We’ve walked through CMMC prep with defense subcontractors across Hampton Roads, Northern Virginia, and the I-95 corridor. The pattern repeats: leadership believes they’re “basically NIST 800-171 compliant” because IT ran a gap assessment eighteen months ago. Then the C3PAO engagement starts, someone asks for evidence from the last 90 days, and the room gets quiet.
CMMC Level 2 isn’t a paperwork exercise. It’s proof that your organization operates security controls — not just documents them. If you handle Controlled Unclassified Information (CUI) on DoD contracts, this is the bar you need to clear. Here’s where teams stumble, and what actually moves the needle before your assessment date.
The gap between policy and practice
The most common failure mode is a beautiful policy library that nobody follows. You have an acceptable use policy, an incident response plan, and a configuration management standard. Ask a developer what the process is for spinning up a staging environment with CUI-like test data, though, and you get a shrug.
Assessors don’t award points for PDFs. They sample systems, interview staff, and trace a control from written procedure to logged evidence. If your SSP says multi-factor authentication is enforced on all privileged accounts, they will pull an admin account list and test it.
Fix it: Run tabletop exercises with the people who do the work — not just the compliance lead. Record what actually happens. Update policies to match reality, or change reality to match policy. Pick one.
Scope creep you didn't know you had
Many contractors assume CMMC scope equals “the file server where we store contract deliverables.” In practice, scope includes any system that stores, processes, or transmits CUI — and often the systems connected to those systems in ways that matter for security.
We regularly find CUI in:
- Email threads with PDF attachments on commercial M365 tenants without GCC High
- Contractor laptops syncing to personal OneDrive accounts
- Legacy ERP modules that export CUI to shared drives with open permissions
- Dev/test environments seeded with production data “just for debugging”
Until you map data flows, you can’t draw an accurate boundary. And an inaccurate boundary means you’re either over-scoping (wasting money) or under-scoping (failing the assessment).
Fix it: Build a CUI data flow diagram with your contracts team, engineering, and IT. Mark every ingress and egress point. Segregate what you can; document compensating controls where you can’t.
Access control is where assessments go to die
NIST 800-171 access control requirements sound straightforward until you inherit fifteen years of Active Directory sprawl. Service accounts with passwords that never rotate. Shared credentials on shop floor terminals. Vendors with permanent VPN access because “they’re always fixing something.”
Level 2 expects least privilege, separation of duties where feasible, and session lock/timeout on systems in scope. MFA for privileged users isn’t optional — it’s table stakes.
Fix it: Prioritize identity cleanup before buying another security tool. Disable stale accounts, kill shared logins, enforce MFA on every admin path, and implement just-in-time access for vendors. Log it all in a SIEM or centralized logging platform assessors can query.
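To make that cleanup concrete, here is an added example (not from the original post) that reviews an exported account inventory for the exact findings listed above: stale accounts, shared logins, admins without MFA, service passwords that never rotate, and vendors with standing access. The inventory fields, the sample accounts and the 90-day / 365-day thresholds are assumptions for illustration.

```python
# Added example: identity-hygiene review over an account export.
# Field names, sample data and thresholds are assumptions, not a real AD/IdP format.
from datetime import date

STALE_DAYS = 90      # assumed: no interactive logon in 90 days => stale
ROTATE_DAYS = 365    # assumed: service-account password older than a year
REVIEW_DATE = date(2024, 5, 3)

# Constructed sample export; a real one would come from AD or the IdP.
ACCOUNTS = [
    {"name": "jdoe", "kind": "user", "privileged": False, "shared": False,
     "last_logon": date(2024, 5, 1), "pwd_set": date(2024, 3, 1), "mfa": True, "expires": None},
    {"name": "svc-erp-export", "kind": "service", "privileged": True, "shared": False,
     "last_logon": date(2024, 5, 2), "pwd_set": date(2019, 7, 14), "mfa": False, "expires": None},
    {"name": "shopfloor3", "kind": "user", "privileged": False, "shared": True,
     "last_logon": date(2024, 5, 2), "pwd_set": date(2023, 1, 9), "mfa": False, "expires": None},
    {"name": "vendor-hvac", "kind": "vendor", "privileged": False, "shared": False,
     "last_logon": date(2023, 11, 20), "pwd_set": date(2023, 6, 1), "mfa": True, "expires": None},
    {"name": "da-mwong", "kind": "user", "privileged": True, "shared": False,
     "last_logon": date(2024, 4, 30), "pwd_set": date(2024, 2, 15), "mfa": False, "expires": None},
]

def review_accounts(accounts, today):
    """Return {account name: [finding codes]} for every account needing action."""
    findings = {}
    for a in accounts:
        issues = []
        if (today - a["last_logon"]).days > STALE_DAYS:
            issues.append("STALE")                    # disable now, delete after review
        if a["shared"]:
            issues.append("SHARED_LOGIN")             # replace with named accounts
        if a["privileged"] and a["kind"] != "service" and not a["mfa"]:
            issues.append("ADMIN_NO_MFA")             # MFA on every admin path
        if a["kind"] == "service" and (today - a["pwd_set"]).days > ROTATE_DAYS:
            issues.append("SVC_PWD_NOT_ROTATED")      # rotate or move to managed identity
        if a["kind"] == "vendor" and a["expires"] is None:
            issues.append("VENDOR_STANDING_ACCESS")   # convert to just-in-time access
        if issues:
            findings[a["name"]] = issues
    return findings

def sample_review():
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review_accounts(ACCOUNTS, REVIEW_DATE)

if __name__ == "__main__":
    for name, issues in sample_review().items():
        print(f"{name}: {', '.join(issues)}")
```

The output is the kind of dated artifact an assessor can tie back to a ticket; rerun it on a cadence and keep the results with the evidence pack.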
Logging and monitoring nobody reads
Teams buy logging tools, turn them on, and assume the box is checked. Assessors ask: “Show me an alert from the last quarter that led to a ticket, investigation, and closure.” Silence again.
You need retained audit logs, time synchronization across systems, and a defined review cadence with named owners. For incident response, you need tested playbooks — not a document that lives in SharePoint untouched since 2022.
Fix it: Define minimum log sources for in-scope assets (authentication, privilege changes, boundary devices, AV/EDR). Set retention to meet NIST requirements. Run a simulated phishing or unauthorized access drill and produce the ticket trail.
Configuration management on custom software
Defense contractors increasingly ship custom web apps, internal portals, and integration middleware — not just Office files on a share. That software becomes part of your assessment surface.
Common issues we see on code-driven systems:
- No baseline hardening standard for cloud VMs and containers
- Secrets committed to Git history from years ago
- Production deployments triggered manually with no change record
- Missing vulnerability scanning on application dependencies
If your dev team ships weekly but your change control board meets monthly, assessors will notice the mismatch.
Fix it: Treat application infrastructure like production defense equipment. Version control, CI/CD with approval gates, automated dependency scanning, and environment separation (dev/test/prod) aren’t luxuries — they’re evidence.
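The "secrets committed to Git history" item deserves a worked check, because removing a credential from the current tree does not remove it from history. This added example (not from the original post) scans `git log -p` style output for credentials on the added side of each diff; the patterns, placeholder list and the constructed sample history are assumptions for illustration.

```python
# Added example: scan a git history dump for committed credentials.
# Patterns and the sample history are assumptions; tune both for your code base.
import re

# Only '+' lines are scanned: a secret is exposed when it is added, and it
# remains in history even if a later commit deletes the line.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key":    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment":     re.compile(r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}
# Values that look like secrets but are references, not credentials.
PLACEHOLDERS = {"changeme", "<redacted>", "${", "os.environ"}

def scan_history(log_text):
    """Return [(short commit, file, pattern name)] for each secret added in history."""
    hits, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1], None
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            added = line[1:]
            for name, rx in PATTERNS.items():
                if rx.search(added) and not any(p in added for p in PLACEHOLDERS):
                    hits.append((commit[:7], path, name))
    return hits

# Constructed history: an old config commit leaks credentials, a later one
# moves them to the environment, but the first commit is still in history.
SAMPLE_LOG = """\
commit 9f1c2ab0000000000000000000000000deadbeef
Author: dev <dev@example.test>
    add erp export config
diff --git a/config/erp.ini b/config/erp.ini
+++ b/config/erp.ini
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+db_password = Winter2019!Export
commit 77aa19c0000000000000000000000000cafef00d
    move credentials to environment
diff --git a/config/erp.ini b/config/erp.ini
+++ b/config/erp.ini
-aws_access_key_id = AKIAIOSFODNN7EXAMPLE
-db_password = Winter2019!Export
+db_password = ${ERP_DB_PASSWORD}
"""

def sample_scan():
    return scan_history(SAMPLE_LOG)
```

Every hit means the credential has to be rotated, not merely deleted from the tree, and the rotation ticket becomes the change record an assessor will ask for.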
Supply chain and subcontractor flow-down
Prime contractors are pushing CMMC requirements down the chain. If you’re a sub, your customer’s flow-down clauses may require you to maintain Level 2 certification before award — not “sometime after.”
You also need to manage your own subs: DFARS 7012 obligations, incident reporting timelines (72 hours to DIBNET), and encryption requirements for CUI at rest and in transit.
Fix it: Inventory every subcontractor that touches CUI. Verify their compliance posture in writing. Build incident notification into MSAs so you’re not scrambling at 2 a.m. when their breach becomes your problem.
A realistic 90-day prep sequence
If you have roughly one quarter before assessment, sequence matters:
- Weeks 1–2: CUI scoping, data flow mapping, asset inventory in boundary.
- Weeks 3–4: Identity hygiene, MFA enforcement, privileged access review.
- Weeks 5–6: Logging baseline, SIEM alert tuning, first incident drill.
- Weeks 7–8: Policy/procedure alignment with observed practices; POA&M for true gaps.
- Weeks 9–10: Internal mock assessment with an external partner; collect evidence pack.
- Weeks 11–12: Remediate findings, freeze risky changes, brief leadership on interview prep.
This isn’t a guarantee — org size and starting maturity vary — but teams that follow a sequence like this arrive at the C3PAO with fewer surprises than those who spent three months on policy formatting alone.
What "ready" actually looks like
Ready means an assessor can pick a control at random — say, SI.L2-3.14.7 — and you can show the standard, the system configuration, the log extract, and the person who reviewed it last month. Ready means your engineers know not to paste CUI into Slack. Ready means your executives can explain how security supports contract delivery, not just how much it costs.
CMMC Level 2 is achievable for mid-size contractors. The ones who fail usually didn’t fail on technology. They failed on consistency — the boring, repeated work of operating controls every week, not just before an audit.
If you’re building or modernizing the systems inside your CMMC boundary — portals, integration layers, internal tooling — build compliance into the architecture from sprint one. Retrofitting security onto a live production app three weeks before assessment is how good teams miss their window.