White Paper

Before You Hire a CMMC Consultant

A Contractor's Guide to Verifying CMMC Practitioner Credentials
David W. Koran · CyberAB Registered Practitioner Advanced

The Problem

The demand for CMMC consulting services is growing faster than the supply of credentialed practitioners. That imbalance has created an environment where it is difficult for a contractor to distinguish between a qualified consultant and one who is not what they claim to be. The consequences are not limited to wasted fees. The wrong engagement can result in documentation that does not survive assessment, technical configurations that must be reworked, delayed contract eligibility, or an assessment that is later invalidated due to conflict of interest violations.

This paper gives contractors the tools to verify that the person they are considering is who they say they are, holds the credential they claim, and is authorized to do what they are offering to do.

What the Paper Covers

Who This Paper Is For

Defense contractors evaluating CMMC consultants for the first time. The paper assumes no prior familiarity with the CMMC credentialing structure and is written for business decision-makers, compliance officers, and operations staff who need to make a hiring decision and want to verify what they are being told.

Why This Paper Exists

The CMMC ecosystem is still maturing. Credentialed practitioners are held to a Code of Professional Conduct with specific provisions on conflict of interest, scope of practice, and accuracy of representation. But the contractors who hire those practitioners often have no way of knowing what the rules are, which credentials are real, or what questions to ask. This paper closes that gap.

Every regulatory and policy claim in the paper is footnoted to the specific CFR section, Code of Professional Conduct provision, or official CyberAB communication that supports it. If someone challenges a claim, the source is at the bottom of the page.

New to CMMC?

If you are a defense contractor encountering CMMC for the first time and trying to understand the full picture, the resources below can help you get oriented before you start evaluating consultants.

References

CyberAB Code of Professional Conduct v2.0 · 32 CFR Part 170 (CMMC Program Final Rule) · 32 CFR 170.8 (Accreditation Body) · 32 CFR 170.9 (C3PAOs) · 32 CFR 170.11 (CCA) · 32 CFR 170.13 (CCP) · CyberAB Marketplace · CyberAB Town Hall, December 2025 · CAICO Ecosystem Notification, December 17, 2024 · ISC2 Member Directory · ISACA Credential Verification

David Koran & Associates

CMMC Readiness, Enablement, and Implementation

dkoran@davidkoran.com · (802) 335-2662

davidkoran.com