Rewrite: how-to-choose-a-cmmc-consultant
Discover top CMMC consultants to enhance your compliance journey and streamline regulatory success.
---
How to Choose a CMMC Consultant
The CMMC consulting market includes some of the most qualified defense cybersecurity practitioners in the country and a meaningful number of people who got a Registered Practitioner (RP) credential, updated their LinkedIn, and now offer "CMMC compliance services."
The credential structure is confusing enough that it's easy to hire someone who looks qualified and discover three months in that their CMMC experience is thin. Here's how to tell the difference.
The Credential Landscape
The Cyber AB (the CMMC Accreditation Body) administers three individual credentials and one firm-level designation relevant to CMMC consulting. Understanding what each one means helps you evaluate who you're talking to.
Registered Practitioner (RP) — Entry-level credential. Requires passing an online training course and exam. Demonstrates basic familiarity with the CMMC program. Does not require demonstrated experience implementing CMMC controls or supporting contractors through assessments. An RP credential is the floor, not the ceiling. Many RPs are genuinely skilled consultants with deep CMMC experience. Many are not. The credential alone tells you very little.
Certified CMMC Professional (CCP) — Mid-level credential. Requires completing an instructor-led training course and passing a more rigorous exam. Demonstrates more thorough knowledge of the CMMC framework, assessment methodology, and NIST 800-171. Better signal than RP, but still doesn't require demonstrated hands-on experience with actual CMMC implementations.
Certified CMMC Assessor (CCA) — The assessor credential. Required for individuals who conduct C3PAO assessments. Requires holding the CCP credential and then completing additional assessor-specific training and passing its exam. CCAs have been trained specifically in NIST 800-171A assessment methodology. A consultant with CCA credentials has been through the assessment training — that's meaningful context for helping you prepare for an assessment.
Registered Practitioner Organization (RPO) — Firm-level designation. A company that employs certified practitioners and has registered with the Cyber AB. RPOs are listed in the Cyber AB Marketplace. The RPO designation indicates the firm has made a commitment to the CMMC ecosystem, but it does not guarantee the quality of individual consultants.
The key point: Credentials are a starting filter, not a selection criterion. Two CCPs can have dramatically different levels of actual CMMC implementation experience. Your evaluation doesn't end at credential verification.
The Four Questions That Matter
"How many CMMC Level 2 C3PAO assessments have your clients completed, and can I speak with one?"
This is the most important question in your evaluation. Everything else is preparatory.
A consultant who has supported multiple contractors through completed C3PAO assessments understands what assessors actually look for, what evidence actually satisfies specific controls, and what SSP language works versus what generates findings. That's different from a consultant who has helped clients prepare for assessments, or who has conducted internal readiness reviews, or who "specializes in NIST 800-171."
As of 2025, the number of organizations that have completed CMMC Level 2 C3PAO assessments is still relatively small. A consultant who can name three clients that passed Level 2 assessments in the past 18 months has genuine currency. A consultant who has been "CMMC-focused since 2020" but can't name a client who completed a C3PAO assessment is selling preparation experience, not certification experience. That's not useless — but it's a different product.
Ask to speak with a client reference who is comparable to your organization in size and industry. What did the assessment actually look like? What went well? What did the consultant struggle with? How close was the mock assessment to the real one?
"Walk me through how you'd approach our gap assessment."
A consultant with genuine CMMC expertise will describe a structured methodology: reviewing your asset inventory and data flows to establish scope, evaluating each of the 110 controls against your current environment using specific assessment techniques, calculating a preliminary SPRS score using the DoD Basic Assessment Methodology, and producing a written report with current-state documentation for each control.
A consultant without that expertise will describe a general cybersecurity review: "we'd look at your security controls and identify gaps relative to NIST 800-171." That's accurate as far as it goes, but it lacks the specificity that tells you they've done this before.
Ask a follow-up: "For access control, how would you verify whether AC.L2-3.1.1 and AC.L2-3.1.2 are implemented?" A good answer describes reviewing Active Directory settings, interviewing the system admin, checking for shared accounts and service accounts, and verifying that access restrictions match documented role definitions. A vague answer suggests they're reasoning through it rather than drawing on direct experience.
"What do you produce at the end of Phase 1, and can I see a sanitized example?"
This tells you two things: how they structure their work, and whether they've done it enough times to have a sample to show you.
A gap assessment report should be a written document with current-state assessment for each of the 110 controls, methodology notes, a calculated SPRS score, and a prioritized gap list. If a consultant can't show you what that looks like (even sanitized), either they've never produced one or they produce work they're not proud to show.
The same logic applies to SSPs. Ask to see a sanitized section — the access control domain or the audit and accountability domain — from a past engagement. The specificity of the implementation descriptions tells you whether the SSP is real or templated.
"Are you or your firm a C3PAO, or affiliated with a C3PAO?"
A consultant cannot both prepare you for a CMMC assessment and conduct that assessment. The Cyber AB prohibits C3PAOs from having financial relationships with the organizations they assess. If the consulting firm is also a C3PAO, or has a referral relationship with a specific C3PAO, you need to understand how that affects their advice.
This isn't necessarily disqualifying — but you should know about it. A firm that earns more money from referrals to a specific C3PAO has an incentive to recommend that C3PAO whether or not it's the best fit for your organization.
RPO vs. Independent Consultant vs. General IT Firm
RPO firm: Registered with the Cyber AB, typically employs multiple CCPs or CCAs, has institutional experience with CMMC engagements. Best for organizations that want structured methodology, defined deliverables, and accountability of a firm rather than an individual. Larger RPO firms may have less bandwidth for smaller clients; smaller RPOs may have more senior attention on your engagement.
Independent consultant: An individual CCP or CCA who operates independently. Can offer more direct access to senior expertise and may be more flexible on scope and pricing. The risk: no bench depth. If your consultant gets sick or has a personal emergency mid-engagement, your timeline slips. Ask about their backup plan.
General IT consulting firm with a "CMMC practice": Many IT services firms have added CMMC to their service catalog. This can work if the individuals assigned to your engagement have genuine CMMC expertise — but verify that. "Our firm does CMMC" means nothing if the person assigned to your project just took the RP course. Ask specifically who will be doing the work and verify their credentials and experience individually.
The cost difference: Experienced CMMC consultants with CCA credentials at established RPO firms typically charge $200–$300 per hour. Independent CCPs with solid track records charge $150–$250. General IT firms with a CMMC practice may charge $100–$180, but the lower rate may reflect thinner expertise. You're not necessarily saving money if the lower-cost consultant takes twice as long or produces work that requires significant rework.
Evaluating Proposals
When comparing proposals from multiple consultants, look beyond the fee structure:
Scope specificity. Does the proposal reference your specific environment — the systems you described in your intake, the controls most relevant to your industry? Or is it a generic CMMC proposal with your name on it?
Deliverable definition. Are the deliverables described in concrete terms — "gap assessment report covering all 110 NIST 800-171 controls with preliminary SPRS score" — or vague terms — "comprehensive compliance review"?
Timeline realism. A gap assessment that takes four weeks is realistic. A full CMMC engagement that promises Level 2 readiness in six weeks for an organization starting from scratch is not. A proposal with an aggressive timeline for complex work reflects either a misunderstanding of your scope or a promise the consultant can't deliver.
Communication plan. How will the consultant keep you informed of progress? Weekly calls, written status reports, milestone reviews? The engagement should have defined checkpoints, not just a final deliverable.
Common Mistakes in Consultant Selection
Hiring based on certifications without verifying experience. An RP with two years of hands-on CMMC implementation experience is more useful than a CCP who has spent the last three years in general GRC consulting and recently added CMMC to their bio. Credentials are a starting filter. Experience is the real selection criterion.
Skipping the reference check. Most contractors don't call references. The ones who do learn things the proposal doesn't mention — how the consultant handled unexpected scope expansions, whether their SSP quality held up under assessor scrutiny, how they communicated when things went off track.
Selecting based on price alone. Within the $150–$300 per hour range, a lower-priced consultant whose work requires significant rework ends up costing more than a higher-priced consultant who gets it right the first time. CMMC consulting is not a commodity service. Quality varies enough that the cheapest option carries real risk.
What Your Assessor Expects
Your C3PAO assessor won't know who your consultant was or what they charged. What the assessor evaluates is whether your SSP accurately describes your environment, your controls work as documented, and your people understand the security program they're operating.
A good consultant makes that outcome more likely by giving you accurate gap analysis, helping you implement the right controls, and producing SSP documentation that's specific enough to satisfy an experienced assessor's scrutiny. A bad one gives you false confidence heading into an assessment you're not ready for.
The way to protect yourself is to require specific deliverables, check references, and test the consultant's expertise in your initial conversations. The four questions above will tell you more than any credential listing.
---
Searching for a CMMC consultant? Start with the Cyber AB Marketplace at cyberab.org/Catalog — it lists RPOs and practitioners by region and credential. Use it as a starting list, not a definitive recommendation. Then run the evaluation described above.