
CMMC Readiness Requires Business-Wide Ownership


George Dunlop, Founding Partner of Dunlop Security Group and a lead CMMC assessor, explains why the most common mistake in CMMC readiness is treating it as a cybersecurity project, and what organizations should do instead. 

When CMMC shows up on the compliance roadmap, it usually lands on IT's desk. Set up multifactor authentication, configure logging, deploy endpoint detection, check the boxes.

George Dunlop sees the result. As Founding Partner of Dunlop Security Group, an authorized C3PAO, and a lead CCA and CISSP, George reviews documentation and evaluates readiness for Level 2 certification. The pattern he encounters most often is organizations that handed the entire program to their system admins and expected them to handle it.

"The most common misconception we see organizations have in regard to the CMMC is that it's solely an IT or cybersecurity problem, when in fact the controls are far reaching. It's going to touch every part of your organization." — George Dunlop

Below, George walks through what organizations consistently get wrong, what it costs them in practice, and how to approach CMMC readiness as a business initiative rather than a technical project.

Key Takeaways

  • The most common misconception in CMMC is treating it as just an IT or cybersecurity problem
  • Awareness and training is a CMMC domain that requires cultural investment
  • Policies need enough operational detail that a newer team member could read them and implement in practice
  • Vague documentation creates month-long SSP rewrites before assessment
  • Engage your C3PAO early and work with consultants who have CCAs on staff

Table of Contents

  1. The Cost of Treating CMMC as Just an IT Problem
  2. Four Steps to Business-Wide CMMC Readiness
  3. The Takeaway
  4. Frequently Asked Questions

The Cost of Treating CMMC as Just an IT Problem

When leaders hear "Cybersecurity Maturity Model Certification," they think about logging, antivirus, MFA, EDR. But the CMMC framework also spans physical protection, background checks, visitor management, awareness and training, and policy ownership. When only IT is at the table, entire categories of requirements go unaddressed until assessment day.

"You can't just dump it on your system admins and expect them to get it all done for you in a couple months." — George Dunlop

George saw this firsthand as a system administrator at a Defense Industrial Base company. A marketing employee pulled a phishing email out of her spam folder, forwarded it to a VP, and the VP forwarded it to the team. The IT department spent 20 to 40 hours of overtime containing the incident: re-imaging machines, running network scans, checking logs.

"That one lapse in judgment, or maybe stemming from the lack of training for that individual, caused the IT department to spend 20, 30, 40 hours overtime," George says. "It's not just an IT issue."

George's approach to preventing these situations starts with rethinking how the program gets owned in the first place.


Four Steps to Business-Wide CMMC Readiness

Helping organizations prepare for CMMC starts with a fundamental shift in how they think about the program. Here are the four principles George applies.

1. Treat CMMC as a Business Initiative

CMMC touches HR through background checks and personnel security. It touches facilities through physical protections and visitor management. It touches operations through how CUI flows through the organization. And it touches leadership through policy ownership and enforcement.

When these domains are left to IT by default, the work either doesn't get done or gets done without the context and authority those functions require. The first step is recognizing that CMMC readiness requires cross-functional coordination with executive ownership, not a project plan that lives inside the IT department.


💡 CMMC readiness isn't something IT can solve alone. BEMO helps defense contractors build documentation, training, and implementation plans around the exact standards assessors evaluate, so nothing gets missed and nothing unnecessary slows you down.


2. Build a Security Culture

The CMMC requires awareness and training across the organization. Most teams treat that as an annual slideshow, a phishing simulation, and a signed acknowledgment form. George says that approach doesn't create real behavioral change.

"It's not just a slideshow once a year or a phishing email that punishes employees for messing up. It's really a cultural shift to make sure your people understand why it's so important to keep your information safe." — George Dunlop

One approach George has used: tying cybersecurity awareness to employees' personal lives so the stakes feel real beyond the office. He shared an example of an older staff member who received a call from someone pretending to be her grandson claiming to need bail money in a foreign country. She did the right thing: she called her grandson's actual phone number, and he was fine.

"It's really important to show folks how this can be applied to their own lives and what they can do to make sure they're moving more safely in the digital age," George says.

People protect what they understand. A culture of awareness starts with making the stakes personal, not punitive.

3. Write Policies Your Assessor Can Actually Evaluate

George applies a straightforward standard when reviewing documentation: could a newer member of the IT or cybersecurity team read this policy and actually implement it?

"I don't wanna just see 'we keep logs,'" he says. "I wanna see 'we keep logs within Microsoft Sentinel,' for example. I wanna see procedures and step-by-step interpretations of the controls so that it's basically dead simple."

That means policies need to reflect how the organization actually operates, with specific tools, specific procedures, and specific interpretations of each control. Templates and generic language don't survive assessment scrutiny. The documentation has to be operational, not aspirational.


4. Engage Your Assessor Before Assessment Day

The CMMC program is still new. Interpretations vary across the ecosystem. George recommends that organizations actively engage with their C3PAO before the assessment itself, not for consulting advice, but to ask how specific implementations would be interpreted during evaluation.

He also recommends hiring consulting companies that have CCAs on staff for the pre-assessment phase. The people who know the requirements best are the ones who have to assess them.

"No one's gonna know the requirements like the people that have to assess them." — George Dunlop

The Takeaway

When organizations shift from treating CMMC as an IT project to treating it as a business initiative, the downstream effects are significant.

Documentation is built to assessor standards from the start, which eliminates the month-long SSP rewrites that derail certification timelines. Training creates real behavioral change instead of liability coverage, reducing the kind of incidents that cost IT departments dozens of overtime hours. Cross-functional ownership means no control domain goes unaddressed until an assessor flags it.

Organizations enter assessments with confidence. They know their policies reflect reality. They know their people understand the stakes. And they know their documentation will hold up under scrutiny because it was built with the assessor's standard in mind from day one.


BEMO helps organizations approach CMMC readiness as a business-wide initiative: aligning leadership, security, and operations around a defensible plan that is built to survive assessment, not just satisfy a checklist.


Frequently Asked Questions

Is CMMC really more than a cybersecurity requirement?

Yes. While the name suggests a purely technical framework, CMMC controls span domains including awareness and training, physical protection, personnel security, and incident response. These require involvement from HR, operations, facilities, legal, and executive leadership. As George explains, even organizations operating within an enclave still need background checks, physical protections, and a formal training program.

What does an assessor actually want to see in a policy?

George applies a straightforward standard: could a newer member of the IT or cybersecurity team read this policy and actually implement it? That means specific tools, step-by-step procedures, and clear interpretations of each control. Vague statements like "we keep logs" are not sufficient. Assessors need to see how, where, and with what.

What happens if my documentation isn't detailed enough before assessment?

Gaps in policy detail can create month-long waiting periods where organizations must rewrite their SSP and supporting documentation before they can proceed. For teams on contract timelines, this delay can directly affect their ability to win or retain work.

Should I talk to my C3PAO before the assessment?

George recommends it. While a C3PAO cannot provide consulting advice and then conduct your certifying assessment, you can still ask questions about how they would interpret your implementation of various controls. This helps ensure alignment before assessment day, not after.
