DEFENSE CONTRACTOR COMPLIANCE
Choosing a CMMC Compliance Consultant
What DoD contractors need to know about hiring a CMMC compliance consultant, when you need one, and how to choose the right one.
What is a CMMC Compliance Consultant?
A CMMC compliance consultant is a cybersecurity expert who aids your company in satisfying the Cybersecurity Maturity Model Certification (CMMC) requirements established by the DoD. CMMC is based upon NIST SP 800-171 and was created to safeguard the Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) throughout the defense industrial base.
The consultant's role is to help you understand what it takes to move your security program from where it is to where it needs to be to pass a formal assessment. They translate the requirements into plain language, recommend specific technical and policy changes, and get your team and documentation ready for certification.
A key distinction between a CMMC consultant and a C3PAO is that the consultant does not issue a rating or certification.
This is where many contractors go wrong. A CMMC consultant helps you get ready. At Level 2 you are assessed by an official body, a C3PAO (Certified Third-Party Assessment Organization). As a rule, the organization that prepares you should not be the organization that certifies you, for the sake of independence and integrity. A good consultant makes this line clear and helps you earn a passing grade — not buy one.
Do You Need a CMMC Compliance Consultant?
Not every company needs one, but most small and mid-sized contractors do. Consider bringing in a consultant if:
- You handle CUI or FCI, and your contracts (or your primes' contracts) now mention CMMC.
- You don’t have a dedicated, in-house cybersecurity or compliance team.
- You’ve read NIST 800-171 and don’t know how the 110 controls pertain to your environment.
- You’ve initiated a System Security Plan (SSP) or POA&M but it is still partial or out of date.
- Certification is required on a timeline tied to a contract award or renewal.
If you have an established internal security team that already understands NIST, you may only need a consultant for a gap assessment or a second opinion. If you're starting closer to zero, a consultant can save you months of trial and error – and a failed assessment.
What a CMMC Compliance Consultant Does
The best consultants walk you through a well-defined process rather than selling you a stack of tools. Here's what that typically looks like.
1. Gap assessment
They take stock of your current environment, compare it with the CMMC level you need — most contractors handling CUI need Level 2 — and give you a prioritized list of gaps.
2. SSP and scoping
They define your assessment boundary – which systems, people and data are in scope – and document how each control is addressed in your SSP, the foundational document that assessors review.
3. Remediation and POA&M
They help you (or your IT team) close the gaps by deploying multi-factor authentication, access control, logging, encryption and other controls. Anything still open is recorded in a Plan of Action & Milestones (POA&M).
4. Evidence and assessment readiness
They gather the evidence assessors will ask for, run a mock assessment and prepare your staff so there are no surprises on the day the C3PAO arrives.
Choosing the Right CMMC Compliance Consultant
Once you've decided you need help, the choice matters. Use these criteria:
- Deep NIST 800-171 and CMMC expertise. Ask how many clients they have prepared for assessment, and at what level.
- Defense-industry familiarity. CUI, DFARS 252.204-7012, and DoD contract language should be second nature.
- A managed IT capability (or a strong partnership). Many controls are day-to-day operational work – monitoring, patching, backups. A consultant who can also work inside your environment closes gaps faster and keeps you compliant after certification.
- Independence from your assessor. They should prepare you, not certify you.
- References and outcomes. Talk to contractors who have worked with them through a real assessment.
- Clear scope and pricing. Avoid vague retainers with no defined deliverables.
Questions to ask before you hire:
- What is the actual CMMC level required and how did you arrive at that?
- How do we scope our environment to reduce cost & complexity?
- Will you produce an SSP and POA&M, or just a report?
- Who will put in place the technical remediation — you, us or a partner?
- What do you do to keep us on course once we are certified?
- Once we are ready, can you introduce us to a reputable C3PAO?
Consultant, C3PAO or Managed IT Provider — Who Does What?
Think of it as three jobs. A managed IT provider runs and secures your day-to-day technology. A CMMC consultant builds your compliance roadmap and documentation. A C3PAO certifies you independently. For many small contractors, the most effective arrangement is a single partner that provides both managed IT and CMMC consulting and then hands you off to an independent C3PAO for the assessment: fewer vendors, less finger-pointing, and one team accountable for security and compliance.
Frequently Asked Questions
What does a CMMC compliance consultant do?
A CMMC compliance consultant evaluates your existing cybersecurity practices against CMMC and NIST 800-171 requirements, documents your System Security Plan, helps remediate any gaps, and prepares your personnel and documentation for a formal assessment by a C3PAO. In short, they get you ready to pass.
How much does a CMMC compliance consultant cost?
Prices vary widely with company size, scope and the amount of remediation required. For small contractors, costs range from a few thousand dollars for a gap assessment to tens of thousands for full readiness work covering the SSP, remediation and a mock assessment. The best way to control cost is to set a clear scope at the outset.
Do I need a consultant or a C3PAO?
Both – at different stages. A consultant prepares you for certification, and a C3PAO carries out the official Level 2 assessment. They should be separate organizations to preserve independence.
When should I engage a consultant?
As soon as possible, ideally well before a contract requires certification. Becoming ready can take several months depending on your starting point, so don't risk losing or delaying awards by waiting.
Can a managed IT provider help with CMMC?
Yes. A managed IT service provider experienced in CMMC can not only implement the required security measures but also help you navigate the compliance documentation, potentially saving time and money.
Conclusion
CMMC certification is an increasing cost of doing business with the DoD, but it doesn't need to stall your mission-critical work. The right CMMC compliance consultant gives you a clear path, closes the gaps that matter, and walks with you into the assessment.
The ideal time to build that roadmap is when you are starting out or partway through an SSP, before a contract forces your hand.
Ready to find out where you stand?
Solvere One helps defense contractors throughout Virginia, DC, and Maryland prepare for CMMC Level 2, blending hands-on managed IT with practical compliance guidance. Set up your CMMC readiness conversation today.