Most organizations treat CMMC implementation as a technical execution phase. John Christly, VP of Commercial Services & Chief Learning Officer at OneZero Solutions, a 3x CISO, ISO 27001 lead auditor, and CMMC lead assessor, explains why the decisions you make about scope, evidence, and policy ownership are the ones that determine whether your audit succeeds or fails.
John Christly has been helping organizations through compliance audits for over 30 years. Today he's VP of Commercial Services and Chief Learning Officer at OneZero Solutions, where he works as a virtual CISO for defense contractors and healthcare companies.
One thing he sees over and over is that the audits that go badly almost always trace back to the same place: decisions made early in implementation that nobody thought to question, such as how you define your scope, how you set up logging and evidence, and whether your people actually know the policies they signed off on.
He's also a certified CMMC lead assessor and ISO 27001 lead auditor, not because he does auditing, but because he wanted to understand exactly how auditors think. That means he's lived both sides of the table.
Here's what he's learned about the three implementation decisions that matter most.
Of all the implementation decisions an organization makes, scoping is the one with the highest downstream impact. Get it right, and you reduce cost, complexity, and timeline. Get it wrong, and every control, every piece of evidence, and every dollar of remediation work is applied against a footprint that's larger than it needs to be.
The most common mistake John encounters is the assumption that compliance means putting the entire organization in scope. "People think it's all or nothing," he says. "Like I have to do this to my entire network, my entire company, and it couldn't be further from the truth."
The real question is simpler and more specific: where does the sensitive data actually flow? In the CMMC context, that's Controlled Unclassified Information. In healthcare, it's ePHI. In payments, it's cardholder data. The framework changes, but the scoping logic is the same: trace the data, define the boundary, and focus your controls there.
His approach is low-tech and conversational. Sit down with the right people and walk through it together:
"Put all the technology away. Grab your pencils and paper. They think I'm joking when I say it, but I'm like, it better be a pencil and not a pen, because we're gonna erase a lot of things." — John Christly
One area organizations consistently overlook: email. Nearly every company John works with has CUI in their email environment, and nearly every one tries to avoid admitting it early in the conversation.
The output is a defensible boundary that the organization can articulate and an auditor can validate. Not artificially minimized, but accurately defined so every dollar and hour of implementation work is applied where it counts.
Once scope is defined, the next decision is how you build your evidence infrastructure, starting with logging.
Most organizations have logging enabled, but few meet the standard that auditors and investigators actually require. Default configurations often retain only 30 days of logs. Regulations typically require a year of retention, with the most recent 90 days readily accessible. And logs that nobody watches are just data.
As John puts it, "Computers are very chatty and they can tell you when there's something wrong. Nancy from accounting logged in at 3:00 AM but she's on vacation on a cruise ship. The computers will tell you, if you listen."
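As an added example (not from the article, OneZero Solutions, or BEMO), here is the kind of check the logging point above describes, run over constructed syslog-style login events: flag successful logins from a user whom HR has marked as on leave, or that fall outside business hours, and measure how far a retention setting falls short of the one-year / 90-day expectation. The log format, user names, leave roster, and business hours are all assumptions made for this example.

```python
from datetime import datetime

# Constructed sample events (assumed format):
# "<ISO timestamp> login user=<name> result=<ok|fail> src=<ip>"
SAMPLE_LOG = """\
2024-05-06T09:12:41 login user=alice result=ok src=10.0.1.23
2024-05-07T03:02:17 login user=nancy result=ok src=10.0.1.88
2024-05-07T10:41:03 login user=bob result=ok src=10.0.1.45
2024-05-07T23:30:55 login user=alice result=fail src=10.0.1.23
2024-05-08T02:15:09 login user=nancy result=ok src=10.0.1.88
2024-05-08T22:05:30 login user=bob result=ok src=10.0.1.45
"""

# Constructed HR roster (assumed): user -> (first day, last day) of leave, inclusive.
ON_LEAVE = {"nancy": ("2024-05-05", "2024-05-12")}
BUSINESS_HOURS = (7, 19)  # successful logins outside 07:00-19:00 are flagged


def parse_event(line):
    """Parse one log line into a dict; return None if it is not a login event."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    fields["ts"] = datetime.fromisoformat(parts[0])
    return fields


def flag_logins(log_text, on_leave=ON_LEAVE, hours=BUSINESS_HOURS):
    """Return (user, timestamp, reason) for successful logins that contradict the
    leave roster or fall outside business hours. Failed logins are skipped here;
    counting those belongs to a separate brute-force check."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("result") != "ok":
            continue
        user, ts = ev["user"], ev["ts"]
        leave = on_leave.get(user)
        if leave and leave[0] <= ts.date().isoformat() <= leave[1]:
            findings.append((user, ts.isoformat(), "login while on leave"))
        elif not hours[0] <= ts.hour < hours[1]:
            findings.append((user, ts.isoformat(), "login outside business hours"))
    return findings


def retention_shortfall(days_retained, required_days=365, hot_days=90):
    """Days by which a retention setting misses the one-year total and the
    90-day readily-accessible window; (0, 0) means the setting is sufficient."""
    return (max(0, required_days - days_retained), max(0, hot_days - days_retained))
```

With the sample data, the two "nancy" logins are flagged against the roster and the 22:05 "bob" login is flagged as out of hours; a default 30-day retention shows a shortfall of 335 days overall and 60 days for the hot window.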
The third decision is one John sees go wrong constantly: organizations write strong policies but never operationalize them.
The problem shows up during the audit itself. Assessors don't just ask for your policies. They interview your staff against them. If the person responsible for access control can't explain the policy they signed off on, that's a finding.
"They'll take your policies and then they'll go interview somebody in your company. 'Hey, do you know what the policy is on such and such?' And if the person has that look on their face, like they have no idea, you kind of fail that part of the audit." — John Christly
There's a common instinct in IT: don't tell the auditor too much. Just answer the question and stop talking. John takes the opposite approach.
"Don't forget, you asked them to come in. You're usually bringing in an auditor because you wanna get a certification that will advance your business and allow you to make more money and win more contracts." — John Christly
When John represents a client, he opens by walking the auditor through the scope, the rationale, and the evidence behind those decisions. Auditors don't want to pull teeth. They want an organization that owns its program and presents it with confidence. When that happens, they're "usually smiling and nodding their head yes," John says, "because they know it's been done right."
When these three decisions are treated as strategic rather than technical, the difference shows up on assessment day.
"I have seen customers come out of audits with a perfect score. In CMMC, that is a perfect 110 score. And there's no reason why you can't, if you've done your prep work the right way." — John Christly
BEMO builds these implementation decisions into the engagement from day one.
From scoping your CUI boundary to architecting audit-ready evidence to operationalizing policies across your organization, BEMO manages the full compliance process so the decisions that shape your assessment are made right the first time.
Trace where CUI actually flows: who handles it, which systems store it, where it enters and exits. If systems or departments never touch CUI, they likely don't need to be in scope. A proper scoping exercise can reduce your footprint by 60 percent or more.
John's advice is to lead with transparency. Present your scope, explain your rationale, and walk the auditor through your program proactively. The "say as little as possible" approach usually creates more friction than it prevents.
Yes. John has seen organizations of various sizes come out of assessments with perfect scores. The determining factor isn't size but preparation quality: whether scoping was done rigorously, evidence infrastructure meets retention standards, and policies are operationalized across the team.