Intelligence in Risk Advisory + Compliance

CMMC 2.0: A Practical Path to Readiness

The clock has officially started on CMMC 2.0. 

With the final rule now live, defense contractors and subcontractors are entering a phased rollout that will make certification a requirement for doing business with the Department of Defense. For many organizations, the challenge isn’t just compliance, it’s figuring out where to begin. 

Understanding scope, requirements, and timelines early is the difference between a controlled path to readiness and a last-minute scramble. 

Who is in scope for CMMC 2.0?

This is the first question most organizations ask. The answer starts with your contracts and the type of data you handle. 

If your work involves Federal Contract Information (FCI), that is, data generated or provided under a government contract that isn't intended for public release, you're likely looking at Level 1. That means 15 foundational security practices, an annual self-assessment, and a self-attestation filed through the Supplier Performance Risk System (SPRS). No third-party assessor is required.

But here's where it gets serious: that attestation carries legal weight. Signing off on compliance you haven't achieved creates real False Claims Act exposure. The Department of Justice has already opened investigations and reached public settlements against contractors who certified compliance they couldn't back up. This isn't a theoretical risk. It's happening. 

If your environment handles Controlled Unclassified Information (CUI), that is, data the government has designated sensitive but unclassified, you're in Level 2 territory. That means full alignment to all 110 controls in NIST SP 800-171, assessed every three years by a certified third-party assessment organization (C3PAO).

What catches most organizations off guard: those 110 controls break down into 320 individual assessment objectives. Your assessor evaluates every single one. Preparing at the control level but missing the underlying objectives is one of the most common reasons organizations fall short on their first assessment. 

Scope also extends beyond your contract language to the actual flow of data through your organization. Where does CUI live? Who can access it? Which systems store or transmit it? Can it be printed, pasted into a different app, or moved to a USB drive? Each of those vectors is a boundary that needs to be defined and controlled. Get this wrong and you either pull unnecessary systems into scope, inflating cost and complexity, or leave real exposure points outside your compliance program. 

Your subcontractors and vendors matter here too. If you're passing CUI downstream to a supplier or managed service provider, that organization may itself be subject to CMMC requirements. Understanding where your shared responsibility begins and ends isn't optional; assessors will ask.

How do you start building toward compliance? 

The answer isn't to tackle everything at once, but to follow a structured, prioritized path that connects your current state to audit readiness in a way your team can actually execute. 

Start by mapping your current controls to NIST 800-171. A gap assessment against all 110 controls, and ideally all 320 underlying objectives, tells you exactly where you stand. From there, separate the work into two categories: quick wins and long-lead items. Treating those differently is what makes a 90-day plan realistic. 

Quick wins are the things you're already doing but haven't documented, policies that reflect actual practice with minor updates, or monitoring features already available in tools you own. These build momentum without heavy lift. 

Long-lead items are the ones that require planning cycles, procurement, or organizational coordination, such as deploying a SIEM, migrating to a compliant cloud environment like GCC High, or implementing multi-factor authentication across all in-scope systems. These cannot be compressed. Starting them late is one of the most avoidable reasons organizations miss their target assessment window.

From there, build a focused plan that balances risk reduction with audit readiness.

A practical 90-day roadmap often includes:

  • Developing or updating your System Security Plan (SSP): Your SSP is the foundational document that describes how each control is implemented. It needs to be written at the objective level, not just the control level, and it needs to match what's actually in place. Assessors compare your SSP against your evidence and your technical configurations. Gaps between what you say and what they see become not-met findings.
  • Building a realistic Plan of Action & Milestones (POA&M): Your POA&M documents what hasn’t been fully addressed yet, who owns it, and when it will be resolved. A well-maintained POA&M signals you understand your gaps and are managing them intentionally. A missing or outdated one signals the opposite.
  • Establishing consistent evidence collection: Evidence isn't something you pull together the week before your assessment. Configuration exports, access logs, training records, vulnerability scan results, change management documentation: assessors want to see controls operating consistently over time, not just on the day they look.
  • Strengthening policies and procedures: Policies that say what you do without explaining how you do it are a recurring gap. Documentation needs to be specific enough that an outside assessor can understand exactly how each control is implemented and maintained.
  • Managing third-party and vendor risk: Review your vendor relationships against your CUI data flows. For any third party with access to CUI, or systems that protect it, confirm their compliance posture, clarify shared responsibility, and make sure your contracts reflect the right security requirements. 
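The roadmap above turns on two ideas that are easy to state and easy to get wrong in practice: a control is only "met" when every one of its assessment objectives is met, and evidence has to show the control operating over time rather than on one day. The following script is an added illustration of both, not code from the article or from any CMMC tooling. The control and objective identifiers follow the NIST SP 800-171A naming pattern (for example 3.1.1[a]), but every status, owner, date and evidence sample below is constructed for the example, and the 90-day evidence window and two-sample minimum are assumptions, not a requirement stated anywhere on the page.

```python
"""Objective-level gap rollup, evidence-consistency check and POA&M builder.

Added example: all sample data is constructed. Real assessments use
the full 110 controls / 320 objectives; three controls are enough to
show the rollup logic.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Objective:
    obj_id: str                 # e.g. "3.1.1[a]" (NIST SP 800-171A style)
    met: bool
    evidence_dates: List[date] = field(default_factory=list)  # capture dates
    owner: str = ""
    long_lead: bool = False     # needs procurement / planning cycle
    due: Optional[date] = None


@dataclass
class Control:
    control_id: str
    objectives: List[Objective]


def control_met(control: Control) -> bool:
    """A control counts as met only when every objective under it is met."""
    return all(o.met for o in control.objectives)


def rollup(controls: List[Control]) -> Dict[str, List[str]]:
    """Classify controls as met, partially met (some objectives met) or not met."""
    result: Dict[str, List[str]] = {"met": [], "partially_met": [], "not_met": []}
    for c in controls:
        if control_met(c):
            result["met"].append(c.control_id)
        elif any(o.met for o in c.objectives):
            result["partially_met"].append(c.control_id)
        else:
            result["not_met"].append(c.control_id)
    return result


def evidence_gaps(controls: List[Control], as_of: date,
                  window_days: int = 90, min_samples: int = 2) -> List[str]:
    """Objectives claimed as met but lacking repeated evidence in the window.

    The window and sample count are assumptions for the example; the point is
    that one screenshot the week before fieldwork is not 'operating over time'.
    """
    start = as_of - timedelta(days=window_days)
    gaps = []
    for c in controls:
        for o in c.objectives:
            if not o.met:
                continue
            recent = [d for d in o.evidence_dates if start <= d <= as_of]
            if len(recent) < min_samples:
                gaps.append(o.obj_id)
    return gaps


def poam(controls: List[Control]) -> List[dict]:
    """One POA&M row per unmet objective, long-lead items first."""
    rows = []
    for c in controls:
        for o in c.objectives:
            if o.met:
                continue
            rows.append({
                "control": c.control_id,
                "objective": o.obj_id,
                "owner": o.owner or "UNASSIGNED",   # unowned rows are a finding in themselves
                "category": "long-lead" if o.long_lead else "quick-win",
                "due": o.due,
            })
    # Long-lead work sorts first so procurement-bound items start earliest.
    rows.sort(key=lambda r: (r["category"] != "long-lead", r["due"] or date.max))
    return rows


# Constructed sample assessment state (not real data).
AS_OF = date(2025, 6, 30)
SAMPLE = [
    Control("3.1.1", [  # account management: prepared at control level, one objective missed
        Objective("3.1.1[a]", True, [date(2025, 4, 15), date(2025, 6, 1)]),
        Objective("3.1.1[b]", True, [date(2024, 12, 1)]),          # stale evidence
        Objective("3.1.1[c]", False, owner="IT Ops", due=date(2025, 7, 31)),
    ]),
    Control("3.3.1", [  # audit logging: needs the SIEM, a long-lead item
        Objective("3.3.1[a]", False, owner="Security", long_lead=True,
                  due=date(2025, 9, 30)),
    ]),
    Control("3.5.3", [  # MFA: fully met with recurring evidence
        Objective("3.5.3[a]", True, [date(2025, 5, 1), date(2025, 6, 15)]),
        Objective("3.5.3[b]", True, [date(2025, 5, 1), date(2025, 6, 15)]),
    ]),
]

if __name__ == "__main__":
    print("Rollup:", rollup(SAMPLE))
    print("Evidence gaps:", evidence_gaps(SAMPLE, AS_OF))
    for row in poam(SAMPLE):
        print("POA&M:", row)
```

Run as-is, the rollup reports 3.5.3 met, 3.1.1 only partially met (the control-level view would have called it done), and 3.3.1 not met; 3.1.1[b] is flagged because its single evidence capture is outside the window; and the POA&M lists the SIEM-dependent objective before the quick win. The same shape scales to a full 800-171A objective list loaded from a spreadsheet.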

One more thing before you engage a C3PAO: make sure your CAGE codes are accurate and your SAM.gov organizational hierarchy is current. Certification outcomes tie directly to that structure, and misalignments can mean separate certifications for different parts of your organization or delays in how your results are recognized. 

What are the most common mistakes to avoid? 

Across organizations preparing for CMMC, a few pitfalls show up repeatedly, and most are avoidable with early attention:

  • Unclear scope: Organizations that rush or skip the scoping exercise either pull in systems that don't need to be there, inflating cost, or define boundaries too narrowly and leave real exposure outside their program. Tight, defensible scoping from the start controls both problems.
  • Weak or missing evidence: This is the most common reason assessments produce not-met findings on controls organizations believe they've implemented. Saying a control is in place is not the same as demonstrating it. Assessors will ask to see it everywhere: in your configurations, your logs, and your documentation.
  • Disconnected teams: CMMC assessments require technical demonstrations. System administrators and engineers need to be available during fieldwork, not just compliance or GRC staff. Assessors will ask to log into systems, review configurations, and observe processes in real time. Teams that haven't practiced this together before the formal assessment tend to struggle under pressure.
  • Unmanaged third parties: Vendors and subcontractors with access to your CUI environment are part of your compliance scope, whether or not you've formally acknowledged it.

These mistakes slow certification, increase cost, and delay contract eligibility. 

Organizations that succeed treat compliance as an ongoing operational discipline, not a one-time project. 

CMMC 2.0 represents a fundamental shift in how the defense supply chain approaches security. Organizations that act early, define scope clearly, and build structured plans will not only meet compliance requirements, but also strengthen their overall security posture. Those that wait risk compressed timelines, higher costs, and missed opportunities.

If you're looking for a more in-depth breakdown, you can watch our on-demand webinar for step-by-step guidance on what to do next, or explore our practical guide to better understand how CMMC 2.0 applies to your organization.

Need help preparing for CMMC? Contact our team to start building your path to certification. 

Are you ready to get started?