Not all CMMC compliance claims are created equal. Bryan Lee, Senior Cybersecurity Engineer at Riskcraft Citadel and CMMC Licensed Certified CMMC Assessor, explains what separates strong vendor support from surface-level promises, and what defense contractors should expect before committing.
Here's a scenario that plays out more often than it should: an organization purchases a compliance solution, gets reassured that a large number of CMMC controls are covered, and moves forward believing they're on track. Then someone maps the actual CUI data flow, compares it to the vendor documentation, and the picture changes fast.
Bryan Lee is a Senior Cybersecurity Engineer at Riskcraft Citadel, LLC and a CMMC Licensed Certified CMMC Assessor (LCCA) who consults with DIB companies on implementation, participates in Level 2 assessments for C3PAOs, and helps organizations prepare accurate SPRS entries in eMASS. His background includes over a decade in federal cybersecurity implementing RMF and NIST 800-53 for DOD organizations, preceded by five years as a software engineer.
Whether you're an executive evaluating a vendor's proposal or a compliance leader preparing for assessment, the question is the same: does this solution actually cover what it claims to in your environment? Below, Bryan walks through why that question matters, how to answer it, and what to do about the gaps.
It sounds straightforward: purchase a solution and it will cover a significant share of your 110 CMMC Level 2 controls. But Bryan sees a recurring pattern when he examines what those claims actually mean. The technology may work as advertised within the vendor's environment, but CMMC compliance isn't just about what tools are in place. It's about whether your organization has made the business decisions those tools depend on.
Who controls access to CUI? Who decides how authentication works? Who enforces policy when something changes? Those are organizational decisions, not software features. And they're exactly what CMMC is designed to evaluate.
"CMMC by nature is trying to get an organization to reach a certain level of maturity that it reflexively understands that it needs to protect data and takes action to do it. There's no piece of technology that can do that for you." — Bryan Lee
Many vendors operate within their own FedRAMP-authorized cloud environments. The controls they implement are real, but they protect that boundary. When CUI moves outside of it (onto local laptops, through a different subnet, across unprotected endpoints) the vendor's controls no longer apply. And yet the documentation may still claim inheritance.
Bryan describes this with a recent client. The organization had purchased a solution with documentation showing control inheritance across a significant number of practices. On paper, it looked strong.
"I went to the vendor's documentation, compared it to what they thought they were getting, and then one by one we were able to look at it and say, ‘okay, actually this only applies to their environment, not yours,’" Bryan shared.
The vendor's protections covered CUI inside their cloud boundary. But the client's actual data flow brought CUI through local machines and down to laptops that hadn't been locked down. The gap between what was claimed and what the environment actually required was significant.
The takeaway: purchasing a compliance solution isn’t the same as achieving compliance.
Rather than accepting documentation at face value, Bryan walks organizations through a structured evaluation that maps claims to their actual environment. Here are the steps:
Before evaluating any vendor claim, understand where CUI enters your organization, where it moves, where it's stored, and where it exits. In Bryan's client engagement, the CUI data flow revealed information moving through areas the vendor's solution didn't cover. Without that map, the gaps would have stayed invisible until assessment.
Vendor inheritance documents describe what the vendor does within their security boundary. The critical question is whether those protections extend to yours.
"You need to show me how you make those controls met on my specific security environment, not John Doe's security environment with his security architecture and his computers and his router and his firewalls. No, you need to show me how you can do it for me." — Bryan Lee
Go through the claimed controls one by one. For each, ask: does this protect CUI where it actually lives in my environment, or only within the vendor's boundary?
Claiming inheritance is allowed under CMMC, but the vendor must attest to what they're specifically doing for you, and that attestation must be part of the contract or license you're paying for. If those specifics aren't documented, the claim won't hold up under assessment.
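The control-by-control comparison described in the steps above, as an added example that is not part of the original article or of any vendor's tooling: a CUI data flow is modeled as a list of hops through security boundaries, each vendor claim records which boundaries its protection actually covers and whether a customer-specific attestation exists in writing, and the evaluation flags every claim that leaves CUI assets uncovered. The data flow, boundary names, and claim scopes are constructed for illustration; only the practice identifiers are real NIST SP 800-171 / CMMC Level 2 identifiers.

```python
"""Gap check: vendor control-inheritance claims vs. where CUI actually flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    asset: str      # system that stores, processes or transmits CUI
    boundary: str   # security boundary the asset sits in


@dataclass(frozen=True)
class Claim:
    control: str        # CMMC Level 2 practice identifier
    covers: frozenset   # boundaries the vendor's protection actually applies to
    attested: bool      # written, customer-specific attestation in the contract?


# Constructed sample CUI data flow: CUI leaves the vendor cloud and reaches laptops.
CUI_FLOW = [
    Hop("vendor-saas", "vendor-cloud"),
    Hop("file-server", "corp-lan"),
    Hop("engineer-laptop", "endpoint"),
]

# Constructed sample vendor claims: real practice identifiers, illustrative scopes.
VENDOR_CLAIMS = [
    Claim("AC.L2-3.1.1", frozenset({"vendor-cloud"}), attested=True),
    Claim("SC.L2-3.13.1", frozenset({"vendor-cloud", "corp-lan"}), attested=True),
    Claim("MP.L2-3.8.1", frozenset({"vendor-cloud"}), attested=False),
]


def evaluate(claims, flow):
    """Return {control: (status, uncovered_assets)} for each vendor claim."""
    report = {}
    for c in claims:
        # Every hop outside the boundaries the vendor protects is a gap the customer owns.
        uncovered = sorted(h.asset for h in flow if h.boundary not in c.covers)
        if not c.attested:
            status = "not-inheritable"   # nothing in writing for this customer
        elif uncovered:
            status = "partial"           # customer still owns these assets
        else:
            status = "inherited"
        report[c.control] = (status, uncovered)
    return report


def customer_owned_controls(report):
    """Controls the organization must implement itself, at least in part."""
    return sorted(k for k, (status, _) in report.items() if status != "inherited")
```

With this constructed flow none of the three claims is fully inherited, which is the pattern the client engagement above uncovered; the same claims evaluated against a flow that never leaves the vendor cloud would come back as inherited.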
Not every organization needs the most expensive or comprehensive tooling available.
"You don't want to use an elephant gun to kill a fly. What is your attack surface? How big is your organization? What kind of tools do you really have versus what you really need? Those are all specific questions that can be answered." — Bryan Lee
In Bryan's client case, the solution didn't require additional spending. The team segmented their network, isolated CUI assets on a separate subnet behind an existing firewall, and addressed the gaps using resources they already had.
Before committing budget, demand specificity. What controls does this solution actually cover in your environment? How would you prove that coverage during a C3PAO assessment? What falls outside the vendor's scope that your team still needs to own?
Bryan emphasizes that these answers need to be documented, not assumed. If a vendor claims their solution satisfies a specific CMMC control, they should be able to articulate exactly how, for your security architecture, in writing. A general inheritance document that applies to a generic customer environment is not enough.
"Trust but verify. MSPs can offer you a bunch of different services, but you still need to get very specific things in writing." — Bryan Lee
Bryan's client went through this process and avoided a false start: paying a C3PAO for an assessment they weren't ready to pass, then circling back to fix gaps that could have been caught earlier.
"They were able to save money because they actually understood what their CUI gaps were, and they didn't go into an assessment with a false start." — Bryan Lee
The bigger shift was organizational. Once the client saw the real gaps, they stopped treating compliance as something a vendor handled for them and started owning it. Bryan compares CMMC to CMMI: both are maturity models built to change how an organization operates. The audit exercise is where that maturity starts.
For organizations that haven't taken this step yet, Bryan's advice is clear:
"A lot of companies get really spooked at the scoping stage. It doesn't have to be nearly as high as some of the numbers I've seen. Some companies are a lot further than they think they are and a lot closer than they think they are." — Bryan Lee
BEMO helps defense contractors see the full picture before assessment day.
From mapping CUI data flow to validating vendor claims to coordinating implementation across your entire compliance boundary, BEMO manages the process so gaps don't become surprises.
How do I know if my vendor's compliance claims apply to my environment?
Map your CUI data flow first, then compare it to the vendor's documentation control by control. The key question is whether each protection applies within the vendor's boundary only or extends to where CUI actually lives and moves in yours.
Can a vendor really cover most of my CMMC controls?
Some solutions cover a meaningful number of controls within their own security boundary, but coverage depends on your architecture and CUI data flow. The number of controls claimed matters less than whether those claims hold up in your specific environment.
What should I ask a vendor before purchasing a CMMC compliance solution?
Ask them to demonstrate, in writing, how their solution satisfies specific controls within your environment. Ask what their inheritance attestation covers and what it doesn't. Ask how you would prove that inheritance during a C3PAO assessment.
How long does it take to audit vendor claims?
Bryan describes working through a client's vendor documentation in a matter of hours, not weeks. The exercise is structured comparison: mapping your CUI data flow against what the vendor claims, control by control. The time investment is small relative to the cost of discovering gaps during a live assessment.