Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: 75% of the CMMC Assessment Guide Isn’t Requirements
Host: Summit 7
Date: March 12, 2026
Overview
This episode addresses a widespread misconception among defense contractors and even some assessors: that everything in the CMMC Level 2 Assessment Guide is a requirement. The hosts break down the structure of the Assessment Guide, clarify what counts as an actual requirement versus explanatory guidance, and explain the practical implications for organizations trying to comply with CMMC. Their key message: 75% of the Assessment Guide is explanatory, not prescriptive. Misunderstanding this can lead to expensive, unnecessary, and time-wasting efforts in compliance.
Key Discussion Points & Insights
1. The Big Misconception: Not Everything Is a Requirement
- Many organizations and even some assessors think every section of the Assessment Guide is mandatory (00:00).
- Only 20-25% of the Guide contains actual requirements; the rest is explanatory text.
- “Misunderstanding that distinction leads to one of the most common and expensive mistakes that we see in CMMC preparation.” – Host A [00:25]
2. Structure of a CMMC Practice in the Assessment Guide
- Each security requirement is a “practice,” consisting of:
  - Practice Statement (the requirement itself, from NIST SP 800-171)
  - Assessment Objectives (what the assessor must verify, from NIST SP 800-171A)
  - Potential Assessment Methods and Objects (ways to gather evidence)
  - Discussion
  - Further Discussion
- Only the Practice Statement and Assessment Objectives are normative (must be met); the rest is for clarity and guidance (03:45).
- “These are the parts that determine compliance because they determine if the practice has been fully implemented.” – Host A [04:30]
3. Explanatory Text: What Is It and Why Does It Exist?
- The vast majority of the text (over 75%) in the Assessment Guide is explanation, context, and examples, not requirements (06:54).
- Discussion/Further Discussion sections help interpret controls, especially when the main requirement is brief or technical, but don’t create new obligations.
- “These sections are informative, they are not prescriptive.” – Host A [07:50]
4. Practical Example: Physical Access Control Requirement
- Requirement 3.10.1: “Limit physical access to organizational information systems, equipment, and their respective operating environments to authorized individuals.”
- Discussion section gives examples like badges, ID cards, and smart cards, but these are examples only.
- “That doesn't mean that you need those specific solutions and it also doesn’t mean you need all of them.” – Host A [09:11]
- Further discussion may list things like electronic locks or fax machines—still examples, not requirements.
- “If you take the discussion section and put that in your SSP, the assessor is going to go, ‘Where’s that fax machine at?’” – Host A [11:13]
5. Where Do Requirements and Verification Procedures Come From?
- Requirements: Derived from NIST SP 800-171 (currently Revision 2).
- Verification procedures: From NIST SP 800-171A (“assessment objectives” in CMMC language).
- Discussion sections are explicitly called informative/not normative in NIST.
- Key Quote: “The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use…” – Host A [15:20, paraphrasing NIST]
6. Why This Matters: Risks and Costs
- Treating all guidance as requirements leads to over-engineering, higher costs, unnecessary documentation, and potential assessment confusion (22:51).
- “This causes organizations to implement unnecessary technical controls, buy unnecessary stuff, create unnecessary documentation… That will increase cost, it will increase complexity, and it won’t necessarily improve your assessment outcome.” – Host A [22:58]
7. Appreciating the Assessment Guide’s Benefits (But Use It Wisely!)
- Combining NIST’s requirements and assessment objectives into a single document (CMMC Assessment Guide) is a major usability improvement (20:33).
- Further Discussion sections are unique and meant to illustrate intent—not more rules.
- “These examples provide insight, but are not intended to be prescriptive of how the practice must be implemented…” – Host A reading from the Guide [21:30]
8. Recommendations for Organizations
- Always ask: “Is this something that an assessor has to verify, or is this just an explanation?”
- Focus your compliance on the Practice Statement and Assessment Objectives—don’t treat every example as gospel (24:44).
- “Understanding that distinction is going to make CMMC compliance a lot simpler, ... a lot cheaper, ... way less intimidating.” – Host A [25:12]
Memorable Quotes & Moments
- On redundant guidance: “Sometimes there is a lot of redundancies and sometimes those redundancies create confusion…” – Host B [03:08]
- On how assessment objectives relate to the requirement: “Assessment objectives are the observable conditions that demonstrate whether a requirement has been implemented. They don't create new controls.” – Host A [18:03]
- Analogies:
  - Power Rangers/Transformers: How assessment objectives combine to form the overall requirement, like individual Power Rangers forming the Megazord (19:51).
  - Gym fitness: Compliance is not about doing every exercise listed, just meeting the baseline—examples are illustrative, not exhaustive (16:12–16:59).
- On practical risk: “If it’s something the assessor must verify, ... and the awareness of what applies to you is very, very important.” – Host B [25:53]
Timestamps for Key Segments
- 00:00–02:10 – Introduction and Statement of the Problem
- 03:23–07:50 – How the Assessment Guide is Structured
- 07:54–10:47 – Discussion vs. Requirement: Practical Example
- 12:08–13:41 – Why Over-implementation Happens
- 15:20–19:16 – Source of Requirements and Verification Procedures
- 19:36–21:30 – Analogies and the Value of Combined Documents
- 22:51–24:44 – Real-World Impact & Why Knowing the Difference Saves Money
- 24:44–26:20 – Concluding Recommendations
Takeaways
- Read the CMMC Level 2 Assessment Guide critically:
  - Focus on the sections that determine pass/fail: Practice Statement + Assessment Objectives.
  - Treat guidance, examples, and further discussion as explanatory context only.
- Avoid unnecessary work:
  - Don’t implement every suggestion; tailor your controls to meet the objectives.
- Stay cost-effective and efficient:
  - Over-interpreting guidance leads to wasteful spending and documentation.
For further detail or document references, reread the beginning of the NIST and CMMC Assessment Guide documents—don’t just jump to the controls.
Let the hosts know if you want a future episode diving deeper into assessment methods and evidence collection!
