Thoughts/Lessons Learned from Our First CMMC Client Assessments

CMMC assessments only began in January, and it’s already clear that companies who think they have their act together may not fully grasp the scope of what’s required. This isn’t a SOC audit, where there’s room for interpretation or a roadmap for remediation. With CMMC, it’s binary: you either meet the requirement or you don’t. There’s no middle ground, no guidance from the assessor, and no second chances without costs. Speaking of, these audits are also extremely expensive—so getting it right the first time is critical. So, here are some general notes, in no particular order, but I'm also looking forward to your thoughts/experiences.

The Assessor Is Not Your Friend

They will not guide you, they will not help you, and they will not suggest how to fix things. Their job is simple: pass or fail. If you don’t have the right evidence, you fail. Period. Don’t expect a mulligan; it’s their job not to give an inch.

You Need Meticulously Documented Proof for Everything

Achieving CMMC means meeting 110 controls, encompassing 320 assessment objectives – all of which require evidence. Lots of it. If you're presenting less than hundreds of pages, you're missing something. Every policy must have supporting documentation, every technical control must have proof, and if you can’t show it, it doesn’t exist—and you don’t pass.

Everyone Speaking to the Assessor Must Be Laser Focused

Every person who interacts with the assessor must:

• Have the authority to speak in their assigned area.

• Only answer what is asked—no volunteering extra details.

• Know exactly where to find every piece of required documentation.

Loose lips sink ships. Create a guide, train your people and practice before it's real or it will cost you.

If You Score an 88/110, You Can Avoid Immediate Failure. Possibly.

To pass, you need at least 88 out of 110. If you fall short but don’t have any 3-point or 5-point deductions, you can submit a Plan of Action and Milestones (PoAM) and get six months to remediate the issues—allowing you to avoid outright failure. But if you’re missing controls that include major security gaps? You’re out of luck.

Passing Once Means Nothing If You Can’t Sustain It

Just because you passed today doesn’t mean you’ll pass in three years. CMMC is an ongoing process, not a one-and-done event. You're setting yourself up for failure if you don’t continuously update and maintain your security controls and the associated documentation the assessor is looking for.

Procedures, Procedures, Procedures

Every control must be backed by a clear, documented process that is scrupulously detailed. It’s not enough to just say, “Yeah, we do that.” You need to explain exactly how you do it, where the proof is, and who is responsible. Without detailed, repeatable procedures, you will fail (seeing a pattern here?).

Lack of Readiness Can Cost You 50% - Or More

Assessments are not a one-price-fits-all model, and the cost we've seen so far varies wildly. We’ve found that being prepared goes a long way and can save you as much as half on your assessment. But remember, if you’re not completely ready and can prove it, it’s still lighting money on fire if you fail.

Most companies think they’re ready. They are not. CMMC is brutal, and the sooner businesses accept that, the better chance they have of passing their first real assessment.