
Why CMMC Readiness Falls Apart in the Interview Room


CMMC programs might look like they'll pass on paper, but fall apart in the interview. Assessor Fanta-Marie Toure shares how organizations can better prepare.

Most defense contractors walk into a CMMC assessment with their documentation in good shape. Policies are written, the SSP is signed off, and the controls are mapped. The harder question is whether the people who actually execute those controls can demonstrate them when an assessor sits down with them.

Fanta-Marie Toure is a Cyber Security Analyst at Sentar and a CMMC Certified Assessor (CCA). She runs assessments and advises organizations preparing for certification across the defense industrial base. When she's in an assessment, she isn't there to grade the SSP. She's there to find out whether the SSP matches how the organization actually operates, and that answer rarely comes from a policy. It comes from the conversation she has with the person responsible for the control.

"We always like to remind them that we're assessors. We want to know how the organization really operates as a well-oiled machine." — Fanta-Marie Toure

For defense contractors who can't bid without a CMMC score, this is the readiness gap that quietly sinks more assessments than any other: not missing controls, but the moment a non-IT teammate is asked to explain a process they were never part of writing.

Below, Fanta-Marie walks through why CMMC isn't an IT-only project, what assessors are actually doing in the room, and the playbook for closing the cross-functional gap before assessment day.

Key Takeaways

  • CMMC readiness rarely fails because of missing technology. It fails when the people responsible for demonstrating a policy were never part of writing it.
  • Assessors validate every control three ways: examine the documentation, interview the person responsible, and test the system. The interview is where cross-functional gaps surface.
  • HR, marketing, facilities, and operations all own CMMC controls and will likely be interviewed by an assessor, not just IT.
  • The strongest programs pre-brief non-IT teammates and run a mock examine-interview-test on themselves before assessment day.

Table of Contents

  1. The CMMC Gap That Doesn't Show Up on Paper
  2. What an Assessor Is Actually Doing in the Room
  3. Where the Gap Shows Up by Function
  4. Closing the Cross-Functional Gap Before Assessment Day
  5. The Downstream Impact: Cure Windows, Stress, and Missed Awards
  6. Frequently Asked Questions

The CMMC Gap That Doesn't Show Up on Paper

The most common gap Fanta-Marie sees isn't technical. It's that controls written by IT often describe processes other teams actually execute, and those teams are the ones an assessor will ask to demonstrate them.

"Assessments are IT-focused, but it's not just the purview of IT. There are other organizations involved like marketing, HR, facilities, officers." — Fanta-Marie Toure

When IT owns the policy alone, a predictable pattern emerges. The document describes a process that touches multiple departments, but the responsibility for being able to demonstrate that process never gets handed off. The policy describes what should happen. No one outside IT has been told it's their job to show that it does.

"Something is written down in a policy and it's signed off by whoever wrote it, likely IT. When it comes time to validate that certain control, they're not able to demonstrate it the way they said." — Fanta-Marie Toure

That gap is rarely about technology. It's about awareness, communication, and ownership across teams. And it's the single most common readiness failure she sees.

What an Assessor Is Actually Doing in the Room

To understand why the interview is where readiness breaks, it helps to understand how assessors actually validate a control. Fanta-Marie points to the official method from the DoD CIO's assessment guide. There are three ways an assessor confirms a control is met, and they're often used in combination.

Examine. Read what's written. Start with the SSP, which Fanta-Marie calls "the organization's security IT hygiene bible." It should map where CUI enters, lives, and leaves the environment. If a control isn't covered in the SSP, it should be referenced in another policy.

Interview. Talk to the person responsible. Ask them, in their own words, how the process works. Their answer has to match the policy without coaching.

Test. Watch them prove it. If the policy says authorized users live in Entra ID, the assessor wants to see them open Entra ID and show where.

The interview is where most cross-functional gaps surface, because it's the only step that requires someone outside IT to describe a control in their own words.

Where the Gap Shows Up by Function

Once an assessor moves from documents to people, the cross-functional shape of CMMC becomes obvious. Fanta-Marie gives a few examples of where she has to leave IT to validate a control.

HR. Personnel security covers background checks, screening criteria, and what might disqualify someone from being hired at a defense contractor. Fanta-Marie almost always asks to interview HR for these controls.

Marketing. Anything publicly accessible falls under access control. That includes blog posts, social media, conference materials, and trade show collateral.

"Nine times out of ten, marketing is the one responsible for publishing materials. Can you bring someone in from marketing to talk to us about their process?" — Fanta-Marie Toure

Facilities and operations. Physical access, printing, and paper trails sit outside IT's day-to-day visibility but inside CMMC's scope.

IT admins themselves. Even when the right person is in the room, the interview can go sideways. Admins sometimes over-explain, drift outside the question, or describe a process slightly differently than the policy states.

Each of these is a place where IT may have written something accurate, but the person who'd have to demonstrate it in front of an assessor has never been briefed on what their answer should be, or has never been asked to articulate it at all.

"They're saying 'this is what we would do,' but they don't really have evidence for it." — Fanta-Marie Toure


Closing the Cross-Functional Gap Before Assessment Day

A strong CMMC program closes this gap before the assessor ever shows up. Based on what Fanta-Marie sees consistently across assessments, four moves separate organizations that pass cleanly from organizations that scramble in the ten-day cure window.

1. Map Every Control to the Function That Would Be Interviewed for It

The first move is recognizing that controls don't belong to IT just because they're written by IT. For every control in scope, identify the person whose process actually executes it. That might be HR for personnel security, marketing for public materials, facilities for physical access, or IT for technical configuration. Many controls touch more than one function.

This map becomes the readiness universe. If a function lives on the map, that team needs to know it.

2. Pre-Brief the People Who Will Be Interviewed

Don't hand non-IT teams the SSP. Hand them the part of their work that the SSP describes, in plain language, and walk them through what an assessor will likely ask. They don't need to memorize the policy. They need to be able to describe the real process they own, in their own words, in a way that matches what's been written.

If their honest answer doesn't match the policy, that's a finding. It's better to find it now than in the room.

3. Run a Mock Interview Using Examine, Interview, and Test

Use the assessor's own method on yourself. Pull the SSP for a control. Sit down with the person responsible and ask them, without coaching, how the process works. Then ask them to show it in the system. If any of the three steps wobble, the control isn't ready, no matter how clean the policy looks.

This is the closest possible simulation of what assessment day will feel like, and it surfaces the exact gaps an assessor would.

4. Fix the Policy When Reality Doesn't Match It

When the real process doesn't match what's written, the instinct is to coach the person to match the policy. Don't. The policy is supposed to describe the operating reality. If reality has drifted, update the document. If the policy describes the right future state and the team isn't there yet, build the process before the assessment, not the script.

"We just want to talk to decision-makers, and we want to make sure they're doing what they say they're doing on paper." — Fanta-Marie Toure

The Downstream Impact: Cure Windows, Stress, and Missed Awards

Every gap in the playbook above has a downstream cost. Assessments that find cross-functional gaps fall into one of two outcomes: a ten-day cure window to produce missing evidence, or a failed control that has to be re-assessed.

The cure window is a safety net, not a plan, and it puts your team under serious pressure to produce evidence that wasn't ready in the first place. A failed assessment delays your ability to bid on contracts that require CMMC Level 2, and at the point of award, that delay translates directly to lost revenue.

The organizations Fanta-Marie sees pass most cleanly aren't the ones with the prettiest documentation. They're the ones where the person responsible for each control can describe it in their own words and show it in the system.


Frequently Asked Questions

Who outside of IT needs to be involved in CMMC readiness?

At minimum, HR (for personnel security and background check controls), marketing (for anything publicly accessible, which falls under access control), facilities (for physical security and visitor management), and leadership (for budget and risk decisions). Operations may also be involved depending on how CUI flows through the business. Fanta-Marie notes that almost every control with an interview component requires someone outside IT to speak to it.

What is the "interview" portion of a CMMC assessment?

The interview is one of three official validation methods CMMC assessors use, alongside examine (reading documentation) and test (watching the system perform). During the interview, an assessor talks to the person responsible for a control and asks them, in their own words, how the process works. Their answer needs to match the policy without coaching. This is the step where cross-functional gaps most often get exposed.

Can policies written only by IT pass a CMMC assessment?

The documentation itself can be technically complete, but it has to match operating reality. If a policy describes a process that touches HR, marketing, or facilities, those teams have to be able to demonstrate the process when interviewed. When the lived process doesn't match the written one, assessors will flag it, regardless of how well-written the policy is.
