And what I learned while sitting across from an assessment team.
There’s a difference between knowing something and experiencing it. I thought I had a pretty solid understanding of what a CMMC assessment entailed. After all, I’ve been in this world for a long time—long enough to remember when “CMMC” was a collection of PowerPoint slides and working group debates before Version 1.0 was even released. I’ve helped clients prepare. I’ve built hundreds of compliance programs from scratch. I’ve been in the trenches of cybersecurity for regulated industries for over two decades. In preparation for CMMC, I attended formal classes, gained formal certification and recognition as a CMMC Certified Professional (CCP), and even completed the required coursework as a CMMC Certified Assessor (CCA) prior to our assessment.
But there’s nothing quite like being on the other side of the audit table.
This isn’t going to be a technical breakdown of the CMMC assessment process. If you want to read about scoring methodologies or what constitutes an objective evidence artifact, there are plenty of documents and training materials that cover that. This is about the human experience—the messy, challenging, sometimes frustrating but ultimately transformative journey of moving from theory to practice. This is about my experience.
And if you’re a business leader, especially in a small to mid-sized organization, and you think your team can simply “handle” CMMC compliance through IT alone, buckle up. You’re in for a ride.
These are my candid experiences of transforming a highly functioning, cybersecurity-led, decades-old managed IT services firm into a NIST 800-171 compliant organization. There were mistakes made, (very expensive) lessons learned, and along the way I developed an unsettling ability to disrupt our proverbial apple cart seemingly on a daily basis and a taste for humble pie.
I’ve structured this into five sections that roughly parallel a blog that I wrote prior to our audit (The 5 Things I Didn’t Know Before Going Into a CMMC Assessment). That blog detailed the lessons I learned preparing for our CMMC Assessment. I recall writing it feeling a little smug about just how ready we were, feeling that through all of the change and evolution there was little else left to learn. I was wrong.
I wrote this in a blog a while back, and it’s still true: “treating CMMC as a purely IT-driven initiative is a fast path to failure.” The assessment we went through reinforced that tenfold.
What surprised me most during the audit wasn’t the technical controls. We’ve been a security-first Managed Services Provider (MSP) for a long time, and from a tools-and-tech perspective, we were in solid shape. For the technologists out there, our full security stack was FedRAMP certified, our processes were ITIL-based, and our services team had enough certification-related acronyms after their names to rewrite your favorite Orwellian novel. The friction came from business processes—the hand-offs between departments, the language in HR policies, the structure of vendor management, and how we communicated risk (and the required treatment of that risk) internally. It came from the mundane and routine daily operations and how those must conform with NIST 800-171 and the broader CMMC program overall.
Before we even get into what the assessment team was looking for, it’s worth pausing to understand who they were because, to me, that shaped everything about the experience.
These weren’t green MBAs or compliance generalists learning cybersecurity on the fly. Our assessment team was made up of deeply experienced, credentialed professionals who met the stringent qualification criteria outlined in DoDI 8440.01—the Department of Defense Instruction governing the roles, standards, and qualifications for cybersecurity workforce members involved in assessments and evaluations across DoD systems.
This instruction doesn’t just set a baseline for technical capability; it defines clear, experience-based expectations for assessors operating in environments that range from enterprise IT to national security systems. The individuals assigned to our CMMC assessment had previously worked in environments governed by NIST 800-53 at the most sensitive classification levels. These weren’t just assessors; they were practitioners who understood the implications of every control, every process, and every deviation. They brought the same scrutiny and discipline to my little corner of the MSP world as they would to a National Security asset.
That level of qualification matters. Let me say that again. That. Level. Of. Qualification Matters! (read that as choose your assessment team and C3PAO wisely).
Why does that level of qualification matter? Because CMMC assessments aren’t just about compliance—they’re about validating whether your organization can actually secure Controlled Unclassified Information (CUI) against real-world threats. An assessor who has operated in classified environments, who understands how adversaries think and how organizations fail under pressure, brings a level of rigor and clarity that a paper-based checklist never could.
These folks didn’t just skim our documentation. They read every single page—more than 4,000 in total—including policies, procedures, diagrams, risk decisions, and practice-based evidence. They spent a full week preparing for our assessment, reading our documentation, and formulating questions. They cross-referenced our processes against the requirements. Once the audit was underway, they not once asked us what system did what. They knew our systems cold. Similarly, they didn’t ask us questions that could be read from a policy or Standard Operating Procedure (SOP). Rather, they asked probing questions that were practice-based. Things like how procurement vets subcontractors, how HR handles onboarding, and for evidence showing the risk review that (by policy) should have happened on or around the second week of February - a time period that was in-scope but prior to the commencement of our assessment.
It wasn’t a technical audit. It was a full-spectrum operational evaluation.
Frankly, as an experienced and formally credentialed CIS Controls, NERC CIP, and NIST CSF assessor myself, it was impressive.
This team was as comfortable assessing us—a small, agile, security-first MSP—as they would be walking into a hardened federal enclave. And that made the experience all the more validating. We weren’t being “checked.” We were being evaluated by people who knew what they were doing. People who held themselves to the same standards they expected from us.
It elevated the process. It raised the bar for what I now expect from any assessment—not just in cybersecurity, but in any compliance framework.
I Thought I Knew: We’d Already Disrupted Our Business Enough
I knew CMMC would force us to tighten things up. What I didn’t realize was how deeply it would touch things that had nothing to do with IT—at least on the surface.
Internal workflows we’d used for years suddenly didn’t align with documentation standards. Our long-time office cleaning company? They now needed to undergo formal screening and background checks because they have after-hours access to areas where CUI might reside. We had to overhaul how we documented authorized personnel’s access to the office. And we had to prove it. That meant tightening policies, adjusting contracts, and documenting everything down to a badge-swipe and biometric-access level. Our Marketing team had to review procedures on how incident communications are structured. Our administrative team had to change how they managed and documented physical media (paper) disposal. None of this was hard—individually. But in aggregate, it forced us to rethink a whole lot about how we operate.
Then there were our data center partners. These weren’t small-time colocation facilities—they were Tier IV, SSAE 18-audited facilities with SOC 2 and 3, HIPAA, and PCI-DSS certifications. But CMMC doesn’t stop at "already secure." There is no reciprocity. We had to dig deep with their compliance teams to validate screening procedures for their personnel, understand their physical access control systems, and ensure every policy mapped to 800-171 expectations.
Their certifications helped—but CMMC demanded those controls be re-examined through the lens of protecting CUI and the infrastructure that supports it.
None of this was hard in isolation. But in aggregate? It forced us to unwind years of operational muscle memory. The assessment didn’t just challenge our compliance—it challenged the way we’d always done things. That kind of change comes with friction, even when it’s the right thing to do.
I Thought I Knew: This Would Be a Management Exercise
Spoiler: it wasn’t.
I thought my role as the leader would be to support the team, reinforce priorities, author some policies, and maybe review some risk documentation. I expected that I would have to be available if the assessors wanted an executive interview. What actually happened? I was in the thick of it. Not because I had to be, but because this is what leadership looks like in a CMMC environment.
The assessors didn’t just want to see that policies existed. They wanted to know that leadership was engaged, that I understood the System Security Plan (SSP), and that I could articulate—confidently and coherently—the risk decisions we’d made. They didn’t expect me to rattle off control numbers from memory, but they absolutely expected me to own the outcomes. That distinction matters.
Oh, and let’s not forget: as the executive responsible for certifying the accuracy of our implementation, I’m also potentially liable if something in the SSP is found to be materially false or misleading. Not a typo, not a formatting error—but a material misstatement? Yeah, that can turn into a False Claims Act (FCA) problem faster than you can say “SPRS submission.” To be clear, we’re not a federal contractor. We don’t hold contracts with the DoD or Federal government. We’re a Managed Service Provider (MSP), or an External Service Provider (ESP) in CMMC parlance, that supports contractors—companies that are subject to DFARS clauses like 252.204-7012, 7019, and 7020. But here’s the catch: if you’re an External Service Provider (ESP) who touches systems within scope of a contractor’s SSP—and let’s be honest, if you’re an MSP, you do—you’re in scope too. That’s not theory. That’s doctrine. Which brings us back to the FCA. This statute is not just some obscure legal footnote - it’s a primary mechanism the government uses to prosecute misrepresentations related to government work, including cybersecurity compliance. The DOJ has made it very clear that inaccurate SPRS submissions, inflated NIST 800-171 scores, or rubber-stamped SSPs can all trigger enforcement actions. The penalties? Civil fines, treble damages, loss of contracts, and yes, potential criminal liability. So when I attested to the contents of our SSP, it wasn’t a ceremonial exercise. It was a statement, made with full knowledge that DOJ (and, increasingly, third parties) are paying attention.
The wisdom I wish to share here is simple: I’m not a lawyer, but what I learned leading up to and through our assessment is that MSPs are “special”. Special in that we enjoy a “special privileged relationship” with our clients, and that relationship carries some profound risk in terms of CMMC. If you’re reading this and are an MSP supporting federal contractors, know that (a) you are very likely in their scope, and (b) the FCA absolutely applies to you. If you’re supporting systems, users, infrastructure, or services that are included in a client’s (the federal contractor’s) boundary, your fingerprints are on their compliance posture. If that posture is misrepresented, you don’t just have a business risk—you’ve got a legal one that doesn’t have a corporate veil to protect you.
What I learned was that I really didn’t want to have to try to explain what “knowing misrepresentation of material facts” means to my kids, my leadership team, our board of advisors, or a federal judge.
I Thought I Knew: We’d Already Solved the Culture Problem
Culture is the hardest part of security, and I say that as someone who lives and breathes threat-informed defense models. You can implement controls, write policies, and develop incident response procedures all day long—but if your team doesn’t believe in why it matters, you’ll end up with surface-level compliance and deep-seated resistance. We had a solid culture before the audit. But the assessment process exposed little fault lines—places where we hadn’t explained the “why” well enough. Where someone knew what to do, but not why they were doing it that way. Where people complied with a policy or a cultural norm, but hadn’t internalized (or been made aware of) the reasoning behind it. Those moments weren’t failures; rather, they were opportunities. But they reminded me that building a security culture isn’t a destination. It’s a continual exercise in alignment, communication, and reinforcement. Often it starts on my desk, but it really needs to be understood at every level of the organization. Not so much the technical. Not the etymological reasoning behind why we configure something the way we do, but that every setting, every documentation standard, and everything – even those things that seem pedantic – in each SOP matters.
I Thought I Knew: Our Documentation Was Good Enough
We had policies. We had procedures. We had SOPs coming out of our ears. Our documentation standards for as-built drawings were the stuff of MSP-conference legend. We had an SSP that was updated, complete, and matched our environment. But when you’re in an assessment, “good enough” documentation quickly gets put to the test.
Our assessment team asked for evidence. Not hypotheticals. Not “we usually do it this way.” They wanted proof—verifiable, traceable, attributable proof—that your documentation isn’t just living in a binder somewhere collecting digital dust. It has to match what you’re actually doing, operationally, every single day.
We had to produce evidence for all 320 CMMC assessment objectives, covering all 110 NIST SP 800-171 rev 2 controls. That’s the full spectrum. But here’s the result of a fun experiment we ran. Importantly, you have to know that I love data. Not for data’s sake, but for application and consideration to improve things in the future. As we collected evidence in preparation for our assessment, I asked our team to track internal time and effort on 97 of those 320 controls, because I hypothesized those particular practices to be more nuanced in the evidence collection process. Things like personnel screening, (virtual) media sanitization, incident response, and system change tracking. Let’s just say, the hypothesis was validated.
Over 170 hours of focused effort went into just those 97 practices. This wasn’t just gathering screenshots and pasting them into a Word doc. This was a methodical, line-by-line traceability exercise. From control to policy, from policy to procedure, from procedure to practice—and then back again, with receipts. Evidence. Artifacts. Context. Owner. Explanation. Lather, Rinse, and Repeat.
Earlier, I said that the assessors wanted detail, I mean granular detail. Let me give you one of my favorite (read: exhausting) examples.
We run a quarterly tabletop incident response exercise. We elected to use this TTX as a supporting piece of evidence of our Incident Response capabilities. The assessors asked for proof that a level 1, front-line technician—yes, the lucky individual handling inbound customer calls that happened to answer that TTX call—followed our incident response protocol when presented with a simulated security event. Not management. Not the SOC lead. The first point of contact. And they didn’t want to just hear that he did it. They wanted evidence that he did it per the documented policy and SOP.
What did that evidence look like?
It looked like a timestamped service ticket, logged during the tabletop. In that ticket, our technician had documented—in his own words—that the issue being reported by the mock customer “appears to be a potential security incident.” He referenced the IRP. He noted his escalation steps. And he followed our protocol to the letter. He did all of this not because someone told him to in the moment, but because our policy requires it, and our training reinforces it, and our procedures walk it out.
The assessors saw that, noted the information, and moved on.
But that’s the level of scrutiny we’re talking about here. That’s what “practice-based evidence” means in the CMMC context. It means that your entry-level staff, not just your CISSPs, can demonstrate adherence to policy in a way that’s observable, attributable, and repeatable. It means your meeting minutes aren’t just meeting minutes - they’re source artifacts. Your helpdesk tickets? Evidence. Your audit logs? Evidence. Your training confirmations? Evidence.
This level of scrutiny isn’t limited to security incidents. It applies across the board. Media disposal? Show the form. Physical access reviews? Let’s see the log. Subcontractor due diligence? Where’s the procurement checklist and decision record?
This process forced us to evaluate every part of our environment—not just for whether it was secure, but whether it was provably secure. It’s not about how many words are in your SSP. It’s not about policy density. It’s about alignment. Alignment between what your documentation says, what your staff does, and what the evidence proves. And if your team can’t explain, clearly and concisely, how your documentation reflects your real-world practices? You’re going to be in for a long week.
Going into our assessment, I knew that we weren’t perfect – we are a team made up of humans (and that’s OK), but we were prepared. And that made all the difference.
So What Did I Learn?
I learned that assessments are equal parts technical validation and organizational stress test. I learned that the assessor (or assessment team in our case) isn’t your adversary, but they’re also not going to overlook sloppy evidence or unclear ownership. I learned that no matter how mature your environment is, the CMMC assessment will test your assumptions.
I also learned something else: it is unequivocally worth it.
This process made our business better. It made our systems stronger. It made our team more aware, more disciplined, and more aligned. It created a shared understanding of what “secure” really means, not just for us, but for the clients who trust us to support their missions.
Yes, it was hard. Yes, it required an unreal and seemingly unending amount of time and energy. It required no small amount of patience. In the end it also gave us clarity. Clarity about where we stood, what we needed to improve, and how we could communicate the value of security—not just as a requirement, but as a differentiator.
The results of just over 3 years of planning, evolving, adapting, adopting, and implementing? A perfect “110” on the first pass, no POA&Ms, no Limited Practice Deficiencies (LPDs), and a tremendous amount of respect for the entire CorpInfoTech team that made those results possible.
For Those Getting Ready: Here’s My Advice
Start early. This isn’t a sprint—it’s a transformation. Treat it like one.
Bring leadership to the table from the beginning. No, executives don’t need to become cybersecurity experts. But they do need to understand the business impact, the risk implications, and their responsibility to lead—visibly and vocally. Silence at the top breeds uncertainty everywhere else.
Be honest. Brutally honest. Map your processes as they actually are—not how you hope they’ll look next quarter. Because an assessment won’t measure your intentions. It will measure your execution.
Talk about culture. Talk about it constantly. Explain the “why” until you’re hoarse. And then explain it again. Because if people don’t understand why this matters, they won’t endure the discomfort of change.
Make no mistake—this does matter.
What I’ve realized through this process and working with clients in this space is that it isn’t about passing an audit or securing another contract. It’s about protecting national security information. It’s about shielding the supply chain that underpins our military, our economy, and our future. It’s about safeguarding American lives—maybe even your or my own kids’ lives. And if that sounds dramatic, it’s because it is.
I have long said that we are already in the midst of an undeclared cyber war. The wholesale theft of American innovation, of defense technologies, of advanced manufacturing techniques—it’s been happening for years, in plain sight. Our adversaries aren’t approaching the proverbial gates. They’re behind them. The battleground isn’t in some distant server farm. It’s here, in our offices and on our plant floors. In our networks. Inside the information systems of American small businesses. These same systems are being used as unwitting conduits for strategic compromise of our national security and national resiliency.
If you’re an executive, a founder, a leader—this is your fight. You may not have asked for it, but it’s here. You don’t need to be perfect. But you do need to show up. You need to lead. You need to defend what you’ve built and protect the people who trust you to provide their livelihood and keep them safe. In the end, this isn’t just about compliance. It’s about integrity. It’s about resilience. It’s about doing the right thing—especially when it’s hard.
CMMC is something worth getting ready for and pursuing. It will strengthen your business in ways that are not immediately obvious. It will almost certainly not be fun.
One Final Thought
There are a lot of loud voices in the CMMC space right now. A lot of hype, a lot of marketing, a lot of checkbox compliance masquerading as strategy. It’s easy to get distracted. It’s easy to lose focus. Don’t.
Focus on doing it right. Focus on getting better. Focus on building systems that are defensible, not just documentable. Because at the end of the day, what matters isn’t just whether you passed an audit. What matters is whether you and your organization’s systems are secure—and whether you can prove it when it counts.
CorpInfoTech has been through the CMMC certification process; we are a CMMC Level 2 (C3PAO) MSP, making us one of the first MSPs to achieve Level 2 compliance.