Let’s be honest — when most defense contractors first heard about CMMC, the reaction was somewhere between confusion and mild panic. A new certification framework, new acronyms, new requirements, and the very real possibility that failing to comply means losing contract eligibility. That’s a lot to absorb on top of actually running a business.
The good news is that CMMC 2.0 is more manageable than it looks on paper. But there’s a catch: the contractors who struggle most aren’t the ones who don’t care about compliance. They’re the ones who think they’re further along than they actually are.
After working through CMMC readiness with dozens of defense contractors — prime contractors, subcontractors, small businesses, and mid-size firms — certain mistakes come up again and again. Some are honest misunderstandings of the rules. Some are the result of teams moving fast and skipping foundational steps. A few are genuinely risky assumptions that could create legal exposure down the road.
Here are the seven we see most often, and what to do instead.

Mistake #1: Underestimating How Much of Your Environment Handles CUI
This one catches more contractors off guard than anything else. A team does an initial scoping exercise, decides that CUI only lives in one shared drive and a couple of email inboxes, and then builds their compliance program around that assumption. Then an assessor comes in and finds CUI flowing through systems nobody thought to include — collaboration platforms, backup solutions, laptops employees take home, even printers.
The problem isn’t that contractors are being sloppy. It’s that CUI has a way of spreading quietly. Someone emails a contract document from a personal account. A proposal gets saved to a personal OneDrive folder. A subcontractor gets access to a shared project folder and now you have a third-party touching data you didn’t account for.
Why this matters: If your scoping is wrong, your entire compliance program is built on a shaky foundation. Controls applied to the wrong systems don’t count.
The fix here is to do a proper data flow mapping exercise before you do anything else. Walk through how contract information enters your organization, where it gets stored, who touches it, and how it moves. Talk to department heads, not just IT — the sales team, the project managers, and the ops staff often handle CUI in ways that never show up in a technical audit. Start by assuming your CUI footprint is bigger than you think, document what you find, and then narrow the scope with evidence. It’s a lot easier to prove you’ve contained something than to scramble mid-assessment when a gap surfaces.
Mistake #2: Treating the System Security Plan Like It’s the Last Thing You Write
The System Security Plan, or SSP, is essentially your compliance story. It describes what your environment looks like, what controls you’ve implemented, how those controls work, and who’s responsible for maintaining them. Assessors use it as their roadmap — it’s how they know what to look for and what to verify.
A surprisingly common approach is to build out all the technical controls first, then write the SSP at the end to document what was done. The intention is fine, but the execution creates a real problem: by the time the SSP gets written, details are fuzzy, implementation choices have been made without documentation, and the finished document often describes an idealized version of the environment rather than the real one. Assessors are good at spotting this. An SSP that doesn’t match what’s actually in place is a red flag — and it raises questions about what else might be misrepresented.
The better approach: Start the SSP on day one and treat it as a living document throughout the entire compliance process. Every control you implement, every policy you write, every configuration change you make — it all gets reflected in the SSP in real time.
It doesn’t have to be perfect from the start. It just has to be honest. An SSP that accurately describes a work-in-progress is far more credible than a polished document that doesn’t match reality.
Mistake #3: Thinking a SPRS Score Means You’re Certified
This one isn’t entirely the contractor’s fault. Under the old DFARS interim rule, self-assessing your NIST 800-171 compliance and submitting a score to the Supplier Performance Risk System (SPRS) was the required process. Many contractors did exactly that, updated their score, and moved on.
But CMMC 2.0 changes the picture significantly. For contracts that require Level 2 certification — which is any contract involving Controlled Unclassified Information — a self-assessment and SPRS score is no longer sufficient. Those contracts require a formal assessment conducted by a Certified Third-Party Assessment Organization, or C3PAO.
The danger zone is contractors who completed their SPRS submission a couple of years ago and haven’t revisited it since. They believe they’re compliant. They may even be winning contracts on that assumption. But if a new solicitation requires Level 2 certification and they haven’t gone through a C3PAO assessment, they don’t have it.
Important legal note: Falsely representing your compliance status on a federal contract can trigger liability under the False Claims Act. This isn’t a technical paperwork issue — it has real legal consequences.
Before bidding on any new DoD contract, read the solicitation carefully. If it specifies a CMMC level requirement, understand exactly what that requires — whether self-attestation is acceptable or whether a third-party assessment is mandatory. When in doubt, ask the contracting officer or work with a compliance advisor before submitting.
Mistake #4: Overlooking Physical Security Controls
Most contractors approach CMMC through the lens of cybersecurity tools. Firewalls, multi-factor authentication, endpoint detection, encryption — these are the controls that feel tangible and get the most attention. Meanwhile, the physical security requirements quietly sit in the background until an assessor starts asking about them.
The Physical Protection (PE) domain in NIST 800-171 includes requirements around controlling physical access to systems that store or process CUI. That means things like badge access to server rooms, visitor logs, screen privacy policies for employees working in open environments, and documented procedures for what happens when a device is lost or stolen.
For companies that have always thought of “security” as an IT function, these feel like a different category of problem. The facilities team handles physical access. IT handles the computers. Nobody’s managing the intersection of the two — which is exactly where the gap lives.
Remote and hybrid work environments make this more complicated. If an employee is accessing CUI from a home office, that home office is technically in scope. That doesn’t mean everyone needs a badge reader in their spare bedroom, but it does mean there need to be documented policies around screen visibility, device storage, and what happens if a work laptop gets left in a car. Walk your environment with physical security in mind, not just technical security. The controls are often straightforward to implement — they just require someone to actually own them.

Mistake #5: Using the POA&M as a Parking Lot
A Plan of Action and Milestones — the POA&M — is supposed to be a living management tool. It documents the gaps in your compliance posture, assigns ownership, sets realistic remediation timelines, and tracks progress. When it’s used correctly, it’s actually a sign of a mature compliance program. Assessors expect to see them.
The problem is how some contractors use them. The POA&M becomes a place to park issues that are politically difficult to fix, technically complex, or just expensive. Items get added with optimistic target dates and then never touched. The document grows longer over time while nothing actually gets resolved.
This approach has two serious problems. First, certain high-priority controls — particularly those related to access control, identification and authentication, and incident response — have limited or no POA&M allowances under CMMC 2.0. They have to be implemented before an assessment. A POA&M full of those controls isn’t a compliance strategy; it’s a list of reasons you’re not ready.
Second, a poorly maintained POA&M raises credibility questions with assessors. If items have been sitting open for 18 months with no progress, it’s hard to argue those are being actively managed.
Run a quarterly review on every open POA&M item. Assign a real owner, a real budget, and a real deadline. If something can’t be fixed by a certain date, document why and what the interim mitigation looks like. That’s the kind of active management that actually holds up under scrutiny.
Mistake #6: Not Accounting for Vendors and Third Parties
You can lock down your own environment completely and still have a significant compliance gap if vendors, managed service providers, or SaaS tools have access to systems that touch CUI — and you haven’t assessed or controlled that access.
This shows up in a few different ways. An IT managed service provider (MSP) has admin access to your servers. A cloud storage tool used by the project team automatically syncs files that include contract information. A subcontractor gets added to a shared project workspace and now has access to documents they technically shouldn’t. None of these situations is unusual. All of them are in scope for CMMC.
Many contractors have a vague understanding that their vendors “probably do security stuff” but haven’t actually verified it. That’s not a defensible position during an assessment. If a third party has access to your CUI environment, you need to know what security posture they maintain, and you need documentation to support it.
- Inventory every third-party vendor with access to systems that store, process, or transmit CUI.
- Ask vendors directly what their NIST 800-171 or CMMC compliance posture looks like, and get it in writing.
- Implement least-privilege access for all external parties — access should be scoped to what’s needed, reviewed regularly, and revoked when the engagement ends.
- If you’re using a managed service provider, make sure their role in your environment is explicitly described in your SSP and that they understand what that means for their own compliance obligations.
Third-party risk is one of the more commonly overlooked areas in initial CMMC readiness work, and it tends to surface late — when the relationships are already established and changing them is disruptive. Starting this conversation with vendors early makes everything easier.
Mistake #7: Waiting Until a Contract Forces Your Hand
This is probably the most consequential mistake on the list, because it’s the one that leaves the least room to recover.
The reasoning is understandable. CMMC compliance is expensive, time-consuming, and the requirements have evolved over the past few years in ways that made it tempting to wait and see. Some contractors have been holding off, assuming that enforcement would be delayed further, or that requirements might not apply to their specific contracts.
Here’s the reality: CMMC Level 2 requirements are now appearing in DoD solicitations, and that trend is accelerating. More importantly, getting from “we know we need to start” to “we have our C3PAO certification” takes 12 to 18 months for most organizations — and that’s assuming a reasonably smooth process. Organizations with significant gaps or complex environments often take longer.
If you wait until a contract requires certification and then start the process, you’re already behind. You may have to decline bids you would have otherwise won, or worse, win a contract with a compliance requirement you can’t yet meet.
The most cost-effective time to start: Now, before a deadline is forcing decisions that should be made deliberately.
Starting early means you have time to remediate gaps without rushing. You can choose your assessor thoughtfully rather than taking whoever is available. You can spread the cost of remediation across a longer timeline instead of absorbing it all at once. And you can use the preparation period to run mock assessments with a Registered Practitioner Organization (RPO) before going into a formal C3PAO assessment — which significantly improves your odds of a clean result.
Where to Go From Here
None of these mistakes are fatal if you catch them early. Most of them are recoverable with the right roadmap and the right partners. But the contractors who come out of this process in the best shape are the ones who start with an honest picture of where they actually stand — not where they hope they stand.
A gap assessment is the fastest way to get that picture. It doesn’t have to be a formal engagement — even an internal review mapped against the NIST 800-171 controls will surface the most significant issues and help you prioritize what needs to happen first.
If you’re not sure where to start, or if you’ve started and stalled, that’s a normal place to be. The CMMC journey is genuinely complex, and you don’t have to navigate it alone.

Ready to Get CMMC Certified? Let’s Talk.
Stealth Technology has helped dozens of DoD contractors navigate CMMC 2.0. Schedule your free CMMC readiness consultation today:
Phone: (617) 903-5559
Email: info@stealthtech365.com
