For the better part of the last six years, CMMC has been a constant presence in my professional life.
I started paying attention to it in 2019 when the Department of Defense first began discussing what would eventually become the Cybersecurity Maturity Model Certification framework. At the time, I was still operating my MSP and spending a significant amount of time helping organizations navigate compliance requirements, security programs, and risk management initiatives. Like many people, I watched the framework evolve through multiple revisions, industry debates, delays, and eventually the transition from CMMC 1.0 to CMMC 2.0.
In 2020, I became a CMMC Registered Practitioner. Since then, I’ve spent years helping organizations understand NIST 800-171, develop policies and procedures, perform risk assessments, run tabletop exercises, and build vulnerability management programs. Over that time, I’ve seen organizations take every possible approach to compliance. Some attempted to solve everything with technology. Others focused entirely on documentation. Most eventually discovered that success required both.
This year, all of that preparation culminated in a successful CMMC Level 2 assessment.
As the ISSO, I was responsible for preparing the organization, coordinating evidence collection, facilitating the assessment process, participating in the assessment interviews, and ultimately ensuring we were ready when the assessor arrived. Passing the assessment was a significant milestone, but perhaps more valuable were the lessons learned along the way.
Preparation Starts Long Before the Assessment
One of the biggest misconceptions I continue to see is the belief that organizations prepare for a CMMC assessment in the months leading up to the audit.
In reality, the assessment is the final validation of work that should have been happening for years.
By the time an assessor begins reviewing evidence, your policies should already be established. Your vulnerability management process should already be operating. Your incident response procedures should already have been tested. Risk assessments should already be occurring on a recurring basis. The assessment isn’t the time to build a security program. It’s the time to demonstrate that one already exists.
For us, preparation involved years of continuous improvement. Policies were revised repeatedly as the organization matured. Procedures evolved as technology changed. Risk assessments became more refined. Tabletop exercises became more realistic. Vulnerability management became more disciplined.
When the assessment finally arrived, very little of the effort was about creating something new. Most of it was about demonstrating what was already in place.
Policies Matter More Than People Want to Admit
Every few months I encounter someone looking for the perfect CMMC policy template.
Templates have their place. They provide structure and can help organizations understand what a policy should contain. The problem arises when organizations treat templates as finished documentation.
Assessors become very good at identifying policies that were downloaded, minimally modified, and never integrated into the organization’s actual operations.
Good policies reflect how an organization functions. They reference technologies that actually exist. They describe processes that employees actually follow. They align with the organization’s size, complexity, and operational realities.
We spent considerable time tailoring policies to match the environment rather than forcing the environment to match generic policy language. That effort paid dividends during the assessment because documentation aligned naturally with the evidence being presented.
The policies supported the environment rather than existing separately from it.
Scope Is Your Friend
Another lesson reinforced during the assessment was the importance of thoughtful scoping.
Every system included within scope creates additional evidence requirements, additional review effort, and additional opportunities for confusion.
Organizations often make compliance harder than necessary by bringing systems into scope that do not need to be there.
A well-defined enclave and clearly documented boundaries make life easier for everyone involved, including assessors.
Keeping scope manageable does not mean cutting corners. It means understanding exactly where Controlled Unclassified Information exists, where it flows, and which systems are responsible for protecting it.
The more clearly those boundaries are defined, the easier the assessment becomes.
Write for the Assessor
One lesson that became apparent during preparation was that documentation should be organized for the person reading it, not the person writing it. Over the years, security programs accumulate policies, procedures, screenshots, reports, and evidence from dozens of different sources. It all makes sense to the people who work with it every day, but an assessor is seeing it for the first time. As we prepared for the assessment, I continually put myself in that position. Could I find what I was looking for quickly? Could I follow the trail from a control to a policy and from a policy to supporting evidence? If something required explanation, there was usually an opportunity to improve the documentation. By the time the assessment began, we weren’t spending time explaining where things were located because the documentation itself was doing most of that work.
The Assessment Itself
The assessment itself was probably less dramatic than many organizations imagine. By the time we reached that point, most of the hard work had already been done. The days were spent walking through documentation, answering questions, demonstrating controls, and occasionally providing additional context where something wasn’t immediately obvious. There were certainly moments where a question led to a deeper discussion than expected, but that never felt unusual. Assessors are trying to understand how a control operates within your environment, and sometimes that requires more than a screenshot or a policy statement. One thing I learned quickly was that it’s perfectly acceptable to ask questions when something isn’t clear. I’d much rather spend a few minutes clarifying a request than make assumptions about what an assessor is looking for. In many ways, the assessment felt less like an interrogation and more like a structured review of years of preparation.
Evidence Preservation and Hashing
One thing I didn’t spend much time thinking about before the assessment was what happened to all of the evidence afterward. By the end of the process, we had accumulated a substantial collection of policies, screenshots, reports, exports, meeting records, and supporting documentation. Once everything was submitted and reviewed, I found myself thinking about how we would preserve that material if we ever needed to reference it in the future. That led us to implement a simple evidence archive that included cryptographic hashes for the collected artifacts. The goal wasn’t to satisfy a specific requirement so much as to preserve a snapshot of what was actually presented during the assessment. If we ever need to revisit that evidence months or years from now, we’ll know exactly what was submitted and whether it has changed since then. It was a relatively small effort, but one that made sense given the amount of work that went into preparing for the assessment.
The Little Things Matter
As we got closer to the assessment date, I found myself spending less time focused on major technical controls and more time validating the smaller pieces that support them. The vulnerability management process might be in place, but was the latest report available? The incident response plan might be documented, but had the most recent tabletop exercise been completed and recorded? POA&Ms might exist, but were they current and accurately reflecting the state of remediation efforts? None of these items were particularly difficult to address individually, yet they were often the details that required the most attention in the final stages of preparation. By that point, the question was no longer whether a security program existed. The question was whether the organization could demonstrate that it was operating consistently over time.
A Long Road to Certification
Looking back, the timeline tells an interesting story.
In 2019, I began learning about CMMC and following the framework’s development.
In 2020, I became a CMMC Registered Practitioner and started helping organizations prepare for what was clearly becoming a major shift in the defense contracting landscape.
When CMMC 2.0 was introduced in 2021, the framework became more closely aligned with NIST 800-171 and shifted focus toward practical implementation rather than process maturity. That change reinforced something many practitioners already understood: successful compliance depends on operating effective security controls, not producing excessive documentation.
From 2021 through 2024, much of the work centered around preparation. Policies were written and refined. Risk assessments were performed. Vulnerability management programs matured. Incident response exercises were conducted. Documentation improved.
In 2025, we navigated the release of the final rule and conducted mock assessment activities to identify remaining gaps.
And in 2026, after years of preparation, we successfully completed the assessment.
Final Thoughts
Looking back, what stands out most isn’t the certification itself. It’s everything that happened before it. By the time the assessment concluded, years had been invested in building policies, refining procedures, conducting risk assessments, running tabletop exercises, addressing findings, and continuously improving the environment. The certification was simply the final validation of that work. For me personally, it also represented the culmination of a long professional investment in CMMC. I first started following the framework in 2019, became a Registered Practitioner in 2020, and spent the years that followed helping organizations navigate compliance and assessment readiness. This assessment was different because I wasn’t advising from the sidelines. I was responsible for preparing the organization, facilitating the assessment, presenting evidence, and answering questions throughout the process. When the final result arrived, there was certainly a sense of accomplishment, but there was also a sense of confirmation that the preparation had been worth the effort.
Sources
- Cybersecurity Maturity Model Certification (CMMC)
- NIST Special Publication 800-171 Rev. 2
- The Cyber AB Marketplace
- CMMC Assessment Process (CAP)
AI Usage Transparency Report
AI Era · Written during widespread use of AI tools
AI Signal Composition
Score: 0.28 · Moderate AI Influence
Summary
The article discusses the author's experience with the Cybersecurity Maturity Model Certification (CMMC) framework, including preparation for a CMMC Level 2 assessment. The author emphasizes the importance of continuous improvement, thoughtful scoping, and clear documentation in achieving compliance.
Related Posts
Secure Storage Isn't Enough: Using Secrets Safely in Admin Automation
Secret managers protect stored credentials. They don't automatically protect how your automation uses them. Here's the review process I use before workflows reach production.
How I Keep Up With ISC2 CPE Credits Without Making It a Second Job
Keeping up with ISC2 CPE credits is easier when you treat it like a normal professional habit instead of a renewal emergency. Here is the system I use across CISSP, CCSP, SSCP, and CSSLP, with free and low-friction sources for webinars, books, training, and work-based credits.
When AI Agents Trust the Wrong Tool Description
Microsoft's MCP tool-poisoning research shows why AI agent security has to treat tool descriptions, schemas, and metadata as part of the control plane instead of harmless documentation.
Jamf Was My Mac Evidence Layer for CMMC
How Jamf Compliance helped support the Mac portion of a CMMC assessment, and why I added a small read-only CSV summary script for auditor-ready failed-result evidence.
Updating Jamf Pro Compliance Baselines from the macOS Security Compliance Project
How to update an existing Jamf Pro Compliance benchmark when new macOS Security Compliance Project baseline content becomes available.
The CMMC Evidence Collection Guide I Wish I Had Before My Assessment
When I started preparing for a CMMC assessment, I expected to spend most of my time focused on policies, procedures, and the System Security Plan. Those things are certainly important, but what surprised me was how much of the assessment ultimately came down to evidence.
Setting up Ollama on macOS
Recently, after some bad experiences with OpenAI's ChatGPT and CODEX, I decided to look into and learn more about running local AI models. On its face it was intimidating, but I had seen a lot of people in the MacAdmins community posting examples of macOS setups, which really helped lower the bar for me both in terms of approachability and just making me more aware of the local AI community that exists out there today.
AI Agent Constraints and Security
I really feel like in this era of AI it's essential to write about and share experiences for others who are leveraging AI, especially now that AI usage seems almost ubiquitous. Specifically, when it comes to AI in development and the rapid growth of AI-driven automations in the IT landscape, I believe there's a need for open discussion and exploration.
Vibe Coding with Codex: From Fun to Frustration
So there I was, a typically day, a typical weekend. As a ChatGPT customer, I had heard good things about Codex and had not yet tried the platform. To date my experience with agentic coding was simply snippit based support with ChatGPT and Gemeni where I would ask questions, get explanations and support with squashing bugs in a few apps that I work on, for fun, on the side. There were a few core features in one of the apps I built that I wanted to try implementing but the...
Turn Jamf Compliance Output into Real Audit Evidence
Most teams use Apple’s macOS Security Compliance Project (mSCP) baselines because they scale and they’re repeatable. Jamf’s tooling makes deployment straightforward and the Extension Attribute (EA) output is a convenient place to capture drift. What you don’t automatically get is the artifact an auditor will accept on a specific date—an actual document you can file that shows which endpoints are failing which items, plus a concise roll-up of failure counts you can act on. Smart Groups answer scope; they don’t produce evidence.