Most teams preparing for CMMC believe their documentation proves they're ready. Karen Connor, a CMMC assessor and consultant with decades of federal cyber experience, explains the self-validation playbook that separates real readiness from paper confidence.
When Karen Connor walks into a new engagement, she often sees the same thing: the SSP looks solid, the policies are written, and leadership feels good about where they stand.
Then she asks someone to demonstrate an access control live, and they can't. Or she pulls on the CUI boundary and finds out someone emailed sensitive data outside the enclave last month. Or the people who handle CUI daily can't explain the protection requirements they're supposed to follow.
The documentation checks out. The environment doesn't.
Karen has spent her career in federal cyber, across military service, federal contracting, and federal government roles. She works both sides of the CMMC table: as a consultant helping organizations build toward certification, and as an assessor evaluating whether they actually got there. That combination means she knows what assessors look for, and she knows where teams trick themselves into thinking they're ready.
Key Takeaways
- A polished SSP does not equal assessment readiness. Assessors verify execution, not documentation.
- CUI boundary confusion is one of the most common and costly gaps organizations miss before assessment.
- Assessments can be halted immediately at Level 2 with no option to defer a fix, leading to months of rework.
- The strongest preparation you can do is examine, test, and interview your own environment the way an assessor would.
- CMMC readiness is cross-functional. IT alone cannot get you through an assessment.
Table of Contents
- The CMMC Readiness Illusion and What It Costs
- Think Like an Assessor Before One Arrives
- A Self-Validation Playbook for CMMC Readiness
- What Changes When You Get This Right
- Frequently Asked Questions
The CMMC Readiness Illusion and What It Costs
The most common mistake Karen sees is straightforward: teams assume that having a solid SSP indicates readiness.
"Teams assume that having a very solid SSP indicates their readiness. But it doesn't go beyond the SSP. They don't have the controls in place, they don't have the narrative, they don't have an understanding of how these controls work, but they do have a really pretty SSP." — Karen Connor
The SSP looks complete. But when the actual environment is examined, the controls described on paper haven't been consistently implemented. The gap between what's documented and what's operational is where assessments fall apart.
The second layer of this problem is CUI boundary confusion. Organizations define an enclave for Controlled Unclassified Information, but they don't fully understand where that CUI actually lives and moves.
Karen describes a scenario she encounters repeatedly: an organization claims all CUI is contained in a secure enclave. But then it turns out someone emailed CUI on regular email to a colleague in a different area. Now that CUI exists in a space outside the assessment scope, and the controls around it are undefined.
When these gaps surface during an assessment, the consequences are immediate.
"If I find something that invalidates the SSP and the procedures and policies that we're reviewing in support of a CMMC assessment, oftentimes it will halt the assessment and have to be restarted at a future date. If you fail certain objectives, there is not a way to defer the fix in many cases within Level 2." — Karen Connor
That means an immediate failure during the assessment itself. The organization's options narrow fast: cancel and restart later, or face a formal failure. Either path is expensive.
Small issues, like an unsigned policy, can be resolved in a week with minimal cost. But the bigger problems, like discovering CUI has been flowing outside the defined boundary, can mean migrating to a GCC environment, re-architecting the enclave, and separating CUI from non-CUI data. That kind of rework runs into tens of thousands of dollars and months of effort.
Think Like an Assessor Before One Arrives
The core reframe Karen teaches is simple: stop evaluating your readiness through the lens of what you've documented. Start evaluating it through the lens of what an assessor will actually verify.
"Assessors are not there to reward your effort. They are there to verify the implementation. So if you're calling an assessor, please know it is based on your implementation, not your effort." — Karen Connor
An assessor isn't reviewing your intent, your plan, or how hard your team worked. They're verifying that the controls you described are actually operating in your environment, consistently, with evidence to prove it.
Karen's approach flips the preparation model. Instead of building toward a documentation milestone and then hoping it holds up, she teaches teams to stress-test their own environment the same way an assessor would, well before assessment day.
That means understanding exactly what the assessment guide requires at the objective level, not just at the title level. It means knowing whether each control calls for an examination, a test, or an interview, and then running that evaluation internally.
The Steps to Validating CMMC Readiness
Karen's approach to pre-assessment validation follows a consistent sequence. Here's the playbook she walks organizations through, whether she's consulting or preparing them to face a third-party assessor.
1. Download the Control Objectives and Map Every Requirement
The starting point is free and publicly available. Download the full list of control objectives from the Cyber AB (soon to be ISACA) and review your environment against every single one.
Karen's method is to build a simple spreadsheet and determine, for each control: what type of evidence is required? Is it a document? A list? A screen share? A live walkthrough?
"If I can't put something in every box of that spreadsheet, then I'm not ready. Or I need to call in somebody to help me." — Karen Connor
This step alone reveals where the real gaps are. Many organizations have never mapped their evidence against the full objective list, and the gaps are often larger than expected.
2. Examine, Test, and Interview Against Each Objective
The assessment guide specifies three methods assessors use: examine, test, and interview. Karen teaches teams to run all three internally before an assessor arrives.
"If it says ‘examine,’ you can bet I'm looking for a show and tell, a walkthrough, a screen share of something that you can show me, whether that's a policy document or an access control list. If it says ‘test,’ I'm going to want a real test. I don't want you to tell me 'oh, it works.' It always works until somebody's looking at it and it doesn't work." — Karen Connor
For interview-based objectives, Karen recommends rehearsing with the people who will actually be in the room during assessment. Do they understand the policy? Can they walk through the steps? Are their answers consistent with what the documentation says?
If the answers don't match the documentation, or if the people who will be interviewed can't explain the controls they're responsible for, that's a gap that needs to be closed before assessment day.
3. Challenge Your Scope Assumptions
This is the step Karen believes most teams skip entirely. You've defined your boundary. You've determined where CUI lives. Now challenge it.
"Challenge your scope assumptions. You set out your boundary, you've determined where your CUI lives. Let's challenge that. Is that true? Has anybody sent it in an email? Is your policy allowing you to send it through email?" — Karen Connor
Karen also flags a gap she sees consistently: boundary diagrams that account for technology but not people.
"Do you know what CUI is? Do you know why you're protecting it and where it lives? That seems so basic. But CUI is not just people, it is also technology. It is process. I can't tell you the number of times I have gotten a boundary diagram, but no people were identified." — Karen Connor
If the people who touch CUI aren't identified in your boundary, your scope is incomplete. And if your scope is incomplete, your evidence won't hold up.
4. Confirm Evidence Applies to In-Scope Items Only
Once the boundary is validated, make sure that the evidence you've collected actually applies to the systems, people, and processes that are in scope.
Your entire network may not be in scope. Only the enclave or space that houses CUI is. If you're gathering evidence from systems outside that boundary, it won't satisfy the assessor, and it can actually create confusion about what's being protected and what isn't.
If a one-off incident is discovered, like CUI uploaded to the wrong drive, that triggers a different conversation entirely: the boundary may need to change, and the evidence base needs to expand to cover the new scope.
5. Close Gaps Cross-Functionally
CMMC readiness is not something an IT department can deliver alone.
"You cannot do this as an IT department. You're gonna need legal, you're going to need compliance, you're going to need other teams to help articulate what their role in protecting and accessing CUI is." — Karen Connor
Any gaps identified through the self-validation process need to be understood by the full team. That means bringing in stakeholders who may not have been involved in the initial preparation: legal, compliance, HR, training, and operations.
The goal is to make sure that when assessment day arrives, every person who will be interviewed, every system that will be tested, and every document that will be examined reflects a coordinated, organization-wide effort, not an IT-only initiative.
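The spreadsheet discipline from steps 1, 2 and 4 is easy to automate once the objective list is in a table. The script below is an added example, not code from the article or from BEMO: it reads a constructed evidence map (objective IDs, assets and names are placeholders), checks that every objective has a valid method (examine, test or interview), recorded evidence, an identified owner, and evidence drawn only from assets inside the defined CUI boundary, and reports each empty or invalid box as a gap.

```python
"""Readiness gap check over a control-objective evidence map.

Added example (not from the article or BEMO). It encodes the spreadsheet
rule quoted above: if any box for any objective cannot be filled, the
organization is not ready. Objective IDs, asset names and user names are
constructed placeholders, not real CMMC identifiers.
"""
import csv
import io
from dataclasses import dataclass

VALID_METHODS = {"examine", "test", "interview"}

# Constructed in-scope inventory: enclave assets plus the people who touch CUI.
# Evidence tied to anything outside these sets is outside the assessment scope.
IN_SCOPE_ASSETS = {"enclave-fs01", "enclave-idp", "enclave-mail"}
IN_SCOPE_PEOPLE = {"j.doe", "a.lee"}

# Constructed evidence map; in practice this is the team's readiness spreadsheet.
EVIDENCE_CSV = """\
objective_id,method,evidence,asset,owner
OBJ-001,examine,Access control policy v3 (signed),enclave-idp,a.lee
OBJ-002,test,Live demo: disabled account cannot log in,enclave-idp,a.lee
OBJ-003,interview,,enclave-fs01,
OBJ-004,examine,Firewall ruleset export,corp-fw01,j.doe
OBJ-005,walkthrough,Screen share of audit log,enclave-fs01,j.doe
OBJ-006,test,It works,enclave-mail,j.doe
"""


@dataclass
class Gap:
    objective_id: str
    reason: str


def check_row(row: dict) -> list[str]:
    """Return the reasons one objective row is not assessment-ready."""
    reasons = []
    method = row["method"].strip().lower()
    if method not in VALID_METHODS:
        reasons.append(f"method '{row['method']}' is not examine/test/interview")

    evidence = row["evidence"].strip()
    if not evidence:
        reasons.append("no evidence recorded")
    elif method == "test" and evidence.lower() in {"it works", "works", "n/a"}:
        # A test objective needs a demonstrated result, not an assertion.
        reasons.append("test objective records an assertion instead of a demonstrated result")

    if row["asset"].strip() not in IN_SCOPE_ASSETS:
        reasons.append(f"evidence drawn from out-of-scope asset '{row['asset']}'")

    owner = row["owner"].strip()
    if not owner:
        reasons.append("no owner/interviewee identified")
    elif owner not in IN_SCOPE_PEOPLE:
        reasons.append(f"owner '{owner}' is not in the boundary's people list")
    return reasons


def find_gaps(csv_text: str) -> list[Gap]:
    """Walk every objective; every box must be filled and valid."""
    gaps = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for reason in check_row(row):
            gaps.append(Gap(row["objective_id"], reason))
    return gaps


def is_ready(csv_text: str) -> bool:
    return not find_gaps(csv_text)


if __name__ == "__main__":
    for gap in find_gaps(EVIDENCE_CSV):
        print(f"{gap.objective_id}: {gap.reason}")
    print("READY" if is_ready(EVIDENCE_CSV) else "NOT READY")
```

Run against the constructed map, the script flags the interview objective with no evidence and no interviewee, the evidence pulled from a firewall outside the enclave, the objective with a method the assessment guide does not define, and the test objective whose only evidence is "it works". The in-scope sets are the part worth maintaining carefully: they are the boundary diagram, people included, expressed as data.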
The Takeaway
When organizations follow this self-validation playbook before engaging a C3PAO, the outcomes shift meaningfully.
First, the data itself is more secure. The controls aren't just documented. They're operating, monitored, and understood by the people responsible for them.
"The positive impact to CMMC is that your data is more secure than it was prior to achieving this milestone. Because you put controls in place that are designed to protect data and create boundaries around that data." — Karen Connor
Second, the organization can contract in the federal marketplace. Without a passing CMMC assessment, defense contractors cannot move forward with Department of Defense contracts. That's not a future risk. It's the current requirement.
And third, when an organization works with a consultant who understands the full landscape, the complexity of managing multiple frameworks (CMMC, FedRAMP, and other risk management frameworks) becomes more manageable.
"It makes it easier to have someone who understands multiple frameworks within the federal government so that we can figure out the best path forward, especially if you're meeting more than one." — Karen Connor
The difference between organizations that struggle through assessment and those that move through it with confidence almost always comes down to the same thing: whether they validated their own readiness before someone else did.
You don't have to run this validation alone.
BEMO coordinates the full CMMC compliance process, from mapping your CUI boundary and closing evidence gaps to managing the assessment itself, so your team enters assessment day with confidence instead of anxiety.
Frequently Asked Questions
What's the difference between an assessor and a consultant in CMMC?
An assessor evaluates whether your organization meets CMMC requirements during a formal assessment. They can mark controls as met or not met, but they cannot advise you on how to fix issues during the assessment itself. A consultant works with you before the assessment to identify gaps, build controls, and prepare your team. As Karen explains, the same person can hold both roles, but never for the same engagement. The dynamic is fundamentally different: a consultant helps you build readiness, while an assessor verifies it.
Can my assessment be halted if issues are found during the evaluation?
Yes. At Level 2, if an assessor finds something that invalidates the SSP or the supporting policies and procedures, the assessment can be halted and must be restarted at a future date. In many cases, there is no option to defer a fix and continue. This is why self-validation before engaging a C3PAO is critical. Discovering gaps during the assessment itself is the most expensive and disruptive time to find them.
How do I know if my CUI boundary is accurate?
Karen recommends actively challenging your scope assumptions. Start with where you've defined CUI to live, then ask hard questions: has anyone emailed CUI outside the enclave? Does your policy allow CUI to be transmitted via regular email? Are all the people who touch CUI identified in your boundary diagram? If the answers reveal CUI outside your defined scope, the boundary needs to be updated before assessment, and evidence needs to cover the expanded scope.
Should I use AI to help with CMMC preparation?
AI can be useful for understanding requirements. If you download the control objectives and don't know where to start, using AI to explain what a specific control means in plain language is a reasonable approach. However, Karen cautions against using AI to make the connection between a control requirement and the evidence that satisfies it. If you need AI to make that determination, it may indicate that the person making those decisions needs deeper expertise, or that it's time to bring in a specialist. She also emphasizes checking with your organization's legal and compliance teams before putting any sensitive artifacts or evidence into AI tools.