Sum IT Up: CMMC News Roundup
Episode: Lessons Learned from 25 CMMC Assessments
Date: June 12, 2025
Host: Summit 7
Guest: Fernando Machado, Managing Principal and CISO at CyberSec Investments (C3PAO)
Overview
This episode features insights from Fernando Machado, an experienced CMMC assessor at a C3PAO, on lessons learned after performing 25 CMMC Level 2 assessments during the first six months of the CMMC program rollout. The discussion covers trends, pitfalls, best practices, and the practical realities for organizations navigating CMMC certification.
Key Discussion Points & Insights
The CMMC Assessment Landscape
- Demand and Backlogs: Demand for assessments is overwhelming. CyberSec Investments is already booked into March 2026, which illustrates the backlog faced industry-wide.
  "We're currently right now booking in the February and March of next year and we're starting to see that demand even grow." —Fernando (01:24)
- Assessed Organization Breakdown:
  - 40% External Service Providers (many of them managed service providers, MSPs)
  - 30% Professional Services (mostly small businesses with fewer than 500 employees)
  - 10% Manufacturing
  - 10% Engineering
  - 10% A single construction company (approx. 50 employees)
"25 is a very hard number to break up into 100 percentile." —Fernando (02:36)
- Trend Observations:
  - Surprisingly, many external and professional service providers have been early adopters, while fewer small subcontractors have rushed for assessment than initially expected.
Assessment Outcomes: “False Starts,” Conditional Status, and Failures
- False Starts (Early Disqualifications):
  - Two organizations were non-voluntarily rescheduled due to lack of readiness:
    - One had no incident response plan:
      "We asked them, hey, what do you guys have for the Incident Response control family? … the answer … was, well, we just opened up a ticket. Yeah, so you're not ready for an assessment." —Fernando (04:47)
    - Another submitted documentation with open POA&M (Plan of Action and Milestones) items and couldn't provide the subsequent required documents.
- Pushback on Rescheduling:
  - Initial resistance from clients, but most realize it's preferable to reschedule rather than fail outright (06:20).
- Conditional Statuses:
  - None issued. Well-prepared clients, supported by experienced consultants and providers, minimized the risk of conditional findings.
  "We haven't had a single conditional Level 2 certification yet. And again, that's a testament to the good consultants and service providers that have been helping them." —Fernando (07:11)
- Assessment Failures:
  - No outright failures; only the two false starts described above, both caught during document review.
Traits of Successful ("Green Flag") Assessments
- Common Success Factors:
  - Consistent, well-formatted documentation, especially a tailored system security plan (SSP) that maps directly to each assessment objective.
  "When they document their things in their system security plan down to the assessment objective, that always makes, you know, an assessor's heart just warm." —Fernando (09:31)
  - Use of a shared responsibility matrix.
  - Ongoing partnerships with trusted providers who understand CMMC nuances.
- Assessment Duration:
  - One week is allocated per assessment, but prepared clients finish in 2-3 business days, especially when documentation and evidence are in order.
  "Well prepared clients are seeing reduced assessment time … usually seeing two to three business days." —Fernando (11:11)
Persistent Issues & Problem Areas
- CAGE Code Alignments:
  - Misalignments cause administrative headaches and rework, especially in eMASS and SPRS.
  "The biggest thing is the CAGE codes … a contractor will tell us … these lists of CAGE codes … they don't go into SAM.gov to make sure that the CAGE codes are all aligned to the HLO." —Fernando (11:48)
  - Organizations must obtain their CAGE codes and verify in SAM.gov that they are correctly registered and aligned to the Highest Level Owner (HLO) before the assessment.
- Technical Control Snags:
  - FIPS-validated cryptography remains a notorious tripping point, especially when patches break FIPS mode.
  "The biggest one … should be to no surprise … is the FIPS-validated cryptography, [which] has been an issue that has caused a lot of pain." —Fernando (16:05)
- Unprepared Self-Starters:
  - Organizations attempting self-preparation often lack awareness of key requirements (e.g., relying on cloud services without the required FedRAMP authorization, or not knowing that NIST SP 800-171A, the assessment procedures, exists).
  "They still don't know that 800-171A exists … We tell them you're not ready for an assessment. … Go talk to [trusted SPs] and come see us in six months to a year." —Fernando (14:53)
Environment-Related Trends
- Manufacturing Environments:
  - The most challenging, due to specialized assets and unique infrastructure.
  "The manufacturing environments are always the trickiest because of all of the specialized assets." —Fernando (15:19)
- Professional Services:
  - Generally easier, due to standardization and fewer moving parts.
Motivations of Early Adopters
- Pressure from primes to provide proof of being "in line" for a CMMC assessment, even before the official DoD contract rollout.
  "They're being instructed by their primes to provide proof that they're in line for a CMMC assessment." —Fernando (17:03)
- Perceived competitive advantage: a way to avoid being "priced out of the market" or losing opportunities once CMMC becomes contractually required.
  "We don't want to be priced out of the market, so we want to go ahead and get in front of this now to become early adopters." —Fernando (17:12)
- Some small businesses saw direct benefit during the JSVA (Joint Surveillance Voluntary Assessment) early adoption phase, using DIBCAC High assessments as differentiators with primes (18:26).
Assessment Cost Realities and Drivers
- Price Range: $20K–$70K
- DoD estimates a $76K cost for small businesses, though most C3PAOs currently charge less.
- Key cost drivers:
  - Dual-assessor requirement (a Lead CCA plus a second CCA, with a third assessor performing QA)
  - Organizational complexity (multiple environments, use of MSPs, on-prem vs. cloud, multi-site)
  "The biggest factors … DoD decided … two assessors … and then … the third assessor to conduct the QA. … also … how complex are they? … these are all things that could potentially drive the cost up." —Fernando (19:29)
Notable Quotes & Memorable Moments
- On Prepared Clients:
  "Fortune favors the prepared mind, everybody." —Host (11:11)
- On organizations trying to go it alone:
  "They still don't know that 800-171A exists." —Fernando (14:20)
- Ballpark Pricing:
  "Things that I've seen out there ranges from like 20k, which I don't think is sustainable, all the way up to like 70k." —Fernando (19:29)
- On FIPS Cryptography:
  "FIPS-validated cryptography has been an issue that has caused a lot of pain." —Fernando (16:05)
- Golf Humility:
  "I tried, every time I connected with the ball ... I connected, I was like, all right, I hit it far right." —Fernando (21:43)
Timestamps for Important Segments
- Fernando’s Background & Current Demand: 01:24–01:53
- Breakdown of Assessed Companies: 02:36
- False Starts and Cancellations: 04:47–06:08
- Conditional Status and Failures: 07:11–08:45
- Assessment Success Factors (“Green Flags”): 09:31
- Assessment Duration: 10:35–11:11
- CAGE Code Admin Headaches: 11:48–12:58
- Spot Requirements Causing Snags: 16:05
- Early Adopter Motivations & Primes’ Pressure: 17:03–17:36
- Assessment Cost Discussion: 19:24–20:27
Takeaways
- Preparation and professional help are key: Organizations supported by experienced providers and good documentation are passing without major issue or delay.
- The biggest assessment obstacles are administrative (CAGE code alignment, documentation quality) and technical (FIPS-validated cryptography).
- Motivation is almost always external pressure from primes or a desire for competitive edge, not a contractual requirement (yet).
- Assessment costs vary, driven by DoD requirements and organizational complexity; $20K-$70K is typical for now.
- Manufacturers face the toughest road; professional services, the easiest.
- If you haven’t started CMMC preparations, get expert assistance early—most “do-it-yourselfers” are not assessment-ready.
Catch Fernando at assessment #50 later this year, and follow him on LinkedIn for real-time CMMC insights!
