Skip to content

About Concura

Concura.AI is a senior-assessor CMMC compliance platform built by Consultant Works, LLC. We package the expertise of working CMMC assessors into a subscription product DIB contractors can actually use — and back it up with direct access to those assessors when the tool isn't enough.

What we do

Department of Defense Industrial Base contractors who handle Controlled Unclassified Information are being assessed against the Cybersecurity Maturity Model Certification — Level 2. That's 320 NIST 800-171A assessment objectives to document, defend, and prove during a C3PAO assessment.

The standard path is to hire a consulting firm at $25,000 to $75,000 and wait six to twelve months for an SSP you didn't write. Concura is the alternative — senior-assessor expertise on every one of those 320 objectives, packaged in a guided authoring workflow, available as an annual subscription at a fraction of that cost.

Concura is built around three convictions:

  • The 320 objectives are the same 320 objectives for every customer. The expertise belongs in the platform once, not in a fresh consulting engagement every time.
  • DIB contractors deserve the same compliance posture they're being assessed against. Customer SSP content lives in Microsoft Azure Government — GCC High — the cloud environment certified for DoD Impact Level 5 data.
  • Validity is paramount. Everything we publish under the Concura name is grounded in source documents (NIST SP 800-171A, the CMMC Assessment Guide L2 v2.13, Microsoft's GCC High Customer Responsibility Matrix). We do not paraphrase compliance expertise; we cite it.

Who's behind it

Concura's reference content is authored and maintained by our senior assessors — credentialed Lead CCAs and Instructors with years of Defense Industrial Base contracting experience and dozens of conducted assessments behind them. They author and review every page of Concura's reference content and are the assessors you book directly through Concura Consult.

When Concura's reference content needs to evolve — new CMMC PMO guidance, refined assessor interpretation, updated vendor implementation steps — our senior assessors are the people updating it. The content reflects how working assessors actually evaluate CUI environments, not generic compliance theory.

The Consultant Works connection

Concura is a product of Consultant Works, LLC, a Florida-registered company based in St. Petersburg, FL. Consultant Works has provided CMMC and cybersecurity consulting to DIB contractors for years; Concura is how we package that operational expertise into a product anyone can subscribe to.

Practically, this means:

  • Billing: subscription charges appear on your credit card statement as Consultant Works, LLC.
  • Legal entity: contracts, terms of service, privacy policy, and tax forms are all in Consultant Works, LLC's name.
  • Parent brand: see consultant.works for our broader assessor practice.

Concura is the product. Consultant Works is the company.

How we built Concura

We made deliberate architectural decisions that reflect the audience we serve.

Customer SSP content lives in GCC High. When you author SSP narratives in Concura Voice, that content is stored in Microsoft Azure Government's GCC High environment — the same cloud certified for DoD Controlled Unclassified Information and Impact Level 5 data. Concura does not store Voice customer content on commercial cloud. Most CMMC-adjacent tools were built for SOC 2 / ISO 27001 audiences; we built Concura for DFARS 7012 contractors, and the infrastructure choice reflects that.

The reference content is human-authored, not AI-generated. The senior-assessor analysis on every objective page is written and reviewed by working assessors. Concura Voice does use AI to clean up your spoken or typed narrative input (transcript polish, sentence-structure refinement) — but the underlying control-by-control expertise is human-validated.

Verbatim NIST and CMMC source text is reproduced exactly. When Concura shows you NIST SP 800-171A or the CMMC Assessment Guide L2 v2.13, it shows you the source. We do not "improve" the source. We do not silently paraphrase. If a citation says it's verbatim, it's verbatim.

Verifiable infrastructure choices. When your C3PAO assessor asks where your SSP authoring data lives, we want the answer to hold up in writing. Microsoft Azure GCC High is a fact you can cite. The public marketing surface and the surface that holds Voice customer content are separated at the routing layer. See Security & Trust for the full posture.

What we are not

To be clear about scope:

  • Concura is not a CMMC assessment. Subscribing to Concura does not certify your organization at any CMMC level. Only an authorized C3PAO can perform a Level 2 certification assessment.
  • Concura is not a GRC platform. We don't manage your tickets, evidence collection, or audit trails. We provide reference content, AI-assisted SSP authoring, and human assessor time.
  • Concura is not legal or compliance advice for your specific organization. The content is reference material from a senior assessor's perspective. Your implementation, evidence, and assessor relationship are yours to manage.
  • Concura does not guarantee a particular assessment outcome. Each engagement is unique. We provide the structure, the assessor-perspective starting content, and the authoring tools — your environment, your evidence, and your relationship with your C3PAO determine the outcome.

How to get in touch

Three direct paths:

You can also request the prospectus for a 9-page overview of Concura's value, pricing, and approach — or browse the products page for tier details.

Concura.AI is a product of Consultant Works, LLC · St. Petersburg, Florida, USA.