CMMC Resources
March 2, 20264 min read

Did Your CMMC Consultant Assess Themselves First?

There is a question that almost no contractor thinks to ask their CMMC consultant, and it's the one that reveals the most about how the compliance industry actually works.

The question is: did you run your own compliance assessment, on your own systems, using your own framework, before you started assessing others?

Most consultants in the CMMC space are selling a service: they evaluate your environment, identify gaps, produce documentation, and guide you through self-assessment. The deliverable is a package that allows you to sign your attestation with some degree of confidence.

But the consultant's own systems (the ones they use to store your data, communicate with your team, and manage your project) are often not held to the same standard they're assessing you against. In many cases, the consultant is operating an open system while telling you that your systems need to meet specific control requirements.

This is not an oversight. It's a business model. A consultant who operates under the same constraints they're assessing you against has demonstrated that compliance is achievable without ongoing advisory. A consultant who hasn't has preserved the information asymmetry that justifies their fee. There's a reason the question doesn't get asked, and it's not because the answer doesn't matter. The question isn't whether the consultant needs certification. The question is whether they have a financial incentive to make compliance seem harder than it is, and whether their own systems reveal the answer.

A consultant who hasn't gone through the process of implementing the 15 practices on their own systems is assessing your implementation of something they've never implemented. They know the documentation requirements. They may not know the implementation gaps that only become visible when you actually operate under the controls.

The contractor groups that have started cross-verifying their compliance have found that the quality of the original consultant assessment is the single strongest predictor of whether the contractor actually passes when checked properly. Contractors whose consultants had done their own assessment first consistently had fewer gaps than contractors whose consultants were working from theory.

The industry doesn't track this. There is no public database of consultant self-assessment status. There is no requirement for a CMMC consultant to demonstrate their own compliance before assessing yours. The market runs on reputation and referrals, not on verified competence.

This creates a situation where the person whose signature carries the legal liability is relying on an assessment produced by someone with no obligation to have done it themselves.

The question is worth asking. Watch how they answer.

cmmcconsultantsassessment-qualitycompliance-industryverification

More from the Index

Why Continuous Verification Keeps Breaking

Achieving CMMC compliance is the part the consulting industry addresses. Maintaining it is the part that keeps breaking, and the proposed fixes introduce their own uncertainties.

Locked Compliance Systems and the Documentation Question

A distinction is emerging between documentation-based compliance and locked compliance systems. What that distinction means in practice is less settled than either side suggests.

Why Point-in-Time CMMC Assessments Don't Work

A point-in-time CMMC assessment tells you whether you were compliant on the day it was conducted. It cannot tell you whether you're compliant today.