The tech is rarely what trips teams up during a CMMC assessment. Documentation gaps, missing evidence, and late stakeholder involvement are what make things painful. Sam Baker, VP of IT at Global Com, Inc. and CMMC assessor, breaks down the implementation playbook that separates smooth assessments from stressful ones.
Here's what catches most defense contractors off guard about CMMC: the technology usually comes together fine. Documentation, evidence gathering, and stakeholder alignment are where the real gaps live. And those gaps are exactly what assessors are trained to find.
Sam Baker is the Vice President of Information Technology at Global Com, Inc. and serves as the company's Information System Security Officer (ISSO). He's also a CMMC assessor, registered practitioner, and RPO consultant who's spent 14 years in IT and cybersecurity within the defense industrial base. At Global Com, he owns the full scope of implementation: assessing CUI flow, selecting the technology stack, and sitting on the change and configuration board. Outside of that, he helps small businesses in the DIB get assessment-ready through his RPO services.
That dual perspective (implementer and assessor) gives him an unusually clear view of where things break down. He knows what assessors want to see, and he knows what most teams miss along the way.
Below, Sam walks through some common areas where teams fall short, the implementation sequence that he's used to support organizations preparing for CMMC, and what's at stake when getting this wrong.
Key Takeaways
- Documentation and evidence gaps are a common cause of assessment failures
- Your SSP needs to map down to the objective level, so that the answer to each objective is front and center for the assessor.
- Plan for 6-12 months to reach L2 assessment readiness.
- Primes are beginning to pressure DIB contractors for their certification status.
Table of Contents
- The Documentation Gap That Makes Assessments Painful
- Implementation Playbook for Assessment-Ready Execution
- The Downstream Impact: Timeline, Stress, and Missed Awards
The Documentation Gap That Makes Assessments Painful
If you ask Sam what he expects to find when walking into a new engagement, the answer might surprise you. The firewalls are usually fine. The endpoints are patched. What's missing? The documentation.
"The technology is there, but the documentation is where you find most of the gaps - whether that's in their policies and procedures, or their SSP either not being detailed enough or being too detailed and not presenting the answer to the objectives in a clear and concise manner." - Sam Baker
The CMMC assessment guide evaluates controls at the objective level. That means your System Security Plan (SSP) needs to map to that same depth. A high-level SSP that checks the box on paper but doesn't get granular enough is one of the most common reasons assessments get stressful, slow, and inefficient.
The second recurring gap? Evidence gathering. Teams configure their systems correctly but don't capture evidence of those configurations as they go. When assessment time comes, they're scrambling to recreate screenshots, logs, and reports they should have been collecting from day one.
And here's the deeper issue: this is a recurring trend because organizations tend to treat CMMC as solely an IT responsibility, when the framework reaches far beyond secure baselines, application whitelisting, golden images, and the like. Your stakeholders need a clear understanding of the impact on business processes and must stay engaged throughout the compliance journey so that gaps are identified early and rework is minimized.
"It's primarily looked at as an IT compliance framework, but the majority of it is really focused on business processes. To an extent, CMMC provides you with the freedom to define how you will implement the controls, ensure your policies and procedures are structured in a way that you can live up to actually doing what you say you do." - Sam Baker
Implementation Playbook for Assessment-Ready Execution
Based on Sam's work across multiple organizations, he follows a consistent implementation sequence. Here's the playbook he recommends, and why the order matters.
1. Map CUI Flow and Define Your Boundaries
Everything starts with understanding where Controlled Unclassified Information (CUI) enters, moves through, and exits your organization. This scoping exercise determines who's involved, what systems are in play, and how large your assessment boundary will be.
This step also drives a critical architectural decision: whether you need to implement CMMC controls across your entire environment or whether you can use a secure enclave approach to contain CUI in a smaller, more manageable boundary. Sam notes that the enclave approach is by far the most common path for smaller contractors in the DIB. Solutions like PreVeil or ATX Defense create a secure environment for storing, transmitting, and processing CUI without requiring every endpoint in the organization to meet the full control set.
2. Identify Stakeholders Early and Run a Committee
Once you know where CUI lives, you know who your stakeholders are. And they're almost never limited to IT. Depending on your CUI flow, you'll likely need buy-in from HR (background checks, training), facilities (physical security, visitor escorts), leadership (budget, risk tolerance), and operations (business process changes).
Sam recommends forming a cross-functional committee with these stakeholders and making sure everyone understands not just the technical requirements, but the business implications, including the risks of non-compliance.
"Stakeholders are commonly not engaged to the extent necessary to have the proper understanding of the impact CMMC will have on their organization until the point of preparing for the assessment or unfortunately at the point when they receive their no-go decision during phase 1 from the C3PAO." - Sam Baker
Without early stakeholder engagement, Sam says the pattern is almost always the same: a lot of work gets done, documentation gets developed, technology gets implemented... and then stakeholders get involved. That's when they start finding holes, and rework becomes inevitable.
3. Align Business Processes, Then Align Documentation to the Objective Level
Before writing a single policy, Sam recommends taking a hard look at your existing business processes. You may have policies and procedures on paper, but they might be outdated or they might not reflect recent operational changes.
Get your documentation current first. Then, map that documentation down to the objective level of the CMMC assessment guide. This is the critical step, and it's where most SSPs fall short. They address the practice, but they don't address each objective under that practice.
4. Capture Evidence as You Configure Systems
This is the step that gets skipped most often. Teams implement controls, configure systems, and move on without documenting what they did or collecting evidence that the configuration is in place and operating as intended.
CMMC is a maturity model. Assessors aren't just looking at whether controls exist today. They want to see that they've been operating over time. That means incident tracking logs, system configuration evidence, access reviews, and training records need to show consistent, sustained operation.
If you rush through implementation without building a track record of evidence, you'll have a tough time in assessment, even if everything is technically configured correctly today. Start collecting evidence from day one.
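The two checks an assessor is effectively running on your evidence are "is there an artifact for every objective?" and "does the artifact trail show sustained operation, not a single snapshot?" The following Python is an added example (not code from the article, from Sam Baker, or from Global Com) of a minimal evidence register that fingerprints each artifact with SHA-256, records when it was collected, and flags both missing objectives and stretches of the review window with no evidence. The objective IDs, the review window, the 45-day gap threshold, and the artifact bytes are constructed for illustration; the register format is not any assessor's or tool's required format.

```python
"""Objective-level evidence register with sustained-operation checks.

Added example, not from the original article. Objective IDs, the review
window, the gap threshold and all artifact bytes below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class EvidenceRecord:
    objective: str      # practice ID plus objective letter, e.g. "AC.L2-3.1.1[a]"
    description: str    # what the artifact demonstrates
    collected_on: date  # the day the artifact was captured, not the assessment day
    sha256: str         # fingerprint so the artifact can be shown to be unaltered


@dataclass
class EvidenceRegister:
    records: list[EvidenceRecord] = field(default_factory=list)

    def capture(self, objective: str, description: str,
                artifact: bytes, collected_on: date) -> EvidenceRecord:
        """Fingerprint an artifact (screenshot, export, log) and log it against an objective."""
        rec = EvidenceRecord(objective, description, collected_on,
                             hashlib.sha256(artifact).hexdigest())
        self.records.append(rec)
        return rec

    def dates_for(self, objective: str, start: date, end: date) -> list[date]:
        """Distinct collection dates for one objective inside the review window."""
        return sorted({r.collected_on for r in self.records
                       if r.objective == objective and start <= r.collected_on <= end})

    def missing_objectives(self, required: list[str]) -> list[str]:
        """Objectives with no artifact at all: the SSP may address the practice but not these."""
        have = {r.objective for r in self.records}
        return sorted(o for o in required if o not in have)

    def coverage_gaps(self, objective: str, start: date, end: date,
                      max_gap_days: int) -> list[tuple[str, str, int]]:
        """Stretches longer than max_gap_days with no evidence, as (from, to, days)."""
        points = [start] + self.dates_for(objective, start, end) + [end]
        return [(a.isoformat(), b.isoformat(), (b - a).days)
                for a, b in zip(points, points[1:]) if (b - a).days > max_gap_days]


# Constructed: two objectives of one practice, a six-month review window, 45-day tolerance.
REQUIRED_OBJECTIVES = ["AC.L2-3.1.1[a]", "AC.L2-3.1.1[b]"]
REVIEW_PERIOD = (date(2025, 1, 1), date(2025, 6, 30))
MAX_GAP_DAYS = 45


def build_sample_register() -> EvidenceRegister:
    """Constructed register: [a] has artifacts but a three-month hole; [b] has none."""
    reg = EvidenceRegister()
    reg.capture("AC.L2-3.1.1[a]", "Quarterly access review export", b"user,role\nalice,admin\n", date(2025, 1, 15))
    reg.capture("AC.L2-3.1.1[a]", "Authorized-user list screenshot", b"\x89PNG...constructed...", date(2025, 2, 14))
    reg.capture("AC.L2-3.1.1[a]", "Quarterly access review export", b"user,role\nalice,admin\nbob,user\n", date(2025, 5, 20))
    return reg


def review(register: EvidenceRegister, required: list[str] = REQUIRED_OBJECTIVES) -> dict:
    """What an assessor-style pass over the register would surface."""
    start, end = REVIEW_PERIOD
    return {
        "missing_objectives": register.missing_objectives(required),
        "coverage_gaps": {o: register.coverage_gaps(o, start, end, MAX_GAP_DAYS) for o in required},
    }


if __name__ == "__main__":
    for key, value in review(build_sample_register()).items():
        print(f"{key}: {value}")
```

Run stand-alone, the sample reports objective [b] as having no evidence at all and objective [a] as having a 95-day hole between February and May, which is exactly the kind of gap that a point-in-time screenshot taken the week before the assessment cannot paper over. Dropping the `capture` call into the same change-control step that applies a configuration is what turns "collect evidence from day one" into a habit rather than a scramble.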
5. Make Architecture Decisions Early: Enclave vs. Broader Scope
Technology decisions should come after you've mapped your CUI flow, identified stakeholders, and understood your boundary. Not before. Once that groundwork is in place, you can make an informed choice about your architecture.
Sam sees three common approaches for small businesses in the DIB:
GCC High offers maximum customization and granular configuration, but it's the most expensive option and often overkill for smaller teams.
VDI-based enclave solutions are a good fit for teams that handle system media and do not have physical CUI in scope, and they can often offer a shorter timeline to certification. The trade-off is that traditional VDI environments can be limiting for certain types of users, such as engineers who need multiple windows and applications running simultaneously.
Cloud enclave solutions (like PreVeil) sit in between. They provide a secure enclave for CUI storage, transmission, and processing with end-to-end encryption, while offering more flexibility than a VDI approach.
The right answer depends on your organization's expertise, volume of CUI, user workflows, and budget. The wrong answer is picking a technology before you understand your scope. Global Com maintains partnerships with industry leaders and can assist organizations no matter where they are in their journey to CMMC certification.
The Downstream Impact: Timeline, Stress, and Missed Awards
Every gap in the playbook above has a downstream cost. And for defense contractors, that cost is measured in real dollars.
CMMC Level 2 certification is required at the point of award for Department of Defense contracts. You can't pursue it after you've won. You need it before you can perform. And the timeline isn't short. Sam estimates roughly a year to get assessment-ready, or six to eight months if you're moving fast with significant effort.
That means organizations that haven't started their compliance journey are already behind. And the opportunity cost is real: Sam notes that at the time of recording, over 40 opportunities on SAM.gov had CMMC Level 2 requirements, and that number continues to grow.
"By the time the RFP hits, it's already too late." - Sam Baker
And there's another layer of urgency that many smaller contractors don't see coming: flow-down requirements from prime contractors. Even if a specific contract hasn't yet required CMMC Level 2, the larger primes are already evaluating which subcontractors are making the investment and which ones they'll be able to rely on when new opportunities drop.
"The primes right now — they want to see who's making the investment, who they're going to be able to rely on as these opportunities come out." - Sam Baker
If you're a small contractor without at least a plan and a timeline for certification, you're not just missing out on direct contract awards. You're potentially being passed over by the primes you depend on for work.
Frequently Asked Questions
How long does it take to get CMMC Level 2 certified?
Most organizations should plan for roughly 6 to 12 months from the start of their compliance journey to assessment readiness. Some teams can compress that timeline with the right support in place, but moving too fast creates its own risk. CMMC is a maturity model, which means assessors want to see evidence of sustained operation over time, not just a point-in-time snapshot.
What's the biggest mistake organizations make in CMMC implementation?
Treating CMMC as a technology-only problem. Most teams can get the technical controls in place without too much trouble. Where things fall apart is documentation that doesn't reach the objective level, evidence that wasn't collected during configuration, and stakeholders across the business (not just IT) who got pulled in too late.
Is CMMC certification required right now?
Yes, and enforcement is accelerating. Phase 1 went into effect on November 10, 2025, meaning CMMC self-assessment requirements are already appearing in new DoD solicitations as a condition of award. Phase 2 begins November 2026, when mandatory third-party Level 2 certification (via a C3PAO) kicks in for contracts involving CUI. Beyond direct contract requirements, prime contractors are already evaluating subcontractors based on their CMMC readiness. If you don't have at least a plan and timeline in place, you're at risk of being passed over.