
5 Mistakes Defense Contractors Make Before Their CMMC Assessment

June 22, 2026 · 6 min read

Introduction

CMMC Level 2 assessments expose preparation gaps that organizations were not aware they had, or were aware of and chose not to address. Some of those gaps are technical. Many of them are structural, the result of how leadership engaged with the compliance program, or did not engage with it, before the C3PAO arrived.

The five mistakes described here are not hypothetical failure modes. They are patterns that appear in organizations that have done real compliance work, spent real money, and still find themselves with significant findings when the assessment begins. Each one is avoidable. Each one requires a leadership decision to avoid it.


Mistake 1: Treating CMMC as an IT Project

The most consistent pattern in organizations that struggle with CMMC assessments is the assumption that the IT team can own the entire program. The technology layer is real and significant; CMMC Level 2 includes 110 practices spanning access control, configuration management, audit logging, incident response, media protection, and more, all of which require technical implementation. But technical implementation is one layer of what CMMC requires.

Policies must be written that reflect how the organization actually operates. Personnel must be trained on CUI handling requirements. Physical security controls must be implemented and documented. Incident response procedures must be established, tested, and demonstrably understood by the staff who would execute them. None of those decisions can be made by IT without organizational authority that IT does not have.

When executives disengage from the compliance program, the IT team makes policy decisions by default. Those decisions often do not survive assessor scrutiny because they are not grounded in how the business actually functions. Assessors reviewing Awareness and Training (AT) controls will ask who defined the training requirements, who delivered the training, and who verified completion. If the honest answer is that IT made all of those decisions without HR or leadership involvement, that surfaces as a governance gap with findings attached.


Mistake 2: Confusing a SPRS Score with Assessment Readiness

Defense contractors are required to self-assess their NIST SP 800-171 posture and submit a score to the Supplier Performance Risk System. That score is visible to DoD contracting officers. Some organizations treat a favorable SPRS score as evidence that their compliance program is working. It is not.

A C3PAO conducts an independent assessment of your environment against all 110 practices. They do not start from your SPRS score. If your self-assessment credited your organization for a control that is not implemented, or that is implemented but cannot be evidenced, the assessor will find it. In one recent engagement, an organization had submitted a SPRS score of 88. The independent assessment identified that several credited controls, including access review documentation under AC and log retention under AU, could not be supported with artifacts. The gap between the submitted score and the assessed score was significant, and the remediation required delayed the certification timeline by months.

More critically, submitting a SPRS score that overstates your actual posture is not a documentation error. It is a potential False Claims Act violation. That is legal exposure that ownership is carrying, not the IT team and not the compliance lead.


Mistake 3: Scoping the Assessment Environment Incorrectly

Scope defines which systems, people, locations, and technology are included in the CMMC assessment environment. Under 32 CFR 170.19, the scope of the assessment is determined by the organization's CUI boundary, where Controlled Unclassified Information is processed, stored, or transmitted. Scoping decisions have direct consequences for assessment complexity, remediation cost, and assessment timeline.

Organizations that scope too broadly bring systems into the assessment environment that could have been excluded through proper architectural segmentation. That increases the number of assets the C3PAO must evaluate and the number of controls that must be fully implemented and documented across all of them. Organizations that scope too narrowly leave real CUI outside the documented boundary, which assessors may detect during evidence review or staff interviews. Organizations that do not document their scoping rationale may be required to revisit the boundary definition during the assessment itself -- adding time and cost at the worst possible moment.

Scope is not an IT decision. It is a business architecture decision that requires leadership input about which parts of the organization perform contract work involving CUI, how that work is structured, and what the organization is willing to invest in segmentation and enclave design. Those are ownership-level questions.


Mistake 4: Using the POA&M as a Permanent Deferral Mechanism

A Plan of Action and Milestones is a required artifact for CMMC Level 2 assessments. It documents security deficiencies that have not yet been remediated, the planned remediation actions, and the target completion dates. It is a mechanism for showing a credible path to full compliance -- not a mechanism for listing known problems and leaving them open indefinitely.

C3PAOs review POA&Ms during assessments. They evaluate whether the documented remediation actions are credible, whether the timelines are realistic, and whether progress has been made since the POA&M was established. A POA&M that lists the same open items with extended due dates across multiple review cycles is not a compliance document. It is a record of deferred decisions, and assessors read it that way.

Closing POA&M items requires organizational decisions about resource allocation, system changes, and policy implementation that leadership must authorize. When those decisions are not made, open items accumulate. By the time a C3PAO reviews them, the pattern of deferral is documented in the POA&M itself.
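As an added illustration of the review described above (example code written for this article, not part of the original post or any assessor's tooling): the script below walks constructed quarterly POA&M snapshots and flags items that are still open and whose target dates were pushed out more than once, reporting how far each has slipped. The item ids, control names and dates are constructed.

```python
from datetime import date

# Constructed POA&M snapshots, oldest first; item ids, control names and
# dates are hypothetical and not taken from any real assessment.
SNAPSHOTS = [
    ("2025-Q1", {
        "POAM-01": ("audit log retention", date(2025, 3, 31), "open"),
        "POAM-02": ("MFA for remote access", date(2025, 3, 31), "open"),
        "POAM-03": ("physical access log review", date(2025, 6, 30), "open"),
    }),
    ("2025-Q2", {
        "POAM-01": ("audit log retention", date(2025, 6, 30), "open"),
        "POAM-02": ("MFA for remote access", date(2025, 3, 31), "closed"),
        "POAM-03": ("physical access log review", date(2025, 6, 30), "open"),
    }),
    ("2025-Q3", {
        "POAM-01": ("audit log retention", date(2025, 9, 30), "open"),
        "POAM-03": ("physical access log review", date(2025, 9, 30), "open"),
    }),
]

def item_history(snapshots):
    """Group each item's (cycle, control, due date, status) rows across snapshots."""
    history = {}
    for cycle, items in snapshots:
        for item_id, (control, due, status) in items.items():
            history.setdefault(item_id, []).append((cycle, control, due, status))
    return history

def deferred_items(snapshots, max_extensions=1):
    """Return items whose latest status is still open and whose due date was
    pushed later more than max_extensions times across the review cycles.
    Each entry reports the control, the extension count and total slip in days."""
    report = {}
    for item_id, rows in item_history(snapshots).items():
        if rows[-1][3] != "open":
            continue  # closed in its latest appearance: remediated, not deferred
        dues = [due for _, _, due, _ in rows]
        extensions = sum(1 for earlier, later in zip(dues, dues[1:]) if later > earlier)
        if extensions > max_extensions:
            report[item_id] = {
                "control": rows[-1][1],
                "extensions": extensions,
                "slip_days": (dues[-1] - dues[0]).days,
            }
    return report

if __name__ == "__main__":
    for item_id, info in deferred_items(SNAPSHOTS).items():
        print(item_id, info)
```

With the constructed data only POAM-01 is reported (two extensions, 183 days of slip); lowering `max_extensions` to 0 also surfaces POAM-03, which slipped once.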


Mistake 5: Assuming the MSP Owns CMMC Accountability

Managed service providers can implement and manage significant portions of the technical controls required for CMMC Level 2. Many defense contractors rely on MSPs for endpoint management, patch management, log monitoring, and other functions that map directly to required practices. That reliance is appropriate as far as it goes.

What MSPs do not do is write your organization's policies. They do not train your employees on CUI handling requirements under AT.2.057. They do not make decisions about your assessment scope. They do not define your incident response procedures or verify that your staff can execute them consistently. And they are not the organization of record in your CMMC assessment -- your company is.

When a C3PAO requests evidence of Access Control policy implementation under AC.1.001, or configuration management procedures under CM.2.061, the answer must come from your organization's documented policies and practices. An MSP's service agreement is not a substitute. The contractor, and contractor leadership, holds the accountability. Vendors can support the program. They cannot own it.


Conclusion

None of these mistakes requires a sophisticated failure to occur. They follow from predictable organizational dynamics: compliance programs that run below the executive level, self-assessments that favor optimistic interpretations, scope and accountability decisions that were never made at the right level of the organization, and remediation timelines that were managed by deferral rather than by decision.

An independent gap assessment that honestly evaluates all five of these areas is the right starting point before any remediation spending is authorized. Organizations that surface these issues early correct them on a planned timeline. Organizations that surface them on assessment day correct them under pressure -- and the certification delay is the cost of that difference.


Get the CMMC Business Risk Assessment Guide for Defense Contractor Executives

If your organization is preparing for a CMMC Level 2 assessment and leadership has not yet reviewed its actual risk exposure, the CMMC Business Risk Assessment Guide for Defense Contractor Executives is the right place to start. It walks through the questions every owner must be able to answer before any assessment is scheduled -- covering SPRS score accuracy, scope decisions, remediation budget, and internal accountability.
