Cybersecurity Maturity Model Certification (CMMC) assessments are no longer theoretical. For defense contractors across the Defense Industrial Base (DIB), assessments are happening now and the results are eye‑opening.
In a recent RKON‑hosted webinar with our partners, we unpacked what organizations are learning the hard way: there is often a significant gap between where companies think they are and what assessors actually validate. The conversation focused on real assessment experiences, common pitfalls, and what organizations should be doing now to prepare, not just to pass an audit, but to build long‑term security resilience.
Below are the key takeaways every contractor should understand.
Learning on the Fly: Why Self‑Assessments Fall Short
Many organizations entered CMMC confident in their self‑assessments. Once formal assessments began, reality set in.
CMMC third‑party assessors (C3PAOs) conduct rigorous, evidence‑driven evaluations. They ask questions and request proof that organizations doing self‑assessments often didn’t anticipate. The result? A widespread “reality check” moment where contractors discover meaningful gaps between documented intent and operational reality.
CMMC is not about checking boxes. It’s about proving that controls are implemented, operationalized, and working over time.
Scoping Is the Foundation—and the Most Common Failure Point
One of the earliest and most impactful challenges organizations face is scope definition.
Key scoping questions assessors expect clear answers to:
- What is your Controlled Unclassified Information (CUI)?
- What systems, users, and processes fall within your assessment boundary?
- How does information flow into, through, and out of the boundary?
Assessors also evaluate:
- Authoritative asset inventories
- Information flow diagrams
- Security and protection assets
- External Service Providers (ESPs)
These elements are all assessed differently and must be identified early. Poor scoping leads to scope creep, expanded evidence requests, delays, and failed assessments.
Your System Security Plan (SSP) becomes the blueprint for the assessment. If documentation, diagrams, and operational reality aren’t telling the same story, assessors will find the disconnect quickly.
What Assessors Are Consistently Flagging
Across industries, assessment teams are seeing the same patterns emerge.
1. Access Control Gaps
Common issues include:
- Incomplete least‑privilege enforcement
- MFA not applied consistently
- Weak configuration management
Tools alone aren’t enough. Assessors need to see process, enforcement, and review cadence.
2. Audit Logging & Monitoring
One of the biggest gaps for small and mid‑sized organizations:
- Logs exist but aren’t reviewed regularly
- Monitoring isn’t validated or documented
- No evidence of continuous review
Many organizations cannot demonstrate that their controls function consistently over time. Remember, it’s not about a one-time audit. It’s about having a resilient security posture.
3. Configuration Drift
Organizations often deploy security tooling but lack:
- Drift detection
- Change validation
- Ongoing review processes
By the time auditors arrive, environments are stale, undocumented, or misaligned with the SSP.
4. Incident Response That Isn’t Operationalized
Annual tabletop exercises aren’t enough. Assessors expect to see:
- Regular testing
- Documented outcomes
- Evidence that lessons learned were incorporated
Incident response must be alive, not theoretical.
5. Cryptography, PHI/PII, and End‑of‑Life Systems
Assessments are increasingly strict around:
- Validated cryptography
- Legacy or end‑of‑life systems
- Unsupported software still in scope
These areas have become particularly “touchy” in recent assessments.
The Assessment Lifecycle: What to Expect
A full CMMC Level 2 assessment typically unfolds in three phases:
Phase 1: Readiness & Scope Validation
- Boundary confirmation
- ESP identification
- Artifact review
- Gaps surfaced early
Phase 2: Fieldwork & Evidence Review
- Interviews and demonstrations
- Deep technical validation
- The most time‑intensive phase
Phase 3: QA & Determination
- Final review of all 110 controls
- eMASS workflow and submission
- Formal determination
Timelines vary, but organizations should expect 3–4 months end‑to‑end, with buffers for complexity and scope changes. With over 80,000 companies in the DIB and a limited number of C3PAOs, capacity is already a constraint.
Best practice: Engage 9 months ahead of your target date, minimum.
CMMC Is Not a Point‑in‑Time Event
One of the most dangerous mindsets we see is “pass the audit and move on.”
CMMC operates on a three‑year reassessment cycle, with ongoing obligations in between. Drift will happen. M&A will happen. Environments will change.
What matters is:
- Being honest about changes
- Documenting them
- Proving controls remain effective
Organizations that pause evidence collection after certification are setting themselves up for future failure.
The most successful teams are building continuous evidence collection, so audit readiness becomes business‑as‑usual, not a scramble.
Looking Ahead: How CMMC Will Evolve
Over the next 2–3 years, we expect:
- Broader adoption of CMMC‑like requirements beyond DoD
- Civilian agencies applying similar validation logic
- Increased supply‑chain enforcement
- More rigor around demonstrating control effectiveness
- A future Rev 3 transition requiring organizations to evaluate deltas and adapt quickly
CMMC isn’t shrinking. The web of requirements is expanding.
Why Pre‑Assessments Are Becoming Non‑Negotiable
Given assessor rigor and limited capacity, organizations are increasingly turning to pre‑assessments.
A pre‑assessment with RKON helps organizations:
- Validate scope before it expands
- Identify gaps assessors will flag
- Align documentation with reality
- Reduce surprises during the formal assessment
Think of it as risk reduction, not extra work. This ensures that by the time the auditor comes around, you are confident you can pass.
Many experts see CMMC expanding, with civilian agencies beginning to adopt similar frameworks and CMMC-like requirements. It won’t be enough to simply attest to compliance; organizations will need to demonstrate and prove it. Organizations that invest early in strong foundations will have a measurable head start. Learn more in our in-depth whitepaper.
The End Goal Isn’t Passing the Audit
CMMC is ultimately an attestation to something you should already have.
The organizations that succeed aren’t chasing certification; they’re building security‑resilient operations. This requires a cultural shift: away from one‑and‑done compliance and toward ongoing operational maturity.
That’s where RKON comes in. Not just to help you pass an assessment, but to help you operationalize security for the long haul. By November, CMMC requirements will begin showing up in contracts. That means if you’re not ready, you’re not just behind… you may be ineligible to win or renew DoD work.
If you’re racing the clock, now is the time to understand where you truly stand. Get a pre-assessment today.