
The 7 Biggest CMMC Implementation Mistakes C3PAOs Are Seeing in Real Assessments

June 04, 2026

Author: Anna Fitzgerald, Senior Content Marketing Manager

Most DIB organizations pursuing CMMC Level 2 certification approach it as a one-time project. There's a timeline, a consultant, a push to get across the finish line. What C3PAOs are finding is that this mindset is the root cause of the most expensive and damaging mistakes, both in first assessments and in the assessment cycles that follow.

At the Secureframe National Cybersecurity Summit 2026, C3PAOs and consultants described what they're actually seeing during the assessment or readiness stage. Below we’ve compiled the biggest CMMC implementation challenges and lessons learned they shared so you can stay on a straight, continuous path to certification.

1. Excluding security protection assets (SPAs) from scope

The most common misconception C3PAOs encounter is that CMMC scope is simply "wherever CUI lives." It isn't. The DoD’s CMMC Scoping Guide for Level 2 defines CUI Assets and four other categories.

The one most commonly overlooked is security protection assets (SPAs), according to C3PAOs. SPAs are systems and tools that don't directly store or process CUI but that protect the confidentiality of CUI, and they are fully in scope for CMMC.

As Koren Wise, certified CMMC Lead Assessor and CEO of Wise Technical Innovations, explained: "If something is helping you meet the CMMC requirements in a domain, it's very likely that it is a security protection asset, even if it is not processing, storing, or transmitting CUI."

The examples organizations miss most often include:

  • identity infrastructure (Entra ID, Active Directory, Okta)
  • endpoint protection and vulnerability scanners
  • SIEM solutions
  • RMM tools
  • VPN access paths
  • ticketing and change management systems

Wise highlighted the ticketing system specifically as a hidden SPA: these tools store Security Protection Data (logs, incident records, vulnerability data) that would be highly valuable to an adversary, even if they don't contain CUI directly.

Adam Glover, Senior Director of CMMC Services at Insight Assurance, said that organizations that try to exclude SPAs from scope because they believe they don't belong there often create more work for themselves. "We end up having to pull that stuff back in, and then that leads to delays and potentially issues with Phase 1."

The practical implication: if a tool is helping you meet any of the 110 NIST 800-171 controls, it probably belongs in your scope.


2. Buying into an enclave that doesn't fit how you actually work

CUI enclaves are a legitimate and often cost-effective approach to CMMC compliance, especially for small businesses. Instead of certifying the entire enterprise, organizations carve out the boundary where CUI lives and apply the 110 requirements to only that isolated environment and the devices that access it.

The problem C3PAOs are seeing is organizations purchasing overly restrictive enclave products that don't actually support how they do their work, and then processing CUI outside of that enclave because they have no other choice.

This is one of the most consequential scoping errors, because once CUI moves outside an assessed boundary, the certification no longer reflects reality. Wise called this "misrepresentation land" or "false claims land."

Her framing for evaluating an enclave solution: "We love our enclave, but it's because it suits all of our needs. We don't need to print, and it has SharePoint, productivity tools, Defender, Sentinel—everything's up there. But we would hate it if it only did two things and we couldn't do all that other stuff."

Travis Goldbach, cybersecurity and compliance leader at Coalfire Federal, shared a concrete example: a C3PAO walked into a CMMC assessment to find a technically excellent enclave, and then discovered the organization needed to print. Printing hadn't been included in scope. The enclave couldn't support it. The organization had no compliant way to do something they needed to do every day.

The guidance from both assessors: before committing to any enclave architecture, map out everything your users will need to do with CUI. Include:

  • how it arrives
  • how it moves
  • how it's used
  • what systems touch it in the course of normal work

Then build the enclave around those actual workflows, not an idealized version of them.

Doug Barbin, President at Schellman, offered a practical starting point: "Start with the users. What do they need, and what services do they need access to? It has to start with an understanding of what the users need and where the data is going to be handled."

3. Misunderstanding shared responsibility versus inheritance

Organizations working with managed service providers (MSPs) or cloud service providers frequently misread how compliance responsibilities are shared, and this misunderstanding shows up in assessments.

Wise drew a critical distinction between inherited and shared responsibility:

  • Inheritance applies when you have no ability to control a particular function. The classic example is physical security in a cloud provider's data center. You can't touch their badge readers or cameras, so you inherit those controls completely.
  • Shared responsibility with an MSP is different. The MSP may be performing a function in your environment, but that doesn't remove your obligation to demonstrate it's being done correctly.

Some organizations mistakenly think "because they did it in their house, that means they're doing it in my house," Wise explained. "It doesn't mean that necessarily, and the assessor's there to see if they're really doing it in your house."

In other words, many organizations assume that if their MSP is CMMC Level 2 certified, they've inherited all the controls that MSP performs on their behalf. But that's not how it works. A C3PAO will still assess those controls in your environment. The MSP's certification only means the assessor may spend less time going deep into the MSP's own house. Your house still requires its own inspection.

Goldbach added a nuance many organizations miss: scope doesn't just include what your cloud service provider does for you. Inheritance of cloud controls stops at the cloud boundary. A hybrid environment where some functions are on-prem means those on-prem functions don't automatically inherit cloud protections.

A related failure mode is organizations whose MSP wrote the system security plan (SSP) and whose own staff can't speak to what's in it.

Mike Gallagher, Senior Director of Federal and Advisory Services at A-LIGN, described what this looks like in assessment: "I want the organization to be able to tell me what they're doing to meet those obligations and minimize those risks, not the MSP." The MSP can help develop documentation and be present to support technical questions, but the authorizing official within the organization seeking certification (OSC) is ultimately responsible for the business's processes and controls. An authorizing official who signs an affirmation without understanding what they're signing is taking on liability they don't recognize.

"The MSP can't take ownership of that. The MSP can't sign off as an authorizing official for you," Gallagher said.


4. Writing an SSP that doesn’t match your environment

The most consistent finding across all three assessors: the system security plan (SSP) doesn't reflect reality. Organizations submit an SSP that was written to satisfy a requirement, not to describe how the environment actually works.

Gallagher described the tell: "When the organization talks through their CUI flow, and that doesn't match how it's represented in the system security plan—that is the biggest signal when we go look at whether an organization's ready."

Glover identified three specific SSP failure modes that come up repeatedly:

  1. SSPs written to the requirement level only. CMMC assesses 320 assessment objectives, not just the 110 NIST 800-171 Rev 2 requirements, and the SSP needs to address that granularity.
  2. Misalignment between documents. What's written in the SSP, what's in the standard operating procedures, and what's actually implemented are three different things, and they need to match.
  3. Documents that don't stand on their own. Assessors shouldn't have to cross-reference multiple documents to understand a single control. "All of those documents should be independent of each other, so if we pick up any one of them, we'll be able to know what's going on in your environment."

Sammy Chowdhury, Co-founder and Chief Compliance Officer at Prescient Security, added a red flag that C3PAOs can spot immediately: an SSP that is templated or boilerplate copy generated by AI. The problem isn't that AI was used; it's whether the AI-generated SSP reflects what's actually implemented.

Chowdhury says that during Phase 1 of a CMMC assessment, assessors are not only checking that you have the required documentation in place. They're also looking at whether your SSP and policies "tell the truth" and reflect a true understanding of how your environment operates.

In Phase 2, assessors will ask control owners to demonstrate what controls are in place and how they’re operating effectively. If the SSP was generated using disconnected AI tools or templates instead of real-time data from your environment, those demonstrations will fail.


5. Under-preparing for Phase 1 of the assessment

A significant share of organizations enter Phase 1 of the CMMC assessment expecting a readiness review with remediation time built in. That's not what it is.

Glover was direct: "It's really not a readiness review or gap analysis. It's a readiness check." Phase 1 examines the core foundational documents:

  • SSP
  • Network diagram
  • Data flow diagram
  • Customer responsibility matrices

The purpose is to determine whether the organization is ready to enter Phase 2, not to help them get ready.

Gallagher explained the independence constraint that shapes this distinction: "We have to stay independent. If we are going in and telling you how to fix something, then we're assessing exactly what we told you to do, and we have left our independence at the door."

Assessors can flag issues and indicate whether they're comfortable proceeding, but they cannot prescribe remediation.

The practical implication is that by the time an organization is in front of a C3PAO, the environment needs to be ready. Chowdhury put it plainly: "Phase 1 is a runway and Phase 2 is a takeoff. You don't want to build a plane in Phase 1. That's too late."

About one-third of organizations assessed by Prescient Security are not ready to enter Phase 2 after Phase 1, Chowdhury noted, a figure that should recalibrate how organizations think about assessment timelines.


6. Approaching CMMC like any other compliance framework

Organizations with experience in SOC 2, ISO 27001, or FedRAMP often underestimate CMMC, and that creates specific blind spots.

CMMC vs SOC 2

The most important structural difference: CMMC is a point-in-time assessment, not a historical audit. SOC 2 looks at a defined period in the past. CMMC looks at what's in place right now, live, in the room with the assessor. "It's a live assessment," Glover noted, which means the environment present during Phase 2 is what gets assessed. There's no audit window to look back through.

CMMC vs ISO 27001

The ISO 27001 assumption that trips people up is risk acceptance. In ISO 27001, organizations can accept certain risks and document them. In CMMC, that's not an option. "You are MET or NOT MET—it's black and white," Gallagher explained. "You have to have all 110 controls, 320 objectives, in a MET state. You don't get to say, oh, this seems like a lower risk to me, I'm just going to accept it."

CMMC vs FedRAMP

The FedRAMP trap is different: organizations that have FedRAMP certification sometimes deprioritize CMMC documentation because they view FedRAMP as the harder standard. Glover described the result: "They get a little lazy and lackadaisical with their documentation. They have a FedRAMP SSP, so they don't really feel they need a CMMC one."

However, the scoping is different, the data types are different, and the assessment methodology is different enough that treating CMMC as a subset of FedRAMP work is a mistake.

7. Missing controls that consistently come back as NOT MET

Beyond documentation and scoping, certain CMMC controls surface as NOT MET often enough that C3PAOs treat them as known trouble spots.

  • Incident response testing. Having an incident response plan is one control. Testing it is another. "It's not something you just put together a week before the assessment," Gallagher said. Assessors will ask to see evidence of tabletop testing. No testing history means a not-met finding.
  • Audit logging. Audit logs that exist but aren't being reviewed, aren't readable, or are available only in raw format that can't be analyzed don't meet the objective. "If it's pretty obvious that it's just raw code you're not going to get any information out of—that's not meeting the control," Gallagher noted.
  • Risk assessments. Glover explained, "The risk assessment is either not conducted at all, not complete, or not accurate. Maybe people throw some vulnerability scan results in and say that's a risk assessment." A vulnerability scan is an input to a risk assessment, not the risk assessment itself.

How Secureframe Defense closes the gap between getting certified and staying certified

Every mistake on this list—leaving assets out of scope, an overly restrictive enclave, a check-the-box SSP—points to the same root cause: the organization optimized for getting certified rather than for being continuously compliant.

Those are different goals. The organizations best positioned as enforcement tightens aren't the ones that ran the hardest sprint to certification. They're the ones that built the operational discipline to stay there.

That's the problem Secureframe Defense is built to solve. It's an end-to-end CMMC solution that automates every stage, from infrastructure to documentation to monitoring. By replacing the fragmented approach of disparate tools and consultants that introduce additional cost, delays, and the risk of misconfiguration or compliance decay, Secureframe Defense enables DIB organizations to achieve, maintain, and prove their cybersecurity posture and CMMC compliance over time.

Mapped directly to the mistakes above, Secureframe Defense helps teams:

  • Identify in-scope assets automatically and accurately, including the security protection assets organizations most often miss, using an AI-guided, step-by-step workflow rather than guesswork.
  • Auto-provision a CMMC-compliant enclave using GCC High or Google Workspace to store CUI and virtual desktops or physical devices to access it, depending on your preference. That way, the enclave is built around how your team actually works, so CUI doesn't end up processed outside the boundary.
  • Understand exactly how your enclave maps to CMMC requirements, automatically pulling evidence from your cloud tenant to show exactly which controls are met, which need additional configuration, and which require operational work like policies.
  • Auto-generate SSPs, POA&Ms, and policies aligned to your real control environment, not AI boilerplate or templates that fall apart during Phase 2 of CMMC assessments.
  • Track their live SPRS score based on real control implementation status, so you know you're genuinely assessment-ready before Phase 1.
  • Follow the guided, expert-backed Navigator workflow to see exactly which controls and tests you need to implement to meet each CMMC requirement, reusing mapped controls and tests from existing frameworks in your Secureframe tenant where applicable.
  • Monitor, get alerted, and remediate changes over time to prevent scope drift and continuously meet “trouble-spot” controls like incident response testing, audit logging, and risk assessments.

Don’t treat CMMC as a one-time project. Talk to an expert about how Secureframe Defense can give you the continuous compliance posture that holds up across your first assessment and every cycle after.

About the author

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.