The 5 Things I Didn't Know Before Going Into a CMMC Assessment
CMMC, like cybersecurity itself, is not a one-and-done exercise. It’s a continuous process that requires ongoing commitment from every level of the company. It’s not something that can be delegated to IT and then forgotten about. It affects how business gets done—often in unexpected ways. There is no finish line. Achieving compliance isn’t just about passing an assessment—it’s about sustaining compliance day in and day out. If anyone on the team thinks of this as a one-time project, they’re in for a rude awakening. It’s a shift in how security is approached, requiring continuous monitoring, refinement, and adherence to a set of practices that don’t allow for shortcuts.
Going into our assessment, we had to take an already well-organized and accredited IT service provider—one that was an accredited CIS Controls practitioner—and reshape it to fit within the rigid structure of NIST 800-171. That was no small task.
Looking back, there were five things I wish I had known before starting this process:
1. It's Not Just an IT Problem
Many organizations make the mistake of treating CMMC like an IT-driven initiative. It’s not. Compliance touches HR, finance, procurement, legal, and leadership. Policies, processes, and documentation must align across the entire business. IT can’t do this alone, and attempting to silo CMMC compliance will result in failure. This starts at the top of the organization. This isn’t something that you just ‘do’. This is something you commit to with your heart, soul, and throughout every dark and forgotten recess of your organization.
2. CMMC Changes How You Do Business
Even for a company that already takes security seriously, the shift to CMMC compliance can introduce operational changes that weren’t anticipated. Things that worked well before—trusted workflows, vendor relationships, even internal communications—get upended. Some of those changes are small; others require fundamental restructuring. Expect disruption. Expect it in the most unexpected places and at the most inopportune times. It will happen.
3. It Forces People Out of Their Comfort Zones
Every organization has highly skilled professionals who are exceptional in their domains of practice. CMMC doesn’t care. It demands extensive documentation, policy creation, and rigid adherence to defined processes. This means engineers, analysts, and technical staff who thrive in problem-solving environments suddenly find themselves spending hours writing policies and documenting procedures. It’s uncomfortable, but it’s necessary. Then translate that to marketing, sales, and administration. Has anyone ever seen a marketing department react to a data spillage procedure that demands strict compliance? It’s not pretty. How about an office manager who finds themselves responsible for managing compliance with the internal and external personnel screening process for the cleaning company? The list goes on.
4. It Makes Everything Shake
A well-oiled IT operation does not naturally conform to NIST 800-171. The framework is built with strict guidelines that dictate exactly how (and when) things should be done. For an organization used to agility and efficiency, this can feel like trying to shove a square peg into a round hole. The transformation is painful. Systems that once worked smoothly now have to be reconfigured to meet requirements that often feel overly prescriptive. Rigid documentation requirements do not align with the customer-first methodology that is prevalent in my organization. The first time a customer-facing resource has to say ‘no’ to a client because the proverbial paperwork isn’t in order is a big deal. It’s a big deal to the individual, the client, and potentially the culture of the organization.
5. Culture Is King
statement—then the journey to CMMC compliance will be far more painful. Culture drives execution, and without cultural alignment, compliance will always feel like an uphill battle.
The Two Biggest Takeaways
Everyone has to learn how to operate inside a rigidly structured system
CMMC compliance requires patience, communication, and buy-in across the company. The way people are used to working must change, and that change doesn’t come easily.
Take it Seriously from Day One
The purpose of CMMC is to protect national security data. Along the way, I’ve met too many people who see it as just another revenue stream, a box to check. That’s not how I see it. Every detail matters. Every process matters. Filtering out the noise and focusing on those who are truly committed to doing this right is critical. If this is something that you or your company are considering, especially as an MSP (or ESP in CMMC parlance), keep in mind that there are often, quite literally, American lives at risk. The adversaries that CMMC intends to deter are less the pesky ransomware operators (who are frankly quite easy to detect) and more nation-state threat actors: the threats that lurk quietly and aim to surreptitiously siphon information and know-how. The real boogeyman of the Internet.
Next Steps for CorpInfoTech
Our next step? Assessment. The documentation is done. The implementation is done. We’ve operationalized our system security plan. Now, it’s time to go through the process and prove that what we’ve built holds up. Onward!