The tech is rarely what trips teams up during a CMMC assessment. Documentation gaps, missing evidence, and late stakeholder involvement are what make things painful. Sam Baker, VP of IT at Global Comm and CMMC assessor, breaks down the implementation playbook that separates smooth assessments from stressful ones.
Here's what catches most defense contractors off guard about CMMC: the technology usually comes together fine. Documentation, evidence gathering, and stakeholder alignment are where the real gaps live. And those gaps are exactly what assessors are trained to find.
Sam Baker is the Vice President of Information Technology at Global Comm, Inc. and serves as the company's Information System Security Officer (ISSO). He's also a CMMC assessor, registered practitioner, and RPO consultant who has spent 14 years in IT and cybersecurity within the defense industrial base. At Global Comm, he owns the full scope of implementation: assessing CUI flow, selecting the technology stack, and sitting on the change and configuration board. Outside of that, he helps small businesses in the DIB get assessment-ready through his RPO services.
That dual perspective (implementer and assessor) gives him an unusually clear view of where things break down. He knows what assessors want to see, and he knows what most teams miss along the way.
Below, Sam walks through where teams consistently fall short, the implementation sequence that actually works, and the cost of getting this wrong.
If you ask Sam what he expects to find when walking into a new engagement, the answer might surprise you. The firewalls are usually fine. The endpoints are patched. What's missing? The documentation.
"The technology is there, but the documentation is where you find most of the gaps — whether that's in their policies and procedures, in their SSPs, their SSP not going down to the objective level." — Sam Baker
The CMMC assessment guide evaluates controls at the objective level. That means your System Security Plan (SSP) needs to map to that same depth. A high-level SSP that checks the box on paper but doesn't get granular enough is one of the most common reasons assessments get stressful, slow, and inefficient.
The second recurring gap? Evidence gathering. Teams configure their systems correctly but don't capture evidence of those configurations as they go. When assessment time comes, they're scrambling to recreate screenshots, logs, and reports they should have been collecting from day one.
And here's the deeper issue: this keeps happening because organizations treat CMMC as an IT project instead of a business-wide initiative. CMMC touches training and awareness, physical controls, visitor management, background checks, and the flow of CUI throughout the organization. When stakeholders outside IT aren't engaged early, the gaps compound. Fixing them later means rework.
"It's primarily looked at as an IT compliance framework, but the majority of it is really business processes. If it doesn't align with your business processes, that's where you'll find a lot of your gaps." — Sam Baker
Based on his work across multiple organizations, Sam follows a consistent implementation sequence. Here's the playbook he recommends, and why the order matters.
Everything starts with understanding where Controlled Unclassified Information (CUI) enters, moves through, and exits your organization. This scoping exercise determines who's involved, what systems are in play, and how large your assessment boundary will be.
This step also drives a critical architectural decision: whether you need to implement CMMC controls across your entire environment or whether you can use a secure enclave approach to contain CUI in a smaller, more manageable boundary. Sam notes that the enclave approach is by far the most common path for smaller contractors in the DIB. Solutions like PreVeil or ATX Defense create a secure environment for storing, transmitting, and processing CUI without requiring every endpoint in the organization to meet the full control set.
Once you know where CUI lives, you know who your stakeholders are. And they're almost never limited to IT. Depending on your CUI flow, you'll likely need buy-in from HR (background checks, training), facilities (physical security, visitor escorts), leadership (budget, risk tolerance), and operations (business process changes).
Sam recommends forming a cross-functional committee with these stakeholders and making sure everyone understands not just the technical requirements, but the business implications, including the risks of non-compliance.
"Stakeholders not being bought in to the degree they should, or not understanding that this is going to impact far more than your security baseline on your endpoints — that's where organizations struggle." — Sam Baker
Without early stakeholder engagement, Sam says the pattern is almost always the same: a lot of work gets done, documentation gets developed, technology gets implemented... and then stakeholders get involved. That's when they start finding holes, and rework becomes inevitable.
Before writing a single policy, Sam recommends taking a hard look at your existing business processes. You may have policies and procedures on paper, but they might be outdated or they might not reflect recent operational changes.
Get your documentation current first. Then, map that documentation down to the objective level of the CMMC assessment guide. This is the critical step, and it's where most SSPs fall short. They address the practice, but they don't address each objective under that practice.
Will an incomplete SSP automatically fail you? Not necessarily. But as Sam puts it: it's going to be stressful, and it's not going to be efficient. Do the work up front and you'll save yourself significant pain during the assessment.
This is the step that gets skipped most often. Teams implement controls, configure systems, and move on without documenting what they did or collecting evidence that the configuration is in place and operating as intended.
CMMC is a maturity model. Assessors aren't just looking at whether controls exist today. They want to see that they've been operating over time. That means incident tracking logs, system configuration evidence, access reviews, and training records need to show consistent, sustained operation.
If you rush through implementation without building a track record of evidence, you'll have a tough time in assessment, even if everything is technically configured correctly today. Start collecting evidence from day one.
Technology decisions should come after you've mapped your CUI flow, identified stakeholders, and understood your boundary. Not before. Once that groundwork is in place, you can make an informed choice about your architecture.
Sam sees three common approaches for small businesses in the DIB:
GCC High offers maximum customization and granular configuration, but it's the most expensive option and often overkill for smaller teams.
VDI-based enclave solutions (like ATX Defense) are great for small teams with four to five users handling digital CUI only, and they can offer fast time to certification. The trade-off is that VDI environments can be limiting for engineers who need multiple applications running simultaneously.
Cloud enclave solutions (like PreVeil) sit in between. They provide a secure enclave for CUI storage, transmission, and processing with end-to-end encryption, while offering more flexibility than a VDI approach.
The right answer depends on your organization's size, CUI volume, user workflows, and budget. The wrong answer is picking a technology before you understand your scope.
Every gap in the playbook above has a downstream cost. And for defense contractors, that cost is measured in real dollars.
CMMC Level 2 certification is required at the point of award for Department of Defense contracts. You can't pursue it after you've won. You need it before you can perform. And the timeline isn't short. Sam estimates roughly a year to get assessment-ready, or six to eight months if you're moving fast with significant effort.
That means organizations that haven't started their compliance journey are already behind. And the opportunity cost is real: Sam notes that at the time of recording, over 40 opportunities on SAM.gov had CMMC Level 2 requirements, and that number continues to grow.
"If you can't bid on it, you can't win it. Well — you can bid on it, but you won't be able to perform." — Sam Baker
And there's another layer of urgency that many smaller contractors don't see coming: flow-down requirements from prime contractors. Even if a specific contract hasn't yet required CMMC Level 2, the larger primes are already evaluating which subcontractors are making the investment and which ones they'll be able to rely on when new opportunities drop.
"The primes right now — they want to see who's making the investment, who they're going to be able to rely on as these opportunities come out." — Sam Baker
If you're a small contractor without at least a plan and a timeline for certification, you're not just missing out on direct contract awards. You're potentially being passed over by the primes you depend on for work.
How long does it take to get CMMC Level 2 certified?
Most organizations should plan for roughly 6 to 12 months from the start of their compliance journey to assessment readiness. Some teams can compress that timeline with the right support in place, but moving too fast creates its own risk. CMMC is a maturity model, which means assessors want to see evidence of sustained operation over time, not just a point-in-time snapshot.
What's the biggest mistake organizations make in CMMC implementation?
Treating CMMC as a technology-only problem. Most teams can get the technical controls in place without too much trouble. Where things fall apart is documentation that doesn't reach the objective level, evidence that wasn't collected during configuration, and stakeholders across the business (not just IT) who got pulled in too late.
Is CMMC certification required right now?
Yes, and enforcement is accelerating. Phase 1 went into effect on November 10, 2025, meaning CMMC self-assessment requirements are already appearing in new DoD solicitations as a condition of award. Phase 2 begins November 2026, when mandatory third-party Level 2 certification (via a C3PAO) kicks in for contracts involving CUI. Beyond direct contract requirements, prime contractors are already evaluating subcontractors based on their CMMC readiness. If you don't have at least a plan and timeline in place, you're at risk of being passed over.