Stuck In the Middle of CMMC? Here’s How to Get Unstuck
- Todd Heinz, HBS Governance Risk and Compliance Practice Manager
- Read Time: 3 mins
In this article...
- Why so many companies stall out during the CMMC process
- The six most common roadblocks to certification—and how to overcome them
- How a trusted partner can help you scope, document, and implement correctly
- Why it’s not too late to get back on track and earn your CMMC Level 2 certification
You started strong. You read the guidance. You scoped your environment. You might’ve even spun up a few policies.
But now? You’re stuck.
If your team started the CMMC certification process and quickly found yourselves overwhelmed, confused, or simply out of time—you’re not alone.
Thousands of businesses in the Defense Industrial Base (DIB) are in the same boat. The Department of Defense estimates that more than 80,000 companies will need to achieve CMMC Level 2 certification, and with just over 70 Certified Third-Party Assessment Organizations (C3PAOs) authorized to perform the final assessments, the bottleneck is real and growing.
Most organizations don’t fall short on CMMC because they’re careless. They fall short because CMMC is hard—and it’s easy to underestimate just how much goes into doing it right.
Common Reasons Companies Get Stuck in the CMMC Process
The intent to comply is there. The follow-through? That’s where most companies hit roadblocks. Here are the most common places teams lose momentum:
1. Scoping the Environment Incorrectly
Scoping is where everything begins. If it's wrong, everything else is too. Over-scoping pulls systems that never touch Controlled Unclassified Information (CUI) into the assessment boundary, adding cost and complexity. Under-scoping leaves CUI assets outside the boundary, which an assessor will find, and risks noncompliance. Anything that processes, stores, or transmits CUI is in scope, and so are the assets that provide security for it (the CMMC Level 2 scoping guidance calls these CUI Assets and Security Protection Assets), so the boundary has to be drawn from where CUI actually flows, not from an org chart.
How a partner helps: A qualified partner can guide you through boundary definition, network segmentation strategies, and help isolate Controlled Unclassified Information (CUI)—reducing both cost and risk.
2. Underestimating Policy & Documentation Requirements
CMMC is documentation-heavy. You’re expected not only to implement the practices, but also prove they’re institutionalized—with policies, procedures, and evidence of use.
How a partner helps: An expert partner brings template libraries, helps tailor policies to your environment, and ensures they map cleanly to CMMC requirements.
3. Lack of Internal Resources or Expertise
Many teams assign CMMC readiness to a single IT person, or tack it on as “just another project.” But CMMC requires cross-functional coordination across many departments.
How a partner helps: A CMMC Registered Practitioner (RP) can act as a force multiplier, aligning stakeholders, translating requirements into plain language, and doing much of the heavy lifting to move the process forward.
4. Confusing Technical Controls
Encryption, access control, logging, MFA: it is not enough to have these in place. They must be configured to meet the specific NIST SP 800-171 requirements behind CMMC, which often differ from vendor defaults. For example, requirement 3.5.3 calls for multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts, and 3.13.11 requires FIPS-validated cryptography wherever encryption protects the confidentiality of CUI. A product that is merely "encrypted" or "supports MFA" does not automatically satisfy either.
How a partner helps: A partner fluent in CMMC can assess your tools, identify configuration gaps, and help implement or optimize controls for compliance.
5. Failing to Perform a Self-Assessment
Certification at CMMC Level 2 requires an assessment by a C3PAO, but before that happens you need a realistic self-assessment against all 110 NIST SP 800-171 requirements, complete with supporting evidence and a Plan of Action & Milestones (POA&M) for any gaps. Two caveats practitioners often miss: the self-assessment score is the same one DFARS 252.204-7019 already requires you to post in the Supplier Performance Risk System (SPRS), and CMMC only allows a POA&M for a limited set of lower-weighted requirements, with open items to be closed within 180 days. Your self-assessment should therefore also tell you which gaps must be remediated before the C3PAO arrives, not just documented.
How a partner helps: We help organizations run mock assessments, review evidence, document gaps, and prepare clear remediation steps—so you don’t walk into your official assessment blind.
6. Misinterpreting the Requirements
CMMC 2.0 Level 2 is built on NIST SP 800-171, whose requirements are non-prescriptive: they state what must be achieved, not how, so there is no single correct way to meet them. Ambiguity in implementation can lead to inconsistent application across the organization, or worse, unintentional noncompliance. Assessors work from the assessment objectives in NIST SP 800-171A, so each implementation should be checked against those objectives rather than against the requirement text alone.
How a partner helps: An experienced partner knows how assessors interpret the requirements and can help you avoid costly missteps or unnecessary work.
It’s Not Too Late to Get CMMC Help
CMMC compliance is tough. But you don’t need to be an expert—you just need to know one.
Whether you’ve hit a wall in scoping, documentation, technical implementation, or just don’t know what to do next, we’ll meet you where you are and get you moving again. Our team includes CMMC Registered Practitioners and experienced compliance engineers who specialize in turning confusion into clarity—and intention into certification.
Let’s finish what you started.