4 Questions to Ask Any CMMC Advisory Firm Before You Sign

Most CMMC advisory firms pitch the same things: credentials, experience, a team that’s been through assessments. 

The sales decks look similar across all of them. 

You can’t tell from a proposal which firm will still be accountable six months in, when the scope gets complicated. Or which firm scoped your boundary wrong from day one and won’t find out until the C3PAO (CMMC Third-Party Assessor Organization) assessment.

Four questions cut through the standard claims and get to the detail that counts. 

Ask every firm you’re considering. The answers will tell you more than any proposal does.

Q1: Do you validate as you build, or review at the end?

What this reveals: Whether the firm’s process is designed to catch mistakes while they’re cheap to fix, or after months of work when they’re not.

The stakes: Most traditional CMMC programs implement controls first, then review. When the review finds gaps, which it almost always does, you pay to rework what you already paid for. Timelines slip by months. Unplanned spend can run five or six figures.

What to listen for: A clear explanation of where validation checkpoints sit inside the build process. “Continuous improvement” and “agile methodology” are not answers to this question. You want to know specifically, when your SSP (System Security Plan) is being written, whether someone is pressure-testing it against assessor criteria at the same time or after you’ve finished.

At Fellsway: We build validation into every phase. It’s how we work – Plan. Build. Run. The boundary hypothesis is developed before SSP development begins. Controls are reviewed as they’re operationalized. By the time you reach your C3PAO assessment, the program has been tested at every stage, not just before the assessor walks in.

Q2: Will your assessors sit with us during the C3PAO assessment?

What this reveals: Whether the firm is accountable through the certification outcome, or just through delivery.

The stakes: A C3PAO assessment isn’t a written exam you either pass or fail. It’s an evidence-driven process where how you explain and contextualize controls can shift findings. A firm that builds your program and then steps back at the assessment leaves you explaining your own controls to an assessor who’s never seen them before.

What to listen for: Whether the firm employs CCAs (Certified CMMC Assessors) or CCPs (Certified CMMC Professionals), and whether those people are available to attend the formal certification assessment on your side. Not conduct a pre-assessment and hand you a report. Sit with you on the day.

At Fellsway: When we conduct a Mock Assessment, the CCAs and CCPs running it become closely familiar with the program. They can then attend the formal C3PAO assessment on your side, speak to implementation decisions, and make sure the assessor has what they need to evaluate your program fairly.

Q3: What happens to our investment if the path changes mid-engagement?

What this reveals: Who absorbs the cost when early scope decisions turn out to be wrong.

The stakes: CMMC engagements almost always surface complexity that wasn’t visible at the start. An enclave boundary that needs to be redrawn. A control that was assumed to be MSP-owned but isn’t. An SSP written by someone who’s since left, that doesn’t reflect what’s actually deployed. When that happens, a loosely scoped T&M engagement can double in cost with no checkpoint between you and the overrun.

What to listen for: How the firm structures scope, and whether advisory and build phases are priced and committed to separately. You should know what you’re signing up for at each stage before you commit to the next one. Ask whether fixed-fee or T&M is available, and what determines which applies to your engagement.

At Fellsway: We offer fixed-fee options for advisory and build phase activities, depending on what fits the work. Either way, the advisory path and build-out are scoped separately, so you commit in stages with visibility into what follows. Our Readiness Workshop tells you which path is yours before you commit to anything beyond it.

Q4: Are you tied to one enclave provider, or do you match us to the right one?

What this reveals: Whether the firm’s recommendation is driven by your requirements or their existing commercial relationships.

The stakes: For many defense contractors, choosing a secure enclave is one of the biggest architectural decisions in the CMMC process. GCC vs. GCC High. What gets segmented. What stays in the existing environment. The wrong choice means a boundary strategy that doesn’t survive assessor scrutiny, and a rebuild after you’ve already spent the budget. A firm that steers every client toward one provider regardless of their environment is making your architecture decision based on their partnership, not your CUI (Controlled Unclassified Information) data flows.

What to listen for: A clear explanation of how the firm selects an enclave provider, including what factors they consider and what relationships they maintain. If the answer is one provider’s name without qualification, ask what happens if that provider isn’t the right fit for your environment.

At Fellsway: We maintain relationships with multiple enclave providers. The right one depends on your boundary, your CUI data flows, and your existing identity stack. That determination happens during the engagement, after the requirements are understood.

What you’re really evaluating

These aren’t gotcha questions. Most firms won’t stumble on all four. But the answers, taken together, show you whether a firm has built accountability into how they work, or just into how they pitch.

The CMMC Readiness Workshop is where you put Fellsway through the same questions. It’s free, 60 minutes, and designed to give you a clear direction before you commit to anything.

Schedule your CMMC Readiness Workshop here.