Five Pitfalls on the Road to CMMC
What defense contractors and supply chain companies keep getting wrong, and how to avoid it before Phase 2 is scheduled to begin in November
6/17/2026 · 6 min read
CMMC Phase 1 has been live since November 10, 2025. Phase 2 is expected to introduce mandatory Level 2 C3PAO certification assessments and is currently scheduled to begin on November 10, 2026. That is five months from now.
Most companies starting their CMMC journey this year will encounter the same five problems. Not because they are careless, but because the program is structured in a way that rewards preparation and punishes assumptions. Assumptions are rarely a good thing. Here are the five points to watch for.
PITFALL 1 "This will be quicker than we think"
It rarely is a quick exercise. The most consistent planning error in CMMC preparation is underestimating the timeline. Companies assume they can move from gap assessment to certification in weeks. The reality is months and the further behind you start, the longer each step takes.
What the data says:
Level 1 preparation takes approximately 2 to 4 months. Level 2 takes approximately 6 to 18 months depending on baseline security posture (Summit 7, CISPOINT, ISI Defense, 2025/2026 industry surveys).
Recent industry surveys point to a persistent readiness gap: Redspin found that 58% of defense supply chain respondents did not feel ready for the finalized CMMC rule, while Kiteworks/Coalfire’s March 2025 DIB preparedness report found significant gaps in Level 2 readiness, including incomplete gap analyses, documentation gaps, and uneven security-control maturity.
Estimates vary: some put roughly 100 authorized C3PAOs against an estimated 118,000 organizations that need Level 2 certification, while other estimates are much lower, but either way many assessors are already booked through the end of 2026. That makes assessor availability a planning risk well before Phase 2 is scheduled to begin on November 10, 2026.
The bottleneck is not only your internal readiness; it may also be assessor availability. If you have not engaged a C3PAO by now, you are competing for a shrinking number of assessment slots.
PITFALL 2 "We already have everything in order and we just need to document it"
This is the most expensive assumption in the CMMC process. Companies believe their controls are in place and that the work is simply writing them down. The documentation exercise then reveals that what they thought existed does not or does not work the way they described it.
What the data says:
Practitioner guidance published in May 2026 notes that an inadequate or missing System Security Plan (SSP) can result in a No Score, meaning the assessment produces no usable outcome rather than a low score.
The SSP is not a summary of what you plan to do. It is a description of what is currently implemented, how it works, and where it applies. If it does not match the actual environment, the assessment fails.
SPRS score accuracy carries legal exposure under the False Claims Act. An inflated score, one that claims controls are in place when they are not, is not merely an assessment risk; it is a legal risk (32 CFR § 170).
Documentation is not the last step. It is the step that shows whether the previous steps were done correctly. You should treat it as a discovery exercise, not a formality.
PITFALL 3 "I thought I knew where my data was"
You probably don't, or not completely. The scoping phase of CMMC preparation consistently surfaces data flows that companies did not know existed. CUI moves through systems, vendors, subcontractors, cloud tenants, and manual processes in ways that are invisible until someone maps them.
What the data says:
Poor scoping is one of the most common practitioner-reported failure patterns in CMMC readiness work. Organizations that skip ahead to control implementation before scoping is confirmed routinely discover that their evidence does not map to the correct assessment boundary (MAD Security, Mirai Security, Netwrix, 2026 practitioner guidance).
Many organizations are surprised by how far sensitive data travels once it is fully mapped. CUI often moves across tenants, subcontractors, suppliers, external partners, and manual processes that were not included in the original scope definition (Virtru, May 2026).
External service providers such as MSPs, MSSPs, and managed security providers may affect assessment scope even if they do not directly receive CUI (DoD CMMC FAQ, May 2026).
Over-scoping increases cost and complexity dramatically. Under-scoping creates audit failure risk. Both start with the same problem: not knowing where CUI actually is.
Map the data first: every system it touches, every person who accesses it, every vendor it flows through. The boundary you define in scoping determines the controls you implement, the evidence you collect, and the score you report.
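As an added illustration of the mapping step (example code written for this edit, not part of the original article and not Sturnella's or the DoD's tooling), the following Python script takes a constructed inventory of data flows and administrative-access relationships and computes the CUI boundary by following every flow outward from the point where CUI enters the environment. All asset names, flows, the "data" and "admin" relationship kinds, and the declared scope are assumptions invented for the example, and the two resulting categories ("CUI asset" and "scope-affecting provider", the latter standing in for the external service providers the article mentions) are a simplification of the official scoping guidance. What it shows that the paragraph alone cannot is how a backup service, a review vendor, and an MSP that never receives CUI all land inside the boundary through transitive flows, while a system that holds other sensitive data but no CUI drops out.

```python
"""Minimal CUI data-flow scoping model (added example; constructed data)."""
from collections import deque

# Constructed inventory. Each tuple is (source, destination, kind):
#   "data"  = information held on source is transmitted to or stored on destination
#   "admin" = destination has privileged/administrative access to source but
#             does not itself receive the data (e.g. a help-desk MSP)
# These are hypothetical names, not a real environment.
FLOWS = [
    ("erp", "file-share", "data"),
    ("file-share", "engineering-ws", "data"),
    ("engineering-ws", "cad-review-vendor", "data"),   # external partner
    ("file-share", "cloud-backup", "data"),            # forgotten backup SaaS
    ("erp", "machine-shop-sub", "data"),               # subcontractor
    ("file-share", "msp-helpdesk", "admin"),           # MSP with admin rights
    ("hr-system", "payroll-saas", "data"),             # sensitive, but not CUI
]

# Where CUI first lands in the environment (assumption: contract data in the ERP).
CUI_ENTRY_POINTS = {"erp"}

# What the organization believed its boundary was before mapping (assumption).
DECLARED_SCOPE = {"erp", "file-share", "engineering-ws", "machine-shop-sub", "hr-system"}


def scope(flows, entry_points):
    """Follow "data" flows from the entry points to find every CUI asset, then
    collect "admin" relationships into those assets as scope-affecting providers.

    Returns (cui_assets, providers, parent) where parent maps each CUI asset to
    the asset it received CUI from (None for entry points), so any inclusion
    can be traced back and used as scoping evidence.
    """
    data_edges, admin_edges = {}, {}
    for src, dst, kind in flows:
        # Unknown kinds raise KeyError on purpose: an unclassified flow is a
        # scoping gap, not something to silently ignore.
        table = {"data": data_edges, "admin": admin_edges}[kind]
        table.setdefault(src, []).append(dst)

    parent = {entry: None for entry in entry_points}
    queue = deque(entry_points)
    while queue:                      # breadth-first reachability over data flows
        node = queue.popleft()
        for nxt in data_edges.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)

    cui_assets = set(parent)
    providers = {
        admin for asset in cui_assets for admin in admin_edges.get(asset, [])
    } - cui_assets
    return cui_assets, providers, parent


def trace(parent, asset):
    """Return the chain of data flows that brought CUI to `asset`."""
    path = []
    while asset is not None:
        path.append(asset)
        asset = parent[asset]
    return path[::-1]


def scoping_gaps(declared, flows, entry_points):
    """Compare a declared boundary with the computed one.

    "missed" is under-scoping (assets in the real boundary that were omitted);
    "over_scoped" is over-scoping (declared assets that CUI never reaches).
    """
    cui_assets, providers, _ = scope(flows, entry_points)
    boundary = cui_assets | providers
    return {"missed": boundary - declared, "over_scoped": declared - boundary}


if __name__ == "__main__":
    cui_assets, providers, parent = scope(FLOWS, CUI_ENTRY_POINTS)
    print("CUI assets:", sorted(cui_assets))
    print("Scope-affecting providers:", sorted(providers))
    for asset in sorted(cui_assets):
        print(f"  {asset}: via {' -> '.join(trace(parent, asset))}")
    print("Gaps:", scoping_gaps(DECLARED_SCOPE, FLOWS, CUI_ENTRY_POINTS))
```

The "admin" relationship is the part most inventories omit: the MSP never stores a CUI file, yet because it administers a CUI asset it ends up in the boundary, which is the point the DoD FAQ makes about external service providers. In practice the inventory would be generated from real sources (CMDB exports, SaaS app registrations, vendor contracts, interviews) rather than typed in, but the reachability logic is the same.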
PITFALL 4 "I thought this was just an IT exercise and that my controls were more mature than they are"
CMMC is not an IT project; it is a governance program that touches IT, operations, human resources, physical security, and executive leadership. Companies that delegate it entirely to the IT function discover during the assessment that the controls they assumed were mature do not meet the standard, because nobody outside IT was involved in building or validating them.
What the data says:
NIST SP 800-171 Rev 2, the 110-requirement standard underlying CMMC Level 2, covers 14 control families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
At least five of those families (training, personnel security, physical protection, incident response, risk assessment) require participation from functions outside IT. A gap assessment conducted only by IT will miss gaps in those domains.
The annual affirmation requirement under CMMC requires an Affirming Official, a senior-level representative with authority to affirm continuing compliance, to attest to the accuracy of the organization's compliance status. If that official does not understand what they are attesting to, the affirmation is a liability rather than a governance act (32 CFR § 170).
The gap between perceived maturity and actual maturity is where CMMC assessments fail. An honest internal assessment conducted across functions, not just by IT, can close that gap before the C3PAO arrives.
PITFALL 5 "I don't have a great way to store and retrieve all of this and I just realized this is ongoing"
CMMC is not a one-time certification; it is a continuous compliance obligation with annual affirmations, triennial assessments, and ongoing evidence requirements. Companies that build their documentation in spreadsheets and shared drives during the initial push discover that they cannot retrieve, update, or present that evidence when the cycle resets.
What the data says:
CMMC Level 2 certification is valid for three years from the CMMC Status Date. Annual affirmation is required and failure to affirm annually causes the assessment to lapse (32 CFR § 170).
POA&M items (where permitted at Level 2 and Level 3) must be closed within 180 days of the Conditional CMMC Status Date. Tracking open items, remediation timelines, and closeout evidence requires a system, not a folder.
The environment changes. Acquisitions, new subcontractors, cloud migrations, personnel changes, and site expansions all affect the assessment boundary and the accuracy of existing documentation. If your evidence repository cannot be updated and version controlled as the environment evolves, your next assessment starts from a deficit.
Dates are approximate and may change: CMMC Phase 3 is scheduled to begin on November 10, 2027, and Phase 4, full implementation, on November 10, 2028. The program is accelerating, not concluding.
The companies that treat CMMC as a program rather than a project are the ones that pass their second assessment without a sprint. Build the evidence management system now, whether a GRC platform, a structured repository, or a managed service, and then maintain it continuously. The cost of rebuilding your documentation every three years is higher than the cost of maintaining it.
The common thread across all five pitfalls is the same: assumptions made early in the process that prove wrong under assessment pressure.
The timeline is longer than you think. The documentation reveals gaps you did not expect. The data lives in places you did not know about. The program reaches further than IT, and it does not end when you pass.
The companies that avoid these pitfalls are the ones that start with an honest assessment of where they are, not where they believe they are.
Sturnella advises defense contractors, mining, energy, and critical infrastructure companies on CMMC readiness, SEC cybersecurity disclosure, and board-level cyber governance.
If your company is beginning its CMMC journey and wants to avoid the five pitfalls above, the conversation starts with scoping and it starts now.
contact@sturnellahq.com | sturnellahq.com | news.sturnellahq.com
Disclaimer: This article appeared on the Sturnella website at sturnellahq.com and is provided for informational purposes only. It does not constitute investment advice, financial advice, legal advice, or a solicitation to buy or sell any security or financial instrument. The information contained herein is based on publicly available sources and is believed to be accurate at the time of publication but is not guaranteed. Sturnella LLC is a capital markets cybersecurity and governance advisory firm and is not a registered investment adviser, broker-dealer, or financial institution. Always consult a qualified financial, legal, or investment professional before making any investment decision.
Sturnella LLC © 2026 All rights reserved.