Beyond Compliance Theater: How to Make Your CMMC Level 2 Assessment a Reality Show – Not a Dress Rehearsal


This article was featured on i95Business, July 31st, 2025
First – believe me when I tell you that we, as C3PAOs, want to take you at your word when you say you’re ready. After all, official CMMC Level 2 assessments are new for everyone: they just started in January 2025. Sure, requirements based on NIST SP 800-171 have been in place since 2017; that part is not new. What is new is the requirement under the CMMC program to show proof that you, the contractors, have the operational and cyber maturity to (for real) protect CUI.
We’ve talked a few times now; it’s obvious your team is committed to your employees, and your business has been nurtured with care and intelligence. We have met a few members of your staff who are committed to your mission – we are impressed. Often at this point, I pinch myself; meeting your team reminds me how lucky I am to work with the people who keep my family – and the nation – safe.
Then, during the first phase of your CMMC Level 2 assessment, you proudly submit a 25-page System Security Plan (SSP). Having lived in southeastern Virginia, I mutter – lovingly but honestly – “Well, bless their heart.”
The Myth of "Good Enough"
There is a myth that, as long as some effort is expended and most of the "things" on a spreadsheet are completed – some tech tools are purchased, or there are a few hours invested with a compliance expert – that’s enough to warrant the award of a CMMC Level 2 certificate. Yeah, no. Unfortunately, six months into the CMMC assessments, our assessment team has observed insubstantial SSPs.
Once 48 CFR is finalized, likely in October, CMMC will soon appear in every DoD contract. There is still (a little) time to do more than put on a show of security and compliance – there is time to get it RIGHT.
Compliance: Behind the Scenes
In many boardrooms and back offices, leaders are struggling. CMMC is not the only compliance requirement that defense contractors need to complete, but it is growing quickly to be the one most fretted over. The CMMC program touches virtually every part of an organization: technical configurations, human resources and finance, as well as the office, factory floor or job site.
To set the scene with a small backdrop: a company may ask for the assistance of their in-house IT department, thinking that this will uncover a few checkboxes that need ticking. It doesn’t take long before they report back that they can’t answer the HR, finance and physical security questions.
What happens next makes the difference between companies interested in performative compliance and those interested in real compliance.
Directing to the Last Scene in Mind
CMMC isn’t paperwork; it’s national security. Leaders who keep this in mind will set the next scene of their action with care and diligence. A proper gap analysis will spotlight the holes in the scenery: the missing policies, the absent processes or workflows, and maybe the need for a government-cloud move, an enclave, or security applications. Perhaps consultants should be involved in the effort, too. Leaders would do well to keep in mind that buying tools or services and “turning them on” isn’t the climax; it’s an early scene.
In fact, in our conversations with leaders over the last several years, it is not unusual for them to have engaged multiple service providers, purchased several tools or applications, and worked with more than one consulting or advising business – and still to arrive at the opening week of an assessment not quite ready to open the curtains.
Assemble (and Train) the Crew
The truth is that most business leaders rely on others to interpret NIST SP 800-171 and translate it for their business. This can be a great idea, if the advisors or resources are credentialed with proof that they not only talk the talk, but also walk the walk – and they plan to stick around. A person or a team within your organization should be charged with compliance oversight. The organization as a whole needs to inform each team member of the important part they play in security.
Make sure your company is not setting the scene for disaster – no one should be acting the day of the assessment. It will be apparent to a CMMC assessor if a staff member does not demonstrate the muscle memory of following the processes listed in the policy or SSP. One example: HR is asked to demonstrate how employee off-boarding is accomplished, and they are not able to locate the checklist in SharePoint or don’t know how the technical part of the off-boarding process works.
Another example regarding physical security: if an assessor comes on-site and is not asked to sign in and wear a badge, and is otherwise allowed to access the entire facility because a member of your staff was unaware of the process, it will show.
Any External Service Providers (ESPs) that support you will need to have their own house in order; during your assessment they will be questioned by assessors about their shared responsibilities with your business. And be warned – if an ESP provides or administers a substantial amount of your information system, and you want to change providers in the future, you may need a new assessment. Choose your support crew wisely, checking contract terms, and then schedule your assessment appropriately.
Adjust Your Lighting
Templates for SSPs can only take you so far. Plan to build the SSP to speak to each objective, and be specific. Saying you DO something without explaining HOW you do it by identifying a specific process is not sufficient. The SSP will be the single most examined document of all the documents in your assessment package that you submit to us as C3PAOs. Anyone chosen for interviews should be on a first-name basis with that document.
There are a ton of apps and tools on the market to meet the requirement to monitor, log and respond to security events. Which tools are you confident your staff will adopt as part of their everyday workflow, and not try to avoid or work around in a non-compliant fashion if the tool is clunky or difficult to use? Keep in mind that if the tool is in the cloud and will process, store or transmit CUI, it must be verified at FedRAMP Moderate or higher.
What Assessors See
Think of your CMMC assessors not as adversaries, but as informed audience members who have read the script – and know how the story is supposed to go. They don’t just want to hear that the right things are “being done.” They want to see evidence that the right actions are being done consistently, by the identified people, in the documented way.
Assessors are trained to look past the props and see how well the production has been rehearsed. This means:
- Evidence of implementation: A policy alone without corresponding logs, screenshots, process documentation or interview support will raise questions.
- Process alignment: Your SSP, policies and day-to-day operations must be coherent. A process described one way in the SSP, another way in a policy and a third way by an employee will not satisfy the requirements.
- Team members must know their roles: If staff don’t know what’s expected of them – or how to demonstrate what’s described in your documentation – that’s a sign the controls exist only on paper.
Ultimately, CMMC is not about passing a test – it’s about proving that your business can consistently and securely handle CUI and FCI. You’re not just putting on a one-night-only show. You are running an internal program that you will need to affirm, with your signature, every year, and that must be maintained until the 3-year C3PAO reassessment. This is a long-running production where everyone should know their part.
Shining Under Scrutiny
So how do you transition from “compliance theater” to real cybersecurity maturity? First, you accept that shortcuts and staged performances don’t work and won’t hold up under an assessor’s scrutiny. Next, you commit to upholding your end of the (literal) contract in which you accepted money from the DoD while also promising that you will protect the data entrusted to you. It is important to mention here that there is precedent for a whistle-blower to land center stage and point out incongruities in your compliance program, receiving money in return under the False Claims Act. Our advice: get to work building a security program that functions whether someone is watching or not.
Here’s how to do it:
- Start with a script you wrote yourself. Your System Security Plan (SSP) should be a bespoke reflection of your environment, operations and approach to security. Your environment, users and policies are unique to your organization. Assessors recognize when an SSP is written by someone unfamiliar with your environment.
- Rehearse your controls until they become muscle memory. Ensure every stakeholder – HR, finance, IT, operations – understands how their role fits into the security and compliance mission. This includes understanding the control objectives and the practical application of them.
- Invest in security tools that integrate seamlessly into workflow. Just as no one likes a clunky set change mid-performance, employees won’t engage with tools that make their jobs harder. Prioritize security tools and platforms that people actually use, and that support – not hinder – daily operations.
- Assign a director for your production. Every good performance needs someone managing the big picture. Whether it’s your internal compliance lead along with an external MSP/MSSP partner, or an advisor – you need someone watching for gaps, coordinating actors and keeping the show running.
Opening Night or Ongoing Excellence?
The most successful assessments feel almost anticlimactic. Why? Because the work has already been done. The team knows their lines. The stage is set. The lights are ready. Everyone performs their role, not out of stress or rehearsal, but because it’s second nature.
In contrast, sometimes we see:
- Midnight panic-patching.
- Employees hearing about “the policy” for the first time during interviews.
- Logs that were never enabled, MFA never enforced and offboarding lists MIA.
These are not rare scenarios – they’re common enough that assessors are trained to approach assessments with care, compassion and professionalism. But make no mistake – they are also trained to identify when what’s being presented is a performance, not a reality.
If you’re truly ready, you won’t need to “act” during your assessment. Your policies will reflect your operations. Your team will show evidence without hesitation. Your business will stand confidently behind its controls, not scramble to make them look good.
Performance to Protection
As an early C3PAO, I want to root for your success. I want to validate your maturity and issue your certificate. But my responsibility – and yours – is to ensure that our nation’s defense supply chain is actually secure. It’s not theater. It’s not optics. It’s national security.
The good news? You don’t need to go it alone. Mature MSPs and CMMC-focused MSSPs can help you build real, operationalized compliance programs that align with your mission, scale with your business and serve your people well.
Reach out to our experts today for a consultation.
