Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
CMMC Executive Series · Part 5 of 6

Do it in-house, hire it out, or something in between.

Every contractor facing Level 2 makes this decision, and most make it by default: whoever showed up first, or whatever the IT provider proposed, becomes the plan. This installment gives you the honest version: what your own team can genuinely carry, where in-house programs typically fail, the middle path most companies should consider, and how to evaluate a practitioner before you sign anything.

Home CMMC Executive Series The Consultant Decision

Before anything else, one disclosure, because this installment is different from the others in the series.

I sell consulting services. A page about whether to hire a consultant, written by a consultant, deserves your skepticism. So here is my commitment for this installment: everything below is the advice I would give a friend who could never hire me, including the parts of a Level 2 program your own people can carry, and the ways to check up on people like me before signing anything. Judge it on that standard.

What You Can Carry

The honest case for doing it yourself

Companies do complete Level 2 programs largely in-house, and some are well suited to it. The profile that succeeds usually has three things: an IT lead with genuine security background rather than only administration experience, someone with the organizational authority and the hours to run a long cross-department program, and leadership patient enough to let evidence accumulate rather than declaring victory at the paperwork stage.

Even for companies that bring in help, large parts of the work belong in-house no matter what, because they cannot be outsourced well. Your people know where the files actually go, which procedures are real and which are aspirational, and how the shop actually runs at 6 a.m. on a Saturday deadline. Evidence collection, day to day control operation, training delivery, and the ongoing maintenance that follows certification are all work your own organization has to own eventually. A consultant who proposes to do everything forever is describing a dependency, not a service.

And if your contracts involve only FCI and Level 1's fifteen practices, the honest answer is that most companies can and should handle it internally. The self-assessment is annual, the requirements are basic hygiene, and the money is better spent elsewhere. If you are not sure which level applies, that is Part 2 of this series, and it comes before this decision, not after.

Where It Breaks

Where in-house programs typically fail

The failures I see are consistent, and they are rarely about competence. They are about experience with this specific process.

Scoping without a map. The boundary decision is the highest leverage choice in the entire program, and it is also the one your team has never made before. Scope too wide and every downstream cost multiplies. Scope too narrow, in a way an assessor will not accept, and the program gets rebuilt late. Most internal teams have deep knowledge of their environment and zero experience translating it into a defensible assessment boundary, which is exactly the wrong combination for this one decision.

Reading the requirements instead of the objectives. The 110 requirements break into several hundred assessment objectives, and assessors test the objectives. Internal self-assessments scored against the requirement titles run high, sometimes dramatically, which is how companies arrive at the SPRS gap covered in the SPRS explainer. Knowing what an assessor will actually accept as evidence is experience that only comes from having watched assessments succeed and fail.

The homework grading problem. The person who implemented a control is the wrong person to judge whether it would survive scrutiny, for the same reason authors need editors. Internal reviews consistently pass things an outside eye catches in minutes, not because the reviewer is careless but because familiarity hides gaps.

The hours are real. A Level 2 program consumes hundreds of internal hours even with help, and substantially more without it. Those hours come out of people who have full time jobs, and the program stalls precisely when the business gets busy, which is precisely when nobody notices it stalled. The most common in-house failure is not a bad decision. It is eighteen quiet months of almost no motion.

In-house programs rarely fail loudly. They fail by drifting, and the drift is invisible until a contract or a flowdown letter makes the calendar real.
The Middle Path

Outside help is a dial, not a switch

The framing of "do it ourselves or hire it out" is false, and vendors on both sides benefit from it staying false. The practical question is which specific pieces need outside experience, and the answer is usually a short list rather than everything. Three configurations cover most companies.

Targeted

Buy the judgment, keep the work

Outside help for the experience-dependent decisions only: the scope and boundary design, the gap assessment against the real objectives, and a pre-assessment review before the C3PAO. Your team executes everything between. The least expensive configuration that still protects the three points where inexperience is most costly.

Guided

Outside structure, inside execution

A practitioner sequences the program, checks progress on a rhythm, and verifies controls and evidence as they land, while your people do the implementation. The common fit for companies with capable IT but no compliance program experience. This is how most of my own engagements run.

Carried

Outside help does the heavy lifting

For companies with thin internal capacity or a compressed timeline. Costs the most, and it carries a specific risk worth naming: if your team is not involved enough to operate the controls afterward, the program decays and the three year reassessment becomes a rebuild. Anyone selling this configuration should explain how they hand it off.

Where your dial points depends on the honest answers to three questions from earlier in this series: how big is the gap (Part 4), how much internal capacity actually exists once day jobs are subtracted, and how hard is your contract date. Companies commonly start targeted and turn the dial up when the calendar demands it, which is a fine strategy as long as the turning happens deliberately rather than in a panic.

Before You Sign

How to evaluate a practitioner

The CMMC market has attracted excellent practitioners and a remarkable amount of junk, often at similar prices, and the junk has better marketing. The good news is that the junk is easy to filter with a few verifiable checks and a handful of questions, and any practitioner worth hiring will welcome all of them.

Verify before you talk. Every legitimate Registered Practitioner and Registered Practitioner Advanced is listed in the CyberAB Marketplace, and the lookup takes one minute. A current credential does not guarantee quality, but no listing at all, for someone selling CMMC readiness, tells you everything you need. What the credential actually covers is worth two minutes of reading before the first call.

Walk away from anyone who promises the outcome. Guaranteed certification, compliance in days or weeks, a drop-in SSP, or a software purchase that "makes you compliant" are the four horsemen of CMMC junk. Nobody who understands how a C3PAO assessment works makes those promises, so the promise itself is the disqualification.

Then bring the checklist below to the first conversation.

Sample · Practitioner Evaluation Checklist
Are you listed in the CyberAB Marketplace, and under what credential?

Good answer A name, a credential, and an invitation to look it up. Hesitation or a story about why the listing is complicated is a walk-away.

Who exactly will do the work, and will they come to our facility?

Good answer Named people, and yes. Level 2 readiness involves physical controls, shop floor data flow, and staff interviews that cannot be evaluated remotely. If the person selling the engagement is not the person doing it, meet the person doing it before signing.

Have you taken contractors like us through this, and can we speak to one?

Good answer A reference in your industry and size class, offered without drama. New practitioners exist and some are good, but a new practitioner should be candid about being one and priced like one.

What do you not do?

Good answer A clear boundary, stated without prompting. Every honest practitioner has one: work they refer out, roles they will not mix, engagements they decline. The one who does everything for everyone is describing a sales territory, not a practice.

What will we own at the end of each phase?

Good answer Named deliverables: a scoping memorandum, a gap assessment with objective-level findings, a remediation plan, an SSP that describes your actual environment. Vague answers about "support" and "guidance" mean the invoice will be specific and the deliverables will not.

How will you keep our team involved enough to run this after you leave?

Good answer A real handoff plan: your people in the working sessions, procedures written with the staff who execute them, and a declining need for the practitioner over time. Certification is a three year cycle, and a program only you understand how to operate is a program you will pay to rebuild.

If we asked you where we should NOT spend money, what would you say?

Good answer A specific answer, immediately. Scope reduction before remediation, no enterprise cloud migration before the boundary decision, no tool purchases before the gap assessment. A practitioner with no opinion about where you should save money will have strong opinions about where you should spend it.

Bring these to every first call, including one with me. A practitioner's reaction to being evaluated is itself part of the evaluation.
Where This Fits

If the dial points to outside help, start with one conversation.

My practice runs on the guided and targeted configurations described above: onsite scoping and gap work, structured oversight while your team executes, and a pre-assessment review before the C3PAO. The first call is for figuring out where your dial actually points, including the possibility that the answer is mostly in-house, and it comes with no pitch. Bring the checklist.

← Previous · Part 4 Set the Budget and the Real Timeline
About the Author

David W. Koran is a CyberAB Registered Practitioner Advanced and the author of The CMMC Decision, now in its second edition. He works onsite with defense contractors and their counsel, from the first leadership briefing through the pre-assessment review. Reach him at 802-335-2662 or dkoran@davidkoran.com.