Podcast Summary: Sum IT Up – CMMC Level 2 Assessment: What to Expect (Insights from 100 Assessments)
Date: April 9, 2026
Host: Summit 7
Guest: Fernando Machado (Managing Principal at Cybersec Investments, master C3PAO, CMMC expert)
Notable Co-Host/Contributor: Jason
Episode Overview
This episode provides a rare, data-driven look into the realities of CMMC Level 2 certification assessments, based on Fernando Machado’s experience overseeing 100 successful C3PAO assessments. The conversation covers assessment costs, timelines, company readiness, common pitfalls, assessment capacity, green/red flags, and advice for companies preparing for CMMC certification. The discussion is rich with practical insights, puncturing myths frequently encountered online about the CMMC ecosystem.
Key Discussion Points & Insights
1. Profile of the First 100 Assessed Companies (00:46–03:11)
- Revenue & Size:
- 71% of companies: $0–50M annual revenue.
- 60% have 0–200 employees.
- Maturity:
- 74% used consultants or certified MSPs; most did not do it fully in-house.
- Contractor Types:
- 46% are subs (many also primes elsewhere).
- Defense Agencies:
- 68% Navy, 23% Air Force, 7% Army, 3% Marine Corps.
Fernando: “Most companies are between the 0 to 50 million in revenue... 0 to 200 employees... companies that used a consultant or a certified service provider accounted for 74%.” (01:52)
Insight: The composition reflects the broader Defense Industrial Base (DIB): small businesses, often with external support, and largely serving as subcontractors.
2. Assessment Costs: Myths vs. Reality (04:36–07:25)
- Baseline Cost:
- Assessments typically start at ~$30k and scale with complexity (multi-location organizations and large primes may exceed $100k).
- Common Cost Drivers:
- Organization size & complexity.
- Scope—careful scoping reduces cost.
- Use of non-statistical sampling (e.g., sampling a subset of similar sites).
- Misconceptions:
Online buzz inflates assessment costs ($100k+) by conflating them with implementation costs.
Fernando: “Costs start at around 30k and they go up from there... We could randomly select two sites at random and if those are good, we can say with reasonable assurance the others are good too.” (05:07)
Host A: “Fernando's not charging you $200,000. CMMC is not costing you $200,000. Sorry, I say it every week.” (07:01)
3. Assessment Timelines & Triggers (07:39–09:44)
- Assessment duration:
- 90% finish in a week or less (Mon–Thu, Fri as needed).
- Can extend to two weeks for complex, multi-site organizations.
- What makes companies seek assessment?
- Main driver: pressure from prime contractors who mandate certification by certain dates (e.g., November 10).
- Not driven by DOD deadlines but by primes preparing proactively.
Fernando: “We tend to conduct small to medium size assessments... within about a week... The speed depends on how well prepared the customer is.” (07:39)
Fernando: “The biggest thing is the prime contractors are starting to push the supply chain to get certified.” (08:59)
4. Assessment Ecosystem & Capacity (10:53–20:54)
- Assessment Volume:
- Fernando’s firm accounts for about 10% of the ecosystem's issued Level 2 certs.
- Capacity varies—some C3PAOs are booked out, others are looking for work.
- Assessment Teams:
- A single C3PAO may have multiple assessment teams (Fernando’s firm has 8, aiming for 10).
- Monthly assessment capacity: 15–18 assessments with 8 teams.
Fernando: “We ourselves make up for 10% of the overall certificates issued in the ecosystem.” (11:23)
Fernando: “At the moment with eight assessment teams... 15 to 18 assessments per month.” (20:51)
5. False Starts & Company Readiness (12:22–18:32)
- False Start Rate:
- ~30% of prospective assessments are "false starts": the company is not ready and never enters the assessment proper.
- Common False Start Triggers:
- Incomplete documentation (e.g., SSP in draft, not signed, with unresolved comments).
- Poor scoping (e.g., data flow diagrams don’t match environment).
- Misunderstanding of technical requirements (e.g., assuming encryption alone satisfies a control; gaps in documenting FedRAMP Moderate equivalent cloud solutions).
- Not using NIST SP 800-171A for self-assessment.
- Financial Implications:
- Companies that false start are not charged the full assessment fee; the assessment can be rescheduled once they are ready.
Fernando: “I would probably say two or three [out of 10]… 30% false start rate, meaning these folks do not even get out of pre-assessment.” (12:22)
Fernando: “SSP was still in draft… improper scoping… the use of FedRAMP moderate equivalent solutions…” (12:22)
6. Assessment Outcomes (Conditional, Failed, and Green/Red Flags) (14:55–27:01)
- Conditional Status:
- None issued so far by Fernando’s team—a mark of strong preparation among early adopters.
- Failures:
- None outright; pre-assessment phase screens out unready companies.
- The reevaluation process (before report submission) allows minor doc gaps to be remedied.
- Green Flags:
- Well-written, detailed System Security Plans (SSP).
- Thorough customer responsibility matrices (for service provider relationships).
- Working with certified MSPs/consultants.
- Red Flags:
- Unfinished or poorly documented SSPs.
- Evidence of only checkbox compliance (“implemented” checkmarks with no detail).
- Not using 800-171A methodology.
Fernando: “Well written, documented SSP statements… best piece of advice… write your SSP at a very detailed level.” (21:30)
Fernando: “Not using 171A… the NIST gets them every time… I’ll see SSP document, and it’ll just be implemented. They'll just put a check mark on it…” (22:58)
7. Environment-Specific Challenges (23:53–24:49)
- Manufacturing environments:
- Hardest to assess and implement due to multiple locations, OT (operational tech), and complex physical segmentation.
Fernando: “Manufacturing environments… hardest time with implementing… specialized assets… becomes a nightmare for physical and logical segmentation.” (23:53)
8. Market “Push” and Early Movers’ Rewards (27:03–28:32)
- Prime-driven assessment:
- Majority seeking certification due to prime contractor demands.
- Early adopters:
- Gaining more business as primes look for certified subs.
- Notable: Elbit Systems actively seeking certified partners.
Fernando: “More of the customers are doing this because they're being pushed by a prime, but at the same exact time, they're also winning work out of it.” (27:34)
9. Significant Changes Triggering Reassessment (28:44–31:00)
- What triggers a fresh assessment?
- Any “significant architectural or boundary change” post-cert (per the rule).
- Examples: Adding new cloud services for CUI; changing capabilities (e.g., enabling printing or removable media after initially disabling it to pass assessment); mergers/acquisitions.
- No delta/partial assessments—must do the full assessment over again if a significant change triggers reassessment.
- Practical Guidance:
- “Do not change your MSP provider after assessment.”
- Plan all anticipated operational changes before seeking assessment to avoid unnecessary extra assessments.
Fernando: “If you open up capabilities that was initially not applicable or was met because it wasn't being done and you open it up later, we have to go through a full blown assessment all over again.” (30:24)
Notable Quotes & Memorable Moments
- On assessment cost myths:
Host A: "Fernando's not charging you $200,000. CMMC is not costing you $200,000." (07:01)
- On non-statistical sampling to reduce cost:
Fernando: "We could select two sites at random. If those sites are good, we can say with reasonable assurance that the others are good to go as well." (05:07)
- On readiness and company failures:
Host A: "Clearly a hundred thousand companies aren't ready... just not the case." (13:30)
Fernando: "It's insane... some folks fail to continue to keep using 800-171A." (13:26)
- On incentives:
Fernando: “Instead of entering what we like to call the five stages of grief and just get into acceptance, there’s a lot of work to be had here.” (28:17)
- On “significant change” gotchas:
Fernando: “There are no delta assessments... If you open up capabilities... we have to go through a full blown assessment all over again.” (30:24)
- On making life easier for primes and assessors:
Host A: "Don't be hard to do business with." (28:17)
Segment Timestamps for Reference
- Company Demographics & Landscape: 00:46–03:11
- Assessment Cost Breakdown: 04:36–07:25
- Assessment Duration: 07:39–08:12
- What Drives Certification Uptake?: 08:59–09:44
- Assessment Ecosystem Capacity & Teams: 10:53–20:54
- False Start Analysis: 12:22–13:26; 14:33–15:18
- Conditional & Failed Assessments: 14:55–18:20
- Green/Red Company Flags: 21:30–23:23
- Manufacturing & OT Challenges: 23:53–24:49
- Market Pushers & Early Movers: 27:03–28:32
- Significant Changes & Triggers for Reassessment: 28:44–31:00
Conclusions and Practical Takeaways
- Preparation is everything: Companies that thoroughly document, understand their scope, and leverage credible outside help have smooth assessments.
- Assessment cost is not prohibitive for small companies—but implementation costs are separate.
- Prime contractors, not the DOD alone, are the biggest immediate push for certification.
- Assessment failures are rare due to robust pre-assessment screening (but 30% never make it to the start line).
- Manufacturing environments are notably challenging.
- Significant architectural changes after certification will require a full reassessment—plan wisely.
- Early certification conveys business advantage, not just compliance.
Tone & Style
Conversational, practical, at times cheeky, grounded in data-driven reality, and slightly irreverent toward common industry myths.
Speaker Attributions
- Host A: Podcast host, facilitator, myth-buster, direct.
- Fernando Machado (B): C3PAO assessor, subject-matter expert, practical, occasionally self-deprecating.
- Jason (C): Co-host/contributor, brings up contrasting industry experiences and clarifies main points.
For listeners and practitioners aiming for CMMC Level 2: leverage certified MSPs/consultants, start early, and take scoping seriously. Avoid false starts by ensuring all documentation and boundary work is complete—there’s more assessment capacity than you may think, especially for those truly ready.
[End of Summary]
