviewing 11 of the 48 C3PAOs authorized as of September 2023, the OIG reported that the Cyber AB had authorized some C3PAOs without a signed C3PAO Agreement and Code of Professional Conduct on file, and others without verifying the certification of their quality-control leads—and issued recommendations to tighten the process.
Read that the right way. The takeaway is not “all C3PAOs are risky.” Most are legitimate, and the program has matured since 2023. The narrow, practical lesson is this:
Verify current status on the day you sign. Don’t rely on a sales claim, an old screenshot, or an assumed credential.
Source: DoD OIG, Report No. DODIG-2025-056, January 10, 2025 (dodig.mil).
Want us to do the status check for you? When we match you, we verify each provider’s role and Cyber AB status as of the match date, so you start from documented facts.
Get Matched →
What should you ask before sending CUI or sensitive details to a consultant?
Be careful what you hand over while you’re still shopping. You should not send Controlled Unclassified Information, contract numbers, network diagrams, vulnerability scans, or system details through an unsecured intake form, a generic web form, or ordinary email—including during a sales process. A consultant who asks you to email sensitive material before any agreement is in place is showing you how they’ll treat your data later. Use sanitized facts to get quotes, and require a secure channel before anything sensitive moves.
Three quick protections
- Describe, don’t disclose. “We’re a 40-person machine shop, CUI lives in email and a file share, we think Level 2 (C3PAO)” is enough to scope a quote. You don’t need to send the actual CUI to get a proposal.
- Ask how they intake sensitive material. A serious provider has a secure method and a confidentiality agreement, and they’ll tell you about both without being prompted.
- Watch for the casual ask. “Just forward us your network diagram and a few CUI examples”—over email, before a contract—is a data-handling red flag in a field whose entire purpose is data handling.
Want options without exposing anything sensitive? Use our match form—level, scope, and timeline only, no CUI required—and we’ll route you to the right provider category.
Get Matched (no CUI required) →
RPO, MSP/MSSP, compliance software, or C3PAO—which do you actually need?
Many bad CMMC buying decisions happen before the first quote, because the buyer hires the wrong type of provider. RPOs and readiness consultants help you prepare. MSPs and MSSPs may operate parts of your environment. Compliance software organizes evidence—it does not make you compliant by itself. C3PAOs perform the formal Level 2 certification assessment and must stay independent. Match the provider type to where you actually are, then verify role and status before you talk price.
| Your situation | Provider category to start with | What to ask | Don’t confuse it with |
|---|---|---|---|
| “We don’t even know our level or scope.” | Readiness consultant / RPO / RP | “How will you determine level and scope?” | A C3PAO assessment |
| “We need to build and operate controls.” | CMMC-focused MSP / MSSP / vCISO | “Which controls do you operate vs. advise on?” | A policy-only consultant |
| “We need evidence and workflow organized.” | GRC / SSP / POA&M software | “Who owns the evidence and the control work?” | A compliance outcome |
| “We have CUI in email and file-sharing.” | CUI enclave / secure-collaboration provider | “How will you isolate CUI and document it?” | A full compliance program |
| “We’re documented and want a dry run.” | Readiness partner (mock assessment) | “Do you run a mock against the real method?” | The official assessment |
| “We’re ready to certify.” | Authorized/accredited C3PAO | “What’s your current Cyber AB status?” | Readiness or remediation |
| “We think we need Level 3.” | DCMA DIBCAC path, after a Final Level 2 (C3PAO) | “Are we actually Level 3, and why?” | A standard Level 2 project |
The honest routing rule: if you need readiness, remediation, an SSP/POA&M, scoping, or managed compliance, start with the RPO/MSP/MSSP category. If your question is about Microsoft GCC High, secure cloud, or a CUI enclave, start with an MSP/MSSP/enclave provider. Treat GRC software as a supporting layer, not the whole solution. And engage a C3PAO only when you’re assessment-ready.
Not sure whether you need readiness help, software, or an assessor? That’s the most common place to overspend.
Compare provider categories →
Get Matched →
What CMMC level and contract clauses should you pin down first?
Before you buy consulting, make the provider identify the requirement that actually applies to you. Level 1, Level 2 (Self), Level 2 (C3PAO), and Level 3 have different assessment paths and obligations. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 under 32 CFR Part 170—not Revision 3—unless and until the DoD amends the rule. Level 3 layers on a subset of NIST SP 800-172 and requires a Final Level 2 (C3PAO) status first.
Start by finding the clause that triggers your requirement, and ask the consultant to walk you through it:
- FAR 52.204-21—basic safeguarding of FCI; the Level 1 baseline (15 requirements).
- DFARS 252.204-7012—safeguarding covered defense information and cyber-incident reporting. Its presence is a strong signal you handle covered defense information (a form of CUI).
- DFARS 252.204-7019 / -7020—the NIST SP 800-171 DoD assessment requirements, including posting a current assessment score in SPRS.
- DFARS 252.204-7021—the CMMC clause itself: which CMMC level and status the contract requires, plus your CMMC unique identifier and annual affirmation obligations in SPRS.
| If your environment handles | Minimum path to investigate | Source-backed note |
|---|---|---|
| FCI only | Level 1 (Self) | 15 safeguarding requirements from FAR 52.204-21; annual self-assessment and affirmation |
| CUI, contract requires Level 2 (Self) | Level 2 (Self) | All 110 NIST SP 800-171 Rev. 2 requirements; results posted in SPRS |
| CUI, contract requires Level 2 (C3PAO) | Level 2 (C3PAO) | Authorized/accredited C3PAO assessment; results posted by the C3PAO into eMASS and on to SPRS |
| Critical CUI requiring Level 3 | Level 3 (DIBCAC) | Subset of NIST SP 800-172; requires a Final Level 2 (C3PAO) first |
Source: 32 CFR Part 170; NIST SP 800-171 Revision 2.
What to ask about scope, CUI, and your SSP before signing
CMMC scoping is where engagements quietly succeed or fail. A serious provider identifies where FCI and CUI are processed, stored, or transmitted, categorizes your assets correctly, and ties the scope to your SSP, asset inventory, and network diagram before recommending tools. 32 CFR Part 170 requires the CMMC Assessment Scope to be specified prior to assessment, and 32 CFR 170.19 defines distinct asset categories you must document.
Make them earn it with specifics. “How will you find our CUI?” should produce questions back at you: Who creates it? Who receives it from the prime, and is it marked correctly? Does it live in email, Teams, SharePoint, or a file share? Does an engineering system or the shop floor touch it? Do subcontractors receive it?
Asset categories (32 CFR 170.19)
| Asset category | Ask the consultant | Evidence to request | Why the assessor cares |
|---|---|---|---|
| CUI Assets | “How do you confirm which assets store, process, or transmit CUI?” | Data-flow map + inventory | These must meet the Level 2 requirements |
| Security Protection Assets | “Which assets provide security functions for our CUI, and how are they covered?” | SPA list + how they’re assessed | They protect the CUI environment and are in scope |
| Contractor Risk Managed Assets | “How will you handle assets we manage by policy rather than full control?” | Risk treatment + policy | Must be documented and consistent with your SSP |
| Specialized Assets | “How do you treat IoT/OT, government-furnished equipment, or test systems?” | Specialized-asset list + handling | Documented and managed per the rule |
| Out-of-Scope Assets | “What will you keep out of scope, and how do you justify it?” | Boundary rationale | Improper scope-out is an assessment risk |
The strongest signal here is a provider who can explain what they’ll keep out of scope—without resorting to magical scope-shrinking that won’t survive an assessor’s scrutiny. NIST SP 800-171 Revision 2 applies to the components that store, process, or transmit CUI, or that protect those components—so the boundary you draw drives both your cost and your odds of passing.
What to ask about evidence, artifacts, and assessment readiness
A consultant who only sells policies isn’t enough for most Level 2 buyers. You need to know which artifacts the provider produces, who owns them, how the evidence maps to the NIST SP 800-171A assessment objectives, and whether a future assessor will be able to examine, interview, and test your implementation. Level 2 certification assessments are conducted against NIST SP 800-171A, so evidence that isn’t mapped to objectives is evidence that won’t hold up.
Ask what evidence they actually help you create. A complete answer covers the SSP and POA&M, asset inventory, network diagrams, and artifacts for access control, multifactor authentication and identity, vulnerability management, audit logging, incident response, backups, media protection, training, and supplier/ESP management—plus the implementation screenshots, ticket history, and configuration exports that prove controls operate.
Two follow-ups protect you from the most common traps:
- “Can we export everything?” Your SSP, POA&M, and evidence library are yours. If they live only in the consultant’s portal with no export terms, you’ve bought lock-in, not readiness.
- “What happens if a C3PAO says we’re not ready?” The CMMC Assessment Process includes an early phase where the C3PAO validates scope and reviews your SSP and evidence availability before going deeper. A good readiness partner runs a mock against that same method so the surprises happen on your timeline, not the assessor’s.
What to ask about MSPs, cloud, GCC High, and FedRAMP Moderate
If an MSP, MSSP, cloud platform, enclave, or SaaS tool touches your CUI or your security-protection data, your consultant has to understand how that provider affects your scope, your SSP language, and your responsibility split. “We use GCC High” or “our MSP handles it” is not a complete CMMC answer. Under 32 CFR 170.19, External Service Provider relationships must be documented in the SSP and a Customer Responsibility Matrix, and cloud services that handle CUI must meet FedRAMP Moderate (or equivalent) requirements.
| If the external provider… | What must be documented | What to ask |
|---|---|---|
| Is a cloud service provider (CSP) that processes, stores, or transmits CUI | FedRAMP Moderate authorization (or FedRAMP Moderate equivalency, per DoD policy) | “Show me the CSP’s FedRAMP Moderate authorization or the equivalency evidence.” |
| Is a non-CSP External Service Provider (e.g., your MSP) handling CUI or security-protection data | The ESP relationship, services, and a Customer Responsibility Matrix in your SSP; the ESP’s services fall inside your assessment scope | “How will our MSP’s work show up in the SSP and CRM, and what’s in our assessment scope?” |
| Doesn’t touch CUI or security-protection data | A documented reason it’s out of scope | “How did you determine this provider is out of scope?” |
What should a CMMC consultant cost—and what do the DoD’s numbers leave out?
The DoD’s own published estimates are the honest anchor, but read them carefully. For a small entity, DoD estimates a Level 2 (C3PAO) certification at about $104,670 over three years, a Level 2 (Self) path at about $37,196 over three years, and a Level 1 self-assessment at $5,977 a year. Here’s the catch nearly every buyer misses—those figures deliberately exclude the cost of implementing the security requirements and remediation, because the DoD assumed contractors have been meeting NIST SP 800-171 since 2017. So your consultant and remediation spend sits on top of those numbers, and that’s where quotes diverge wildly.
| Path | DoD published estimate (small entity) | What the figure includes | What it excludes—your consultant’s scope |
|---|---|---|---|
| Level 1 (Self) | $5,977 / year | Self-assessment + annual affirmation | Implementing the 15 FAR 52.204-21 safeguards |
| Level 2 (Self) | $34,277 initial; $37,196 over 3 years | Assessment + affirmations | Gap remediation, SSP/POA&M, tooling, enclave |
| Level 2 (C3PAO) | $101,752 initial; $104,670 over 3 years | Assessment, certification, affirmations | All implementation, remediation, and readiness |
| Level 3 (DIBCAC) | Level 2 cost plus Level 3 implementation and assessment support | Government-led DIBCAC assessment | Extensive NIST SP 800-172 implementation |
Source: DoD Regulatory Impact Analysis and the Federal Register notice for 32 CFR Part 170 (CMMC Program rule). These figures assume NIST SP 800-171 Revision 2 is already implemented—they are not “from scratch” market prices.
This is exactly why two quotes for “the same thing” can differ by 5x: scope (one enclave versus your whole network), your starting maturity, whether the fee is fixed or time-and-materials, and whether ongoing compliance is bundled. So make the quote legible. Ask the provider to itemize discovery, gap assessment, SSP and POA&M, policies, technical remediation, tool licenses, managed operations, cloud or enclave work, evidence management, training, a mock assessment, the C3PAO fee, and annual sustainment—as separate lines, with assumptions and exclusions named. Then ask the one question the DoD’s number forces: “Your quote covers readiness—the federal estimate covers only the assessment that comes after. Where does your scope end and the C3PAO’s bill begin?”
For more on what CMMC costs, see our CMMC certification cost guide.
The statement-of-work questions that prevent expensive surprises
The statement of work (SOW) is where a consultant’s promises become enforceable—or vanish. Before you sign, require named deliverables, explicit ownership, written assumptions and exclusions, timeline dependencies, evidence-export rights, a responsibility matrix, data-handling limits, and change-order triggers. The single non-negotiable: the contract must not promise or imply a certification outcome.
Ask what concrete deliverables will exist when the engagement ends. A serious SOW produces, at minimum, a written scope memo, a CUI/FCI data-flow map, an asset inventory, a system-boundary diagram, your SSP, your POA&M, an evidence matrix, a policy and procedure set, an implementation plan, a responsibility matrix, affirmation support, and a sustainment plan—all of it customer-owned and exportable.
Then pin down what happens when things slip: milestone acceptance criteria, your dependencies and theirs, an escalation path, termination rights, and data-return and evidence-export terms on the way out.
And confirm, in writing, that the contract makes no certification guarantee. No consultant and no C3PAO can promise you’ll pass—the assessment determines the result, and the Cyber AB’s ethics rules require assessor objectivity and bar tying assessment work to a guaranteed certificate. A “guaranteed certification” clause isn’t reassurance. It’s a reason to walk.
Red flags that should make you walk away
The biggest red flags aren’t high prices—they’re role confusion, vague scope, guaranteed outcomes, tool-first advice, no evidence plan, unclear ownership, and a refusal to document assumptions. If a provider can’t explain what they do, what they don’t do, and how their work maps to your CMMC path, pause the engagement until it’s resolved in writing.
| Red flag | Why it matters | What to do |
|---|---|---|
| “We can prep and certify you.” | A three-year conflict-of-interest bar under 32 CFR 170.8(b)(17)(ii)(G). | Verify role separation immediately. 🛑 |
| “Guaranteed pass.” | No one can guarantee a certification outcome. | Walk away unless corrected in writing. 🛑 |
| “GCC High solves CMMC.” | A cloud tenant is not your whole scope. | Ask for the SSP, scope, and evidence plan. |
| “We don’t need to see your CUI flow.” | Scope can’t be guessed. | Stop the discovery. |
| “Policies first, tools later, you’re covered.” | Policies without working controls are weak evidence. | Ask for the evidence-to-objective map. |
| “One flat price, no assumptions.” | Hidden change-order risk. | Require a line-item SOW. |
| “You can POA&M anything.” | POA&M use is limited and closeout is time-boxed. | Ask for their POA&M policy. |
| “Your MSP is irrelevant.” | Your MSP may be an in-scope ESP. | Require a Customer Responsibility Matrix. |
| “Email us your diagrams and CUI.” | A data-handling failure during sales. | Use secure intake or sanitized facts. |
| “Rev. 3 is the CMMC Level 2 standard.” (no caveat) | Level 2 currently maps to Rev. 2 unless DoD amends the rule. | Make them explain the source. |
A couple of judgment calls, stated plainly. A low price isn’t the red flag—a low price with no scope, assumptions, deliverables, or exclusions is. And confidence isn’t the problem—a provider should be confident in their process. Confidence in the outcome is the problem.
One honest limitation worth saying out loud: a great cybersecurity firm is not automatically a great CMMC firm. General NIST 800-171 skill is necessary but not sufficient; assessment-objective fluency, scoping discipline, and evidence craft are their own skill set. Weigh the CMMC-specific track record, not just the security résumé.
And if you only handle FCI: you likely need Level 1, an annual self-assessment, and very little outside help—most of this page is overkill for you. Don’t let anyone upsell you into a Level 2 program you don’t need. Start with our CMMC Level 1 vs. Level 2 guide and the readiness checklist instead.
If a quote or a claim feels off, get a second set of source-checked options before you commit.
For primes and subs: what to ask before you accept or flow down a CMMC requirement
Flow-down isn’t a forwarding exercise. Before a prime flows a requirement down—or a sub accepts one—both sides should confirm what information is actually being processed, whether it’s FCI or CUI, and what CMMC status the subcontract requires. Under 32 CFR 170.23, the level a subcontractor needs depends on the data it handles and the prime’s own obligation.
| Your subcontract involves… | Minimum CMMC level for the subcontractor |
|---|---|
| FCI only | Level 1 (Self) |
| CUI, and the prime’s requirement is Level 2 (Self) | Level 2 (Self) |
| CUI, and the prime’s requirement is Level 2 (C3PAO) | Level 2 (C3PAO) |
| CUI, and the prime carries a Level 3 obligation | At least Level 2 (C3PAO) |
Source: 32 CFR 170.23. DoD-specific guidance on a given contract can require more, so confirm the actual flow-down language.
If you’re a subcontractor, ask your prime:
- Are you flowing FCI, CUI, or both?
- Which clause drives the requirement?
- What CMMC level and status does the subcontract require?
- Will we receive proper CUI markings?
- Which of our systems are expected to handle the information?
- What’s the timing for award, option, or renewal?
If you’re a prime, ask your subs:
- Do you have a current NIST SP 800-171 assessment posted in SPRS?
- Which CAGE codes and systems are in scope?
- What’s your current assessment score and path to all 110 requirements?
- Who’s your affirming official?
- Are you using External Service Providers or cloud service providers?
- Do you have CUI-handling procedures?
Source: DFARS 252.204-7019 and -7020.
How to score and compare your finalists
Don’t compare CMMC consultants by how smooth the pitch was. Compare them on role fit and independence, scoping discipline, evidence and SSP/POA&M method, technical remediation capability, SOW transparency, and willingness to disqualify you when you’re not ready. Weight the first two most heavily, because a failure there can cost you a contract.
100-point scoring model
| Category | Points | Automatic fail if it collapses? |
|---|---|---|
| Role fit and independence | 20 | Yes |
| Scope and CUI/FCI discovery | 20 | Yes |
| Evidence and SSP/POA&M method | 20 | No |
| Technical remediation capability | 15 | No |
| Cost and SOW transparency | 15 | No |
| Flow-down and sustainment | 10 | No |
How to read the score:
- 85–100 Strong candidate; request the final scoped quote.
- 70–84 Promising; clarify the weak areas before you sign.
- 50–69 High risk unless you limit the engagement.
- Under 50 Don’t proceed.
- Any 🛑 Pause regardless of the total.
If one provider is clearly highest, ask for the final SOW, deliverables, assumptions and exclusions, data-handling instructions, ownership terms, a conflict-of-interest disclosure, and references that match your size, environment, and assessment path. If two are close, break the tie on provider-category fit, not personality. And if every provider seems vague, that’s a signal too—you may need a short scoping engagement before you commit to readiness or remediation at all.
What we verified before publishing this guide
This guide is built from primary sources, not vendor claims. We read the current CMMC rule framework, the DFARS implementation timing, the NIST publication mapping, the Cyber AB ecosystem roles and the Code of Professional Conduct, the SPRS and affirmation obligations, the federal cost estimates, and the DoD Inspector General’s audit of the C3PAO authorization process—then turned them into questions you can use on a call.
| Claim area | Source we checked | What it means for you |
|---|---|---|
| CMMC program rule | Federal Register / eCFR, 32 CFR Part 170 | The program is real and effective December 16, 2024 |
| DFARS implementation | Federal Register, DFARS final rule (Case 2019-D041) | CMMC clauses began entering applicable contracts on November 10, 2025 |
| Level 2 control basis | eCFR / NIST SP 800-171 Rev. 2 | CMMC Level 2 maps to NIST SP 800-171 Revision 2 (110 requirements, 14 families) under the current rule |
| Assessment paths | eCFR, 32 CFR 170.15–170.17 | Level 2 (Self) posts to SPRS; Level 2 (C3PAO) is posted by the C3PAO via eMASS to SPRS |
| Conflict of interest | 32 CFR 170.8(b)(17)(ii)(G); 170.9(b)(2); Cyber AB CoPC v2.0 | A firm that prepares you is barred from your Level 2 assessment for three years |
| Scope | eCFR, 32 CFR 170.19 | Scope must be specified before assessment; the five asset categories must be documented |
| Cloud / ESP | eCFR, 32 CFR 170.19 | CSPs handling CUI need FedRAMP Moderate or equivalent; ESPs must be in the SSP and CRM |
| Cost | Federal Register / DoD Regulatory Impact Analysis | DoD’s figures are useful anchors but exclude implementation and remediation |
| Assessor verification | DoD OIG, Report No. DODIG-2025-056 (Jan 10, 2025) | The OIG found gaps in C3PAO authorization—verify status yourself, on the day you sign |
If you removed every call to action on this page, the scorecard, the verification steps, and the cost reality would still stand on their own. That’s the test we hold ourselves to.
Frequently asked questions
The most common questions about hiring a CMMC consultant come down to role, credentials, cost, evidence, certification authority, and scope. Short, sourced answers below.
- What is the first question to ask a CMMC consultant?
- Ask: “Which CMMC level and assessment type applies to us, and what facts are you basing that on?” It forces the provider to start with your contract requirement, your FCI/CUI handling, your scope, and your assessment path—instead of jumping to tools or a package.
- Can a CMMC consultant certify us?
- No. A readiness consultant or RPO can help you prepare, but Level 2 certification assessments are performed only by Cyber AB-authorized or accredited C3PAOs, and Level 3 assessments are performed by DCMA DIBCAC after a Final Level 2 (C3PAO) status. (Source: 32 CFR Part 170.)
- What's the difference between a CMMC consultant and a C3PAO?
- A consultant helps you prepare, remediate, document, and organize evidence. A C3PAO performs the formal Level 2 certification assessment and must manage impartiality and conflicts of interest under the Cyber AB’s rules—including the bar on assessing a client it helped prepare within the prior three years. (Source: 32 CFR 170.8(b)(17)(ii)(G), 170.9.)
- Should we hire a CMMC consultant or an MSP?
- It depends on your gap. A consultant may handle scoping, the SSP, the POA&M, and readiness; an MSP or MSSP may operate technical controls; many Level 2 projects need both. The key question is who owns each control, artifact, system, and recurring task.
- What should a CMMC consulting statement of work include?
- Scope assumptions, named deliverables, ownership, exclusions, timeline dependencies, evidence responsibilities, External Service Provider responsibilities, change-order triggers, and a clear statement of whether the work is advisory, implementation, validation, or assessment preparation—with no certification guarantee.
- How much does a CMMC consultant cost?
- There’s no universal price; it depends on scope, maturity, environment, tooling, remediation, and assessment path. The DoD’s estimates (about $37,196 for a Level 2 self-assessment and about $104,670 for a Level 2 C3PAO certification, both over three years for a small entity) are useful anchors, but they assume NIST SP 800-171 Revision 2 is already implemented, so they aren’t “from scratch” market pricing. (Source: Federal Register / DoD Regulatory Impact Analysis.)
- Is NIST SP 800-171 Revision 3 the current CMMC Level 2 standard?
- No. Revision 3 exists, but the current 32 CFR Part 170 maps CMMC Level 2 to NIST SP 800-171 Revision 2 unless and until the DoD amends the rule. Be cautious of any consultant who states Rev. 3 is the requirement without that caveat. (Source: 32 CFR Part 170; NIST CSRC.)
- What's the biggest red flag when hiring a CMMC consultant?
- A provider that can’t separate role, scope, evidence, and assessment authority. “We can prep and certify you,” a guaranteed pass, tool-first answers, and vague all-in-one pricing should all stop the process until they’re resolved in writing.
- Should we ask for references?
- Yes—but ask for references that match your level, company size, environment, and assessment path. A reference from a large enterprise with a mature security team won’t tell you much if you’re a small contractor with CUI in email and no SSP yet.
- Should we send CUI during consultant discovery?
- No. Don’t send CUI, sensitive diagrams, vulnerabilities, or contract-sensitive details through unsecured intake forms or email. Use sanitized facts during sales and ask the provider for secure-intake procedures before sharing anything sensitive.
Related reading
- Best CMMC Consultants for Defense Contractors — source-checked provider categories by role
- How to Choose a CMMC Consultant — independent 2026 vetting guide
- RPO vs. C3PAO: What’s the Difference?
- How to Find an Authorized C3PAO
- CMMC Certification Cost Guide
- CMMC Readiness Checklist
- What to Do After a CMMC Gap Assessment