
Inside BEMO's CMMC Level 2 Certification: 7 Takeaways From Our Team


BEMO recently earned CMMC Level 2 certification. But behind that announcement was a team of people across security, IT, operations, data, and HR who made it happen. Here's what they learned. 

We recently announced that BEMO is officially CMMC Level 2 certified.

And behind this milestone is a team that lived through the work. CMMC Level 2 isn't an IT project. It's a security project, and an operations project, and an HR project, and a data project, and a leadership project, all running in parallel under one deadline.


We asked seven people across the BEMO team what they learned going through it and what they'd tell another company about to start the same journey.

Key Takeaways

  • CMMC Level 2 reaches across the whole organization, not just IT and security
  • Scoping the CUI boundary correctly is the single most important decision you'll make
  • Your SSP is the spine, and everything else has to align to it exactly
  • Certification is the start of a continuous operating commitment, not the finish line
  • Every BEMO team member named Teamwork as the value most demonstrated through the process

Table of Contents

  1. Start CMMC Earlier Than You Think You Need To
  2. Read the Full Assessment Guide Before You Begin
  3. Get Your Assessment Scope Right the First Time
  4. Build Your SSP First, Then Make Everything Match
  5. Treat CMMC as an Operating System
  6. Build for the Story You'll Have to Tell
  7. Plan for the Long Haul, Not the Finish Line
  8. One Value That Came Up Across Every Response
  9. Frequently Asked Questions

Start CMMC Earlier Than You Think You Need To

"Engage a CMMC consultant from day one. Expert guidance early changes everything." — Sylwia Chmielewska, Director of People & Digital Workers

One of the most consistent threads across the team was this: the people who joined the CMMC effort late wished they'd been in the room from the start.

Sylwia, who leads People & Digital Workers, joined the prep later than most because the team was being mindful of everyone's time. In hindsight, she felt the cost of catching up outweighed the time it would have saved.

CMMC reaches into parts of the business most companies don't expect. HR was deeply involved in user training. Operations carried much of the process and system redesign. Leadership had to actively approve policies and the SSP. Every one of those control owners has work to do, and the longer they're out of the conversation, the more context the team doing the prep has to backfill for them later.

The shortest version: bring in the expertise early, bring in the people early, and assume CMMC will touch every department before it's done.


Read the Full Assessment Guide Before You Begin

"Don't start CMMC Level 2 without someone who's read the full assessment guide." — David Ducolon, Senior Delivery Consultant

If you've been through SOC 2, HIPAA, or ISO 27001, you might assume CMMC is going to feel familiar. According to David, it doesn't.

The CMMC Level 2 audit differs from other audits in ways most teams underestimate. Going in without someone on the team who's read the assessment guide means starting from a weaker foundation, and the time you save by skipping the read gets spent on rework later.

David's takeaway: find that person on your team or hire one.


Get Your Assessment Scope Right the First Time

"Define your assessment scope correctly. The entire audit centers on that boundary." — Shamiso Muza, Senior Security Administrator

If there's one decision that dictates everything else in a CMMC engagement, it's scoping. Specifically, defining the CUI boundary: which systems handle Controlled Unclassified Information, and which don't.

That boundary determines what's in your SSP, what evidence you need to collect, what controls apply, and how big the audit is. Get it wrong, and you'll either pull systems in that didn't need to be there (creating unnecessary work) or leave systems out that auditors will flag (creating unnecessary risk).

Bruno was direct about how often we got this wrong ourselves: "We changed our CUI boundary three times. We had to redo all the SSP and policies three times."

Spend the time upfront. Bring in someone who understands scoping deeply. The cost of redoing this work is one of the biggest sources of pain in a CMMC engagement.


Build Your SSP First, Then Make Everything Match

"Build your SSP first. Then make policies, procedures, and evidence match it." — Ademar Amorim, Senior Data Scientist

The System Security Plan is the spine of a CMMC engagement. Everything else hangs off it: policies, procedures, technical evidence, training records, ticket data, live demonstrations.

Ademar's point, echoed by Shamiso and Bruno, is that this can't be a parallel effort. The SSP has to exist first, and everything downstream has to align to it exactly. Not approximately. Exactly.

Any misalignment between policy, procedure, evidence, and live configuration risks a "not met" finding from assessors. The goal is to build the SSP first, then methodically work outward, making sure every piece of evidence and every procedure reflects what the SSP says it does.


Treat CMMC as an Operating System

"CMMC is an operating system. You design it, run it, and govern it." — Cindy Oliveto, Director of Operations

This was the framing shift Cindy kept coming back to.

If you approach CMMC as a project with a finish line, you'll under-resource it and end up surprised at how much it touches. If you approach it as an operating system, you'll structure your governance differently, allocate ownership across departments, and design for sustained operation from day one.

"We did not go into the process thinking we'd develop an operational system," Cindy said. "Though it soon became very clear we are designing one, running one, and governing one."

That reframing changes how leadership funds the effort, how teams structure ownership, and how the company thinks about what's actually being built. It's not a certificate. It's a way of operating.


Build for the Story You'll Have to Tell

"Don't ask 'are we compliant yet?' Ask 'can we explain this control in two minutes?'" — Catalin Alaci, Security and IT Administrator

Having controls in place isn't the same as proving them.

Catalin and the team mapped each CMMC control to what would need to be shown live versus what would be documented. The gap between "we do this" and "we can demonstrate this to an auditor in real time, on screen, in minutes" turned out to be wider than most teams expect.

His reframe is the gut-check every team should apply throughout the process: forget whether the control technically exists. Can someone walk an auditor through it, show the evidence on a single screen, and explain why it satisfies the objective, in under two minutes?

If not, the work isn't done.


Plan for the Long Haul, Not the Finish Line

"Once you start CMMC, you cannot stop. It's monthly maintenance, not a one-time achievement." — Bruno Lecocq, CEO & CISO

The last lesson is from Bruno, and it's the one most leaders underestimate before they begin.

CMMC isn't a project that ends on assessment day. It's a continuous operating commitment: monthly log reviews, ongoing evidence collection, annual attestations, and reassessment every three years, plus the underlying operating model that has to keep running every single day.

For Bruno, that's actually the point. CMMC is built on NIST 800-171, which he considers best practice for any IT company in this space. But it does mean leadership has to budget for the long haul, not just the runway to certification.

"You will first transform your company, then become CMMC compliant, and then have to maintain it monthly to remain compliant. Once you start, you cannot stop."


The Takeaway

If there's one thread that runs through every lesson above, it's this: CMMC Level 2 is a team sport.

Every department had work to do, and every department's work depended on someone else's. Scoping decisions affected documentation. Documentation decisions affected evidence. Evidence decisions affected what could be demonstrated on audit day. None of it could happen in isolation.

If your organization isn't built for that kind of cross-functional coordination, CMMC will surface that fast. If it is, the certification becomes a forcing function that makes the whole company stronger.

The biggest lesson we'd pass on: this isn't a security team's responsibility. It's the whole company's. The teams that succeed are the ones that recognize that from day one.


The team that lived CMMC Level 2 is the team that will guide you through yours.

BEMO doesn't just consult on CMMC. We've been through every part of the process: scoping, documentation, mock audits, live assessment days. The lessons in this post are the same ones we apply to every CMMC engagement we run for clients.

If you're starting your own Level 2 journey, we can help you avoid the rework, scope the audit correctly, and build for the story you'll have to tell.

Book a free consultation.


Frequently Asked Questions


How long does it take to get CMMC Level 2 certified?

Most organizations should plan for 6 to 12 months from the start of their compliance journey to assessment readiness. Some teams can compress that timeline with the right partner, but rushing it creates risk. CMMC is a maturity model, which means assessors want to see evidence of sustained operation, not just a point-in-time snapshot.

What's the biggest mistake teams make in CMMC preparation?

Scoping the CUI boundary too quickly or without enough expert input. The boundary determines what's in your SSP, what evidence you need, and how big the audit is. Getting it wrong means redoing documentation, sometimes multiple times.

Why does CUI boundary scoping matter so much?

Because everything else flows from it. Your SSP is built to match the boundary. Your policies, procedures, and evidence all align to what's in scope. Change the boundary, and you change everything downstream. That's why teams that invest in scoping correctly upfront save weeks or months of rework later.

Do all departments need to be involved in CMMC, or just IT and security?

All of them. CMMC controls touch HR (training and personnel security), operations (process governance), data (configuration management), legal (policy approval), and leadership (oversight and accountability). The companies that succeed bring every control owner into the conversation from day one, not just IT.
