Tracy R. Reed: How to Prepare for and Pass a CMMC Audit

Most defense contractors discover their Cybersecurity Maturity Model Certification (CMMC) gaps the hard way, inside the audit room, facing 320 assessment objectives, with an assessor waiting for evidence that nobody prepared. The contract was won, the timeline was real, and someone handed the compliance project to the IT team, because it seemed like the logical choice. It never is. CMMC is not an IT problem. It is a compliance discipline with a specific evidence standard, a specific audit methodology, and a very small pool of people who actually know what assessors are looking for.

Tracy R. Reed, Director of Cybersecurity Practice at Unrisk, vCISO, and Lead CMMC Assessor, has sat across the table from organizations that thought they were ready. Most of them were not, and the mistakes that put them there were often made long before the assessor walked in. “There are not many people out there who actually understand the requirements and what the CMMC assessor will be looking for,” Reed states. “Giving the project to your local IT guy is never sufficient.”

What Happens Inside the Audit Room

The scale of a CMMC Level 2 assessment surprises most companies the first time they encounter it. Each of the 110 requirements breaks down into several assessment objectives (320 in total), and assessors are required to work through every one of them and judge whether the evidence for each is adequate and sufficient. The question Reed asks organizations to consider is whether their IT team could answer all 320 objectives and say what constitutes adequate evidence for each. In most cases they could not, because CMMC compliance is a specific niche that requires specific training and preparation, not general IT competency.

The most frequent shortcut Reed observes is hiring a Managed Service Provider that holds a Registered Practitioner (RP) or Registered Provider Organization (RPO) designation rather than engaging a Certified CMMC Assessor. In Reed's view, the RP designation, earned through a short online course and a quiz, is primarily a marketing credential, not a meaningful indicator of CMMC expertise. Becoming a Certified CMMC Assessor (CCA), and particularly a Lead CCA, by contrast involves a background investigation and verified years of experience in security and compliance. Organizations relying on RP-level support are often far less prepared than they realize when an assessor walks through the door.

Scope Is the Variable That Controls Everything Else

The timeline to CMMC compliance is not fixed: it is determined almost entirely by the scope of the assessment. Companies define their own scope by identifying where Controlled Unclassified Information (CUI) is stored, processed, or transmitted within their organization. All 110 Level 2 security requirements then apply to everything inside that boundary. For large companies with enterprise-wide scopes, where any machine in the organization could potentially handle CUI, implementation can take years. For companies that build an enclave, restricting CUI to a small number of specific machines accessible only to specific people, compliance may be achievable in months.

Reed’s recommendation for larger organizations is to make the scope as small as can be defended. The fewer systems assessors must evaluate against all 320 assessment objectives, the faster and cleaner the compliance process becomes. With the CMMC acquisition rule in effect since November 2025 and third-party assessments under way, assessor slots at C3PAOs are already being booked months in advance. Companies that waited are discovering that a compliance timeline can easily exceed the time available before contract performance must begin, and when government contracting timelines accelerate unexpectedly, under-prepared businesses miss opportunities entirely.

The Document That Sets the Tone for Everything

CMMC compliance is not purely a technical exercise. The documentation burden is substantial, and at its center is a single critical document: the System Security Plan (SSP). The SSP is the first thing handed to an assessor at the start of an assessment and serves as their roadmap to the entire compliance program. It must be succinct, well written, and directly address every requirement and assessment objective. It references every supporting policy, procedure, and standard used in implementing the program, which makes those documents critical as well.

A well-constructed SSP signals to an assessor that the organization understands what compliance actually requires. A poorly constructed one signals the opposite before a single technical control has been evaluated. Given that the CMMC program took roughly 15 years to reach this point, from Executive Order 13556 in 2010 to the acquisition rule taking effect in November 2025, and that the government’s pace of change is historically slow, the standards Reed describes today are unlikely to change significantly over the next five years. The best time to start building toward them was before the contract arrived. The second-best time is immediately.

Follow Tracy R. Reed on LinkedIn for more insights on CMMC audit preparation, cybersecurity compliance, and building the security programs that protect government contracts.