The Problem
The demand for CMMC consulting services is growing faster than the supply of credentialed practitioners. That imbalance has created an environment where it is difficult for a contractor to distinguish between a qualified consultant and one who is not what they claim to be. The consequences are not limited to wasted fees. The wrong engagement can result in documentation that does not survive assessment, technical configurations that must be reworked, delayed contract eligibility, or an assessment that is later invalidated due to conflict of interest violations.
This paper gives contractors the tools to verify that the person they are considering is who they say they are, holds the credential they claim, and is authorized to do what they are offering to do. It covers:
- The credentialed roles in the CMMC ecosystem: RP, RPA, CCA, CCP, and C3PAO
- The structural separation between enablement and assessment, and why it matters
- Why the CyberAB created the RP and RPA credentials specifically for consulting
- The CyberAB Marketplace as the single source of truth for credential verification
- Legitimate processing gaps: Tier 3 delays, delta training, and the ISACA transition
- The Code of Professional Conduct: conflict of interest, scope of practice, accuracy, and confidentiality
- C3PAO consulting and referral arrangements, the three-year prohibition, and disclosure requirements
- DoD oversight authority under 32 CFR 170.8, eMASS visibility, and six-year record retention
- Six verification steps any contractor can complete before signing an engagement
- Eight red flags that should prompt additional scrutiny
- What a credible engagement looks like
Who This Paper Is For
Defense contractors evaluating CMMC consultants for the first time. The paper assumes no prior familiarity with the CMMC credentialing structure and is written for business decision-makers, compliance officers, and operations staff who need to make a hiring decision and want to verify what they are being told.
Why This Paper Exists
The CMMC ecosystem is still maturing. Credentialed practitioners are held to a Code of Professional Conduct with specific provisions on conflict of interest, scope of practice, and accuracy of representation. But the contractors who hire those practitioners often have no way of knowing what the rules are, which credentials are real, or what questions to ask. This paper closes that gap.
Every regulatory and policy claim in the paper is footnoted to the specific CFR section, Code of Professional Conduct provision, or official CyberAB communication that supports it. If someone challenges a claim, the source is at the bottom of the page.
New to CMMC?
If you are a defense contractor encountering CMMC for the first time and trying to understand the full picture, the resources below can help you get oriented before you start evaluating consultants.
References
CyberAB Code of Professional Conduct v2.0 · 32 CFR Part 170 (CMMC Program Final Rule) · 32 CFR 170.8 (Accreditation Body) · 32 CFR 170.9 (C3PAOs) · 32 CFR 170.11 (CCA) · 32 CFR 170.13 (CCP) · CyberAB Marketplace · CyberAB Town Hall, December 2025 · CAICO Ecosystem Notification, December 17, 2024 · ISC2 Member Directory · ISACA Credential Verification