The answer in 60 words
Hire a CMMC consultant when your CUI scope is complex, an enclave has to be designed, a contract specifically demands a certified assessment, or you have no IT function. Skip one if you handle only FCI: that is Level 1, a self assessment of 15 requirements with no assessor and no score. Level 2 readiness consulting runs $35,000 to $150,000 over 6 to 12 months.
What a CMMC consultant actually does
“CMMC consulting” is not a regulated term. Anybody can print the business card. What the good ones sell is a sequence of six deliverables, and knowing the sequence is how you tell a real proposal from an expensive slide deck.
Scoping and boundary definition
Deciding which people, systems, and locations touch the covered information, and drawing the line around them. This is the highest leverage thing a good consultant does, because scope drives every other cost downstream.
Gap assessment
Walking your environment against the requirements and writing down what is met, what is not, and what is unclear. At Level 1 that is 15 safeguarding requirements. At Level 2 it is 110 requirements from NIST SP 800-171 Rev 2.
Remediation design
Deciding how each gap gets closed: a tenant setting, a new tool, a policy, a process change, or in serious CUI cases an isolated enclave. Some consultants design only, some implement, and the difference is usually tens of thousands of dollars.
SSP and policy authorship
Writing the System Security Plan and the supporting policies. Ask who owns and maintains this document after the invoice is paid. If the answer is vague, that is the single most expensive kind of vague in this industry.
POA&M construction
At Level 2 only, a Plan of Action and Milestones for requirements not yet met. There is no POA&M at Level 1: it is binary MET or NOT MET on all 15. A consultant proposing Level 1 POA&Ms does not know the model.
Evidence packaging and a mock assessment
Collecting screenshots, exports, and configuration records into something an assessor can follow, then dry running the assessment. This is real work and it is the part most contractors underestimate on their own.
What they charge
For Level 2 readiness, traditional consulting engagements commonly run $35,000 to $150,000 over 6 to 12 months. That range usually excludes licensing, enclave tooling, migration labor, and the assessment itself. For Level 1, engagements commonly quote $10,000 to $20,000 across four to eight weeks. Hourly advisory rates in the niche often run $250 to $400. If a contract genuinely requires certification, an authorized C3PAO assessment is a separate paid engagement on top, commonly $20,000 to $60,000 or more for a small scope.
Those are big numbers, and for the right company they are worth every dollar. The problem is that the same numbers get quoted to companies whose entire obligation is 15 self assessed requirements. Sorting out which company you are is the most valuable thing on this page. Our full breakdown by level and path lives on the CMMC cost page.
When you genuinely need a CMMC consultant
These are real. If you are in one of these situations, hire someone experienced and do not let a $400/month tool talk you out of it.
Your CUI scope is genuinely complex
Multiple entities, engineering data flowing between systems, a manufacturing floor, contractors on personal devices, or CUI already sprayed across a general purpose network. Untangling that is architecture work, and architecture work is what experienced people are actually worth paying for.
You need an enclave designed
If the honest answer is that CUI has to live somewhere isolated, someone has to design that enclave, migrate into it, and prove the boundary holds. That is a project, not a checklist.
A contract specifically demands C3PAO certification
If a live contract or a prime flowdown requires a certified Level 2 assessment on your scope, the stakes justify outside help. Note that your readiness consultant cannot also be your assessor on the same scope. See the independence rule below.
You have no IT function at all
No admin, no MSP, nobody who can log into the tenant and change a setting. Software that tells you what to do is worth very little if nobody can do it. Either hire the capability or buy a path that includes a human.
You are remediating a real problem
A failed government led assessment, a prime escalating on you, a disputed SPRS score, or a False Claims Act question on the table. That is not a self service moment. Get experienced help and probably a lawyer.
When you genuinely do not
This is the part the rest of the industry will not put on a page. Most small defense subcontractors handle Federal Contract Information only, not CUI. FCI is defined at FAR 4.1901. It is not marked, and it is not CUI. If that is you, your obligation is CMMC Level 1: a self assessment against 15 safeguarding requirements, binary MET or NOT MET, no numerical score, no POA&Ms, and no third party assessor anywhere in the process.
You handle FCI only, so you are a Level 1 company
Level 1 is a self assessment against 15 safeguarding requirements at FAR 52.204-21(b)(1)(i) through (xv). There is no assessor, no numerical score, no POA&Ms, and no C3PAO. Paying a consultant $10,000 to $20,000 to walk you through 15 requirements you affirm yourself is buying reassurance, not capability.
You are already on Microsoft 365 or Google Workspace
A small shop on a modern tenant usually has most Level 1 requirements one setting away. The work is finding the settings, turning them on, and capturing evidence. That is guided software work, not a six week engagement.
You have an IT person or an MSP already
If somebody can already administer your tenant, you are paying a consultant mostly for the checklist and the confidence. Both are available far cheaper.
You are exploring, not obligated
If no contract or clause in front of you requires anything yet, do not buy a project. Find out what your actual level is first. That question is free to answer and it is worth a lot of money.
Someone is selling you urgency
Deadline panic sells engagements. Right now, with DoD Phase 2 suspended, the deadline pressure is genuinely lower than it was. That is a reason to do this properly, not a reason to sign a rushed six figure statement of work.
None of that means Level 1 is trivial. You still have to actually do the 15 requirements, write a defensible System Security Plan, and have a senior official affirm it. That affirmation carries False Claims Act exposure if it is not true. It means the work does not need a six figure engagement wrapped around it. Our deep dive on this exact question is at do you need a consultant for Level 1.
The three paths, compared honestly
There are exactly three ways to get CMMC done. Every vendor in this market is selling one of them. All three end at the same place: a defensible assessment, an SSP, and an affirmation you can stand behind.
| DIY | Platform + officer | Traditional consultant | |
|---|---|---|---|
| Level 1 cost | $0 plus 20 to 40 hours | $249 to $397/mo | $10,000 to $20,000 |
| Level 2 cost | Your time, and a lot of it | $1,499 to $2,499/mo | $35,000 to $150,000 |
| Time to filed | Depends entirely on you | About 30 days at L1, 180 days at L2 | 4 to 8 weeks at L1, 6 to 12 months at L2 |
| Who writes the SSP | You, from a template | Generated, you review and own it | Them, ask who owns it after |
| Evidence reviewed by a human | No | Yes, on officer plans | Yes, during the engagement |
| Annual affirmation | Start over each year | Tracked and prompted for you | Re-engage and re-pay |
| Complex enclave design | No | Guided, escalates to the officer | Yes, this is their strength |
| Right for | Technical founders with time | Small teams who want it done and maintained | Complex CUI, enclaves, remediation |
The DIY route is real and we document it for free at the DIY guide. The official DoD guides cost nothing. If you have the time and somebody technical, take that path with our blessing.
How to vet a CMMC consultant
If you have decided you want one, good. Ask these six questions on the first call. The answers sort the field fast.
Question 1
What level does my contract actually require, and which clause tells you that?
Why it works: A competent consultant reads your clauses and answers from them. FAR 52.204-21 points at Level 1 and FCI. DFARS 252.204-7012 and CUI markings point higher. If they cannot name your level from your paperwork, they are guessing with your money.
Question 2
Who writes the SSP, and who owns it after you leave?
Why it works: The SSP is a living document you have to maintain and re-affirm annually. If the consultant hands you a locked PDF and walks away, you own an artifact you cannot update. Ask for the editable source and the maintenance plan.
Question 3
Are you affiliated with a C3PAO, and how do you handle independence?
Why it works: Conflict of interest rules prevent an organization from assessing work it was paid to prepare. If a vendor offers to both get you ready and certify you on the same scope, that is a problem you want surfaced now rather than at the assessment.
Question 4
What is excluded from this fixed fee?
Why it works: Licensing, enclave tooling, migration labor, the assessment itself, and remediation are frequently outside the number on the proposal. Get the exclusions in writing before you compare quotes.
Question 5
What happens at annual affirmation time?
Why it works: CMMC is a cycle, not a project. Somebody has to re-assess and re-affirm every year. Ask whether year two is included, discounted, or a whole new engagement at full price.
Question 6
Will you sign my affirmation?
Why it works: The correct answer is no, and a good consultant will say so plainly. A senior official at your company affirms, and that official carries the accountability. Anyone implying they can carry that for you does not understand the exposure.
Red flags
- Anyone who guarantees you will pass. No consultant controls an assessment outcome, and the promise itself signals they are selling comfort.
- Anyone who cannot name your level after reading your contract clauses.
- Anyone quoting Level 2 pricing for an FCI only scope. This is the most common overcharge in the market.
- Anyone vague about who writes, owns, and maintains the SSP.
- Anyone selling you GCC High, an enclave, or a tool stack before they have scoped you.
- Anyone citing a hard CMMC deadline right now without mentioning that DoD suspended Phase 2 on July 13, 2026.
- Anyone offering to both prepare you and assess you on the same scope.
- Anyone who bills your annual affirmation as a brand new project every year.
The guarantee one is worth dwelling on. Nobody controls an assessment outcome, so nobody can promise the result. The honest phrasing is assessment ready: your package is complete, your evidence supports every claim, and your SSP matches reality. That is the only thing any vendor, including us, can actually deliver.
Consultant vs C3PAO: the independence rule
These get confused constantly, and the confusion is expensive. A consultant prepares you. A C3PAO assesses you, and it is the only kind of organization authorized to conduct an official certification assessment.
The part that matters commercially: conflict of interest rules prevent an organization from assessing work it was paid to prepare. Your readiness consultant cannotalso be your assessor on the same scope. When a vendor pitches you an end to end “we get you ready and we certify you” package, that is the moment to ask exactly how the two engagements are separated and which entity signs what. Getting this wrong can invalidate an assessment you already paid for.
Worth repeating, because it saves people real money: there is no C3PAO at Level 1 at all. If you are FCI only, the entire assessor economy is simply not part of your life.
Current as of July 2026
The Phase 2 suspension changed the math
A lot of consulting engagements got signed under deadline panic. C3PAO capacity was scarce, certification prices were climbing, and November 10, 2026 loomed. On July 13, 2026, DoD suspended CMMC Phase 2 and opened a 60 day top to bottom review. November 10 is no longer an operative deadline, and no C3PAO certification is required by a date right now. The Level 2 self assessment is the current path for CUI contractors.
What did not change: Phase 1 CMMC self assessment on applicable contracts, DFARS 252.204-7012, the NIST SP 800-171 Rev 2 baseline, government led assessments, and False Claims Act exposure for a false affirmation. Paused, not cancelled. The suspension removed the deadline pressure, not the requirement.
For anyone shopping consultants, the practical read is this: the urgency premium is off the table for the moment. That is an argument for doing this properly and affordably, not for panic buying a statement of work. It is also an argument against any vendor still selling you the old deadline.
Read the full explainer on the suspension →Where we fit
Having laid out the comparison honestly, here is our pitch, and you can weigh it against everything above.
The reason people hire consultants is almost never the checklist. It is wanting a credentialed human to look at their work and say “yes, that holds up.” That is worth paying for. What is not worth paying for is buying that human as a one time $35,000 project when compliance is an annual cycle that never ends.
So we included the officer in the software. $397/month gets Level 1 guided end to end with a credentialed compliance officer reviewing your package the way an assessor would, year round, not for six weeks. The Level 2 Accelerator is $1,499/month, or $2,499/month with a year round officer, against $35,000 to $150,000 for the traditional engagement. Level 2 is filed in 180 days or we work free until it is. Every plan starts with a 7 day free trial, no credit card.
Custodia never stores CUI on the platform. And if you read the “when you genuinely need a consultant” section and saw yourself in it, go hire one. We would rather lose the sale than sell you the wrong shape of help.
Start where you actually are
FCI only
You are Level 1
15 requirements, self assessed, no assessor, no score. A consultant is usually overkill. Guided software finishes this in about 30 days.
You handle CUI
You are Level 2
110 requirements from NIST SP 800-171 Rev 2, self assessed and filed in SPRS with an annual affirmation. This is where consultants earn their fee, and where our Accelerator competes on price and permanence.
Not sure
Find out first
Do not buy anything until you know your level. This is the two minute question that decides whether your number has four digits or six. It is free.
CMMC consulting: FAQ
What does a CMMC consultant cost?
It depends entirely on your level. For Level 2 readiness, traditional consulting engagements commonly run $35,000 to $150,000 over 6 to 12 months, and that usually excludes licensing, enclave tooling, and the assessment itself. For Level 1, engagements commonly quote $10,000 to $20,000 over four to eight weeks. Hourly advisory rates in the niche often run $250 to $400. If certification is actually required, a C3PAO assessment is a separate paid engagement, commonly $20,000 to $60,000 or more for a small scope.
Do I need a CMMC consultant?
Often no. You genuinely need one when your CUI scope is complex, when an enclave has to be designed and migrated into, when a contract specifically demands a C3PAO certified assessment, when you have no IT function at all, or when you are remediating a failed assessment or a False Claims Act question. You usually do not need one if you handle Federal Contract Information only, which puts you at Level 1: that is a self assessment of 15 requirements with no assessor, no score, and no POA&Ms. Most small subcontractors are in that FCI only group.
Can I do CMMC myself?
At Level 1, yes, and the government designed it that way. Level 1 is self assessed and self affirmed against the 15 safeguarding requirements in FAR 52.204-21, using official DoD guides that cost nothing. Plan on 20 to 40 hours if you DIY from scratch. At Level 2, self assessment is the current path for CUI contractors, and it is a real 110 requirement lift against NIST SP 800-171 Rev 2, filed in SPRS with an annual affirmation. Self assessment is legally your own attestation either way, so the accuracy of what you affirm is your exposure, not your vendor's.
What should I ask a CMMC consultant?
Six questions. What level does my contract actually require, and which clause tells you that? Who writes the SSP, and who owns and maintains it after you leave? Are you affiliated with a C3PAO, and how do you handle independence? What is excluded from this fixed fee? What happens at annual affirmation time, is year two included or a new engagement? And will you sign my affirmation? The correct answer to the last one is no: a senior official at your company affirms and carries the accountability.
What is the difference between a CMMC consultant and a C3PAO?
A consultant prepares you. A C3PAO assesses you. A Certified Third Party Assessment Organization is authorized to conduct the official certification assessment, and conflict of interest rules prevent an organization from assessing work it was paid to prepare. That means the firm that does your readiness consulting cannot also be your assessor on the same scope. If one vendor offers you both, ask exactly how they separate the engagements, because getting this wrong can invalidate the assessment you paid for.
Is a CMMC consultant worth it for Level 1?
For most FCI only shops, no. Level 1 is 15 safeguarding requirements, self assessed, binary MET or NOT MET, with no numerical score, no POA&Ms, and no third party assessor. A company already on Microsoft 365 or Google Workspace typically has most of it one setting away. Paying $10,000 to $20,000 for that is paying consultant rates for a checklist. A guided platform, optionally with a credentialed compliance officer reviewing your package, gets you to the same defensible affirmation for a fraction of the cost.
Is there still a CMMC deadline I need a consultant to hit?
Not the one you probably read about. On July 13, 2026 the DoD CIO suspended CMMC Phase 2 and opened a 60 day top to bottom review, so November 10, 2026 is no longer an operative deadline and no C3PAO certification is required by a date right now. What remains fully in force: Phase 1 CMMC self assessment on applicable contracts, DFARS 252.204-7012, the NIST SP 800-171 Rev 2 baseline, government led assessments, and False Claims Act exposure for a false affirmation. Paused, not cancelled. The suspension removed the deadline pressure, not the requirement.
Keep reading
Get the officer without the consulting invoice
A credentialed compliance officer included in the platform, year round, reviewing your evidence the way an assessor would. $397/month at Level 1. $1,499/month for the Level 2 Accelerator. Start free for 7 days, no credit card.