CMMC Implementation Gap: Why Small Contractors Should Audit Readiness Themselves Before Hiring a C3PAO

Key Takeaways

The CMMC implementation gap is the difference between knowing what CMMC requires and knowing how to build, document, operate, and prove a compliant cybersecurity program.

For small and mid-sized defense contractors, the smartest first move is usually not calling a C3PAO. It is auditing where the organization stands today against where it needs to be.

A readiness audit helps contractors define CUI scope, inventory assets, review their System Security Plan, test controls, organize evidence, estimate remediation costs, and decide when they are actually ready for a formal assessment.

CMMC Level 2 certification costs vary widely. DoD’s official estimate for a small entity Level 2 C3PAO certification assessment and affirmations is $104,670 over three years, but that estimate assumes the contractor has already implemented the underlying NIST SP 800-171 requirements.

At Squared Compass, we have found that many CMMC struggles are not caused by ignoring the rules. They are caused by doing the right things in the wrong order.


The CMMC Implementation Gap: Why the Hardest Part Happens Before the Assessment

For many small defense contractors, CMMC feels like opening a simple home repair project and discovering there is plumbing behind the drywall, electrical from three decades ago, and a mysterious wire that nobody wants to touch.

At first, the task sounds manageable: protect Federal Contract Information and Controlled Unclassified Information. Then the practical questions start.

  • Where is our CUI?

  • Which systems are in scope?

  • Does our Microsoft environment meet the requirements?

  • What evidence do we need?

  • Is our MSP responsible for this, or are we?

  • Should we build a CUI enclave?

  • How much will certification cost?

  • When should we hire a C3PAO?

That space between the requirement and the real-world execution is the CMMC implementation gap.

The Department of Defense established the CMMC program to verify that contractors have implemented required security measures to safeguard FCI and CUI. CMMC requirements apply to many DoD solicitations and contracts where a contractor or subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems, with some exceptions such as acquisitions exclusively for commercially available off-the-shelf items.

That is the regulatory baseline.

The implementation problem is different.

CMMC tells contractors what must be protected and what will be assessed. But small businesses still need a practical roadmap for how to get from “we know this matters” to “we are ready for a C3PAO to evaluate us.”

That roadmap is where many contractors are stuck.

What Is the CMMC Implementation Gap?

The CMMC implementation gap is the disconnect between understanding CMMC requirements and knowing how to build a working, evidence-ready cybersecurity program.

Official CMMC materials explain the model, assessment expectations, scoping concepts, and certification paths. DoD’s CMMC resource page includes scoping guides, assessment guides, model overviews, SPRS guidance, eMASS materials, and implementation briefings.

That guidance is important. But many small businesses are not only asking, “What will an assessor check?”

They are asking:

  • What should we do first?

  • Who owns each control?

  • How do we identify CUI?

  • How do we define the assessment boundary?

  • What evidence should we collect?

  • Which Microsoft tools map to which requirements?

  • How do we avoid over-scoping the entire business?

  • How do we know when we are ready for a C3PAO?

This is the heart of the issue: auditors have assessment guidance; SMBs need implementation roadmaps.

At Squared Compass, we have found that small contractors often do understand the seriousness of CMMC. The struggle is usually not motivation. The struggle is sequencing.

  • They start buying tools before defining scope.

  • They write policies before understanding workflows.

  • They call assessors before organizing evidence.

  • They ask their MSP to “handle CMMC” before assigning internal ownership.

  • They treat the System Security Plan as paperwork instead of the operating map of the environment.

That creates cost, confusion, and avoidable delay.

Why This Matters Now

CMMC is no longer a future concern. DoD’s CMMC Phase 1 implementation began on November 10, 2025, and runs through November 9, 2026, with Phase 1 focused primarily on CMMC Level 1 and Level 2 self-assessments.

The DFARS CMMC rule now provides contracting procedures for including CMMC level requirements in DoD contracts. Under DFARS 204.7503, contracting officers check SPRS and are not to award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the level required by the solicitation, or higher, for each relevant CMMC UID.

That means CMMC is not merely a cybersecurity project. It is becoming a contract-readiness issue.

For small contractors, the risk is not just failing an assessment. The risk is waiting too long to understand what the assessment will require.

By the time a solicitation demands a specific CMMC status, a contractor may need to have already completed scoping, implementation, evidence collection, remediation, affirmation, and possibly third-party assessment. Compressing that work into a last-minute sprint is not a strategy. It is a recipe for expensive panic.

And panic is rarely a compliant control.

The Wrong First Question: “Which C3PAO Should We Hire?”

A C3PAO is a CMMC Third Party Assessment Organization. For CMMC Level 2 certification assessments, an authorized or accredited C3PAO performs the assessment in accordance with NIST SP 800-171A and the CMMC Level 2 scoping requirements.

That role matters. But it is important to understand what a C3PAO is not.

  • A C3PAO is not your implementation team.

  • A C3PAO is not your policy writer.

  • A C3PAO is not your MSP.

  • A C3PAO is not your evidence organizer.

  • A C3PAO is not there to discover foundational gaps for the first time and then help you fix them.

A C3PAO evaluates whether the scoped environment meets the required CMMC level. That is different from helping a contractor build the program.

This is why the better first question is not:

“Which C3PAO should we hire?”

The better first question is:

“Are we ready for a C3PAO to evaluate us?”

At Squared Compass, we have found that this shift in thinking changes the entire CMMC journey. Contractors become less reactive. They stop treating CMMC as a compliance fire drill and start treating it as an operating model.

Why Contractors Should Audit Readiness Before Engaging a C3PAO

A CMMC readiness audit is not the official certification assessment. It is a preparation exercise designed to answer one practical question:

Where are we today compared with where we need to be?

A good readiness audit gives leadership a clear view of:

  • CMMC level applicability

  • FCI and CUI handling

  • Assessment scope

  • Asset inventory

  • System Security Plan maturity

  • Control implementation status

  • Evidence quality

  • Technical gaps

  • Documentation gaps

  • Ownership gaps

  • Remediation cost

  • Timeline to assessment readiness

  • Go/no-go readiness for a C3PAO

This matters because a C3PAO assessment should validate readiness, not reveal basic program unknowns.

The best time to discover that your CUI is flowing through unmanaged file shares is before the formal assessment. The best time to discover that your SSP does not match your environment is before an assessor is asking questions. The best time to discover that your MSP cannot provide needed evidence is before the evidence request is live.

A readiness audit is the difference between walking into an assessment with a map and walking in with vibes.

The Most Common CMMC Readiness Gaps for SMB Contractors

1. Contractors Do Not Know Where Their CUI Lives

CMMC starts with information. Before a contractor can define scope or select controls, it has to understand what information it handles.

  • Does the business process FCI?

  • Does it process CUI?

  • Where does the data come from?

  • Where does it go?

  • Who touches it?

  • Which systems store it?

  • Which subcontractors receive it?

  • Is it marked correctly?

  • Is it mixed into ordinary business systems?

This is where many small contractors underestimate the work.

CUI often moves through email, shared drives, engineering systems, cloud storage, collaboration platforms, accounting workflows, ticketing systems, backups, and subcontractor exchanges. It does not politely stay in the one folder where everyone hoped it would stay.

A readiness audit should create a data-flow map showing how FCI and CUI enter, move through, and leave the organization.

Without that map, scope becomes guesswork.

And if scope is guesswork, cost is guesswork too.

2. The Assessment Boundary Is Too Broad, Too Narrow, or Undefined

CMMC Level 2 scoping requires contractors to define the assessment scope before assessment. Level 2 scoping includes asset categories such as CUI assets, security protection assets, contractor risk-managed assets, specialized assets, and out-of-scope assets.

This is where many contractors make one of two mistakes.

The first mistake is over-scoping. They assume the whole company must be brought into the same compliance boundary, even when CUI only touches a smaller part of the business.

The second mistake is under-scoping. They exclude systems that support, protect, connect to, or influence the CUI environment.

Both mistakes are expensive.

A readiness audit should help determine whether the contractor needs an enterprise-wide approach or a CUI enclave.

An enterprise-wide approach may make sense when CUI is embedded across the business. A CUI enclave may make sense when only a small group of users, systems, or contracts handle CUI.

Neither answer is automatically right. The right answer depends on data flows, user workflows, technical architecture, contract requirements, cost tolerance, and operational discipline.

The key is to decide intentionally.

3. Contractors Assume Tools Equal Compliance

Buying tools is not the same as implementing controls.

A contractor may have Microsoft 365, Entra ID, Defender, Intune, Purview, backup tools, endpoint protection, vulnerability scanning, and an MSP. Those tools can be valuable. But CMMC is not satisfied by a receipt.

For each control, the contractor needs to show that the requirement is implemented, operating, owned, documented, and evidenced.

For example, it is not enough to say, “We have MFA.”

A readiness audit should ask:

  • Is MFA enforced for all in-scope users?

  • Is MFA enforced for privileged accounts?

  • Are legacy authentication methods disabled?

  • Are conditional access policies configured?

  • Are exceptions documented and approved?

  • Are logs retained?

  • Who reviews access?

  • How is onboarding handled?

  • How is offboarding handled?

  • What evidence proves all of this?

That same level of scrutiny applies to logging, endpoint protection, encryption, configuration management, incident response, media protection, vulnerability remediation, security awareness, and access control.

The question is not, “Do we own a tool?”

The question is, “Can we prove the control works?”
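The questions above can be answered from configuration rather than from a purchase order. The script below is an added example, not code from the original article or from Microsoft; it evaluates exported Conditional Access policies against the first four questions (MFA for all users, MFA for privileged roles, legacy authentication disabled, exceptions documented). The policy objects are constructed for this example and are assumed to follow the shape of the Microsoft Graph conditionalAccessPolicy resource (state, conditions.users, conditions.clientAppTypes, grantControls.builtInControls); export your own tenant's policies and adapt the field names if they differ. The weak "before" set and hardened "after" set are invented for illustration.

```python
"""
Conditional Access readiness check (added example, not from the original
article or from Microsoft). Policy dicts are assumed to follow the shape of
the Microsoft Graph conditionalAccessPolicy resource; the sample policies
below are constructed for this example and do not come from a real tenant.
"""
from __future__ import annotations
from typing import Iterable

ALL_USERS = "All"
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}           # "other" = legacy auth clients
MODERN_CLIENT_APPS = {"all", "browser", "mobileAppsAndDesktopClients"}


def _enforced(policy: dict) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") writes sign-in logs but blocks
    # nothing, so it is not evidence that the control operates.
    return policy.get("state") == "enabled"


def _users(policy: dict) -> dict:
    return policy.get("conditions", {}).get("users", {})


def _client_apps(policy: dict) -> set[str]:
    return set(policy.get("conditions", {}).get("clientAppTypes", []))


def _grants(policy: dict) -> set[str]:
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def _covers_all_users(policy: dict) -> bool:
    return ALL_USERS in _users(policy).get("includeUsers", [])


def mfa_for_all_users(policies: Iterable[dict]) -> bool:
    return any(_enforced(p) and _covers_all_users(p) and "mfa" in _grants(p)
               and _client_apps(p) & MODERN_CLIENT_APPS
               for p in policies)


def mfa_for_privileged_roles(policies: Iterable[dict]) -> bool:
    # A role-scoped policy is the direct answer; an all-users MFA policy also covers admins,
    # unless admins are excluded from it (exclusions surface in undocumented_exceptions).
    policies = list(policies)
    return mfa_for_all_users(policies) or any(
        _enforced(p) and _users(p).get("includeRoles") and "mfa" in _grants(p)
        for p in policies)


def legacy_auth_blocked(policies: Iterable[dict]) -> bool:
    return any(_enforced(p) and _covers_all_users(p) and "block" in _grants(p)
               and LEGACY_CLIENT_APPS <= _client_apps(p)
               for p in policies)


def undocumented_exceptions(policies: Iterable[dict], approved: set[str]) -> list[str]:
    # Every excluded user or group on an enforced policy must be on the approved-exception list.
    found: set[str] = set()
    for p in policies:
        if _enforced(p):
            found.update(_users(p).get("excludeUsers", []))
            found.update(_users(p).get("excludeGroups", []))
    return sorted(found - approved)


def readiness_report(policies: list[dict], approved_exceptions: Iterable[str] = ()) -> dict:
    return {
        "mfa_all_users": mfa_for_all_users(policies),
        "mfa_privileged": mfa_for_privileged_roles(policies),
        "legacy_auth_blocked": legacy_auth_blocked(policies),
        "undocumented_exceptions": undocumented_exceptions(policies, set(approved_exceptions)),
    }


# Constructed "before": MFA exists only in report-only mode and nothing blocks legacy auth.
WEAK_POLICIES = [
    {"displayName": "Require MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]

# Constructed "after": enforced MFA for everyone, enforced MFA for admin roles, legacy auth
# blocked, with one break-glass group excluded (which must then be documented and approved).
HARDENED_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["grp-breakglass"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for privileged roles", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"]},  # Global Administrator template ID
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print(readiness_report(WEAK_POLICIES))
    print(readiness_report(HARDENED_POLICIES, {"grp-breakglass"}))
```

The point of the report-only check is that a tenant can own the license, have a policy with "mfa" in it, and still not enforce MFA; the policy export is the evidence, and the script is the test that the evidence says what the SSP claims. The break-glass exclusion is deliberately left in the hardened set because it is normal practice; what the audit needs is the approved-exception record that makes the exclusion defensible.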

4. The SSP Does Not Match Reality

The System Security Plan is one of the most important documents in the CMMC journey. It should describe the system boundary, environment, roles, assets, data types, control implementation, inherited services, external service providers, and supporting evidence.

In practice, many SSPs fall into one of three categories:

  1. The SSP does not exist.

  2. The SSP exists but is outdated.

  3. The SSP exists but describes a world everyone wishes they lived in.

That third category is especially dangerous.

An SSP that does not match reality can create more problems than no SSP at all because it gives leadership a false sense of readiness. A polished document that says “access is reviewed quarterly” does not help if nobody can produce access review records.

At Squared Compass, we have found that the SSP works best when it is treated as the operating narrative of the environment, not a compliance artifact assembled at the end.

A readiness audit should compare the SSP against actual systems, actual configurations, actual workflows, and actual evidence.

The goal is not pretty paperwork. The goal is defensible alignment between what the organization says and what the organization does.

5. Evidence Is Collected Too Late

Evidence is where CMMC becomes real.

A contractor can have a policy, a tool, and a process. But if it cannot produce credible evidence, the control may still fail assessment scrutiny.

NIST SP 800-171A provides assessment procedures and a methodology for assessing the CUI security requirements in NIST SP 800-171. CMMC builds on that assessment discipline by requiring contractors to show that controls are not just designed but implemented and operating.

A readiness audit should create an evidence model before the formal assessment.

For each requirement, evidence may include:

  • Policies

  • Procedures

  • Configuration exports

  • Screenshots

  • System logs

  • Tickets

  • Review records

  • Training records

  • Risk decisions

  • Asset inventories

  • Access review evidence

  • Incident response test records

  • Vulnerability scan results

  • Remediation records

  • Interview preparation notes

For Level 2 certification assessments, hashed artifacts used as evidence must be retained by the contractor for six years from the CMMC Status Date.

That means evidence management is not a one-time scramble. It is part of the long-term CMMC operating model.

6. MSP Responsibility Is Misunderstood

Many small contractors rely on MSPs or MSSPs. That is normal. But outsourcing IT support does not outsource CMMC accountability.

If an MSP manages identity, endpoints, backups, logging, security tools, or cloud configurations, the contractor still needs to understand which CMMC requirements the MSP supports, what evidence the MSP can provide, and what responsibilities remain internal.

A readiness audit should clarify:

  • What does the MSP manage?

  • What does the contractor manage?

  • Which controls are shared?

  • Which evidence comes from the MSP?

  • How quickly can the MSP provide evidence?

  • Are service descriptions and responsibilities documented?

  • Are external service providers inside the assessment boundary?

  • Do contracts and procedures reflect actual responsibilities?

“Ask our MSP” is not an evidence strategy.

The MSP may be essential, but the contractor still owns the risk.

How Much Does CMMC Level 2 Certification Cost?

CMMC cost is one of the most common questions contractors ask, and it is also one of the hardest to answer cleanly.

The honest answer is: it depends on scope, current maturity, technical debt, documentation quality, number of users, number of systems, external service providers, cloud architecture, CUI flows, remediation needs, and how much work has already been done.

DoD’s official estimate for a small entity Level 2 C3PAO certification assessment and affirmations is $104,670 over three years. That includes a triennial assessment and affirmation plus two additional annual affirmations. The estimate also includes a C3PAO engagement cost of $31,234 for a three-person team over 120 hours.

However, the most important part of that estimate is the assumption behind it: DoD states there are no nonrecurring or recurring engineering costs associated with the Level 2 certification assessment estimate because it assumes the contractor has already implemented the NIST SP 800-171 Revision 2 security requirements.

That assumption is everything.

If a contractor has already implemented NIST SP 800-171, documented the environment, defined scope, built evidence, and maintained the program, the cost profile may be closer to assessment support and affirmation.

If a contractor is starting from an immature environment, the real first cycle cost can be much higher.

For many SMB contractors, a practical planning range for a first-cycle CMMC Level 2 effort may be $75,000 to $250,000+, depending on starting point and scope. That range is not an official government estimate. It is a planning range that reflects the broader work contractors often need before they are ready for formal assessment.

CMMC Cost Planning Table for SMB Contractors


The main takeaway is simple: the C3PAO assessment is only one part of the cost.

The larger cost may be everything required to become assessment ready.

This is why auditing first matters. A readiness audit turns “CMMC could cost anything” into a more useful answer: “Here is what it is likely to cost us.”

The Readiness Audit Framework: Where You Are Versus Where You Need to Be

A strong CMMC readiness audit should be practical, sequenced, and evidence-driven.

It should not be a generic questionnaire that produces a colorful dashboard and no clear next step. Contractors do not need more compliance confetti. They need a roadmap.

Step 1: Identify FCI and CUI

The first step is determining what information the contractor handles.

A readiness audit should review:

  • Active DoD contracts

  • Subcontracts

  • Statements of work

  • CDRLs

  • DD Form 254s, if applicable

  • CUI markings

  • File repositories

  • Email flows

  • Engineering systems

  • Manufacturing systems

  • Collaboration platforms

  • Subcontractor exchanges

The output should be a data flow map showing where FCI and CUI enter, move, reside, and exit.

This is the foundation for everything else.

Step 2: Determine the Required CMMC Level

CMMC Level 1, Level 2, and Level 3 have different requirements and assessment paths.

DoD describes Level 2 as broad protection of CUI, requiring either a self-assessment or an independent assessment by an authorized C3PAO every three years, as specified in the solicitation. Level 2 includes annual affirmation and verification against the 110 security requirements in NIST SP 800-171 Revision 2.

For many contractors handling CUI, Level 2 is the key concern. But contractors should not assume. The required CMMC level should be tied to the contracts, data, and solicitation requirements.

Step 3: Define the Assessment Scope

Once data flows and level requirements are understood, the contractor should define the assessment boundary.

This includes:

  • Users

  • Workstations

  • Servers

  • Cloud services

  • Identity systems

  • Security protection assets

  • Backup systems

  • Network devices

  • External service providers

  • Subcontractor touchpoints

  • Out-of-scope systems and justification

This is where the enterprise versus enclave decision should be made.

A readiness audit should not only define scope. It should test whether the scope is realistic.

Step 4: Build the Asset Inventory

The asset inventory should connect systems to data, users, control responsibilities, and evidence.

For each asset, ask:

  • Does it process, store, or transmit CUI?

  • Does it protect CUI assets?

  • Is it connected to the CUI environment?

  • Who administers it?

  • What logs does it produce?

  • What configuration evidence exists?

  • What policy governs it?

  • Is it included in the SSP?

  • Is it truly out of scope, or just inconvenient?

You cannot defend a boundary you cannot explain.

Step 5: Review the SSP

The SSP should tell the truth about the environment.

A readiness audit should review whether the SSP accurately describes:

  • System boundary

  • Data types

  • In-scope assets

  • In-scope users

  • Network architecture

  • Cloud services

  • Control implementation

  • Inherited controls

  • External service providers

  • Evidence sources

  • Known gaps

  • POA&M items

If the SSP is outdated, vague, or aspirational, it should be fixed before a C3PAO assessment.
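Steps 4 and 5 are the same check seen from two sides: the inventory says what exists, the SSP says what the organization claims exists. The script below is an added example, not code from the original article or from the CMMC scoping guide; it classifies constructed inventory records into the five Level 2 asset categories the guide names and then reports the drift an assessor would find: in-scope assets absent from the SSP, assets with no administrator, and CUI or security protection assets that produce no logs. The record fields, asset names, and the rule that treats a connected asset with no CUI-prohibiting policy as a CUI asset are assumptions of this example.

```python
"""
Asset scoping and SSP drift check (added example, not from the original
article or from the CMMC scoping guide itself). Inventory records and their
field names are constructed for this example; the categories are the five the
Level 2 scoping guide names.
"""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

CUI_ASSET = "CUI Asset"
SPA = "Security Protection Asset"
CRMA = "Contractor Risk Managed Asset"
SPECIALIZED = "Specialized Asset"
OUT_OF_SCOPE = "Out-of-Scope Asset"


@dataclass
class Asset:
    name: str
    owner: str = ""                         # who administers it; blank is an ownership gap
    handles_cui: bool = False               # processes, stores or transmits CUI
    protects_cui: bool = False              # security function for the CUI environment (IdP, EDR, SIEM, backups)
    connected_to_cui_env: bool = False      # reachable from, or by, CUI assets
    cui_prohibited_by_policy: bool = False  # policy, procedure and practice keep CUI off it
    specialized: bool = False               # OT, IoT, GFE, restricted IS, test equipment
    produces_logs: bool = False
    in_ssp: bool = False


def categorize(a: Asset) -> str:
    # Precedence matters. Specialized assets are checked first because they may handle CUI
    # yet are assessed differently; then actual CUI handling; then protection; then
    # "could handle CUI but policy keeps it off" (CRMA).
    if a.specialized:
        return SPECIALIZED
    if a.handles_cui:
        return CUI_ASSET
    if a.protects_cui:
        return SPA
    if a.connected_to_cui_env:
        # Assumption of this example: a connected asset with no policy keeping CUI off it
        # is treated as a CUI Asset, the conservative reading.
        return CRMA if a.cui_prohibited_by_policy else CUI_ASSET
    return OUT_OF_SCOPE


def scope_summary(inventory: list[Asset]) -> dict[str, int]:
    return dict(Counter(categorize(a) for a in inventory))


def findings(inventory: list[Asset]) -> dict[str, list[str]]:
    """Gaps an assessor would find: in-scope assets missing from the SSP, unowned, or silent."""
    out: dict[str, list[str]] = {"missing_from_ssp": [], "no_owner": [], "no_logs": []}
    for a in inventory:
        cat = categorize(a)
        if cat == OUT_OF_SCOPE:
            continue
        if not a.in_ssp:
            out["missing_from_ssp"].append(a.name)
        if not a.owner:
            out["no_owner"].append(a.name)
        if cat in (CUI_ASSET, SPA) and not a.produces_logs:
            out["no_logs"].append(a.name)
    return out


SAMPLE_INVENTORY = [  # constructed for this example
    Asset("fs01", owner="IT", handles_cui=True, produces_logs=True, in_ssp=True),
    Asset("entra-id", owner="IT", protects_cui=True, produces_logs=True, in_ssp=True),
    Asset("laptop-eng-07", handles_cui=True, produces_logs=True, in_ssp=False),
    Asset("cnc-mill-2", owner="Shop", handles_cui=True, specialized=True, in_ssp=True),
    Asset("hr-share", owner="HR", connected_to_cui_env=True, cui_prohibited_by_policy=True, in_ssp=False),
    Asset("backup-nas", owner="MSP", handles_cui=True, produces_logs=False, in_ssp=True),
    Asset("marketing-web", owner="Marketing", in_ssp=False),
]

if __name__ == "__main__":
    print(scope_summary(SAMPLE_INVENTORY))
    print(findings(SAMPLE_INVENTORY))
```

Two things in the sample are worth noticing. The engineering laptop is a CUI asset that nobody owns and the SSP does not mention; that is exactly the "described a world everyone wishes they lived in" problem. The HR share is a Contractor Risk Managed Asset only because a policy keeps CUI off it, so the policy and the evidence that people follow it are what keep that asset out of the full control set.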

Step 6: Test Control Implementation

For each applicable requirement, the readiness audit should evaluate whether the control is:

  • Implemented

  • Documented

  • Operating

  • Evidenced

  • Assigned to an owner

  • Reviewed on a recurring cadence

This should include both technical and procedural controls.

For example, access control is not only a configuration issue. It involves user approval, account provisioning, privileged access, account removal, periodic review, logging, exception handling, and evidence.

Likewise, incident response is not just a document. It requires roles, procedures, reporting expectations, testing, lessons learned, and records.

Step 7: Organize Evidence

The readiness audit should create an evidence library organized by control family and requirement.

A simple evidence structure might include:

  • Access Control

  • Awareness and Training

  • Audit and Accountability

  • Configuration Management

  • Identification and Authentication

  • Incident Response

  • Maintenance

  • Media Protection

  • Personnel Security

  • Physical Protection

  • Risk Assessment

  • Security Assessment

  • System and Communications Protection

  • System and Information Integrity

Each folder should contain the policies, procedures, screenshots, exports, tickets, logs, reports, and review records needed to support the control.

The goal is not just to collect evidence. The goal is to know whether the evidence is current, relevant, complete, and tied to the control being assessed.
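An evidence library that is only a folder tree cannot answer "is this the artifact we were assessed on?" six years later, which is what the retention rule for hashed artifacts (see the evidence section above) asks of you. The script below is an added example, not code from the original article or from any CMMC tool; it builds a SHA-256 manifest over a library laid out as family/requirement/artifact, reports which requirements have no artifact at all, and later verifies the library against the stored manifest, flagging files that were modified, deleted, or added after collection. The directory layout, file names and contents are constructed; the requirement folder names use the CMMC practice ID format (for example AC.L2-3.1.1).

```python
"""
Evidence library manifest (added example, not from the original article).
Layout assumed: <root>/<control family>/<requirement id>/<artifact>. Sample
artifacts are constructed; the requirement IDs use the CMMC practice ID format.
"""
from __future__ import annotations
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _artifacts(root: Path) -> list[Path]:
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(root: Path) -> dict[str, dict]:
    """Hash every artifact and record which family/requirement it supports."""
    entries: dict[str, dict] = {}
    for path in _artifacts(root):
        rel = path.relative_to(root)
        if len(rel.parts) < 3:
            # An artifact not filed under family/requirement cannot be tied to a control.
            raise ValueError(f"unfiled artifact: {rel.as_posix()}")
        entries[rel.as_posix()] = {
            "sha256": sha256_file(path),
            "family": rel.parts[0],
            "requirement": rel.parts[1],
        }
    return entries


def write_manifest(root: Path, entries: dict) -> None:
    (root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))


def verify_manifest(root: Path, entries: dict) -> dict[str, list[str]]:
    """Recompute hashes and report what changed since collection."""
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, meta in entries.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
        elif sha256_file(path) != meta["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    present = {p.relative_to(root).as_posix() for p in _artifacts(root)}
    result["unlisted"] = sorted(present - entries.keys())
    return result


def uncovered(entries: dict, required: set[str]) -> list[str]:
    """Requirement IDs with no artifact filed at all."""
    return sorted(required - {m["requirement"] for m in entries.values()})


SAMPLE_FILES = {  # constructed evidence library
    "AC/AC.L2-3.1.1/access-review-2025Q4.csv": b"user,reviewed_by,date\n",
    "AC/AC.L2-3.1.1/ac-policy-v3.pdf": b"%PDF-constructed%",
    "IA/IA.L2-3.5.3/conditional-access-export.json": b"{}",
}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        entries = build_manifest(root)
        write_manifest(root, entries)
        # What can happen between collection and the assessor's evidence request:
        (root / "AC/AC.L2-3.1.1/ac-policy-v3.pdf").write_bytes(b"%PDF-edited%")     # silently revised
        (root / "IA/IA.L2-3.5.3/conditional-access-export.json").unlink()            # deleted
        (root / "AC/AC.L2-3.1.1/notes.txt").write_bytes(b"added after the fact")      # never hashed
        stored = json.loads((root / MANIFEST_NAME).read_text())
        return {
            "entries": entries,
            "verify": verify_manifest(root, stored),
            "uncovered": uncovered(entries, {"AC.L2-3.1.1", "IA.L2-3.5.3", "AU.L2-3.3.1"}),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is only as trustworthy as its own storage: keep a copy outside the evidence share (in the assessment ticket, or in the SSP change record) so that someone who can edit an artifact cannot also rewrite its hash. The uncovered list is the cheapest readiness signal in the whole exercise; a requirement with no folder is a requirement nobody has collected evidence for yet.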

Step 8: Build the Remediation Roadmap

After gaps are identified, the contractor needs a prioritized plan.

Not all gaps are equal.

  • Some are documentation gaps.

  • Some are technical configuration gaps.

  • Some are ownership gaps.

  • Some are process gaps.

  • Some are architecture gaps.

  • Some are budget gaps.

  • Some are cultural gaps, which is a polite way of saying people are still doing things the old way because the old way was easier.

A good remediation roadmap should include:

  • Gap description

  • Related CMMC requirement

  • Risk level

  • Business impact

  • Required action

  • Control owner

  • Supporting vendor or MSP

  • Estimated cost

  • Target completion date

  • Evidence required

  • Dependency notes

The roadmap should help leadership answer: What do we fix first, what can wait, what will cost the most, and what must be done before engaging a C3PAO?

Step 9: Decide Whether POA&M Is a Safety Valve or a Risk

For Level 2, a POA&M is permitted only within the limits the CMMC rule sets: only certain requirements may be left open, and the overall assessment score must still meet the minimum threshold. For Level 2 self-assessment, if a Conditional Level 2 status includes a POA&M, the organization must remediate the NOT MET requirements, perform a POA&M closeout self-assessment, and post the results to SPRS within 180 days. If the POA&M is not closed within that timeframe, the Conditional status expires.

For a Level 2 certification assessment, if a POA&M exists, a C3PAO must perform a POA&M closeout certification assessment within 180 days of the Conditional CMMC Status Date.

In plain English: POA&M is not a strategy for avoiding hard work. It is a controlled mechanism with rules, limits, and deadlines.

Do not build the plan around “we will POA&M that later.” That is like planning a road trip around the spare tire.

Step 10: Make the Go/No-Go Decision for C3PAO Engagement

Before engaging a C3PAO for a formal Level 2 certification assessment, a contractor should be able to answer yes to most of these questions:

  • Have we confirmed the required CMMC level?

  • Have we identified where FCI and CUI live?

  • Have we defined the assessment boundary?

  • Have we inventoried in-scope assets?

  • Have we reviewed and updated the SSP?

  • Have we mapped controls to evidence?

  • Have we remediated high-priority gaps?

  • Have we clarified MSP and external provider responsibilities?

  • Have we built an evidence library?

  • Have we conducted an internal or third-party readiness review?

  • Have control owners prepared for interviews?

  • Have leadership and the affirming official reviewed the risk?

  • Do we know the likely cost and timeline to complete assessment?

If the answer is mostly no, the contractor is probably not ready for a C3PAO assessment.

That is not failure. That is useful information.

The readiness audit has done its job.

CMMC Is Not a Checklist. It Is an Operating Model.

One of the biggest mistakes contractors make is treating CMMC as a one-time compliance event.

CMMC is not just about passing an assessment. It is about maintaining a security posture that can be demonstrated over time.

  • That means assigning control owners.

  • Refreshing evidence.

  • Reviewing access.

  • Testing incident response.

  • Updating policies.

  • Monitoring logs.

  • Managing vulnerabilities.

  • Training users.

  • Controlling CUI movement.

  • Tracking subcontractor risk.

  • Maintaining the SSP.

  • Reaffirming compliance when required.

This is why the phrase “CMMC made easy” usually misses the mark.

CMMC should not be made “fake easy”. It should be made operational.

At Squared Compass, we have found that the contractors who make the most progress are the ones who stop treating CMMC as a mystery and start treating it as a managed business process. They define the current state, identify the target state, sequence the work, assign owners, and build evidence habits before the formal assessment.

That approach does not eliminate the work.

It makes the work visible.

And visible work is manageable work.

What Small Contractors Should Do Before Calling a C3PAO

Before hiring a C3PAO, small contractors should complete a readiness audit that answers these questions:

  1. What contracts require CMMC, and at what level?

  2. Do we handle FCI, CUI, or both?

  3. Where does CUI enter, move, reside, and exit?

  4. Which systems and users are in scope?

  5. Are we using an enterprise-wide approach or a CUI enclave?

  6. Do we have a complete and accurate asset inventory?

  7. Does our SSP reflect reality?

  8. Are the 110 Level 2 requirements implemented, if Level 2 applies?

  9. Do we have evidence for each requirement?

  10. Are MSP and external provider responsibilities documented?

  11. What gaps remain?

  12. What will remediation cost?

  13. What is our realistic assessment timeline?

  14. Are we ready for a C3PAO to validate the program?

That last phrase matters: validate the program.

A C3PAO should not be the first organization to tell you whether your CMMC program exists in a defensible form.

FAQ: CMMC Implementation Gap and Readiness Audits

What is the CMMC implementation gap?

The CMMC implementation gap is the difference between knowing what CMMC requires and knowing how to build, document, operate, and prove a compliant cybersecurity program. Many small contractors understand the assessment requirements but need a practical roadmap for CUI discovery, scoping, asset inventory, control implementation, evidence collection, remediation, and C3PAO readiness.

Should we hire a C3PAO first?

Usually, no. A contractor should generally conduct a readiness audit before engaging a C3PAO for a formal certification assessment. A readiness audit helps identify scope, evidence gaps, technical gaps, documentation gaps, remediation costs, and whether the organization is actually ready to be assessed.

What should a CMMC readiness audit include?

A CMMC readiness audit should include CMMC level determination, FCI and CUI identification, data-flow mapping, scope definition, asset inventory, SSP review, control-by-control gap analysis, evidence review, MSP responsibility review, remediation planning, cost forecasting, and a go/no-go recommendation for C3PAO engagement.

How much does CMMC Level 2 certification cost?

DoD estimates that a small entity Level 2 C3PAO certification assessment and affirmations cost $104,670 over three years, including the triennial assessment and annual affirmations. However, that estimate assumes the contractor has already implemented NIST SP 800-171 Revision 2. Contractors that still need remediation, documentation, tooling, scoping, and evidence development may need to budget significantly more.

What is the biggest CMMC mistake small contractors make?

The biggest mistake is treating CMMC as a checklist or a tool purchase. CMMC requires a working operating model: defined scope, assigned owners, implemented controls, accurate documentation, recurring reviews, and defensible evidence.

Is an MSP responsible for CMMC compliance?

An MSP may support CMMC implementation and operations, but the contractor remains accountable for its CMMC status. Contractors should document which controls the MSP supports, what evidence the MSP provides, and which responsibilities remain internal.

What is better: a CUI enclave or enterprise-wide compliance?

It depends on how the business handles CUI. A CUI enclave can reduce scope if CUI is limited to specific users and workflows. Enterprise-wide compliance may be better if CUI is deeply embedded across operations. A readiness audit should help determine which approach is realistic, defensible, and cost-effective.

When are we ready for a C3PAO?

A contractor is closer to C3PAO readiness when it has confirmed the required CMMC level, mapped CUI flows, defined scope, inventoried assets, updated the SSP, implemented controls, organized evidence, remediated high-priority gaps, clarified MSP responsibilities, and completed a mock or readiness assessment.

Final Thought: Audit First, Assess Later

CMMC is not just a cybersecurity standard. It is a test of whether a contractor can protect sensitive government information in a repeatable, evidence-driven way.

For small contractors, the most expensive mistake may be approaching CMMC in the wrong order.

Do not start by asking how quickly you can hire a C3PAO.

Start by asking whether you understand your current state.

  • Where is your CUI?

  • What is in scope?

  • What controls are implemented?

  • What evidence exists?

  • What gaps remain?

  • What will remediation cost?

  • Who owns the work?

  • When will you actually be ready?

At Squared Compass, we have found that CMMC readiness improves dramatically when contractors stop asking, “How soon can we call an assessor?” and start asking, “Do we know our environment well enough to survive an assessment?”

That is the real implementation gap.

And closing that gap before the formal assessment may be the difference between a controlled certification effort and a very expensive surprise.

Need to get CMMC certified, but do not want to spend thousands of dollars just getting started? Reach out to us.
