Master cybersecurity compliance consulting with key strategies to enhance security and mitigate risks.
Getting Value from Your CMMC Consultant
Hiring a CMMC consultant is not the hard part. Getting value from one is.
The CMMC consulting market has grown fast, and it includes firms with genuine expertise in defense contractor compliance, firms that are repackaging general cybersecurity consulting with CMMC branding, and everything in between. The quality of your consultant is important. But even a skilled consultant can deliver a bad engagement if the scope is wrong, expectations aren't set, or your organization isn't doing its part.
Here's how to structure a consulting engagement that produces the right outputs for your CMMC certification effort.
Define Deliverables Before You Sign Anything
The most expensive CMMC consulting engagements are open-ended retainers with no defined deliverables. You pay a monthly fee, the consultant shows up for status calls, and three months later you have a lot of PowerPoints and not much to show your C3PAO.
Every CMMC consulting engagement should be scoped to specific deliverables with defined timelines. Before you sign a contract, you should know:
- What documents will the consultant produce? (Gap assessment report, SSP draft, policy set, evidence package, etc.)
- What does "complete" look like for each deliverable?
- What inputs does the consultant need from your team, and by when?
- What does the consultant's work product look like before you review and finalize it?
- What's the timeline for each milestone?
A typical CMMC engagement for a small-to-mid-size organization covers three phases with distinct deliverables:
Phase 1 — Gap Assessment (4–6 weeks): Deliverable is a written gap analysis report with current-state assessment for each of the 110 controls, preliminary SPRS score, and prioritized remediation plan. This is a document you can use to drive internal planning, not just a conversation.
Phase 2 — Remediation Support (3–9 months, depending on gap count): Deliverables are written guidance for technical implementations, completed policy and procedure set, SSP draft, and evidence package structure. The consultant guides the work; your team does the implementation.
Phase 3 — Pre-Assessment Preparation (4–8 weeks before your C3PAO assessment): Deliverable is a mock assessment report using NIST 800-171A methodology with findings and a closure checklist. The mock assessment identifies gaps between your documentation and your actual implementation, with enough time to fix them.
Resist the urge to bundle all three phases into a single engagement at the outset. Do Phase 1 first. The gap assessment tells you how much Phase 2 will cost. Without that baseline, any Phase 2 estimate is a guess.
Your Responsibilities in the Engagement
A common pattern in failed consulting engagements: the contractor hires a consultant to "do CMMC" and then waits to receive compliance. It doesn't work that way.
Your consultant is an advisor and documentation resource. They cannot implement controls on your systems without being part of your security team. They cannot write an accurate SSP without detailed input from the people who actually manage your systems. They cannot conduct a meaningful interview preparation session without your personnel present. The more your team engages, the better the output.
The minimum your team needs to provide:
Access and availability. The consultant needs time with your IT staff, your security officer, your system administrators, and ideally your executive sponsor. If your people aren't available, the engagement stalls or produces low-quality output. Block calendar time at the start of the engagement and protect it.
Technical details about your environment. Your network diagrams, system inventory, existing configurations, current security tools, and any documentation you already have. The more context the consultant starts with, the less time they spend discovering basics.
Honest answers about what's actually implemented vs. what's aspirational. An SSP that accurately describes your current environment with honest gaps is more valuable than one that describes your intended environment as if it's already built. Your consultant needs to know the difference.
Timely review and approval of deliverables. If the consultant submits an SSP draft and your team takes three months to review it, that's not the consultant's delay. Define review timelines in your contract.
What to Do When Deliverables Aren't Right
Consultants produce work products. Sometimes those products miss the mark — too generic, built on a misunderstanding of your environment, or missing critical details. This is normal in complex engagements. What matters is how you handle it.
Give specific feedback, not vague criticism. "The SSP isn't detailed enough" doesn't help anyone. "The access control section for the file server doesn't reflect our actual Azure AD configuration — it needs to describe the conditional access policies and MFA enrollment process, not just say 'we use active directory'" gives the consultant something to fix.
Distinguish between errors and gaps. An SSP that describes your environment correctly but leaves controls thin because your team didn't provide enough detail is a gap-filling problem. An SSP that describes configurations you don't actually have is an accuracy problem. The first is fixed with more input from your team; the second is fixed with a conversation about what's real.
Track revision cycles. Your contract should define the number of revision rounds included in the fee structure. If you're asking for a fifth revision of the same section, either the initial scoping was insufficient or the requirements changed. Both have cost implications. Acknowledge them explicitly rather than letting scope creep quietly inflate the engagement.
Red Flags During an Engagement
The consultant is writing everything without your involvement. A consultant who disappears for six weeks and returns with a complete SSP draft has either worked with a very similar organization before, or they wrote a generic document and templated your company name in. Either way, you need to review it carefully before trusting it's accurate.
The deliverable timeline keeps slipping without explanation. Consulting projects run late sometimes. The red flag is when timelines slip without explanation or renegotiation. If you're 12 weeks into a 6-week Phase 1 and there's still no gap assessment report, you have a problem worth addressing directly.
The consultant can't answer specific technical questions. Your consultant doesn't need to be a firewall engineer, but they should be able to answer: "What does our SIEM need to log to satisfy AU.L2-3.3.1?", "How should we configure our backup system's access controls given that it's a Security Protection Asset?", "What does NIST 800-171A say the assessor will test for SC.L2-3.13.8?" If they can't answer these with specifics, they're navigating by general cybersecurity knowledge, not CMMC expertise.
They're discouraging you from getting a mock assessment. Some consulting firms avoid mock assessments because mock assessments expose gaps in the work the firm did. A consultant who genuinely wants you to pass your C3PAO assessment will welcome a mock assessment as a quality check on their work product.
How to Evaluate Whether You're Getting Value
Track against your Phase 1 deliverables. After Phase 1, you should have:
- A gap assessment report that documents the current state of each of the 110 controls
- A preliminary SPRS score with the methodology clearly shown
- A prioritized remediation plan with estimated effort for each gap
If you have those three things and they're accurate, you're getting value. If Phase 1 is done and you still can't answer "what's our current SPRS score and what are our top 10 gaps," the engagement isn't producing what it should.
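One way to check the "methodology clearly shown" deliverable is to recompute the preliminary score yourself from the gap report. The script below is an added example (not from the article or any consultant's toolkit): it applies the NIST SP 800-171 DoD Assessment Methodology as understood here (start at 110, subtract each unmet control's 5/3/1 weight, partial credit for 3.5.3 and 3.13.11) to a constructed set of control rows, then lists the top gaps ordered by points recovered and effort. Weights and effort hours are illustrative sample data, not the methodology's table.

```python
# Added example (not from the article): recompute a preliminary SPRS score
# from a gap-assessment record and list the top gaps. Scoring follows the
# NIST SP 800-171 DoD Assessment Methodology as understood here: start at
# 110, subtract each unmet control's weight (5, 3 or 1); 3.5.3 (MFA) and
# 3.13.11 (FIPS crypto) get partial credit. Rows/weights are constructed data.
from dataclasses import dataclass

# Deduction when the control is partially met: 3.5.3 = MFA only for remote
# and privileged users; 3.13.11 = encryption in use but not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class ControlStatus:
    control: str       # NIST 800-171 control id, e.g. "3.3.1"
    weight: int        # 5, 3 or 1 per the methodology's weighting table
    status: str        # "implemented", "partial" or "not_implemented"
    effort_hours: int  # remediation estimate from the gap report


def deduction(c: ControlStatus) -> int:
    """Points subtracted for one control."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.control]
    return c.weight  # any other partial implementation scores as unmet


def sprs_score(rows) -> int:
    """110 minus all deductions; controls absent from rows count as met."""
    return 110 - sum(deduction(r) for r in rows)


def top_gaps(rows, n=10):
    """Remediation priority: biggest deduction first, then least effort."""
    gaps = [r for r in rows if deduction(r) > 0]
    return sorted(gaps, key=lambda r: (-deduction(r), r.effort_hours))[:n]


# Constructed sample covering a few of the 110 controls (weights illustrative).
SAMPLE = [
    ControlStatus("3.1.1", 5, "implemented", 0),
    ControlStatus("3.3.1", 5, "not_implemented", 80),
    ControlStatus("3.5.3", 5, "partial", 40),
    ControlStatus("3.12.1", 5, "partial", 16),
    ControlStatus("3.13.8", 3, "not_implemented", 24),
    ControlStatus("3.13.11", 5, "partial", 60),
    ControlStatus("3.1.22", 1, "not_implemented", 4),
]

if __name__ == "__main__":
    print("preliminary SPRS score:", sprs_score(SAMPLE))
    for g in top_gaps(SAMPLE):
        print(f"{g.control:8} -{deduction(g)} pts  ~{g.effort_hours}h")
```

If the consultant's reported score does not match this recomputation for the same rows, the discrepancy is the first question to ask at the Phase 1 review.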
Track against Phase 2 deliverables on a milestone basis. Don't wait until the end of the engagement to discover that the SSP is generic or the evidence package doesn't cover half the domains. Schedule checkpoints at each domain completion: "By the end of week 6, we'll have the Access Control and Audit and Accountability sections of the SSP drafted and reviewed." Checkpoint reviews catch problems early.
Cost context: A full CMMC Level 2 consulting engagement (Phases 1–3 as described above) typically runs 300–600 hours of consultant time at $150–$300 per hour, for a total of $45,000–$180,000. That's a wide range because it depends heavily on your starting security posture. An organization with strong existing controls, good documentation habits, and capable IT staff needs less consultant time. An organization starting from a minimal security baseline needs more.
If a consultant is quoting significantly below the lower end of that range for a full engagement, ask them what's not included. If they're quoting significantly above the higher end without a clear explanation of why your environment is more complex, get a second opinion.
What Your Assessor Expects
Your C3PAO assessor will never interact with your consultant. What they evaluate is the output: your SSP, your evidence package, your implemented controls, and your personnel's ability to explain the security program.
The test of whether your consulting engagement succeeded is: can your own staff explain and demonstrate everything the SSP claims? If the consultant wrote your SSP but your team doesn't understand it, your assessor will find that gap in the interview phase. The SSP belongs to your organization, not to the consultant.
Before your assessment, walk through the SSP with the people who will be interviewed. Not to memorize answers — to make sure they know what the SSP says about their systems and they can confirm it's accurate. If your sysadmin reads the access control section and says "that's not quite how we have it configured," fix it before the assessment, not after.
---
Starting a new consulting engagement? Define three Phase 1 deliverables before you sign: gap assessment report, preliminary SPRS score, prioritized remediation plan. If the consultant can't commit to those three specifics in the contract, keep looking.