Choosing a CMMC Advisory Partner: Questions to Ask Before You Hire

Not every firm that calls itself a CMMC advisor is set up to actually help you. Some identify gaps but cannot close them. Some send junior staff after the sales call. Some have never walked a client all the way through a Level 2 prep cycle. The questions below will help you tell the difference before you commit.

This post is written for defense contractors who are ready to hire a CMMC advisory partner and want a practical way to compare their options. Whether you are working toward Level 1 self-attestation or a full Level 2 third-party assessment, the questions are the same. The answers will vary, and that variation is what you are evaluating.

APT Security Management, based in North Charleston, South Carolina, works with defense contractors across both levels. We have written this post to give you a fair framework for vetting any advisor, including us.

Question 1: Are you an RP, an RPO, or something else?

The Cybersecurity Maturity Model Certification (CMMC) ecosystem has three distinct practitioner designations under the Cyber AB: Registered Practitioners (RPs), Registered Provider Organizations (RPOs), and Certified Third-Party Assessor Organizations (C3PAOs). They are not interchangeable.

An RP is an individual who has completed Cyber AB-approved training. An RPO is a company that employs RPs. A C3PAO is an organization authorized to conduct official CMMC assessments, which is a different function than advisory and prep work.

What to look for: The advisor is transparent about their credential, who holds it, and what it means. They can explain the difference between advisory work and assessment work without prompting.

Red flag: Vague claims like "we are CMMC certified," or language that implies they can certify you. No advisor can certify you. Only a C3PAO can conduct a CMMC Level 2 assessment, and C3PAOs must be authorized by the Cyber AB. If a firm blurs that line, they either do not understand the program or are trying to close a sale.

For a breakdown of how these roles differ, see our post on RP, RPO, and C3PAO explained.

Question 2: Have you walked clients through a full Level 2 prep cycle?

There is a meaningful difference between an advisor who has helped clients document policies and one who has taken a client from a gap assessment all the way to a successful C3PAO assessment. Level 2 prep involves 110 practices aligned to NIST SP 800-171, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), evidence collection, and pre-assessment readiness work. It is a multi-phase engagement that takes months.

What to look for: The advisor can describe the phases of a Level 2 engagement, name specific documents they have helped produce, and explain what happens during pre-assessment preparation without needing to look anything up.

Red flag: They have only done Level 1 prep or gap assessments without follow-through. That is not disqualifying for a Level 1 engagement, but it is a problem if your contract requires Level 2.

Question 3: Can you help implement the fixes, or only identify the gaps?

A gap assessment is the starting point, not the finish line. Once you know where your gaps are, you still need to close them. That means deploying tools, hardening configurations, updating or creating documentation, and building evidence that your controls are actually working.

Some advisory firms stop at the report. If you hire one of those, you will need a second vendor to handle remediation, and the handoff rarely goes smoothly.

What to look for: The advisor has a clear story for how gaps get closed, not just identified. They should be able to name the specific tools and service capabilities they bring to remediation, including network controls, endpoint protection, email security, logging, and documentation.

Red flag: Their engagement ends with a written deliverable and a list of vendors for you to call. That is not a full-service advisory relationship.

At APT, we work with partners including Fortinet for network segmentation and boundary protection, Sophos for endpoint and audit logging, and Proofpoint for email security. We do not just tell you what to fix. We can deploy the tools that fix it.

Question 4: What does your engagement model look like?

You need to understand what you are buying before you sign anything. Is this a fixed-scope project with a defined deliverable? A monthly retainer? An hourly arrangement? How does billing work if your environment is more complex than expected?

What to look for: The advisor can explain their model clearly, including what is in scope, what triggers additional cost, and how the engagement scales if your timeline or needs change. They should be able to give you a written scope.

Red flag: Vague commitments like "we will be there when you need us" without a defined scope or billing structure. That benefits the advisor, not you.

APT uses a token-based model. You buy prepaid service credits that can be applied across any phase of your engagement, which means you are not locked into a long retainer when your workload is lighter. Contact us for token pricing scoped to your environment.

Question 5: Who actually does the work?

This is a common gap between what firms promise and what clients receive. A senior practitioner leads the sales conversation. A junior analyst runs the assessment. You do not find out until week three.

What to look for: The advisor names the person or people who will actually work your engagement, describes their experience with CMMC specifically, and is clear about when senior staff are involved versus support staff.

Red flag: They cannot give you a clear answer, or the engagement structure is described in terms of "our team" without specifics. You want to know who is on the other end of your calls and who is signing off on your deliverables.

Question 6: How do you handle evidence collection?

For Level 2, evidence collection is not a formality. It is the work. When a C3PAO assesses you, they will not take your word for it that a control is implemented. They want to see policies, configuration screenshots, system logs, access reviews, and other artifacts that prove your controls are operational.

An advisor who does not have a clear evidence collection process is setting you up for a failed assessment.

What to look for: They can describe their evidence collection methodology, tell you what types of artifacts they help gather for each control domain, and explain how they organize evidence into a format C3PAOs can work with efficiently.

Red flag: They treat evidence collection as something you will figure out as you go. That means you will be scrambling before your assessment date.

If you want to get a head start before engaging an advisor, APT's free SSP Scaffolder generates a structured System Security Plan document pre-mapped to NIST 800-171 controls, and the POA&M Builder helps you organize your remediation tracking in the format assessors expect.

Question 7: What happens after the gap assessment?

A gap assessment tells you where you stand. It does not fix anything. The more important question is what your advisor plans to do with the findings.

Good advisors use the gap assessment to build a prioritized remediation roadmap with realistic timelines, effort estimates, and a clear sequence. Some gaps are documentation issues you can resolve in a week. Others require tool deployments, network changes, or organizational policy work that takes months.

What to look for: They walk you through their post-assessment workflow. You should hear about prioritization, quick wins, phased remediation, and how they track progress toward a readiness state. They should also be clear about what their involvement looks like during that remediation phase.

Red flag: The engagement effectively ends when the gap assessment report is delivered. That is the most common way contractors stall out midway through CMMC prep.

Question 8: Do you charge by retainer, by hour, or by deliverable?

CMMC prep does not progress at a steady pace. There are intensive stretches, particularly during the gap assessment, SSP development, and pre-assessment readiness phases, and slower stretches in between. A billing model that does not flex with that reality can create friction.

What to look for: The advisor's pricing model is transparent, predictable, and aligned with how CMMC work actually unfolds. They should be willing to scope each phase separately so you know what you are committing to before each stage begins.

Red flag: An open-ended retainer with no phase milestones, or hourly billing with no estimate of total hours. Both put all the financial risk on you.

Question 9: What is your SPRS score experience?

For Level 2 contractors, your NIST SP 800-171 self-assessment score gets posted to the Supplier Performance Risk System (SPRS). That score is not just a compliance checkbox. Under DFARS 252.204-7024, contracting officers use SPRS data during proposal evaluation, and a low score can affect your competitive position even if you technically meet the minimum threshold.

An advisor who treats the SPRS score as a bureaucratic formality rather than a business risk indicator may not be giving you the full picture.

What to look for: They understand the relationship between control gaps, your SPRS score, and how that score appears in source selection. They can help you think through which gaps to prioritize from a score improvement standpoint, not just a compliance standpoint.

Red flag: They have never helped a client calculate or improve their SPRS score, or they cannot explain how DFARS 252.204-7019 and 252.204-7020 govern posting the score versus how 252.204-7024 governs how the government uses that data in evaluation. These are distinct clauses with different implications.

APT's free SPRS Score Calculator lets you estimate your current score based on your control implementation status. It is a useful tool for understanding where you start before your first advisor conversation.

Question 10: Will you be available during our C3PAO assessment?

For Level 2 contractors, the C3PAO assessment is the finish line. Having your advisor available during that process, to clarify documentation, help locate evidence, and respond to assessor questions, can be the difference between a clean assessment and a significant delay.

Not every advisory firm plans for this. Some consider their job done once you submit your SSP. Others stay engaged through the assessment and provide direct support while the C3PAO is on site or conducting interviews.

What to look for: The advisor describes their assessment-period engagement clearly, including whether they charge for it separately and what that support looks like in practice.

Red flag: They have never been asked this question before, or they treat the assessment phase as outside their scope without any explanation of why.

One more thing to look for: Integration capability

Beyond the ten questions above, pay attention to whether the advisor can actually close the gaps they find. Some firms are strong on documentation and weak on technical implementation. Others are the reverse.

CMMC Level 2 requires both. You need policies and procedures that match your technical controls, and you need technical controls that are actually deployed and documented. An advisor who can only help with one side of that equation is a partial solution.

Ask them to describe a recent engagement where they both identified a gap and helped the client close it. Listen for specifics: what the gap was, what tool or configuration change closed it, and how they documented the remediation as evidence.

Where to start if you are ready to evaluate partners

Before your first advisor conversation, it helps to know where you stand. APT's free CMMC Readiness Quickcheck gives you a snapshot of your current posture against CMMC 2.0 requirements, so you walk into those conversations with a clearer picture of your gaps and priorities.

If you are still working out whether you handle Controlled Unclassified Information (CUI) and what level your contract requires, the CUI Identifier walks you through a decision tree that maps to the definitions under 32 CFR Part 2002.

For more on how the advisor landscape works, see our posts on RP, RPO, and C3PAO explained and the full guide to what CMMC 2.0 actually requires.

When you are ready to talk through your specific situation with an advisor, the next section has APT's details.

Talk Through Your Situation With APT

APT Security Management works with defense contractors at both Level 1 and Level 2. Our team includes an individual Registered Practitioner (RP), and we handle the full engagement from gap assessment through remediation and pre-assessment readiness. If you want a 30-minute conversation about where you stand and what prep looks like for your environment, we are happy to have it at no cost.