Captain’s Log — June 2026
Readiness vs. Certification: What a CMMC Consultant Can and Can’t Do for You
“Ready” and “certified” are not the same word, and under CMMC the firm that gets you ready legally cannot be the firm that certifies you. If a provider blurs that line, that is not a convenience, it is a red flag. Here is exactly what each role is allowed to do, why they are kept separate, and how to vet a CMMC provider before you sign anything.
The rule in one sentence: a CMMC Third-Party Assessment Organization (C3PAO) cannot assess a company it has provided consulting to, generally for three years. The firm that prepares you and the firm that grades you have to be different. That separation is not a loophole to work around, it is the thing that makes the assessment mean anything.
Two Roles, Two Different Firms
CMMC compliance involves two distinct kinds of provider, and understanding the split is the single most useful thing a small contractor can learn before spending a dollar.
- The C3PAO (the assessor) — a firm authorized by the Cyber AB to perform official CMMC Level 2 certification assessments. They are the grader. Their entire value depends on independence, so they are barred from helping you prepare for the assessment they conduct.
- The consultant / RPO (the preparer) — a Registered Provider Organization or an independent consultant who gets you ready: scoping your boundary, building your System Security Plan, remediating gaps, and standing up the systems you need. They prepare you. They do not, and cannot, certify you.
Why they can’t be the same firm
An assessor who helped build your security program cannot impartially grade it, they would be checking their own homework. So the CMMC ecosystem enforces a hard separation: a C3PAO is prohibited from assessing any organization it (or a related entity, or shared personnel) provided consulting to, with a multi-year cooling-off period. The result is healthy. The people preparing you are incentivized to get you genuinely ready, and the people grading you have no stake in the outcome. A provider offering to both prepare you and certify you is either misunderstanding the rules or ignoring them, and you do not want either one near your contract.
What an Honest Consultant Will and Won’t Say
Scope your CUI boundary, assess all 110 controls, write your SSP and POA&M, remediate gaps, stand up a compliant enclave, and get you genuinely assessment-ready. “We prepare you for the assessment” is the honest promise.
“We certify you.” “We guarantee a passing score.” “We’ll handle your SPRS affirmation for you.” None of these are things a consultant can legitimately promise, and a passing assessment is never something a preparer controls.
You Are the One Who Signs
Here is the part that small contractors most often miss, and the part that carries the most risk. Your SPRS score is submitted under an affirmation, and you are the affiant. Not your consultant. A good readiness provider never logs into your SPRS and never files on your behalf, because the representation about your systems’ security is yours to make and yours to stand behind.
That matters because a score you cannot support is a False Claims Act exposure, and it is your name on the affirmation, not the consultant’s. Any provider who offers to “just submit it for you” is offering to put you on the hook for a representation they made. Walk away.
How to vet a CMMC provider
Five questions to ask before you sign. The right answers are not subtle.
A consultant prepares. Only a C3PAO certifies. If one firm claims both, stop there.
No honest provider can. Readiness is something they control; the assessment outcome is not.
The correct answer is “you do.” If they offer to file it for you, that is a liability they are handing to you.
They can’t be, under the conflict-of-interest rule. A provider who doesn’t know that doesn’t know the rules.
A provider who hosts your CUI may pull themselves, and you, into a wider assessment scope. Build-and-handoff keeps the boundary clean.
Where BrandShyp Sits
We are a readiness provider, not a C3PAO. We prepare you for assessment, we do not certify you, and you remain the affiant for your own SPRS score. When we build a CUI enclave, it runs on your hardware and we hand you the keys, we never host or hold your CUI. That is the honest lane, and it is the only one we operate in. (This article is educational, not legal advice. Verify against the Cyber AB, the current CMMC rule, and your specific contract.)
The Bottom Line
The line between readiness and certification is not bureaucratic noise, it is the structure that keeps assessments honest and keeps your affirmation defensible. A provider who respects it will tell you plainly that they prepare you and you certify. A provider who blurs it, who promises a score, who offers to sign for you, is the one to walk away from.
Get ready with someone who knows exactly where their lane ends. That clarity is worth more than any guarantee a consultant has no business making.
Readiness done right
BrandShyp prepares small IT and defense contractors for NIST 800-171 and CMMC, the standard we hold our own systems to. We prepare you; you certify. Start with a free self-check or book a readiness call.