← Custodia

CMMC Consultant: When You Need One, When You Do Not

We sell CMMC software with a compliance officer attached, so we have an obvious bias. We are going to tell you when to hire a consultant anyway, because the fastest way to lose your trust is to pretend every company needs the same thing.

L2 readiness consulting: $35k to $150kTypical timeline: 6 to 12 monthsPlatform with an officer: $397 to $1,499/mo

The answer in 60 words

Hire a CMMC consultant when your CUI scope is complex, an enclave has to be designed, a contract specifically demands a certified assessment, or you have no IT function. Skip one if you handle only FCI: that is Level 1, a self assessment of 15 requirements with no assessor and no score. Level 2 readiness consulting runs $35,000 to $150,000 over 6 to 12 months.

What a CMMC consultant actually does

“CMMC consulting” is not a regulated term. Anybody can print the business card. What the good ones sell is a sequence of six deliverables, and knowing the sequence is how you tell a real proposal from an expensive slide deck.

Scoping and boundary definition

Deciding which people, systems, and locations touch the covered information, and drawing the line around them. This is the highest leverage thing a good consultant does, because scope drives every other cost downstream.

Gap assessment

Walking your environment against the requirements and writing down what is met, what is not, and what is unclear. At Level 1 that is 15 safeguarding requirements. At Level 2 it is 110 requirements from NIST SP 800-171 Rev 2.

Remediation design

Deciding how each gap gets closed: a tenant setting, a new tool, a policy, a process change, or in serious CUI cases an isolated enclave. Some consultants design only, some implement, and the difference is usually tens of thousands of dollars.

SSP and policy authorship

Writing the System Security Plan and the supporting policies. Ask who owns and maintains this document after the invoice is paid. If the answer is vague, that is the single most expensive kind of vague in this industry.

POA&M construction

At Level 2 only, a Plan of Action and Milestones for requirements not yet met. There is no POA&M at Level 1: it is binary MET or NOT MET on all 15. A consultant proposing Level 1 POA&Ms does not know the model.

Evidence packaging and a mock assessment

Collecting screenshots, exports, and configuration records into something an assessor can follow, then dry running the assessment. This is real work and it is the part most contractors underestimate on their own.

What they charge

For Level 2 readiness, traditional consulting engagements commonly run $35,000 to $150,000 over 6 to 12 months. That range usually excludes licensing, enclave tooling, migration labor, and the assessment itself. For Level 1, engagements commonly quote $10,000 to $20,000 across four to eight weeks. Hourly advisory rates in the niche often run $250 to $400. If a contract genuinely requires certification, an authorized C3PAO assessment is a separate paid engagement on top, commonly $20,000 to $60,000 or more for a small scope.

Those are big numbers, and for the right company they are worth every dollar. The problem is that the same numbers get quoted to companies whose entire obligation is 15 self assessed requirements. Sorting out which company you are is the most valuable thing on this page. Our full breakdown by level and path lives on the CMMC cost page.

When you genuinely need a CMMC consultant

These are real. If you are in one of these situations, hire someone experienced and do not let a $400/month tool talk you out of it.

Your CUI scope is genuinely complex

Multiple entities, engineering data flowing between systems, a manufacturing floor, contractors on personal devices, or CUI already sprayed across a general purpose network. Untangling that is architecture work, and architecture work is what experienced people are actually worth paying for.

You need an enclave designed

If the honest answer is that CUI has to live somewhere isolated, someone has to design that enclave, migrate into it, and prove the boundary holds. That is a project, not a checklist.

A contract specifically demands C3PAO certification

If a live contract or a prime flowdown requires a certified Level 2 assessment on your scope, the stakes justify outside help. Note that your readiness consultant cannot also be your assessor on the same scope. See the independence rule below.

You have no IT function at all

No admin, no MSP, nobody who can log into the tenant and change a setting. Software that tells you what to do is worth very little if nobody can do it. Either hire the capability or buy a path that includes a human.

You are remediating a real problem

A failed government led assessment, a prime escalating on you, a disputed SPRS score, or a False Claims Act question on the table. That is not a self service moment. Get experienced help and probably a lawyer.

When you genuinely do not

This is the part the rest of the industry will not put on a page. Most small defense subcontractors handle Federal Contract Information only, not CUI. FCI is defined at FAR 4.1901. It is not marked, and it is not CUI. If that is you, your obligation is CMMC Level 1: a self assessment against 15 safeguarding requirements, binary MET or NOT MET, no numerical score, no POA&Ms, and no third party assessor anywhere in the process.

You handle FCI only, so you are a Level 1 company

Level 1 is a self assessment against 15 safeguarding requirements at FAR 52.204-21(b)(1)(i) through (xv). There is no assessor, no numerical score, no POA&Ms, and no C3PAO. Paying a consultant $10,000 to $20,000 to walk you through 15 requirements you affirm yourself is buying reassurance, not capability.

You are already on Microsoft 365 or Google Workspace

A small shop on a modern tenant usually has most Level 1 requirements one setting away. The work is finding the settings, turning them on, and capturing evidence. That is guided software work, not a six week engagement.

You have an IT person or an MSP already

If somebody can already administer your tenant, you are paying a consultant mostly for the checklist and the confidence. Both are available far cheaper.

You are exploring, not obligated

If no contract or clause in front of you requires anything yet, do not buy a project. Find out what your actual level is first. That question is free to answer and it is worth a lot of money.

Someone is selling you urgency

Deadline panic sells engagements. Right now, with DoD Phase 2 suspended, the deadline pressure is genuinely lower than it was. That is a reason to do this properly, not a reason to sign a rushed six figure statement of work.

None of that means Level 1 is trivial. You still have to actually do the 15 requirements, write a defensible System Security Plan, and have a senior official affirm it. That affirmation carries False Claims Act exposure if it is not true. It means the work does not need a six figure engagement wrapped around it. Our deep dive on this exact question is at do you need a consultant for Level 1.

The three paths, compared honestly

There are exactly three ways to get CMMC done. Every vendor in this market is selling one of them. All three end at the same place: a defensible assessment, an SSP, and an affirmation you can stand behind.

 DIYPlatform + officerTraditional consultant
Level 1 cost$0 plus 20 to 40 hours$249 to $397/mo$10,000 to $20,000
Level 2 costYour time, and a lot of it$1,499 to $2,499/mo$35,000 to $150,000
Time to filedDepends entirely on youAbout 30 days at L1, 180 days at L24 to 8 weeks at L1, 6 to 12 months at L2
Who writes the SSPYou, from a templateGenerated, you review and own itThem, ask who owns it after
Evidence reviewed by a humanNoYes, on officer plansYes, during the engagement
Annual affirmationStart over each yearTracked and prompted for youRe-engage and re-pay
Complex enclave designNoGuided, escalates to the officerYes, this is their strength
Right forTechnical founders with timeSmall teams who want it done and maintainedComplex CUI, enclaves, remediation

The DIY route is real and we document it for free at the DIY guide. The official DoD guides cost nothing. If you have the time and somebody technical, take that path with our blessing.

How to vet a CMMC consultant

If you have decided you want one, good. Ask these six questions on the first call. The answers sort the field fast.

Question 1

What level does my contract actually require, and which clause tells you that?

Why it works: A competent consultant reads your clauses and answers from them. FAR 52.204-21 points at Level 1 and FCI. DFARS 252.204-7012 and CUI markings point higher. If they cannot name your level from your paperwork, they are guessing with your money.

Question 2

Who writes the SSP, and who owns it after you leave?

Why it works: The SSP is a living document you have to maintain and re-affirm annually. If the consultant hands you a locked PDF and walks away, you own an artifact you cannot update. Ask for the editable source and the maintenance plan.

Question 3

Are you affiliated with a C3PAO, and how do you handle independence?

Why it works: Conflict of interest rules prevent an organization from assessing work it was paid to prepare. If a vendor offers to both get you ready and certify you on the same scope, that is a problem you want surfaced now rather than at the assessment.

Question 4

What is excluded from this fixed fee?

Why it works: Licensing, enclave tooling, migration labor, the assessment itself, and remediation are frequently outside the number on the proposal. Get the exclusions in writing before you compare quotes.

Question 5

What happens at annual affirmation time?

Why it works: CMMC is a cycle, not a project. Somebody has to re-assess and re-affirm every year. Ask whether year two is included, discounted, or a whole new engagement at full price.

Question 6

Will you sign my affirmation?

Why it works: The correct answer is no, and a good consultant will say so plainly. A senior official at your company affirms, and that official carries the accountability. Anyone implying they can carry that for you does not understand the exposure.

Red flags

  • Anyone who guarantees you will pass. No consultant controls an assessment outcome, and the promise itself signals they are selling comfort.
  • Anyone who cannot name your level after reading your contract clauses.
  • Anyone quoting Level 2 pricing for an FCI only scope. This is the most common overcharge in the market.
  • Anyone vague about who writes, owns, and maintains the SSP.
  • Anyone selling you GCC High, an enclave, or a tool stack before they have scoped you.
  • Anyone citing a hard CMMC deadline right now without mentioning that DoD suspended Phase 2 on July 13, 2026.
  • Anyone offering to both prepare you and assess you on the same scope.
  • Anyone who bills your annual affirmation as a brand new project every year.

The guarantee one is worth dwelling on. Nobody controls an assessment outcome, so nobody can promise the result. The honest phrasing is assessment ready: your package is complete, your evidence supports every claim, and your SSP matches reality. That is the only thing any vendor, including us, can actually deliver.

Consultant vs C3PAO: the independence rule

These get confused constantly, and the confusion is expensive. A consultant prepares you. A C3PAO assesses you, and it is the only kind of organization authorized to conduct an official certification assessment.

The part that matters commercially: conflict of interest rules prevent an organization from assessing work it was paid to prepare. Your readiness consultant cannotalso be your assessor on the same scope. When a vendor pitches you an end to end “we get you ready and we certify you” package, that is the moment to ask exactly how the two engagements are separated and which entity signs what. Getting this wrong can invalidate an assessment you already paid for.

Worth repeating, because it saves people real money: there is no C3PAO at Level 1 at all. If you are FCI only, the entire assessor economy is simply not part of your life.

Current as of July 2026

The Phase 2 suspension changed the math

A lot of consulting engagements got signed under deadline panic. C3PAO capacity was scarce, certification prices were climbing, and November 10, 2026 loomed. On July 13, 2026, DoD suspended CMMC Phase 2 and opened a 60 day top to bottom review. November 10 is no longer an operative deadline, and no C3PAO certification is required by a date right now. The Level 2 self assessment is the current path for CUI contractors.

What did not change: Phase 1 CMMC self assessment on applicable contracts, DFARS 252.204-7012, the NIST SP 800-171 Rev 2 baseline, government led assessments, and False Claims Act exposure for a false affirmation. Paused, not cancelled. The suspension removed the deadline pressure, not the requirement.

For anyone shopping consultants, the practical read is this: the urgency premium is off the table for the moment. That is an argument for doing this properly and affordably, not for panic buying a statement of work. It is also an argument against any vendor still selling you the old deadline.

Read the full explainer on the suspension →

Where we fit

Having laid out the comparison honestly, here is our pitch, and you can weigh it against everything above.

The reason people hire consultants is almost never the checklist. It is wanting a credentialed human to look at their work and say “yes, that holds up.” That is worth paying for. What is not worth paying for is buying that human as a one time $35,000 project when compliance is an annual cycle that never ends.

So we included the officer in the software. $397/month gets Level 1 guided end to end with a credentialed compliance officer reviewing your package the way an assessor would, year round, not for six weeks. The Level 2 Accelerator is $1,499/month, or $2,499/month with a year round officer, against $35,000 to $150,000 for the traditional engagement. Level 2 is filed in 180 days or we work free until it is. Every plan starts with a 7 day free trial, no credit card.

Custodia never stores CUI on the platform. And if you read the “when you genuinely need a consultant” section and saw yourself in it, go hire one. We would rather lose the sale than sell you the wrong shape of help.

Start where you actually are

FCI only

You are Level 1

15 requirements, self assessed, no assessor, no score. A consultant is usually overkill. Guided software finishes this in about 30 days.

You handle CUI

You are Level 2

110 requirements from NIST SP 800-171 Rev 2, self assessed and filed in SPRS with an annual affirmation. This is where consultants earn their fee, and where our Accelerator competes on price and permanence.

Not sure

Find out first

Do not buy anything until you know your level. This is the two minute question that decides whether your number has four digits or six. It is free.

CMMC consulting: FAQ

What does a CMMC consultant cost?

It depends entirely on your level. For Level 2 readiness, traditional consulting engagements commonly run $35,000 to $150,000 over 6 to 12 months, and that usually excludes licensing, enclave tooling, and the assessment itself. For Level 1, engagements commonly quote $10,000 to $20,000 over four to eight weeks. Hourly advisory rates in the niche often run $250 to $400. If certification is actually required, a C3PAO assessment is a separate paid engagement, commonly $20,000 to $60,000 or more for a small scope.

Do I need a CMMC consultant?

Often no. You genuinely need one when your CUI scope is complex, when an enclave has to be designed and migrated into, when a contract specifically demands a C3PAO certified assessment, when you have no IT function at all, or when you are remediating a failed assessment or a False Claims Act question. You usually do not need one if you handle Federal Contract Information only, which puts you at Level 1: that is a self assessment of 15 requirements with no assessor, no score, and no POA&Ms. Most small subcontractors are in that FCI only group.

Can I do CMMC myself?

At Level 1, yes, and the government designed it that way. Level 1 is self assessed and self affirmed against the 15 safeguarding requirements in FAR 52.204-21, using official DoD guides that cost nothing. Plan on 20 to 40 hours if you DIY from scratch. At Level 2, self assessment is the current path for CUI contractors, and it is a real 110 requirement lift against NIST SP 800-171 Rev 2, filed in SPRS with an annual affirmation. Self assessment is legally your own attestation either way, so the accuracy of what you affirm is your exposure, not your vendor's.

What should I ask a CMMC consultant?

Six questions. What level does my contract actually require, and which clause tells you that? Who writes the SSP, and who owns and maintains it after you leave? Are you affiliated with a C3PAO, and how do you handle independence? What is excluded from this fixed fee? What happens at annual affirmation time, is year two included or a new engagement? And will you sign my affirmation? The correct answer to the last one is no: a senior official at your company affirms and carries the accountability.

What is the difference between a CMMC consultant and a C3PAO?

A consultant prepares you. A C3PAO assesses you. A Certified Third Party Assessment Organization is authorized to conduct the official certification assessment, and conflict of interest rules prevent an organization from assessing work it was paid to prepare. That means the firm that does your readiness consulting cannot also be your assessor on the same scope. If one vendor offers you both, ask exactly how they separate the engagements, because getting this wrong can invalidate the assessment you paid for.

Is a CMMC consultant worth it for Level 1?

For most FCI only shops, no. Level 1 is 15 safeguarding requirements, self assessed, binary MET or NOT MET, with no numerical score, no POA&Ms, and no third party assessor. A company already on Microsoft 365 or Google Workspace typically has most of it one setting away. Paying $10,000 to $20,000 for that is paying consultant rates for a checklist. A guided platform, optionally with a credentialed compliance officer reviewing your package, gets you to the same defensible affirmation for a fraction of the cost.

Is there still a CMMC deadline I need a consultant to hit?

Not the one you probably read about. On July 13, 2026 the DoD CIO suspended CMMC Phase 2 and opened a 60 day top to bottom review, so November 10, 2026 is no longer an operative deadline and no C3PAO certification is required by a date right now. What remains fully in force: Phase 1 CMMC self assessment on applicable contracts, DFARS 252.204-7012, the NIST SP 800-171 Rev 2 baseline, government led assessments, and False Claims Act exposure for a false affirmation. Paused, not cancelled. The suspension removed the deadline pressure, not the requirement.

Keep reading

Get the officer without the consulting invoice

A credentialed compliance officer included in the platform, year round, reviewing your evidence the way an assessor would. $397/month at Level 1. $1,499/month for the Level 2 Accelerator. Start free for 7 days, no credit card.

Free · Every Monday

Get the federal bids a small business can win, in your inbox.

The Monday Bid Digest: brand-new SAM.gov solicitations matched to your NAICS, pre-filtered to Level 1 fit, with the CMMC gate called out on every one. Two minutes, no spam.

Get the Monday Bid Digest
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)