Last Updated on February 6, 2026
I talk to a lot of organizations that are somewhere on their CMMC journey. Some are preparing to self-attest, others are getting ready for a full certification assessment. By the time we connect, many of them tell me they’re already working with a consultant or that they’ve been grinding through the requirements on their own.
That’s great to hear, but I always like to dig a little deeper.
Unfortunately, in many cases, it becomes clear that despite their time and effort, they’re not as far along as they think. The issue almost always comes down to a fundamental misunderstanding of how CMMC should be approached.
It’s Not Just About the 110 Practices
A lot of organizations begin with the right instinct: “Let’s assess ourselves against the 110 security practices in NIST SP 800-171 and close the gaps.”
That seems logical. After all, CMMC Level 2 is based on those 110 practices. They build a checklist, perform a gap analysis, create an action plan, and start implementing controls. Once they’ve made progress, they feel confident they’re in a good place.
But here’s the problem: CMMC doesn’t require you to implement 110 controls across your entire environment. It requires you to implement the 110 controls for systems that process Controlled Unclassified Information (CUI).
And that’s where many organizations go off track.
If You Haven’t Scoped, You Haven’t Started
To properly implement CMMC, you first need to define the systems, assets, and processes that are CUI-relevant.
CUI-relevant assets are any hardware, software, or procedures that process, store, or transmit CUI.
If your System Security Plan (SSP) doesn’t clearly define your CUI boundary, then your gap assessment is fundamentally flawed. It isn’t enough to have logs in your SIEM; you need logs from your CUI-relevant assets in your SIEM. You don’t need endpoint protection across the enterprise; you need controls applied to the systems that touch CUI.
That scoping decision affects everything:
- How you apply the 110 practices
- What your CMMC Third-Party Assessment Organization (C3PAO) will actually audit
- What systems require multi-factor authentication, logging, or configuration management
- How you define and justify enclave boundaries
The SSP Drives Everything
The SSP isn’t a documentation exercise. It’s the foundation of your CMMC program. Without it, you’re guessing where to apply controls. And guesswork won’t survive a CMMC Level 2 certification assessment.
Even more critically, the CMMC Scoping Guide outlines multiple types of assets beyond just CUI-relevant ones:
- Security Protection Assets
- Contractor Risk Managed Assets
- Specialized Assets
Each of these asset types may require a specific subset of controls, depending on how you define and document them in your SSP. If your SSP doesn’t reflect that nuance, your CMMC program won’t hold up to scrutiny. There is a reason why your SSP is the first document the C3PAO will request.
Don’t Overlook CUI Specified Data
CMMC Level 2 is intended to cover basic CUI. But many organizations in the defense industrial base (DIB) handle data classified as “CUI Specified,” such as ITAR-controlled data. This type of data comes with additional security requirements beyond CMMC, such as export control obligations and possible requirements for U.S. Person access or ITAR-specific system segmentation.
If, during SSP preparation, you haven’t gone through all of your contracts with a fine-tooth comb, you may end up with a flawed solution and a great deal of rework. Unfortunately, we have seen clients who migrated to Microsoft 365 Government Community Cloud (GCC) have to migrate again to GCC High, with significant delay and expense. Measure twice, cut once.
Make Sure the Ladder Is Against the Right Wall
We often tell clients: “Make sure your ladder is leaning against the right wall before you begin to climb it.”
Rushing to implement security controls without first scoping your environment and documenting your SSP is like climbing a ladder without checking where it’s resting. You may be putting in a lot of effort, only to realize you’re not actually getting closer to your compliance goal.
The Bottom Line
Before you dive into control implementation or assessments:
- Define your CUI-relevant assets
- Build a current, accurate, and detailed System Security Plan
- Conduct threat-informed scoping and risk assessments
- Only then perform a targeted gap analysis tied to your defined boundary
Without these steps, you’re building on sand.
If your organization is pursuing CMMC Level 2 certification and you’re unsure whether your ladder is against the right wall, give us a call.