In a recent episode of our podcast, guest Jesse Miller from Power PSA Consulting shared crucial insights on qualifying clients for CMMC (Cybersecurity Maturity Model Certification) services. This guide distills his key criteria, as discussed on the show, to help us effectively assess potential CMMC clients and focus our efforts. Engaging with clients who aren't a true fit, either strategically or financially, doesn't benefit them or us.
Here are the critical questions, based on Jesse's advice, for evaluating potential CMMC clients:
1. The Financial Commitment: Are They Prepared for the Real Numbers?
Address the investment directly and early. Clients need to understand the figures Jesse outlined for a realistic engagement.
Initial Program Setup: Inform them: "Based on our experience and expert input, be prepared for an initial investment of $100,000 to $200,000, at a minimum, to establish the CMMC program foundation."
Ongoing Costs: Explain: "Beyond that, ongoing maintenance, advisory services, and program management will typically require an annual budget of six figures. These are standard figures Jesse discussed for serious CMMC efforts."
Their Reaction is Key: Observe their response to these figures. As Jesse highlighted on the podcast, if these costs are genuinely shocking to them, it's a strong indicator they aren't prepared for this level of engagement. Significant hesitation here often means they aren't a viable prospect at this time.
2. Strategic Alignment: Is CMMC a Core Business Need for Them?
Understand their fundamental reasons for pursuing CMMC. Jesse stressed the importance of this being a strategic priority.
Revenue Impact & Growth Potential: Ask directly: "What percentage of your current or projected revenue depends on CMMC compliance? Are you actively pursuing significant new business opportunities that require it?" As Jesse pointed out, if CMMC impacts only a small fraction of revenue for a mid-sized company with no clear growth plans in that specific sector, the required investment may not align with their business priorities.
Leadership Commitment: Determine: "Is your leadership team fully committed to CMMC as a strategic investment for growth and security, or is it viewed primarily as an unavoidable operational expense?" Jesse emphasized looking for clients who see CMMC as an enabler for achieving their broader business objectives – the ones who want to "hunt new business" with it.
3. Indicators of a Poor Fit: When to Reconsider Engagement
Be prepared to identify situations where pursuing a CMMC engagement is unlikely to be successful, drawing on the red flags Jesse discussed.
Low Strategic Value, Minimal Growth Intent: If CMMC secures only a minor part of their business and there’s no strong, articulated commitment to expand in CMMC-dependent areas, the significant investment is difficult to justify. It's often better to advise them of this directly, as Jesse would.
Focus on Minimal Cost Over Program Integrity: If their primary concern is finding the "cheapest" or "easiest" path to a certificate, without understanding the necessary depth of process integration and program development, they are not prepared for what's genuinely required.
Persistent Budget Resistance: If initial cost discussions lead to ongoing, significant resistance to budgeting for foundational elements, it suggests they haven't accepted the true scope and value of the investment.
Lack of Partnership Approach: CMMC implementation is a deeply collaborative effort. If a client expects it to be a purely outsourced task without their own team's significant involvement and commitment to internal changes, success is improbable.
Apply these questions to guide your initial client conversations. Our objective is to partner with organizations that are strategically and financially prepared for the CMMC journey, enabling us to deliver substantial value.