Cybersecurity Blog

Jacob Anderson on How to Avoid Common CMMC Level 2 Mistakes

Written by BEMO | Mar 18, 2026

CMMC Level 2 reaches well beyond email encryption and passwords. Jacob Anderson, Founder at Beyond Ordinary Software Solutions, walks through the areas that catch teams off guard, and what it actually takes to be assessment-ready.

 

CMMC Level 2 self-certification used to be a spreadsheet and a score. That’s not the case anymore. The process has changed, the requirements reach further than most teams expect, and the consequences of getting it wrong are serious.

Jacob Anderson is the Founder at Beyond Ordinary Software Solutions, an RPO that helps defense contractors navigate CMMC implementation. He’s a CISSP, certified Registered Practitioner, and CMMC Certified Professional with over 40 years in software and cybersecurity.

Below, he shares what’s changed in recent years, what’s at stake if you do CMMC the wrong way, and the five things you need to get right before the assessor shows up.

 

Key Takeaways

  • CMMC Level 2 self-certification now requires stepping through each control individually with documented evidence
  • Misrepresenting compliance status can lead to contract removal, debarment, and fraud enforcement
  • Physical access, FIPS mode, and MFA are the gaps that catch most teams off guard

Table of Contents

  1. How Self-Certification Has Changed
  2. What's at Stake
  3. Five Things to Get Right Before the Assessor Shows Up
  4. The Bottom Line

How Self-Certification Has Changed

Contractors used to fill out a spreadsheet, get a SPRS score, upload it, and move on. Now the process requires stepping through each control individually, certifying you understand it, confirming you’ve implemented it, and attesting that it’s true.

“It’s the old adage of, it’s been working fine, I haven’t had an issue, so it must be fine. So I’m gonna check the box.” — Jacob Anderson

That mindset doesn’t survive the new process. And the standard itself goes further than most teams realize. It’s not just about electronic security. Physical access, encryption compatibility, personnel accountability, and evidence documentation are all in scope.

“Your cyber starts with the people. And physical access to all the stuff that the people have access to. So you need to start there and secure that.” — Jacob Anderson

 

What’s at Stake

The consequences of misrepresenting your compliance status go beyond rework. The government is actively pursuing fraud enforcement against contractors who certify controls they haven’t actually implemented.

“They can remove you from a contract and debar you. That means you can’t compete on new task orders or contracts. You’re going to essentially disappear.” — Jacob Anderson

In Jacob’s words, the outcome of getting this right is simple: staying in business.

💡 You don’t have to figure this out alone.

BEMO coordinates the entire CMMC compliance process, from gap assessment to audit day, so you can focus on running your business.

Talk to BEMO about CMMC readiness →

 

Five Things to Get Right Before the Assessor Shows Up

These are the areas Jacob’s team works through with every contractor. They’re the gaps that make the biggest difference in how smoothly the assessment goes.

  1. Lock Down Physical Access

CMMC requires that the physical spaces where people access CUI are secured and documented. That means key fob access control, entry logs, controlled access hours, and ongoing auditing. For Jacob’s own office, this meant upgrading from basic lock-and-key. It’s not wildly expensive, but it’s an added layer most teams haven’t planned for.

  2. Enable FIPS Mode and Understand What Breaks

Handling CUI requires FIPS-validated cryptography (FIPS stands for Federal Information Processing Standards). On Windows, that means turning on FIPS mode: the “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” security policy. Jacob has seen applications crash when it’s enabled, and the fallout can ripple across daily operations.

Many companies try to solve this by paying for secure enclaves like GCC High. But if CUI touches your local machine, even in transit, FIPS mode still applies. The enclave doesn’t eliminate the requirement. It just moves it.
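As an added example, not code from the article or from Beyond Ordinary Software Solutions, the following Windows PowerShell script checks whether the FIPS policy is enforced on a machine, can enable it, and probes the .NET Framework crypto classes that stop loading once it is on. It assumes Windows PowerShell 5.1 (the .NET Framework build) and an elevated shell for the enable step; PowerShell 7, built on .NET (Core), does not enforce the policy, so run the probe in Windows PowerShell 5.1 to see the same failures a Framework-based application will hit.

```powershell
# Added example (not from the page or from Beyond Ordinary Software Solutions).
# Audits the Windows FIPS policy and smoke-tests the .NET Framework crypto
# classes that refuse to load once the policy is enforced.
# Assumes Windows PowerShell 5.1; PowerShell 7 ignores the setting.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # Returns $true when the "System cryptography: Use FIPS compliant algorithms"
    # policy is enforced; this registry value backs that Group Policy setting.
    $value = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Enable-FipsPolicy {
    # Needs an elevated shell; the new state takes effect after a reboot.
    # Not called automatically below, so the script is safe to run as an audit.
    if (-not (Test-Path $fipsKey)) { New-Item -Path $fipsKey -Force | Out-Null }
    Set-ItemProperty -Path $fipsKey -Name Enabled -Value 1 -Type DWord
    Write-Host 'FIPS policy enabled in the registry; reboot for it to take effect.'
}

function Test-FipsBreakage {
    # Probe the classes an application might be built on. The *Managed
    # implementations are not FIPS validated and throw under the policy; the
    # Cng / CryptoServiceProvider ones wrap validated Windows modules and keep working.
    $probes = @(
        @{ Name = 'SHA256Managed (not validated)';          Factory = { [System.Security.Cryptography.SHA256Managed]::new() } },
        @{ Name = 'RijndaelManaged (not validated)';        Factory = { [System.Security.Cryptography.RijndaelManaged]::new() } },
        @{ Name = 'SHA256Cng (validated)';                  Factory = { [System.Security.Cryptography.SHA256Cng]::new() } },
        @{ Name = 'AesCryptoServiceProvider (validated)';   Factory = { [System.Security.Cryptography.AesCryptoServiceProvider]::new() } }
    )
    foreach ($p in $probes) {
        try {
            $obj = & $p.Factory
            $obj.Dispose()
            [pscustomobject]@{ Algorithm = $p.Name; Result = 'OK' }
        } catch {
            # Under FIPS policy the managed classes throw InvalidOperationException:
            # "This implementation is not part of the Windows Platform FIPS validated
            # cryptographic algorithms." An app using them dies with the same error.
            [pscustomobject]@{ Algorithm = $p.Name; Result = "FAILS: $($_.Exception.GetBaseException().Message)" }
        }
    }
}

"FIPS policy enforced: $(Get-FipsPolicyState)"
Test-FipsBreakage | Format-Table -AutoSize
```

Run it on a test machine before and after enabling the policy: the two *Managed probes report OK beforehand and fail afterwards, which is exactly the exception a line-of-business application built on those classes will hit in production. A per-application opt-out exists (`<enforceFIPSPolicy enabled="false"/>` under `<runtime>` in the application’s .config), but it only silences the check; it does not make that application’s cryptography FIPS validated, so treat it as a troubleshooting aid for the vendor conversation, not as a fix you can show an assessor.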

  3. Implement MFA Across the Board

Multi-factor authentication is a core requirement and one of the most common sources of friction. Teams get tangled up in authenticator apps, passkeys, and FIDO standards. Windows Hello satisfies the requirement for local access, but remote access via VPN requires additional token-based authentication. Some applications charge extra for MFA configuration, adding cost teams don’t anticipate.

  4. Build Your Evidence Packet

Self-certification now requires documented evidence for every control. You have to certify that you actually did the things, not that you intend to. This is where an RPO adds the most value: helping you build the evidence packet before the assessor arrives so the assessment moves quickly.

“If you educate them on how to collect the evidence and prepare the evidence packet, the assessor will get in there and move really fast instead of spinning wheels on the boring stuff.” — Jacob Anderson

  5. Assign a Security Lead and Build Your Training Matrix

CMMC requires a specific person identified as responsible for security, trained and accountable, with a documented training matrix that’s actively maintained. This is the step that ties everything together. The physical controls, encryption settings, MFA, and evidence packets all need a person behind them.

“Once you get all those things in place, then everything else is just easy.” — Jacob Anderson

 

The Bottom Line

CMMC Level 2 certification isn’t about checking boxes anymore. The process has changed, the stakes are real, and the gaps that catch contractors are the ones they haven’t mapped yet: physical access, FIPS compatibility, MFA, evidence documentation, and the people accountable for all of it.

The organizations that move through assessment smoothly address these areas early with the right support, rather than discovering them on audit day.

💡 BEMO is the managed compliance provider built for this.

From gap assessment to implementation to audit day, BEMO coordinates pen testing, manages auditors, handles remediation, and keeps you compliant year-round.

 

Frequently Asked Questions

What's changed about CMMC Level 2 self-certification?

It's no longer a spreadsheet exercise. Contractors must now step through each control individually, certify they understand it, confirm it's implemented, and attest that it's true. Documented evidence is required for every control, not just a SPRS score upload.

Does using a secure enclave like GCC High eliminate FIPS requirements?

No. If CUI touches your local machine, even in transit, FIPS mode still applies. A secure enclave moves where CUI is stored and processed, but it doesn’t remove the encryption requirements on endpoints that interact with that data.

Do I need a dedicated security lead for CMMC Level 2?

Yes. CMMC requires a specific person identified as responsible for security, with documented training and an actively maintained training matrix. This role is what ties physical controls, encryption, MFA, and evidence documentation together across the organization.