Lessons Learned: CMMC Level 2 Assessments
Compiled from firsthand accounts on r/CMMC, 2025-2026. Every entry has a source. Prioritized: firsthand accounts > community consensus > speculation.
What WORKED
1. Front-Load Evidence Collection
- Providing evidence to the C3PAO AHEAD of the assessment dramatically cuts assessment time
- One org with ~80 pre-submitted artifacts cut their Access Control session from 2 hours to 45 minutes
- An org that prepared for 18 months finished its full assessment in 3 days plus 1 hour (assessors called them "best prepared ever")
- Action: Build an evidence locker organized by domain/control BEFORE scheduling assessment
- Sources:
- mcb1971 in megathread (2026-01)
- https://old.reddit.com/r/CMMC/comments/1qq8prg/ (2026-01-29)
2. Separate Policy Docs Per Domain (Not One Big Doc)
- mcb1971 (110/110): Created separate policy/procedure documents for each of the 14 domains
- Easier implementation, easier tracking, easier to present to assessors
- Some controls overlap domains; that's fine, cross-reference between docs
- Contrast: ComplianceForge's massive all-in-one docs freeze Word and overwhelm small teams
- Source: megathread (2025-11)
3. Know Your Scope / CUI Flow First
- "YOU MUST KNOW WHERE THE CUI COMES FROM, GOES TO, AND WHERE IT'S PROCESSED"
- Scoping is the #1 reason organizations fail to get assessed (per Navyauditor2, assessment veteran)
- Don't say "everything is in scope"; that's almost never true and makes everything harder
- Build a data flow diagram before anything else
- Sources:
- lotsofxeons megathread comment (2025)
- Navyauditor2 in https://old.reddit.com/r/CMMC/comments/1qd79o6/ (2026-01)
4. Leverage Microsoft Inheritance (GCC High)
- On GCC High, ~30-40% of controls are fully inherited from Microsoft
- Significant additional portion is partial inheritance (Microsoft covers technical, you document your side)
- Key resources: Appendix J + Microsoft CMMC Implementation Guide
- Get Azure-specific Appendix J separately
- Don't just assume inherited = done; document the inheritance (the customer responsibility matrix, CRM, from Microsoft) and verify your side of each shared control
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03-09, Kieri client)
5. Documentation is 70% of the Work
- Controls aren't that hard; documentation is the killer
- "Almost everything you do has to be backed by a policy or procedure that people need to learn and follow like a bible"
- People sitting through the audit must know the policies; assessors will ask
- Most common stumble: policy or procedure that doesn't back up a control implementation
- Assessor (Adminvb292929) who witnessed 12 assessments: this was the pattern across all of them
- Source: https://old.reddit.com/r/CMMC/comments/1qd79o6/ (2026-01)
6. Prepare Your People, Not Just Your Systems
- mcb1971: "We spent months preparing both our documentation AND our people"
- Technical staff need to be able to articulate their controls during assessor interviews
- Senior leadership buy-in is essential; if they don't own it, it fails
- Source: megathread (2026-01) + https://old.reddit.com/r/CMMC/comments/1r0tcww/ (2026-02)
7. Get Mock Assessment From Your C3PAO (Not Consultant)
- "Skip any mock/gap from a consultant, get the mock assessment from your C3PAO. Way better."
- C3PAOs know exactly what they'll be looking for
- Source: lotsofxeons, megathread (2025)
8. Enclave Strategy Works Well for Small Orgs
- Limiting CUI scope to a small enclave (3-6 users) dramatically reduces assessment complexity
- Multiple small orgs used PreVeil + M365 in a tight enclave and passed
- Don't scope in the whole enterprise if only a few people touch CUI
- Sources: Multiple megathread entries (2025-2026)
9. PreVeil as CUI Container
- PreVeil (AWS GovCloud) repeatedly mentioned as viable CUI storage/transfer solution
- Enables keeping the rest of the environment in commercial M365
- Has its own documentation package that covers many controls
- Business Premium (not GCC High) can work when paired with PreVeil
- Sources: Multiple megathread comments, https://old.reddit.com/r/CMMC/comments/1rls675/ (2026-03)
10. SSP in Word Works Fine
- No need for fancy GRC tools for small/medium orgs
- One large Word doc (~100 pages) covering all controls was accepted by Kieri with no complaints
- Excel for evidence tracking is perfectly viable
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03)
New Lessons (2026-03-14)
1. RMM Tools Can Pass as SPAs (If Locked Down Properly)
- LogMeIn RMM passed a CMMC Level 2 assessment with lockdown (file transfer disabled, MFA, RBAC, logging) plus an administrative policy requiring users to close CUI before a support session
- Key insight: if you can disable file transfer, screenshots and copy/paste, the tool never stores, processes or transmits CUI and can be scoped as a Security Protection Asset (SPA). If it does handle CUI, it is a CSP in scope for CUI and FedRAMP Moderate (or equivalent) is required
- Confirmed pass: Quickt17 reports passing L2 with LogMeIn as the RMM. Key requirements: MFA, RBAC, logging, and user training
- Source: https://old.reddit.com/r/CMMC/comments/1rsnzyg (2026-03-14)
2. C3PAO Lead Times: Book Early
- Lead time: 8-12 weeks reported by the community
- Advice: book the assessment early (lead times are already stretching to several months)
- Source: https://old.reddit.com/r/CMMC/comments/1rrp19k/ (2026-03-12)
3. Solo IT Can Do This, But Get Help
- Context: construction company, 220 employees, 30-50% DoD work, directly handles CUI, needs L2
- Current state: had a NIST SP 800-171 assessment, SPRS score of -23
- Technology question: community suggests GCC High, and an MSSP vs. in-house
- Cost estimate from the thread: $100K+ per ~100 employees
- Resources mentioned:
- ndisac.org/blog/dib-msp-shopping-guide (MSP selection)
- CMMC Audit (cmmcaudit.org)
- GRC COA (grc-coa.com)
- NIST SP 800-171A (assessment guide)
- DoD CMMC Resources (dodcio.defense.gov/CMMC/Resources-Documentation/)
- Source: https://old.reddit.com/r/CMMC/comments/1rqbl58/ (2026-03-12)
4. Change Management Needs Software Review Checklists
- Question: looking for guidelines/survey checklists to vet new software before it goes to production
- Source: https://old.reddit.com/r/CMMC/comments/1rsmdhz/ (2026-03-14)
What to AVOID
1. Google Workspace (Commercial) for CUI Environments
- "There was no way possible for us to be compliant with Google... just putting more and more bandaids"
- Migration to GCC High was painful but necessary
- Google Meet was blocked by government customers, an additional business reason to migrate
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03)
2. AWS Workspaces VDI for CUI
- Employees don't use it correctly β CUI leakage
- Better to use physical machines in a properly controlled environment
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03)
3. Cheap Consultants
- "What you pay is what you get": one org failed with a cheap vendor, then passed with Stratify IT
- Cheap vendors may not have actually implemented the controls they claimed to
- Unnamed vendor in the Kieri pass case: hardening controls never implemented, OOBE broken
- Sources: Multiple (see vendors/avoid.md)
4. No Leadership Buy-In
- If C-suite doesn't own compliance, IT will carry accountability without authority
- Without leadership, CMMC efforts consistently break down
- "Update your resume" is genuine advice when leadership doesn't engage
- Source: https://old.reddit.com/r/CMMC/comments/1r0tcww/ (2026-02)
5. Not Knowing Your Firewall Posture Before the Audit
- "Midway through I realized we had never implemented block-all inbound/outbound with allow-by-exception"
- Emergency night-before fixes are stressful and risky
- Build and test firewall rules (deny all inbound and outbound by default, allow by exception, per SC.L2-3.13.6) as part of regular assessment prep, and keep the exported rule set as evidence
- Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (2026-03)
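The "block-all with allow-by-exception" posture the poster discovered mid-assessment is, on a Windows host, a two-line firewall profile setting plus a verification step. The script below is an added example, not code from the Reddit thread or from the assessed company: it applies deny-by-default in both directions on Windows Defender Firewall and emits the per-profile evidence row an assessor would ask for under SC.L2-3.13.6. The allow-list in it is a placeholder of my own (DNS and HTTPS only); with outbound default-deny, anything without an explicit allow rule, including Intune and M365 traffic, stops working, so replace it with your documented exceptions before running this on a real endpoint.

```powershell
# Added example (not from the r/CMMC thread): enforce and verify a
# deny-all-inbound/outbound, allow-by-exception posture on Windows
# Defender Firewall, then record the result as evidence for SC.L2-3.13.6.
# Run elevated. Review existing allow rules first: once the outbound
# default is Block, every undocumented flow breaks.

$Profiles = 'Domain', 'Private', 'Public'

# Documented exceptions. This list is a hypothetical placeholder for the
# example; replace it with the exceptions your SSP actually lists.
$AllowedOutbound = @(
    @{ Name = 'CMMC-Allow-DNS';   Protocol = 'UDP'; RemotePort = 53 },
    @{ Name = 'CMMC-Allow-HTTPS'; Protocol = 'TCP'; RemotePort = 443 }
)

function Set-DefaultDenyPosture {
    # Enable every profile, deny by default in both directions, log both
    # allowed and blocked connections so the log itself becomes evidence.
    Set-NetFirewallProfile -Profile $Profiles -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block `
        -LogBlocked True -LogAllowed True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

    # Create each documented exception once; re-runs are idempotent.
    foreach ($rule in $AllowedOutbound) {
        if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $rule.Name -Direction Outbound `
                -Action Allow -Protocol $rule.Protocol -RemotePort $rule.RemotePort `
                -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-DefaultDenyPosture {
    # One row per profile. "Pass" only when the profile is on and BOTH
    # default actions are Block; anything else is the night-before surprise.
    Get-NetFirewallProfile -Profile $Profiles | ForEach-Object {
        $ok = $_.Enabled -and
              $_.DefaultInboundAction -eq 'Block' -and
              $_.DefaultOutboundAction -eq 'Block'
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = $_.Enabled
            DefaultInbound  = $_.DefaultInboundAction
            DefaultOutbound = $_.DefaultOutboundAction
            LogBlocked      = $_.LogBlocked
            Result          = if ($ok) { 'Pass' } else { 'FAIL' }
        }
    }
}

# Apply, verify, and append a timestamped copy to the evidence locker
# (directory name is an assumption; match your own domain/control layout).
Set-DefaultDenyPosture
$evidenceDir = Join-Path $PWD 'evidence\SC'
New-Item -ItemType Directory -Force -Path $evidenceDir | Out-Null
$evidenceFile = Join-Path $evidenceDir 'SC.L2-3.13.6-firewall-posture.txt'
"Collected $(Get-Date -Format o) on $env:COMPUTERNAME" | Out-File -Append $evidenceFile
Test-DefaultDenyPosture | Tee-Object -Variable report | Format-Table -AutoSize | Out-File -Append $evidenceFile
$report | Format-Table -AutoSize
```

Run Test-DefaultDenyPosture on its own before Set-DefaultDenyPosture to capture the "before" state; a FAIL row in that first capture is exactly the gap the poster found, and the before/after pair is better evidence than the after alone. Export the full rule set (Get-NetFirewallRule piped to Export-Csv) alongside it so the assessor can see that every allow rule maps to a documented exception.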
6. Delaying Documentation to Focus on Technical
- "Holding off on documentation (which is 70% of CMMC) is a mistake"
- Technical controls without documented policies/procedures = assessor findings
- Start documentation from day 1, not when technical is "done"
- Source: multiple threads
7. Putting Everything In Scope
- Almost never correct
- Makes the entire process more expensive, longer, and harder
- Start with CUI flow analysis; scope only what touches CUI
- Source: lotsofxeons + Navyauditor2
Assessment Timeline & Cost
Timeline Reality
- Typical from scratch: 14-18 months to a passing assessment
- Fast track (cloud-only, small org): 3-6 months IF starting from ~90% compliant
- Fastest documented (from research, not a firsthand account): 3 months A-Z (Accusights client, enterprise scope; unusual)
Cost Ranges (2025-2026 market)
| Org Size | Architecture | Total Cost Range | Notes |
|---|---|---|---|
| <10 users | Cloud (GCC High or PreVeil enclave) | $20K-$40K | Includes C3PAO + implementation |
| ~20-30 users | Cloud | $30K-$50K | Competitive market rate |
| ~20-30 users | Cloud | $45K-$80K | Consulting only, no implementation |
| SMB, any size | Self-managed + consultant | $20K-$30K + $500-$1K/mo maintenance | |
| 500+ endpoints | Enterprise hybrid | $100K+ | Complex environments |
- C3PAO assessment alone: $30K+ minimum (widely cited)
- VDI-based solution: ~$3K/user/year + $30K-40K for C3PAO
- Secureframe: ~$30K for L2 (per one community comment)
Sources: r/CMMC multiple threads (2025-2026)
Assessor Behavior Observations
- Variability is real: Same control can be evaluated differently by different assessors
- "It depends on your assessor" is the most frustrating but honest answer to many questions
- Having 2 assessors for different control families is common; some are harder, some easier
- Per assessment objective the finding is binary: MET or NOT MET, with no guidance offered during the assessment. (A conditional certificate with a limited POA&M exists in the rule, but only for non-critical requirements and only above the rule's score threshold, so don't plan on it as a safety net.)
- Assessors DO notice when orgs are well-prepared β it sets a positive tone
- Physical assessments (site visits) do happen for on-prem environments
- Source: Multiple (megathread, https://old.reddit.com/r/CMMC/comments/1rpitjk/, community)
New Lessons (2026-03-12)
"We Passed" Post #4: 40-person DC Company (Kieri Solutions, 2026-03)
Source: https://old.reddit.com/r/CMMC/comments/1rpitjk/ (76 upvotes)
Vendor red flags confirmed (again):
- Hired an unnamed CMMC vendor for the GCC High migration; the vendor never verified their own hardening work, so controls were not implemented. The VP of Engineering spent months fixing it in Intune.
- The same vendor also missed entire Google Shared Drives in the SharePoint migration.
- Lesson: audit your vendor's output, not just their deliverables. Don't assume "we paid for it" = "it works."
Baseline documentation:
- One week to build the baseline document properly. Separate sections per device type (PC models, iPhones, Macs, OS minimums). Windows 11 25H2 as the floor.
- "Specifying that all devices must be enrolled and compliant with clearly defined compliance criteria does a lot of the heavy lifting."
- Used Claude AI plus PowerShell output to structure the baseline document faster than starting from scratch.
SSP implementation statements as work instructions:
- "If your controls are written well enough, they describe the how, not just the what." Well-written implementation statements can satisfy the work instruction requirement.
Physical assessment detail:
- Kieri came on-site for a ~2-hour visit. The org had a dedicated printer locked in a server rack for CUI printing.
- Another commenter: Redspin will do an on-site visit if you have physical CUI and allow printing.
Evidence tools this org used:
- SnipeIT for asset management (assessors could see records)
- JIRA Service Desk for IT tickets (had to retrain staff to use it)
- MS Intune + Conditional Access (no VPN to tenant)
- Sentinel with custom KQL queries (AI-assisted)
- macOS: macOS Security Compliance Project + Jamf Compliance Editor for Mac baselines
Appendix J access (GCC High):
- Not publicly downloadable; must email Microsoft:
- O365 GCC High: O365FedRAMP@microsoft.com
- Azure Government: AzFedDoc@microsoft.com
- Source: https://techcommunity.microsoft.com/blog/publicsectorblog/support-for-fedramp-in-microsoft-365-government-gcc-high/4112262
First-submission pass rate:
- Community reporting suggests the first-submission pass rate may be under 30% across C3PAOs
- Source: https://old.reddit.com/r/CMMC/comments/1rnu0yr/ (7 upvotes)
MSP W-2 requirement claim = FALSE:
- An MSP told a client their ISSM must be a W-2 employee for CMMC compliance. Community consensus: false; no such requirement exists in NIST SP 800-171 or the CMMC rule.
- MSPs can provide third-party monitoring via a contractual relationship. The W-2 claim is an upsell tactic.
- Source: https://old.reddit.com/r/CMMC/comments/1rmq8is/
CMMC certification as a new business generator:
- Community thread: most companies say CMMC L2 is primarily a requirement to keep existing DoD business, NOT an opener of new doors. Very few report unsolicited new contracts from certification alone.
- Source: https://old.reddit.com/r/CMMC/comments/1rml8gj/
ISACA exam transition (BREAKING as of 2026-03-12):
- ISACA is taking over the CCA/CCP exams on April 1; PSI will administer them
- Measure Learning cancelled some exam slots ahead of schedule
- CCP holders must pay a $100 delta exam fee to get the CCP badge on the CyberAB
- Source: https://old.reddit.com/r/CMMC/comments/1rmxurd/
New Lessons (2026-03-13)
C3PAO Lead Times (March 2026)
Source: https://old.reddit.com/r/CMMC/comments/1rrp19k/
Current scheduling reality:
- 8-12 weeks is most common across C3PAOs
- Some "better firms" at 90-120 days
- Anecdotally, many are booking into early summer 2026
- One C3PAO rep (FJminer): "8-12 weeks seems most common, some are out even further"
- Community advice: "Ask their audit schedule/duration for your proposed assessment. Last thing you want is a 1-week audit crammed through with lots of findings."
Implication: As Phase 2 (Nov 10, 2026) approaches, expect lead times to grow. Book early.
Level 1 MSP Misinformation
Source: https://old.reddit.com/r/CMMC/comments/1rrtptn/
The claim: MSP told subcontractor that L1 requires all 110 controls (but "just self-attestation").
Reality:
- L1 = 15 requirements ONLY
- The MSP was either incompetent or trying to upsell
- Official source: DoD CMMC Assessment Guide L1 v2: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf
- If an MSP is confused about L1, its L2 support may be questionable
Community tools for L1:
- Project Spectrum cyber-readiness check: https://www.projectspectrum.io/#/cyber-readiness-check
- CMMC CAP v2.13 Level 1 (official)
"CMMC is an Organizational Problem Disguised as an IT Problem"
Source: https://old.reddit.com/r/CMMC/comments/1rqbl58/ (18 up, 32 comments)
Context: Solo IT person at 220-employee construction company, 30-50% DoD work, -23 SPRS score.
Key community insights:
- "I describe CMMC as an organizational problem disguised as an IT problem" (HSVTigger, 25 up)
- "Not to mimic the other responses but what they're saying is the truth. First and foremost CMMC really isn't an IT problem, and putting the entire brunt of the effort on IT can often do more harm than good without proper buy-in from leadership." (DarthCooey, mod, 18 up)
- Construction specifics: if drawings are marked CUI, the organization has to track how drawings flow through the entire org, including every trade subcontractor
Cost estimate from thread:
- "Expect to spend $100k per 100 employees-ish" (Reasonable_Rich4500, 7 up)
- For 220 employees: roughly $200-250K total
Solo IT survival tips:
- Get exec support immediately; CFO, FSO, HR and Head of Operations all need to be involved
- Offload to an MSP/consultant; don't try to do it all while running the helpdesk
- Consider a GRC platform if forced to do it yourself
- Build an enclave for the ~80 CUI-touching employees, not all 220
Cross-Tenant Collaboration (GCC High and Commercial)
Source: https://old.reddit.com/r/CMMC/comments/1rr2t5w/
Question: How do enclave users (GCC High) collaborate with non-enclave users (commercial)?
Answers:
- Cross-tenant collaboration IS supported between GCC High and commercial tenants (inbound + outbound guest access)
- You don't need both PreVeil AND GCC High; pick one architecture
- A two-tenant "sovereign ground" approach is viable but requires documentation
- Get the customer responsibility matrix (CRM) from Microsoft for both the commercial and government tenants; understand what's inherited vs. your responsibility
Most Commonly Flagged Controls / Pain Points
From community discussion:
- AC (Access Control): AC.L2-3.1.11 (session termination), active Reddit thread (2026-03-04)
- AC.L2-3.1.20 (use of external systems): caused debate (referenced in readiness thread)
- CM (Configuration Management): CM.L2-3.4.7 (nonessential ports/protocols/services) and CM.L2-3.4.8 (application execution policy) both had dedicated threads
- IA (Identification & Authentication): IA.L2-3.5.7 (password complexity), dedicated thread; MFA requirements cause confusion
- SC (System & Communications): SC.L2-3.13.7 (split tunneling), active debates
- Scoping for Security Protection Assets (SPAs): "The single biggest grey area in the standard is the evaluation of 'relevant' controls for SPAs. There is no alignment."
Source: r/CMMC thread titles and comments, Jan-Mar 2026
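Three of the flagged requirements above (AC.L2-3.1.11, CM.L2-3.4.7, IA.L2-3.5.7) and the OS floor from the baseline-documentation lesson in the Kieri "We Passed" post are all things you can read off a Windows endpoint and file as evidence before the assessor asks. The script below is an added example, not code from any of the threads or from the assessed companies: it is a read-only collector that compares the host's actual settings against thresholds you declare. The thresholds in it are placeholders (the 15-minute lock, 14-character minimum, the three "essential" ports and the Windows 11 25H2 build number are my assumptions); set them to what your SSP actually states so the evidence cites the SSP, not the script.

```powershell
# Added example (not from r/CMMC): read-only evidence collector for
# AC.L2-3.1.11 (session termination), CM.L2-3.4.7 (nonessential ports),
# IA.L2-3.5.7 (password complexity) and an OS-build floor, on one Windows
# endpoint. Run elevated; it changes nothing.

# Thresholds are placeholders for this example. Copy them from your SSP.
$Policy = @{
    MaxInactivitySeconds = 900                 # AC.L2-3.1.11: lock after 15 min idle (assumed)
    MinPasswordLength    = 14                  # IA.L2-3.5.7: floor chosen for illustration
    AllowedListenPorts   = @(135, 445, 3389)   # CM.L2-3.4.7: hypothetical documented ports
    MinWindowsBuild      = 26200               # Windows 11 25H2 (build number assumed; verify)
}

function Get-PasswordPolicy {
    # Export the local security policy and parse the [System Access] keys.
    $cfg = Join-Path $env:TEMP 'secpol-evidence.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $raw = Get-Content $cfg
    Remove-Item $cfg -Force
    $get = { param($k) ($raw | Where-Object { $_ -match "^$k\s*=" }) -replace '.*=\s*', '' }
    [pscustomobject]@{
        MinimumPasswordLength = [int](& $get 'MinimumPasswordLength')
        PasswordComplexity    = [int](& $get 'PasswordComplexity')
        PasswordHistorySize   = [int](& $get 'PasswordHistorySize')
    }
}

function Test-SessionTermination {
    # "Interactive logon: Machine inactivity limit", in seconds. 0 or absent
    # means the session never locks on its own.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $obs = if ($null -eq $v) { 'not set' } else { "$v s" }
    $res = if ($v -and $v -le $Policy.MaxInactivitySeconds) { 'Pass' } else { 'FAIL' }
    [pscustomobject]@{ Requirement = 'AC.L2-3.1.11'; Observed = $obs; Result = $res }
}

function Test-NonessentialPorts {
    # Every listening TCP port not on the documented list is a finding to
    # explain (expect RPC dynamic ports here until you document them).
    $listening = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    $unexpected = @($listening | Where-Object { $_ -notin $Policy.AllowedListenPorts })
    $res = if ($unexpected.Count) { "FAIL: undocumented $($unexpected -join ',')" } else { 'Pass' }
    [pscustomobject]@{ Requirement = 'CM.L2-3.4.7'; Observed = ($listening -join ','); Result = $res }
}

function Test-PasswordComplexity {
    $p  = Get-PasswordPolicy
    $ok = ($p.PasswordComplexity -eq 1) -and ($p.MinimumPasswordLength -ge $Policy.MinPasswordLength)
    $obs = "complexity=$($p.PasswordComplexity) minlen=$($p.MinimumPasswordLength) history=$($p.PasswordHistorySize)"
    [pscustomobject]@{ Requirement = 'IA.L2-3.5.7'; Observed = $obs; Result = $(if ($ok) { 'Pass' } else { 'FAIL' }) }
}

function Test-OsBuildFloor {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $res = if ($build -ge $Policy.MinWindowsBuild) { 'Pass' } else { 'FAIL' }
    [pscustomobject]@{ Requirement = 'Baseline OS floor'; Observed = "build $build"; Result = $res }
}

# Collect, show, and write a per-host CSV the evidence locker can index by control.
$report = @(Test-SessionTermination; Test-NonessentialPorts; Test-PasswordComplexity; Test-OsBuildFloor)
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ('endpoint-audit-{0}-{1:yyyyMMdd}.csv' -f $env:COMPUTERNAME, (Get-Date))
```

On a domain-joined or Intune-managed host the lock timeout and password policy usually arrive via GPO or a compliance policy, so a FAIL here means the policy is not actually landing on this machine, which is exactly the gap the Kieri post found in the vendor's "completed" hardening. Run it across a sample of enrolled devices and keep the CSVs with the baseline document; the assessor can then see observed values, not just the SSP's claim.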