6 Months Into CMMC: What We’re Seeing in Real Assessments
It’s been a long time since the CMMC rule was just theoretical. Over the past several months, we’ve seen a clear shift from companies asking “What is CMMC?” to trying to understand whether they’re actually ready for an assessment.
That’s shifted our conversations with companies entirely.
Earlier in the process, many IT and GRC teams struggled to get leadership buy-in. There was still a lingering belief that CMMC either wouldn’t happen or would be pushed down the road again. Now, the pendulum has swung in the opposite direction. Leadership teams know CMMC is real, but many expect it to be completed in one or two months by a single internal resource.
Unfortunately, the reality in our experience is somewhere in the middle.
CMMC readiness takes real planning, coordination, technical implementation, documentation, and organizational support. There are still unrealistic expectations around how much work and investment are required, especially for companies pursuing Level 2 certification.
What’s become especially clear over the last six months is the gap between preparation on paper and readiness in practice.
“What’s changed since the rule went into effect?”
In the early stages, most organizations were focused on understanding scope, requirements, and timelines. Today, companies are actively trying to prepare for assessments, reserve time with a C3PAO, and figure out how quickly they can realistically get certified.
The companies reaching out now are all over the map. Some are small services firms handling limited amounts of digital CUI. Others are large manufacturers or construction companies dealing with physical products, operational environments, and much broader infrastructure concerns.
Many large primes are already certified or close to certification. What we’re seeing now is more activity from the supply chain - subcontractors and smaller defense contractors trying to understand where they fit into the process and how urgent their timelines actually are.
“Got it - so what’s the biggest misunderstanding now?”
One of the biggest drivers of confusion we see right now is the idea of a November 10 “deadline.”
November 10 is not a universal deadline. It marks the start of the second phase of the CMMC rollout. New DoD contracts involving CUI will be required to include the CMMC Level 2 requirements, but whether those requirements involve self-assessment or certification depends entirely on the contract itself.
For many organizations, the actual timeline depends on:
Which contracts they plan to pursue
Whether certification is required at contract announcement or contract award
The type of CUI involved
The expectations flowing down from primes
As a result, there is often more flexibility than many companies we have talked to realize.
Unfortunately, many organizations are rushing into certification efforts before they are truly prepared, which creates a much higher risk of failing the assessment, triggering costly delays and reschedules, or overspending on technology and solutions that aren’t needed.
“Where else are companies running into CMMC issues then?”
There are a few patterns we continue to see across organizations at different stages of readiness:
Misunderstanding How Timing Works
Many teams still treat CMMC deadlines as fixed compliance dates rather than contract-driven requirements. In practice, timing is tied much more closely to upcoming contract obligations (including option years and new contracts) rather than to a single universal cutoff date.
Waiting Too Long to Engage a C3PAO
Some companies wait until they believe they are “fully ready” before contacting a C3PAO. That often creates scheduling challenges and compressed timelines tied to contract opportunities.
At the same time, engaging too early without the right preparation can also backfire. The organizations that tend to have the smoothest experiences are the ones that involve experienced CMMC professionals early enough to properly prepare before entering the assessment phase.
Treating Documentation as the Finish Line
A completed SSP is not the same thing as assessment readiness.
One of the biggest misconceptions we continue to see is companies believing that if the documentation exists, the hard part is over. In reality, assessments focus just as heavily on whether controls are currently implemented (not future state!), maintained, and consistently followed in practice. You have to be able to demonstrate you’re meeting the requirements with actual evidence.
Many SSPs are still poorly documented. Some are rushed through AI tools that generate vague or incomplete implementation statements. Others fail to address all assessment objectives or provide enough detail to demonstrate how controls are actually operating within the environment.
Under CA.L2-3.12.4, organizations are required to describe how each requirement is implemented. If the documentation does not clearly explain the implementation, assessors cannot validate that the control is functioning as intended.
That often leads to rework and delays before the assessment can even begin.
Scoping Challenges Continue to Cause Problems
Scoping remains one of the biggest trouble spots, particularly around cloud services and CUI access.
A common misunderstanding is the belief that if CUI remains inside a cloud environment, then only the cloud itself is in scope.
But CMMC defines processing, storing, and transmitting CUI broadly enough that simply accessing CUI brings systems into scope.
That means the devices used to access cloud-hosted CUI - laptops, desktops, VDIs, phones, tablets, and similar endpoints - are typically considered CUI Assets and become part of the assessment boundary.
When companies misunderstand that requirement, they often leave out major portions of their environment, especially within Configuration Management controls. The result is delays, scope corrections, or rescheduled assessments.
Third-Party Providers Are Still Creating Delays
External Service Providers (ESPs) and Cloud Service Providers (CSPs) continue to create major issues for organizations pursuing certification.
Whether a provider processes CUI directly, handles security-related data, or only provides managed IT services affects how it must be evaluated under CMMC.
If a company relies on a provider that does not meet the required standards, or cannot provide a body of evidence showing that it does, it can become impossible to pass the assessment until the issue is resolved.
“So what does the CMMC assessment process actually look like?”
For many organizations, the assessment process still feels abstract until they go through it firsthand. In practice, assessments involve significantly more coordination and validation than most teams expect.
Assessors are not simply checking whether policies exist. They are verifying that the documented processes align with what is actually happening inside the environment.
That means:
Reviewing evidence
Conducting interviews
Watching live demonstrations and screenshares
Validating technical implementations
Confirming that documented processes are actually being followed
“OK - and what’s catching teams off guard?”
One thing that surprises many organizations is that they may have implemented controls correctly but failed to document them adequately.
CMMC is very much a:
“Tell me what you’re supposed to be doing, and prove that you’re doing it.”
If organizations have not clearly defined, specified, identified, or documented required processes somewhere - whether in the SSP, policies, standards, or supporting procedures - assessors have nothing to validate against.
That disconnect is where many otherwise capable organizations run into trouble. So choose your words carefully in your SSP, policies, and procedures!
“Right, so what makes things go smoothly then?”
The assessments that tend to go smoothly usually have:
Well-organized evidence repositories (think nested folder structure)
Clear and detailed implementation statements
Teams that understand their own environment
Internal coordination and interview practice before the assessment begins
Realistic expectations about the process
The difficult assessments are usually the opposite. Teams struggle to locate evidence, implementation details are vague or inconsistent, and personnel are unfamiliar with how controls operate across the environment.
“So what should our company focus on next for CMMC"?”
Right now, the organizations making the most progress are the ones approaching CMMC as an operational readiness effort - not just a documentation exercise. That means:
Understanding the actual assessment objectives
Taking scoping seriously
Validating and organizing third-party providers early
Building documentation that reflects reality
Giving internal teams enough time to prepare properly
Avoiding artificial rush timelines driven by misconceptions
There is still time for many organizations to get this right.
But the companies that succeed will be the ones that focus less on checking boxes and more on building an environment they can confidently explain, demonstrate, and defend during a real assessment.
“But how do we understand where we stand?”
Whether you're just starting your CMMC journey or preparing for a formal assessment, the right preparation makes a significant difference.
If you’re preparing for a Level 2 certification assessment, engaging with a C3PAO early can help you avoid common scheduling, scoping, and readiness issues before they impact contract timelines.