Executive Summary: 

In January 2025, ISI successfully completed a five-day Cybersecurity Maturity Model Certification (CMMC) Level 2 assessment and received its Certificate of Status in March. Since then, we have supported nearly 20 defense contractors through Level 2 assessments, all with successful outcomes across different environments and Certified Third-Party Assessor Organizations (C3PAOs).  

For organizations preparing for their own assessments, the most common gaps are not philosophical or strategic. They are technical, procedural, and organizational. CMMC Level 2 demands clear alignment between implementation, documentation, and demonstrated outcomes.  

Below are the most important lessons we learned from being assessed ourselves and from guiding others through the process. 

CMMC is deeply technical by design 

Unlike management-system frameworks such as ISO 27001, where an organization selects controls on the basis of its own risk assessment, CMMC Level 2 is prescriptive: all 110 security requirements of National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) apply. Assessors expect organizations to demonstrate exactly how each requirement is implemented, how it functions in practice, and how it protects Controlled Unclassified Information (CUI). High-level intent is insufficient. Evidence must show real, operational outcomes. 

Documentation must precisely match reality 

One of the most common failure points we observe is misalignment between policies, the System Security Plan (SSP), and the actual technical environment. During an assessment, discrepancies are quickly identified. Policies, procedures, SSP narratives, and system configurations must all reflect the same implementation approach. 

Organizations must prepare for three assessment methods 

CMMC assessments use the Examine, Interview, and Test methods defined in NIST SP 800-171A, the companion assessment guide to NIST SP 800-171. Teams often prepare documentation but underestimate the importance of interviews and live testing. Personnel must be able to explain processes clearly, demonstrate tools in real time, and show that training and procedures are consistently followed. 

A Practical Preparation Framework 

While every environment is different, successful organizations tend to follow a similar preparation path. 

  • First, determine which CMMC level aligns with your current and future contracts. Level 2 applies broadly across the defense industrial base and is a prerequisite for Level 3. Understanding contractual drivers early prevents unnecessary rework. 
  • Next, assess internal IT and compliance capabilities honestly. Many small and mid-sized contractors discover they lack sufficient staff or defense-specific experience to manage Level 2 requirements independently and choose to consult outside expertise. Identifying these gaps early is critical. 
  • A formal gap assessment against NIST SP 800-171 should follow. Each control must be evaluated against every one of its assessment objectives in NIST SP 800-171A, with evidence recorded per objective. If any objective within a control is unmet, the control is marked unmet; partial credit does not exist at the control level. 
  • From there, develop a detailed Plan of Action and Milestones (POA&M). POA&Ms are permitted for a conditional Level 2 status, but they are limited: higher-weighted controls cannot be deferred, and open items must be closed within 180 days. Budgeting should reflect labor as well as technology, not just tool licenses. 
  • Finally, organizations should conduct mock audits before scheduling an official assessment. These exercises test more than configurations. They evaluate staff readiness, evidence organization, and the ability to respond to assessor inquiries under real conditions.
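To make the gap-assessment and POA&M rules above concrete, here is an added Python example (not code from the article, from ISI, or from any official CMMC tool) that rolls up a small constructed set of controls the way steps three and four describe: a control is unmet if any of its assessment objectives is unmet, unmet controls above an assumed weight threshold are flagged as non-deferrable, and each objective is checked for Examine, Interview and Test evidence coverage as a mock-audit aid for the three assessment methods. The control identifiers are placeholders in NIST SP 800-171 numbering, the point weights and the weight-1 deferral threshold are assumptions for illustration rather than the official scoring methodology, and the objective results are constructed.

```python
"""Gap-assessment roll-up for NIST SP 800-171 style controls.

Added example, not part of the original article. Control identifiers,
weights and objective results are constructed sample data; the weight
values and the rule that only weight-1 controls may be deferred to a
POA&M are assumptions for illustration, not the official methodology.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The three assessment methods an assessor can apply to an objective.
METHODS = {"examine", "interview", "test"}


@dataclass
class Objective:
    ident: str                                      # e.g. "3.1.1[a]"
    met: bool                                       # finding for this objective
    evidence: List[str] = field(default_factory=list)  # methods with evidence


@dataclass
class Control:
    ident: str                                      # e.g. "3.1.1"
    weight: int                                     # assumed point value
    objectives: List[Objective]


def control_met(control: Control) -> bool:
    """A control is met only when every one of its objectives is met."""
    return all(obj.met for obj in control.objectives)


def missing_methods(control: Control) -> Dict[str, List[str]]:
    """Per objective, list the methods (examine/interview/test) with no
    evidence collected. An objective marked met but lacking evidence for
    a method the assessor applies will not survive a live assessment."""
    gaps: Dict[str, List[str]] = {}
    for obj in control.objectives:
        absent = sorted(METHODS - {m.lower() for m in obj.evidence})
        if absent:
            gaps[obj.ident] = absent
    return gaps


def poam_eligible(control: Control, max_deferrable_weight: int = 1) -> bool:
    """Unmet controls above the assumed weight threshold cannot be deferred."""
    return (not control_met(control)) and control.weight <= max_deferrable_weight


def assess(controls: List[Control]) -> dict:
    """Roll up status, score and POA&M candidates across all controls.
    'ready' means every unmet control could be carried on a POA&M."""
    unmet = [c for c in controls if not control_met(c)]
    max_score = sum(c.weight for c in controls)
    return {
        "met": [c.ident for c in controls if control_met(c)],
        "unmet": [c.ident for c in unmet],
        "poam_candidates": [c.ident for c in unmet if poam_eligible(c)],
        "blockers": [c.ident for c in unmet if not poam_eligible(c)],
        "score": max_score - sum(c.weight for c in unmet),
        "max_score": max_score,
        "ready": all(poam_eligible(c) for c in unmet),
    }


# Constructed sample: one control fully met, one low-weight control with a
# single unmet objective, one high-weight control that is partially met.
SAMPLE = [
    Control("3.1.1", 5, [
        Objective("3.1.1[a]", True, ["examine", "interview", "test"]),
        Objective("3.1.1[b]", True, ["examine", "test"]),
    ]),
    Control("3.1.12", 1, [
        Objective("3.1.12[a]", True, ["examine"]),
        Objective("3.1.12[b]", False, []),      # one unmet -> control unmet
    ]),
    Control("3.5.3", 5, [
        Objective("3.5.3[a]", True, ["examine", "interview"]),
        Objective("3.5.3[b]", False, ["interview"]),  # high weight: blocker
    ]),
]


def sample_report() -> dict:
    """Assess the constructed sample so the result can be inspected."""
    return assess(SAMPLE)


if __name__ == "__main__":
    report = sample_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    for control in SAMPLE:
        print(control.ident, "evidence gaps:", missing_methods(control))
```

Run as a script it prints the roll-up and the per-objective evidence gaps; in practice the SAMPLE list would be replaced by the output of the gap assessment, one entry per control with one objective per NIST SP 800-171A assessment objective.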
     

The Big Picture: CMMC Level 2 is achievable, but it is not lightweight. Organizations that succeed treat preparation as an operational discipline, not a documentation exercise. The assessment rewards consistency, technical rigor, and organizational readiness. 

For defense contractors that approach CMMC with clarity and discipline, Level 2 certification becomes less of a hurdle and more of a durable business capability. 
