CMMC Certification: What Services You Actually Need

Explore essential CMMC certification services to help defense contractors achieve compliance with ease.


The CMMC services market is full of vendors selling solutions to problems you might not have. Spend time in the wrong corners of this space and you'll find consultants offering "CMMC certification packages" that promise everything from policy writing to training to cloud infrastructure — often before they've asked a single question about your environment.

You don't need a full-service package. You need specific services at specific points in the process, and you need to know the difference between services that are mandatory and services that are optional.

Here's how to think about it.

The Four Things Every Level 2 Contractor Actually Needs

1. Gap Assessment

Before you can remediate, you need to know where you stand. A gap assessment measures your current implementation against all 110 NIST SP 800-171 controls and produces two outputs: a list of what's missing or incomplete, and a preliminary SPRS score.

What good looks like: A qualified consultant (or RPO firm) systematically evaluates your environment against each control, documents the current state of implementation, identifies gaps, and produces a written report with prioritized findings. The findings feed directly into your POA&M and remediation plan.

What to avoid: A vendor who runs an automated scan and hands you a dashboard. Automated tools can evaluate some technical controls but cannot assess policy quality, personnel training adequacy, physical access controls, or personnel security practices. Any gap assessment that doesn't involve interviews with your staff and review of your actual documentation is incomplete.

Cost: $5,000–$25,000 for a small-to-mid-size organization (50–300 employees), depending on complexity and whether the provider also does the remediation planning. Some RPO firms include the gap assessment in a broader engagement; others charge for it separately. Budget for a standalone assessment so you have a clean baseline before committing to a larger remediation engagement.

DIY option: CISA's free Cybersecurity Evaluation Tool (CSET) supports NIST 800-171 gap analysis. It's usable without a consultant. The limitation is that it relies on your self-reported answers — it doesn't independently verify what you say. For a first pass, it's useful. For assessment-quality evidence, you need either an independent assessor or very thorough self-documentation.

2. Technical Implementation and Remediation

The gap assessment tells you what's missing. Someone has to actually implement the controls. This is where the real cost lives.

Technical implementation covers: configuring MFA and identity management, deploying and tuning endpoint protection, establishing centralized audit logging, implementing network segmentation or an enclave, setting up vulnerability management, configuring FIPS-compliant encryption, and hardening systems against your documented baseline configurations.

Who does this work:

  • Your internal IT team, if they have the security expertise and capacity. Many small defense contractors have one or two IT generalists who can implement most controls with adequate documentation and time. The risk is that security implementation requires specific expertise that general IT work doesn't always provide.
  • A Managed Service Provider (MSP) specializing in CMMC, if you outsource IT. Your MSP can implement and manage most technical controls, provided it has CMMC experience and is not itself a security risk (it will be a Security Protection Asset in your scope). Vet the MSP carefully — one that doesn't understand CMMC scoping can create as many problems as it solves.
  • A CMMC consultant or RPO firm, typically engaged for the higher-stakes implementation work (enclave design, SSP writing, evidence package preparation) while your IT team or MSP handles routine configuration. This hybrid approach is common for mid-size contractors.

Cost: Highly variable. A simple environment with most technical controls already in place (MFA, encryption, endpoint protection) might need $30,000–$80,000 in remediation work. A contractor starting from a minimal security baseline with a complex environment could spend $200,000–$500,000 getting to Level 2 readiness. The gap assessment should give you a realistic estimate before you commit to remediation work.

3. SSP and Documentation Writing

Your System Security Plan is the deliverable your assessor evaluates most heavily. It has to accurately describe how you implement each of the 110 controls, reference your supporting policies and procedures, and be consistent with your actual configurations.

You can write this internally, but it requires someone who understands NIST 800-171 deeply enough to write technically accurate implementation descriptions for every control. Generic policy templates are a starting point, not a finished product.

Decision point: If your security officer or IT lead has written SSPs before, they can do this work. Budget 80–150 hours. If nobody on your team has done this before, an experienced consultant will write a better SSP faster — typically 40–80 hours of consultant time at $150–$300 per hour for a first draft, plus your internal review and customization.

What you should never do: buy a pre-written SSP template and submit it without thorough customization. Assessors read SSPs every day. They can tell the difference between a customized SSP and a template with your company name inserted. Template-quality SSPs generate findings.

4. C3PAO Assessment (if required)

If your contract requires CMMC Level 2 certification (not self-assessment), you need a C3PAO. This is mandatory — there's no working around it.

Find authorized C3PAOs through the Cyber AB marketplace at cyberab.org/Catalog. When comparing C3PAOs, evaluate their experience with organizations of your size and complexity, their scheduling availability, and their fee structure.

Cost: $20,000–$75,000 for the assessment itself, depending on organization size and scope. This is a direct payment to the C3PAO — your preparation costs are separate. Factor in travel and lodging if the C3PAO is not local, or negotiate a remote assessment option for the document review phase.

If you only need self-assessment: Organizations with contracts that allow CMMC Level 2 self-assessment can bypass the C3PAO entirely. You conduct the assessment using the DoD Basic Assessment Methodology, calculate your SPRS score, and submit via PIEE. Your company's senior official must affirm the score. If the score is wrong and DoD finds out, the False Claims Act applies — so self-assessments need to be honest and well-documented.

Services You Probably Don't Need (Yet)

Full-Service "CMMC Package" from a Single Vendor

The appeal is obvious: one vendor handles everything. The problem is that the best gap assessor isn't necessarily the best SSP writer, and the best SSP writer isn't necessarily the best C3PAO (and in fact can't be your C3PAO). Bundled packages often mean you're buying services at inflated rates or from specialists who aren't specialists.

Buy services separately, from providers who specialize in each phase. Use an RPO or consultant for preparation work. Use a C3PAO for certification. Evaluate each based on their track record in that specific service.

GRC Platform (Until You Have the Basics in Place)

Compliance automation tools like Secureframe, Drata, or Vanta are useful for evidence collection and continuous monitoring once you've implemented controls. If you buy one before your controls are in place, you're paying $15,000–$40,000 per year for a dashboard that shows you're not compliant. Implement first, monitor second.

Training Platform as a Gap Filler

Security awareness training (KnowBe4, Proofpoint, SANS) is a required control (AT.L2-3.2.1) and you do need a training program. But buying a training platform doesn't close the AT domain gap — you still need to run training, track completions, and produce records. The platform is a delivery mechanism. The content, schedule, and documentation practices are on you.

Penetration Testing (Before You're Ready)

Pen testing is not required at CMMC Level 2. It's required at Level 3. If a vendor is pitching pen testing as part of your Level 2 preparation, that's a service you can defer until after certification. Vulnerability scanning (RA.L2-3.11.2) is required — but a scan is not a pen test, and a pen test won't improve your score until you've addressed the foundational controls first.

Confusing These Two Things Will Cost You

RPO vs. C3PAO. A Registered Practitioner Organization (RPO) is a consulting firm registered with the Cyber AB that can help you prepare for CMMC. They can do gap assessments, write your SSP, help with remediation planning, and conduct mock assessments. They cannot certify you. A C3PAO is an authorized assessment organization that can conduct your official assessment and issue your certification. They are two different things, and using an RPO for preparation does not create a conflict with using a separate C3PAO for certification.

Some contractors hire their RPO under the assumption that passing the RPO's readiness review is equivalent to CMMC certification. It isn't. The RPO check is preparation. The C3PAO assessment is certification.

What Your Assessor Expects

Your C3PAO doesn't care which vendors you used or how much you spent on consulting. They care about three things: your SSP accurately reflects your environment, your controls are implemented, and the evidence supports what the SSP claims.

The most efficient path to a successful assessment is:

  1. Know your gaps (gap assessment)
  2. Fix the gaps (technical implementation)
  3. Document the fixes accurately (SSP and evidence package)
  4. Verify the documentation matches reality (mock assessment or internal review)
  5. Schedule your C3PAO assessment when you're actually ready

Organizations that skip step 4 discover their documentation gaps during the C3PAO assessment instead. That's a much more expensive place to find problems.

---

Not sure whether your contract requires certification or self-assessment? Look at the contract solicitation language. "CMMC Level 2 Certification" means C3PAO. "CMMC Level 2" without "certification" usually means self-assessment. When in doubt, ask your contracting officer — they'd rather clarify upfront than deal with a non-compliant awardee.
