
Announcing BEMO's CMMC Level 2 Certification

Written by BEMO | May 20, 2026

BEMO is now CMMC Level 2 certified! Here's what we learned going through it, and what it means for the companies counting on us to help them get there. 

After months of preparation, audits, and documentation refinement, we're proud to announce that BEMO is officially CMMC Level 2 certified!

For our team, this was a milestone worth celebrating. For the defense contractors and DIB organizations we serve, it's confirmation that the partner managing their IT is held to the same standard they're being asked to meet.

For us, CMMC Level 2 isn't just a checkbox. It's how every IT company protecting sensitive data should already be operating.

"At the end of the day, I know I will sleep much better as a CISO. And I know I protect my customer better." — Bruno Lecocq, CEO and CISO, BEMO

Getting certified taught us a lot, and below we're sharing what we'd tell any company starting the same journey.

Key Takeaways

  • BEMO is now one of roughly 50 MSPs in the US to hold CMMC Level 2 certification
  • Documentation, not technology, is where most companies will get tripped up
  • A mock audit is the single most valuable step in your readiness plan
  • If your MSP isn't CMMC Level 2 certified, you can pass your own audit and still fail
  • Phase 2 enforcement starts November 2026, and the runway is shorter than it looks

Table of Contents

  1. What We Learned Going Through CMMC Level 2 Certification
  2. What This Means If You're on the Path to Level 2
  3. Frequently Asked Questions

What We Learned Going Through CMMC Level 2 Certification

A few takeaways from going through this ourselves:

Documentation Is Where Most Companies Will Get Tripped Up

Our IT environment passed with a 100% score. Where we got tripped up? Documentation. During our mock audit, we found five documentation errors that would have cost us at the official assessment.

The reason: Documentation requires a different muscle than engineering. Our engineers are used to building, configuring, and troubleshooting. Translating that work into the specific language assessors need, mapping every objective to evidence and writing it out clearly, is its own skill.

"We had a 100% pass on our IT. The audit firm was like, 'Wow, your IT is very good.' Our issue was documentation. The engineers had to give the data that goes into the documentation, and I think they were not used to that." — Bruno Lecocq, CEO and CISO, BEMO

The lesson: make sure documentation is part of your Level 2 prep from day one.

 

A Mock Audit Should Be Non-Negotiable

The single most valuable thing we did during this process was run a mock audit before the official one.

"Doing a mock is like taking an exam, but you've never done a practice test before. If we hadn't done the mock, we would have failed. Not on IT, but on documentation." — Bruno Lecocq, CEO and CISO, BEMO

By the time we walked into the official assessment, we knew what to expect. The team had been through it and there weren't any surprises.

Companies that skip the mock and go straight to the official assessment are betting they won't have any of the documentation gaps that nearly tripped us up. That's a risky bet, and failing the assessment means rework, delay, and another round of preparation before you can try again.

 

What This Means If You're on the Path to Level 2

Two things every company on the path to certification should know:

Your MSP's Certification Matters as Much as Yours

Your MSP's IT environment is part of your audit. If your MSP isn't CMMC Level 2 certified, an assessor has to evaluate their environment alongside yours. Which means you could do everything right on your end and still fail because of something on theirs.

"You could have your IT all good, but if your MSP has something wrong, you will fail the audit. If I was a customer, I'd go pick someone with CMMC Level 2 already certified. You will remove a lot of headache and risk." — Bruno Lecocq, CEO and CISO, BEMO

There are roughly 50 MSPs in the US with CMMC Level 2 certification today. If you're a defense contractor preparing for your own audit, your shortlist should start there.

BEMO is the managed compliance provider that's been through it.

We don't just consult on CMMC. We've earned the certification ourselves, which means we know exactly what auditors look for, where teams get stuck, and how to build documentation discipline that holds up under review.

From gap assessment to mock audit to assessment day, BEMO coordinates the entire process so your team can focus on the business while we handle the path to certification.


 

Don't Wait for the Deadline to Force Your Hand

CMMC Phase 2 enforcement begins in November 2026. That's when mandatory third-party Level 2 certification (via a C3PAO) becomes a requirement for DoD contracts involving CUI.

That sounds like plenty of time. It isn't.

Documentation discipline takes months to build, not weeks. Mock audits need to be scheduled. Gaps need to be identified and remediated. And if your MSP isn't certified, you may need to find a new one, which is its own project.

The companies that start now will have leverage when contracts come up for renewal. The ones that wait will be scrambling.

 

Frequently Asked Questions

What is CMMC Level 2 and who needs it?

CMMC (Cybersecurity Maturity Model Certification) Level 2 is the DoD's standard for organizations that handle Controlled Unclassified Information (CUI). It's built on NIST 800-171 and requires third-party assessment for most contractors. If your business holds or processes CUI as part of a DoD contract, you'll need Level 2 certification to remain eligible.

When does CMMC enforcement actually start?

CMMC enforcement is rolling out in phases. Phase 1 began November 10, 2025, with self-assessment requirements appearing in new DoD solicitations. Phase 2 begins November 2026, when mandatory third-party Level 2 certification becomes required for contracts involving CUI. Prime contractors are already evaluating subcontractors on CMMC readiness, so the practical deadline for many companies is sooner than the official one.

Why does my MSP's CMMC certification matter for my CMMC Level 2 audit?

Your MSP manages your IT environment, which means their systems and processes are part of what an assessor evaluates during your audit. If your MSP isn't CMMC Level 2 certified, you could pass on everything you control and still fail the audit because of gaps on their side. Choosing a certified MSP removes that risk entirely.

How long does it take to get CMMC Level 2 certified?

Most organizations should plan for 6 to 12 months from the start of their compliance journey to assessment readiness. Some teams can compress that timeline with the right partner, but rushing it creates risk. CMMC is a maturity model, which means assessors want to see evidence of sustained operation over time, not just a point-in-time snapshot.