
The Implementation Decisions That Make or Break Your CMMC Assessment


Most organizations treat CMMC implementation as a technical execution phase. John Christly, VP of Commercial Services & Chief Learning Officer at OneZero Solutions, a 3x CISO, ISO 27001 lead auditor, and CMMC lead assessor, explains why the decisions you make about scope, evidence, and policy ownership are the ones that determine whether your audit succeeds or fails.

John Christly has been helping organizations through compliance audits for over 30 years. Today he's VP of Commercial Services and Chief Learning Officer at OneZero Solutions, where he works as a virtual CISO for defense contractors and healthcare companies.

One thing he sees over and over is that the audits that go badly almost always trace back to the same place: decisions made early in implementation that nobody thought to question, such as how you define your scope, how you set up logging and evidence, and whether your people actually know the policies they signed off on.

He's also a certified CMMC lead assessor and ISO 27001 lead auditor, not because he does auditing, but because he wanted to understand exactly how auditors think. That means he's lived both sides of the table.

Here's what he's learned about the three implementation decisions that matter most.

Key Takeaways

  • Scoping is the single most consequential implementation decision and most organizations get it wrong by defaulting to "everything in scope"
  • Proper boundary definition can reduce your assessment scope by 60 to 70 percent, cutting cost, complexity, and timeline proportionally
  • Logging and evidence infrastructure must be built for audit and forensic standards, not just default retention
  • Policies that aren't operationalized will fail under auditor interviews, even if the documentation looks perfect
  • Auditors reward preparation, transparency, and program ownership, not minimal disclosure

Table of Contents

  1. Scoping: The Decision That Shapes Everything Else
  2. Evidence and Logging: Building the Infrastructure Auditors Actually Need
  3. Policy Ownership: The Gap Between Documentation and Operations
  4. How to Work With Auditors, Not Against Them
  5. The Takeaway
  6. Frequently Asked Questions

Scoping: The Decision That Shapes Everything Else

Of all the implementation decisions an organization makes, scoping is the one with the highest downstream impact. Get it right, and you reduce cost, complexity, and timeline. Get it wrong, and every control, every piece of evidence, and every dollar of remediation work is applied against a footprint that's larger than it needs to be.

The most common mistake John encounters is the assumption that compliance means putting the entire organization in scope. "People think it's all or nothing," he says. "Like I have to do this to my entire network, my entire company, and it couldn't be further from the truth."

The real question is simpler and more specific: where does the sensitive data actually flow? In the CMMC context, that's Controlled Unclassified Information. In healthcare, it's ePHI. In payments, it's cardholder data. The framework changes, but the scoping logic is the same: trace the data, define the boundary, and focus your controls there.

How to Run a Scoping Exercise

His approach is low-tech and conversational. Sit down with the right people and walk through:

  • Where does sensitive information flow in? What channels, systems, and handoffs bring CUI into your environment?
  • Where does it flow out? Who sends it, and through what?
  • Who touches it? Which roles and people actually handle CUI day to day?
  • Where do you store it? Which systems, drives, and environments hold it at rest?

"Put all the technology away. Grab your pencils and paper. They think I'm joking when I say it, but I'm like, it better be a pencil and not a pen, because we're gonna erase a lot of things." — John Christly

One area organizations consistently overlook: email. Nearly every company John works with has CUI in their email environment, and nearly every one tries to avoid admitting it early in the conversation.

The output is a defensible boundary that the organization can articulate and an auditor can validate. Not artificially minimized, but accurately defined so every dollar and hour of implementation work is applied where it counts.


Evidence and Logging: Building the Infrastructure Auditors Actually Need

Once scope is defined, the next decision is how you build your evidence infrastructure, starting with logging.

Most organizations have logging enabled, but few meet the standard auditors and investigators actually require. Default configurations often retain 30 days. Regulations typically want a year, with 90 days readily accessible. And logs that nobody watches are just data.

As John puts it, "Computers are very chatty and they can tell you when there's something wrong. Nancy from accounting logged in at 3:00 AM but she's on vacation on a cruise ship. The computers will tell you, if you listen."

What Audit-Ready Logging Looks Like

  • Retention: At least one year of logs, with 90 days available for immediate review by investigators or auditors
  • Monitoring: Someone actively watching alerts, whether that's an internal team, an MSP, an MSSP, or a SIEM with automated alerting
  • Coverage: Logs from all in-scope systems, not just the ones that were easiest to configure
  • Accessibility: 90 days of logs that can be pulled quickly, not archived somewhere that takes days to restore
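As an added illustration of the monitoring and retention points above (example code written for this page, not code from the article, OneZero, or BEMO), the following Python runs two checks over constructed sample authentication log lines: it flags successful logins by a user recorded as on leave or outside business hours (the "Nancy at 3 AM" case), and it reports how far back the retained logs reach against the one-year and 90-day figures. The log format, the leave calendar, and the business-hours window are assumptions.

```python
from datetime import datetime, date

# Constructed sample authentication log lines (not from the article).
# Format: ISO timestamp, user, event.
SAMPLE_LOGS = """\
2024-03-12T09:14:02 nancy login_success
2024-03-12T03:02:41 nancy login_success
2024-03-12T03:01:55 nancy login_failure
2024-03-13T14:20:10 bob login_success
2023-03-01T08:00:00 bob login_success
"""
# Constructed HR leave calendar (user -> first and last day off, inclusive).
ON_LEAVE = {"nancy": (date(2024, 3, 10), date(2024, 3, 17))}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 treated as normal working hours


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event})
    return events


def find_suspicious_logins(events, on_leave=ON_LEAVE):
    """Flag successful logins by users who are on leave or logging in off-hours."""
    findings = []
    for e in events:
        if e["event"] != "login_success":
            continue  # this rule only looks at logins that actually succeeded
        reasons = []
        window = on_leave.get(e["user"])
        if window and window[0] <= e["ts"].date() <= window[1]:
            reasons.append("user on leave")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], "; ".join(reasons)))
    return findings


def retention_coverage(events, now, required_days=365, hot_days=90):
    """How far back retained logs reach, and how many events fall in the hot window."""
    ages = [(now - e["ts"]).days for e in events]
    return {"oldest_days": max(ages),
            "meets_required": max(ages) >= required_days,
            "events_in_hot_window": sum(1 for a in ages if a <= hot_days)}


def audit_sample(now_iso="2024-03-14T00:00:00"):
    """Run both checks over the constructed sample; now_iso is the assessment date."""
    evts = parse_log(SAMPLE_LOGS)
    return find_suspicious_logins(evts), retention_coverage(evts, datetime.fromisoformat(now_iso))
```

Running `audit_sample()` yields two alerts for nancy (one for a login during her leave, one for a 3 AM login during leave) and a coverage report showing the oldest retained event is 378 days old.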

Policy Ownership: The Gap Between Documentation and Operations

The third decision is one John sees go wrong constantly: organizations write strong policies but never operationalize them.

The problem shows up during the audit itself. Assessors don't just ask for your policies. They interview your staff against them. If the person responsible for access control can't explain the policy they signed off on, that's a finding.

"They'll take your policies and then they'll go interview somebody in your company. 'Hey, do you know what the policy is on such and such?' And if the person has that look on their face, like they have no idea, you kind of fail that part of the audit." — John Christly

How to Make Policies Stick

  • Start with what you have: Even rough existing policies are better than a blank-slate template that doesn't reflect your operations
  • Build for audit readiness: Structure policies so they're mapped to regulatory requirements and easy for auditors to navigate
  • Send them back for review: Before anyone signs off, make sure the team has read the policy and flagged anything they can't actually comply with
  • Test it yourself: Ask your people the same questions an auditor would. If they can't answer, the policy isn't operationalized yet

How to Work With Auditors, Not Against Them

There's a common instinct in IT: don't tell the auditor too much. Just answer the question and stop talking. John takes the opposite approach.

"Don't forget, you asked them to come in. You're usually bringing in an auditor because you wanna get a certification that will advance your business and allow you to make more money and win more contracts." — John Christly

When John represents a client, he opens by walking the auditor through the scope, the rationale, and the evidence behind those decisions. Auditors don't want to pull teeth. They want an organization that owns its program and presents it with confidence. When that happens, they're "usually smiling and nodding their head yes," John says, "because they know it's been done right."


The Takeaway

When these three decisions are treated as strategic rather than technical, the difference shows up on assessment day.

"I have seen customers come out of audits with a perfect score. In CMMC, that is a perfect 110 score. And there's no reason why you can't, if you've done your prep work the right way." — John Christly


BEMO builds these implementation decisions into the engagement from day one.


From scoping your CUI boundary to architecting audit-ready evidence to operationalizing policies across your organization, BEMO manages the full compliance process so the decisions that shape your assessment are made right the first time.


Frequently Asked Questions

How do I know if my CMMC scope is too broad?

Trace where CUI actually flows: who handles it, which systems store it, where it enters and exits. If systems or departments never touch CUI, they likely don't need to be in scope. A proper scoping exercise can reduce your footprint by 60 percent or more.

Should I be transparent with my auditor or keep answers minimal?

John's advice is to lead with transparency. Present your scope, explain your rationale, and walk the auditor through your program proactively. The "say as little as possible" approach usually creates more friction than it prevents.

Can a small company realistically achieve a perfect CMMC score?

Yes. John has seen organizations of various sizes come out of assessments with perfect scores. The determining factor isn't size but preparation quality: whether scoping was done rigorously, evidence infrastructure meets retention standards, and policies are operationalized across the team.
