CorpInfoTech Blog | Resources and education regarding the latest in cybersecurity and compliance!

The 5 Things I Didn't Know Before Going Into a CMMC Assessment

Written by Lawrence Cruciana | Feb 14, 2025 10:06:22 PM

CMMC, like cybersecurity itself, is not a one-and-done exercise. It’s a continuous process that requires ongoing commitment from every level of the company. It’s not something that can be delegated to IT and then forgotten about. It affects how business gets done—often in unexpected ways. There is no finish line. Achieving compliance isn’t just about passing an assessment—it’s about sustaining compliance day in and day out. If anyone on the team thinks of this as a one-time project, they’re in for a rude awakening. It’s a shift in how security is approached, requiring continuous monitoring, refinement, and adherence to a set of practices that don’t allow for shortcuts.

Going into our assessment, we had to take an already well-organized IT service provider, one that was an accredited CIS Controls practitioner, and reshape it to fit within the rigid structure of NIST 800-171. That was no small task.

Looking back, there were five things I wish I had known before starting this process:

1.  It's Not Just an IT Problem

Many organizations make the mistake of treating CMMC like an IT-driven initiative. It’s not. Compliance touches HR, finance, procurement, legal, and leadership. Policies, processes, and documentation must align across the entire business. IT can’t do this alone, and attempting to silo CMMC compliance will result in failure. This starts at the top of the organization. This isn’t something that you just ‘do’. It is something you commit to with heart and soul, in every dark and forgotten recess of your organization.

2.  CMMC Changes How You Do Business

Even for a company that already takes security seriously, the shift to CMMC compliance can introduce operational changes that weren’t anticipated. Things that worked well before—trusted workflows, vendor relationships, even internal communications—get upended. Some of those changes are small; others require fundamental restructuring. Expect disruption. Expect it in the most unexpected places and at the most inopportune times. It will happen.

3.  It Forces People Out of Their Comfort Zones

Every organization has highly skilled professionals who are exceptional in their domains of practice. CMMC doesn’t care. It demands extensive documentation, policy creation, and rigid adherence to defined processes. This means engineers, analysts, and technical staff who thrive in problem-solving environments suddenly find themselves spending hours writing policies and documenting procedures. It’s uncomfortable, but it’s necessary. Then translate that to marketing, sales, and administration. Has anyone ever seen a marketing department react to a data spillage procedure that demands strict compliance? It’s not pretty. How about an office manager who suddenly finds themselves responsible for the personnel screening process, and for keeping it consistent between internal staff and the external cleaning company? The list goes on.

4.  It Makes Everything Shake

A well-oiled IT operation does not naturally conform to NIST 800-171. The framework is built with strict guidelines that dictate exactly how (and when) things should be done. For an organization used to agility and efficiency, this can feel like trying to shove a square peg into a round hole. The transformation is painful. Systems that once worked smoothly now have to be reconfigured to meet requirements that often feel overly prescriptive. Rigid documentation requirements do not align naturally with the customer-first methodology that is prevalent in my organization. The first time a customer-facing resource has to say ‘no’ to a client because the proverbial paperwork isn’t in order is a big deal. It’s a big deal to the individual, the client, and potentially the culture of the organization.

5.  Culture Is King

CMMC isn’t just a compliance framework—it’s a cultural shift. It forces an organization to reexamine how it operates at every level, from leadership to frontline staff. This is not an initiative that can be delegated downward or treated as a box-checking exercise. It must be led from the top, with clear commitment and alignment across the entire company. I didn’t expect this to be a delegated task. I expected to be “in it” as well. What I didn’t expect were the number of conversations about ‘why’. We’re not a government contractor; we serve government contractors. I did a poor job of communicating the why at every possible turn, and that manifested in conversation and possibly in some of the team questioning my sanity.
 
This process changes how you speak internally and externally. It alters how you sell, how you interact with customers, and how you deliver services. If security isn’t already ingrained in the company’s DNA, CMMC can feel like an unwelcome intrusion— something foreign that disrupts the way things have always been done. That kind of culture shock can lead to resistance, frustration, and burnout if it isn’t managed properly. We didn’t experience this as severely as some companies, but even for us, the journey tested our resolve. There were moments where the friction of change made it tempting to push back against the process. The weight of documentation, the scrutiny of every control, the forced adjustments to workflows—these weren’t just technical hurdles, they were cultural ones.
 
Preserving company culture through this transformation takes effort. It requires leadership to not only enforce compliance but also inspire the team to understand why it matters. If cybersecurity isn’t truly a core value—beyond just words on a mission statement—then the journey to CMMC compliance will be far more painful. Culture drives execution, and without cultural alignment, compliance will always feel like an uphill battle.
 
For us, this journey reinforced the importance of staying committed. It reminded me that real security isn’t just about technology, policies, or assessments. It’s about people. And bringing them along for the journey is just as critical as any control we implement.
 

The Two Biggest Takeaways

Everyone has to learn how to operate inside a rigidly structured system

CMMC compliance requires patience, communication, and buy-in across the company. The way people are used to working must change, and that change doesn’t come easily.

Take it Seriously from Day One

The purpose of CMMC is to protect national security data. Along the way, I’ve met too many people who see it as just another revenue stream, a box to check. That’s not how I see it. Every detail matters. Every process matters. Filtering out the noise and focusing on those who are truly committed to doing this right is critical. If this is something that you or your company are considering, especially as an MSP (or ESP, External Service Provider, in CMMC parlance), keep in mind that there are often literally American lives at risk. The adversaries that CMMC intends to deter are less the pesky ransomware operators (who are frankly quite easy to detect) and more nation-state threat actors: the threats that lurk quietly and aim to surreptitiously siphon information and know-how. The real boogeyman of the Internet.

Next Steps for CorpInfoTech

Our next step? Assessment. The documentation is done. The implementation is done. We’ve operationalized our system security plan. Now, it’s time to go through the process and prove that what we’ve built holds up. Onward!