CMMC is no longer a “someday” requirement. The Department of Defense finalized the CMMC program rule in 32 CFR Part 170 (effective Dec 16, 2024), and the 48 CFR (DFARS) acquisition rule that flows CMMC into contracts was published in September 2025 and takes effect November 10, 2025. From that date, new DoD solicitations can begin carrying CMMC requirements, phased in over the following years.
For defense contractors seeking Level 2 certification, the biggest risks aren’t exotic technical gaps—they’re scope mistakes, misaligned service providers, and audit-day surprises. With more than 200,000 suppliers in the Defense Industrial Base and at least 80,000 expected to require Level 2 certification, assessor capacity is already stretched thin.
To help contractors prepare, Omnistruct recently hosted Inside the Audit Room: Real Reasons DIB Contractors Fail CMMC, featuring John Riley of Omnistruct and Eric Levitas of ControlCase, a C3PAO. Their guidance offers a practical roadmap for passing CMMC Level 2 the first time.
Why this time is different
“The can is no longer kicked,” says Eric Levitas. “CMMC is real… and primes can set requirements now.” When a prime inserts Level 2 certification into its subcontractor requirements, readiness isn’t optional—it’s the cost of staying in the supply chain.
John Riley explains the cultural shift: “There’s no self-attestation for Level 2. You have to be culturally ready—and if you’re just doing this to try and pass the audit, you’re going to fail.”
The days of paper checkboxes are over. CMMC was created because self-attestation failed to protect sensitive defense data. Now, contractors must prove their controls work—with evidence.
The #1 Reason Contractors Stumble: Scope Gaps and Lack of Readiness
Most failures don’t happen because organizations are incapable of meeting the controls. They happen because the readiness foundation is weak. Contractors go into the process thinking it’s like a quick ISO audit or that an MSP’s assurances will carry the weight. But CMMC Level 2 is different: assessors follow a strict roadmap, and they are looking for tangible evidence tied to every control objective.
Eric Levitas put it bluntly: “It’s less about failing and more about not being ready. There’s a shock factor when the assessor asks for something that’s been published in the process all along, and the organization can’t produce it.”
This lack of readiness usually shows up in three predictable ways:
- Unclear scope. Contractors struggle to define where CUI lives, who touches it, and whether their environment is an enclave, enterprise-wide, cloud, hybrid, or on-prem.
- Missing evidence. Policies exist, but proof—like logs, tickets, or signed training records—can’t be tied directly to the control objectives.
- Unassigned responsibilities. Staff and vendors can’t articulate ownership when auditors ask. CAP requires clear role accountability.
In practice, this is why mock assessments are so critical. They force the organization to rehearse scope, gather evidence, and practice role ownership before a real C3PAO is in the room. Think of it as the dress rehearsal before opening night—if your team doesn’t know its lines, the play falls apart.
John Riley underscored this with a warning: “If you’re asked a specific question, don’t overshare. Stick to the script. Oversharing can expand your scope in the middle of the audit.”
Failing CMMC Level 2 rarely comes down to technology gaps. It comes down to whether leadership invested the time to get the organization ready, clarify boundaries, and validate evidence against each control. When readiness is sloppy, failure becomes inevitable.
The Service Provider Trap: MSPs and CSPs in CMMC Level 2 Audits
A major source of failure is trusting service providers’ claims without verifying them.
If your cloud service provider (CSP) stores, processes, or transmits CUI, it must hold a FedRAMP Moderate (or higher) authorization, or meet the DoD CIO's FedRAMP Moderate equivalency requirements (which call for a 3PAO-validated body of evidence, not a vendor's own statement). An authorization can be verified on the FedRAMP Marketplace; an equivalency claim cannot, so ask for the 3PAO evidence. If you use an MSP or MSSP that does not handle CUI, it may not need FedRAMP or its own CMMC Level 2 certification. Its services are still assessed as part of your environment, so it must show alignment with the NIST SP 800-171 controls it performs for you through shared responsibility documentation. Assessors will require evidence such as a Customer Responsibility Matrix (CRM) or Shared Responsibility Matrix (SRM).
Eric Levitas: “Validate your external service providers—and get a third party to validate them. Any player in that environment can cause the play to go awry.”
How to avoid the trap:
- Classify providers correctly. Use the DoD CMMC Level 2 Scoping Guide to determine whether an external service provider processes, stores, or transmits CUI, or only Security Protection Data (SPD), and document each provider's assets as CUI Assets or Security Protection Assets accordingly. The answer determines what the provider must prove.
- Collect proof. Request the FedRAMP Marketplace listing (or equivalency evidence), SOC 2 or PCI reports where relevant, or the provider's own CMMC certification, plus CRMs/SRMs mapped into your SSP. A SOC 2 or PCI report is supporting evidence only; it does not substitute for FedRAMP Moderate when the provider touches CUI.
- Don’t rely on inheritance. A vendor’s certification covers their environment—not yours. You must show how their services meet your controls.
Inside the Audit Room: Real Questions Assessors Ask at Level 2
Walking into a CMMC Level 2 audit isn't like sitting down for a quick certification. Assessors are bound by the CMMC Assessment Process (CAP) published by The Cyber AB (CAP v2.0), which lays out the methodology for every control and assessment objective. That means they aren't improvising; they're following a defined script.
Eric Levitas shared that assessors typically begin with three scope-defining questions:
- Who are your external service providers (ESPs)? Which MSPs, MSSPs, or CSPs are in play, and what tools are in scope?
- What’s your IT footprint for CUI? Cloud, hybrid, or on-prem? Is data ever printed, and if so, how is it secured?
- Is this an enclave? If so, how is it separated from the broader enterprise, and how is access restricted?
But those are only the opening lines of what can become a very tough performance. The CMMC Level 2 Assessment Guide (DoD CIO – Assessment Guides) requires assessors to dig deeper using a combination of document review, interviews, and tests. Contractors are often caught off guard by the level of detail. Here are examples of other questions an assessor may ask during the process:
- Asset management: Can you show me a current inventory of all systems that store, process, or transmit CUI? How do you classify those assets?
- Access control: Who approves new user accounts? Show me the logs of recent account creations and terminations. How often are privileged accounts reviewed?
- Incident response: Walk me through your incident response plan. When was your last tabletop exercise? Can I see the report?
- Audit and accountability: Where are your system logs stored? How long do you retain them? Show me how you monitor for unauthorized access attempts.
- Configuration management: How do you test patches before deployment? Can you show me change management records for the last system update?
- Physical security: Who has badge access to areas where CUI is stored? Show me your visitor logs for the last 90 days.
- Training and awareness: When was the last time staff received security awareness training specific to CUI? Show me completion records.
- Vendor management: Do you have shared responsibility matrices (SRMs) for each external service provider? How do you verify they meet their assigned controls?
- Documentation consistency: Your System Security Plan (SSP) says you encrypt laptops at rest. Can you demonstrate one?
These questions aren’t theoretical—they come directly from the control objectives that assessors must verify. The key challenge isn’t the surprise of the question but the organization’s ability to put the right person and the right evidence in front of the auditor immediately. That’s why mock assessments and evidence indexing are critical. They prepare your staff for what’s coming, ensure documentation is easy to find, and prevent audits from turning into fire drills. As John Riley put it, “Don’t try to be the smartest person in the room. Stick to the script. Oversharing can expand your scope in the middle of the audit.” Riley likens it to a stage production: “As the CISO, you are the director of the play. Curtain up, curtain down—you decide who speaks when. If you don’t rehearse, your team won’t know their lines.”
Bottom line: a CMMC Level 2 audit isn’t easy. It’s not a checkbox exercise. It’s a structured, evidence-driven evaluation of how your organization protects sensitive defense data—and the difference between passing and failing often comes down to preparation.
What Happens if You Fail—or Have a “False Start”?
No contractor wants to talk about failure, but it’s a real risk. Under the CMMC Assessment Process (CAP), assessors are required to log results in the DoD’s Enterprise Mission Assurance Support Service (eMASS). If your organization fails, that outcome becomes part of the official record. There’s no “do-over” without consequences.
CMMC does allow limited flexibility. The CAP provides a short deficiency-correction window (on the order of 10 business days) for minor findings identified during the assessment, and a conditional certification with a Plan of Action & Milestones (POA&M) is possible, but only if the assessment scores at least 88 of 110 points, no 5-point practice is left open (with narrow exceptions defined in the rule), and every POA&M item is closed through a closeout assessment within 180 days. If you miss those thresholds, or the POA&M expires, you will need to remediate, reapply, and get back into the queue for a full reassessment. That queue is already crowded, with many C3PAOs booking months in advance.
Imagine this scenario:
- You fail in June.
- Remediation takes 90 days to update policies, reconfigure systems, and retrain staff.
- You reapply in September, only to find the next open assessment slot is December.
- Meanwhile, contract opportunities requiring CMMC Level 2 are flowing into solicitations starting November 2025 (DefenseScoop, Dec 2024).
That’s not just an inconvenience—it could mean losing out on contracts for months or even years. Eric Levitas made this point clear: “If you fail, getting back into a queue costs you time you don’t have. That’s why mock assessments and readiness partners are critical.”
The scale of the challenge is huge. According to the Government Accountability Office (GAO), the Defense Industrial Base includes more than 200,000 suppliers, and the DoD estimates at least 80,000 will need Level 2 certification. With so many organizations chasing limited assessor availability, the bottleneck is inevitable. This is why the big picture isn’t just about passing—it’s about being ready early, so you don’t risk falling to the back of the line when the stakes are highest. John Riley put it bluntly, “You have to be ready culturally. If you’re just doing this for the audit, you’ll fail.”
Key takeaways for contractors:
- Passing isn’t guaranteed. A single gap in evidence or scope can stall certification.
- Remediation eats time. Even minor fixes extend the process by weeks or months.
- Queues are real. C3PAOs are booking assessments months ahead—if you miss your slot, you wait.
- Contract flow-down is coming. With CMMC enforcement built into DFARS via the 48 CFR rule effective November 10, 2025, primes will demand proof of certification. The rollout is phased: the first phase centers on self-assessments, with Level 2 C3PAO certification requirements expanding in later phases, but DoD retains discretion to require C3PAO certification in earlier solicitations, and primes may flow it down sooner.
The bottom line: failing isn’t just about compliance—it’s about competitiveness. Contractors who wait until the last minute may find themselves locked out of opportunities their competitors are ready to seize.
Ready to Pass the First Time?
Omnistruct helps defense contractors build the program, rehearse the play, and walk into the audit with confidence—including scope design, enclave strategy, ESP validation, and mock assessments aligned to CAP and DoD Assessment Guides. Talk to our team today about your CMMC readiness.