Organizational

CMMC Is Not an IT Project

Brian Stack

The Misconception That Costs Organizations Months

The most expensive assumption in CMMC compliance is that it's a technology problem. It's not. Technology is roughly half of it. The other half is how your organization operates, and that half is where most compliance programs stall.

CMMC Level 2 requires full implementation of all 110 NIST SP 800-171 controls. When most organizations hear "cybersecurity controls," they think firewalls, endpoint protection, encryption, multi-factor authentication. Those are real requirements, and they matter. But they represent approximately half of what a Certified Third-Party Assessment Organization (C3PAO) evaluates.

The other half? Written policies. Documented procedures. A functioning training program. An incident response plan that people have actually rehearsed. An asset management process. Change control. Budget governance for security. An insider threat program. Accountability structures that ensure people follow the policies you wrote.

None of that is an IT deliverable.

Why This Matters for Assessment

A C3PAO assessor doesn't just check whether a control is technically implemented. They check whether the organization can demonstrate that the control is operationally sustained. That means policies exist, procedures are documented, people are trained, and evidence shows the organization follows through consistently.

Take access control as an example. AC.L2-3.1.1 requires limiting system access to authorized users. The technical piece is straightforward: configure user accounts, enforce permissions, implement MFA. But the assessor also wants to see a written access control policy. A documented procedure for granting and revoking access. Evidence of periodic access reviews. Training records showing users understand their responsibilities. A process for handling access when someone leaves the organization.

The technology might take a week to configure. The organizational infrastructure around it takes months to build and operationalize, especially if the organization has never had formal security governance.

Where Organizations Get Stuck

The pattern repeats across every engagement: an organization invests in technology (or hires an MSP to manage a secure enclave), assumes it is close to compliant, then discovers that the organizational half is entirely unbuilt. No policies. No documented procedures. No training program. No evidence that anyone follows a consistent process for anything security-related.

This isn't a criticism of those organizations. Most small and mid-size defense contractors don't have a dedicated compliance function. Security has historically been the IT department's responsibility, and IT departments are measured on uptime and functionality, not policy documentation and training completion rates.

But CMMC doesn't care about your org chart. The standard treats organizational controls with the same rigor as technical controls. An assessor who finds a perfectly configured Azure environment with no written policies and no training program will not pass that organization.

What Organizational Readiness Actually Requires

Building the organizational half of CMMC compliance means treating security as a business discipline, not a department. Specifically, it requires:

Written policies that are specific to your organization, approved by leadership, and accessible to staff. Not templates downloaded from the internet. Policies that reflect how your business actually operates and what your people are expected to do.

Documented procedures for every control family that requires operational action: how access is granted and revoked, how changes are managed, how incidents are reported and investigated, how assets are tracked, how configurations are baselined and monitored.

A training program that goes beyond annual awareness videos. Assessors want to see role-based training, CUI handling procedures specific to your environment, and records showing participation and comprehension.

Accountability structures that make compliance someone's job. Not in addition to their real job. Someone in the organization needs to own the compliance program, review policies on a defined schedule, manage the Plan of Action and Milestones (POA&M), and ensure the organization doesn't regress between assessments.

The Shift Required

Treating CMMC as an IT project puts the compliance program in a box that's too small. It belongs at the leadership level because it requires organizational change: how people are trained, how decisions are documented, how processes are governed, how security is funded and prioritized.

The organizations that pass on the first attempt are the ones that recognized early that certification requires both halves. They invested in technology and in the organizational discipline to sustain it. That's not a popular message, because organizational change is slower and less visible than deploying a new tool. But it's the reality of what assessment day demands.


An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.

Fredericksburg, VA