For the better part of the last six years, CMMC has been a constant presence in my professional life.
I started paying attention to it in 2019 when the Department of Defense first began discussing what would eventually become the Cybersecurity Maturity Model Certification framework. At the time, I was still operating my MSP and spending a significant amount of time helping organizations navigate compliance requirements, security programs, and risk management initiatives. Like many people, I watched the framework evolve through multiple revisions, industry debates, delays, and eventually the transition from CMMC 1.0 to CMMC 2.0.
In 2020, I became a CMMC Registered Practitioner. Since then, I’ve spent years helping organizations understand NIST 800-171, develop policies and procedures, perform risk assessments, run tabletop exercises, and build vulnerability management programs. Over that time, I’ve seen organizations take every possible approach to compliance. Some attempted to solve everything with technology. Others focused entirely on documentation. Most eventually discovered that success required both.
This year, all of that preparation culminated in a successful CMMC Level 2 assessment.
As the ISSO, I was responsible for preparing the organization, coordinating evidence collection, facilitating the assessment process, participating in the assessment interviews, and ultimately ensuring we were ready when the assessor arrived. Passing the assessment was a significant milestone, but perhaps more valuable were the lessons learned along the way.
Preparation Starts Long Before the Assessment
One of the biggest misconceptions I continue to see is the belief that organizations prepare for a CMMC assessment in the months leading up to the audit.
In reality, the assessment is the final validation of work that should have been happening for years.
By the time an assessor begins reviewing evidence, your policies should already be established. Your vulnerability management process should already be operating. Your incident response procedures should already have been tested. Risk assessments should already be occurring on a recurring basis. The assessment isn’t the time to build a security program. It’s the time to demonstrate that one already exists.
For us, preparation involved years of continuous improvement. Policies were revised repeatedly as the organization matured. Procedures evolved as technology changed. Risk assessments became more refined. Tabletop exercises became more realistic. Vulnerability management became more disciplined.
When the assessment finally arrived, very little of the effort was about creating something new. Most of it was about demonstrating what was already in place.
Policies Matter More Than People Want to Admit
Every few months I encounter someone looking for the perfect CMMC policy template.
Templates have their place. They provide structure and can help organizations understand what a policy should contain. The problem arises when organizations treat templates as finished documentation.
Assessors become very good at identifying policies that were downloaded, minimally modified, and never integrated into the organization’s actual operations.
Good policies reflect how an organization functions. They reference technologies that actually exist. They describe processes that employees actually follow. They align with the organization’s size, complexity, and operational realities.
We spent considerable time tailoring policies to match the environment rather than forcing the environment to match generic policy language. That effort paid dividends during the assessment because documentation aligned naturally with the evidence being presented.
The policies supported the environment rather than existing separately from it.
Scope Is Your Friend
Another lesson reinforced during the assessment was the importance of thoughtful scoping.
Every system included within scope creates additional evidence requirements, additional review effort, and additional opportunities for confusion.
Organizations often make compliance harder than necessary by bringing systems into scope that do not need to be there.
A well-defined enclave and clearly documented boundaries make life easier for everyone involved, including assessors.
Keeping scope manageable does not mean cutting corners. It means understanding exactly where Controlled Unclassified Information exists, where it flows, and which systems are responsible for protecting it. One caveat practitioners often miss: the systems that protect CUI count too. The CMMC Level 2 scoping guidance treats security protection assets, such as the identity provider, SIEM, or patch management infrastructure serving the enclave, as in scope even when they never store or process CUI themselves.
The more clearly those boundaries are defined, the easier the assessment becomes.
Write for the Assessor
One lesson that became apparent during preparation was that documentation should be organized for the person reading it, not the person writing it. Over the years, security programs accumulate policies, procedures, screenshots, reports, and evidence from dozens of different sources. It all makes sense to the people who work with it every day, but an assessor is seeing it for the first time. As we prepared for the assessment, I continually put myself in that position. Could I find what I was looking for quickly? Could I follow the trail from a control to a policy and from a policy to supporting evidence? If something required explanation, there was usually an opportunity to improve the documentation. By the time the assessment began, we weren’t spending time explaining where things were located because the documentation itself was doing most of that work.
The Assessment Itself
The assessment itself was probably less dramatic than many organizations imagine. By the time we reached that point, most of the hard work had already been done. The days were spent walking through documentation, answering questions, demonstrating controls, and occasionally providing additional context where something wasn’t immediately obvious. There were certainly moments where a question led to a deeper discussion than expected, but that never felt unusual. Assessors are trying to understand how a control operates within your environment, and sometimes that requires more than a screenshot or a policy statement. One thing I learned quickly was that it’s perfectly acceptable to ask questions when something isn’t clear. I’d much rather spend a few minutes clarifying a request than make assumptions about what an assessor is looking for. In many ways, the assessment felt less like an interrogation and more like a structured review of years of preparation.
Evidence Preservation and Hashing
One thing I didn’t spend much time thinking about before the assessment was what happened to all of the evidence afterward. By the end of the process, we had accumulated a substantial collection of policies, screenshots, reports, exports, meeting records, and supporting documentation. Once everything was submitted and reviewed, I found myself thinking about how we would preserve that material if we ever needed to reference it in the future. That led us to implement a simple evidence archive that included cryptographic hashes for the collected artifacts. The goal wasn’t to satisfy a specific requirement so much as to preserve a snapshot of what was actually presented during the assessment. If we ever need to revisit that evidence months or years from now, we’ll know exactly what was submitted and whether it has changed since then. It was a relatively small effort, but one that made sense given the amount of work that went into preparing for the assessment.
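As an added example, not the post's own archive tooling, here is a small Python script that does what the paragraph above describes: it hashes every artifact in an evidence directory with SHA-256, writes a MANIFEST.json beside the files, and verifies the archive later, reporting which files are unchanged, modified, missing, or added. The file names and contents are constructed for the demonstration and are not real assessment material.

```python
"""Evidence archive with a hash manifest.

Added example (not the post's own tooling): hash every artifact in an archive
with SHA-256, write a MANIFEST.json beside them, and verify the archive later
to learn exactly which files are unchanged, modified, missing or added.
The file names and contents below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
CHUNK = 1 << 16  # read large exports in 64 KiB chunks instead of loading them whole


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _root_digest(files: dict) -> str:
    # Digest over a canonical JSON encoding so the manifest itself can be checked
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(root: Path) -> dict:
    files = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel != MANIFEST_NAME:
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"algorithm": "sha256", "files": files, "root_digest": _root_digest(files)}


def write_manifest(root: Path, manifest: dict) -> Path:
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def load_manifest(root: Path) -> dict:
    return json.loads((root / MANIFEST_NAME).read_text())


def verify_archive(root: Path, manifest: dict) -> dict:
    """Compare the archive on disk against a previously recorded manifest."""
    expected = manifest["files"]
    current = build_manifest(root)["files"]
    result = {"ok": [], "modified": [], "missing": [], "added": [],
              # a manifest whose entries were edited no longer matches its root digest
              "manifest_intact": _root_digest(expected) == manifest["root_digest"]}
    for rel, meta in expected.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["added"] = sorted(set(current) - set(expected))
    return result


def demo() -> dict:
    """Build an archive, snapshot it, tamper with it, and verify again."""
    artifacts = {  # constructed sample evidence, not real assessment material
        "policies/access-control-policy.md": b"abc",
        "reports/vulnerability-scan.txt": b"host-a: 0 critical, 2 high\n",
        "exercises/tabletop-minutes.md": b"Scenario: ransomware on a workstation\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in artifacts.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        write_manifest(root, build_manifest(root))
        saved = load_manifest(root)
        before = verify_archive(root, saved)

        # Simulate what the archive must detect: an edited report, a deleted
        # record and a file slipped in after the fact.
        (root / "reports/vulnerability-scan.txt").write_bytes(b"host-a: 0 critical, 0 high\n")
        (root / "exercises/tabletop-minutes.md").unlink()
        (root / "late-addition.txt").write_bytes(b"added after submission\n")
        after = verify_archive(root, saved)

        # Editing the manifest to cover the change breaks its root digest
        forged = json.loads(json.dumps(saved))
        forged["files"]["reports/vulnerability-scan.txt"]["sha256"] = "0" * 64
        forged_check = verify_archive(root, forged)
    return {"manifest": saved, "before": before, "after": after,
            "forged_manifest_intact": forged_check["manifest_intact"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

One design point worth noting: a manifest stored next to the files proves nothing against someone who can rewrite both. Record the root digest somewhere the archive cannot reach, for example in the assessment closeout ticket, in an email to the assessor, or on write-once storage, and note the date it was taken; that external copy is what lets you show months later that the evidence matches what was actually presented.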
The Little Things Matter
As we got closer to the assessment date, I found myself spending less time focused on major technical controls and more time validating the smaller pieces that support them. The vulnerability management process might be in place, but was the latest report available? The incident response plan might be documented, but had the most recent tabletop exercise been completed and recorded? POA&Ms might exist, but were they current and accurately reflecting the state of remediation efforts? None of these items were particularly difficult to address individually, yet they were often the details that required the most attention in the final stages of preparation. By that point, the question was no longer whether a security program existed. The question was whether the organization could demonstrate that it was operating consistently over time.
A Long Road to Certification
Looking back, the timeline tells an interesting story.
In 2019, I began learning about CMMC and following the framework’s development.
In 2020, I became a CMMC Registered Practitioner and started helping organizations prepare for what was clearly becoming a major shift in the defense contracting landscape.
When CMMC 2.0 was introduced in 2021, the framework became more closely aligned with NIST 800-171 and shifted focus toward practical implementation rather than process maturity. That change reinforced something many practitioners already understood: successful compliance depends on operating effective security controls, not producing excessive documentation.
From 2021 through 2024, much of the work centered around preparation. Policies were written and refined. Risk assessments were performed. Vulnerability management programs matured. Incident response exercises were conducted. Documentation improved.
In 2025, we navigated the release of the final rule and conducted mock assessment activities to identify remaining gaps.
And in 2026, after years of preparation, we successfully completed the assessment.
Final Thoughts
Looking back, what stands out most isn’t the certification itself. It’s everything that happened before it. By the time the assessment concluded, years had been invested in building policies, refining procedures, conducting risk assessments, running tabletop exercises, addressing findings, and continuously improving the environment. The certification was simply the final validation of that work. For me personally, it also represented the culmination of a long professional investment in CMMC. I first started following the framework in 2019, became a Registered Practitioner in 2020, and spent the years that followed helping organizations navigate compliance and assessment readiness. This assessment was different because I wasn’t advising from the sidelines. I was responsible for preparing the organization, facilitating the assessment, presenting evidence, and answering questions throughout the process. When the final result arrived, there was certainly a sense of accomplishment, but there was also a sense of confirmation that the preparation had been worth the effort.
Sources
- Cybersecurity Maturity Model Certification (CMMC)
- NIST Special Publication 800-171 Rev. 2
- The Cyber AB Marketplace
- CMMC Assessment Process (CAP)