Maintain to sustain: why CMMC is a continued practice

Dr. Thomas Graham, vice president and chief information security officer at Redspin, lays out key principles for contractors to follow in the preparation and execution of their compliance with the Cybersecurity Maturity Model Certification.
As of December 16, 2024, the Cybersecurity Maturity Model Certification (CMMC) rule (32 CFR Part 170) is in effect. It establishes that, as the program phases in, Department of Defense (DoD) contractors that handle Federal Contract Information or Controlled Unclassified Information must demonstrate CMMC compliance, in an effort to further protect our nation’s critical and sensitive data.
Many believe that once you are CMMC certified, you’ve done your due diligence and can “set it and forget it.” In reality, this mindset underscores one of the larger challenges facing CMMC implementation: maintenance.
Achieving CMMC requires more than passing a test. It demands a culture of ongoing security and accountability. Think of CMMC as a sport; the assessment is like a big game. It’s the moment everyone’s watching, and success depends on executing your game plan.
For CMMC, that game plan is the System Security Plan (SSP), which outlines how you protect Controlled Unclassified Information (CUI). Once it’s in place and your team is ready, it’s game time. The other team (the assessors) asks tough questions about the 320 assessment objectives (from NIST SP 800-171A) behind the 110 security requirements that a Level 2 assessment examines. To win, you need to score, ideally with a perfect 110 out of 110, meaning every objective is rated “Met.”
Just like in sports, preparation and execution are everything.
The 3-Year Stretch: Where Compliance Often Slips
Many organizations don’t realize that the hardest parts are the preparation before the initial assessment and the three-year window before the recertification assessment. When getting ready for an assessment, the organization generally takes a focused approach with a single goal: pass the assessment.
However, once that goal is achieved, the focus falls off, and certain requirements may no longer be addressed. The time between assessments can be considered the “off-season,” where required actions are still supposed to be completed, but there is seemingly little oversight.
The issue is that when you come back for reassessment, assessors will want to see evidence that you have been performing the actions as defined in your SSP.
The Importance of Off-Season Training
Without consistent focus during the three-year stretch, organizations risk falling behind, and items identified in the SSP might simply not be accomplished. Like athletes skipping off-season training, the result is scrambling to catch up, putting strain on the organization and increasing the risk of failure (A “Not Met”).
Remember, in CMMC, some requirements cannot be placed on a Plan of Action and Milestones (they are not “POA&M-able”) and, if missed, can derail an entire assessment, like a star player tearing an ACL on game day. Even where a POA&M is allowed at Level 2, it is limited to certain lower-weighted requirements, the overall score must still be at least 88 of 110 for a conditional certification, and the open items must be closed out within 180 days or the conditional certification lapses.
Staying prepared year-round reduces shock, builds resilience, and allows time to recover from compliance “injuries” before reassessment.
Staying in Shape: How to Maintain CMMC Between Assessments
Beyond keeping up with your SSP, organizations should conduct regular internal assessments. In fact, CMMC requires them: periodic assessment of your security controls is itself a Level 2 requirement (CA.L2-3.12.1), and a senior official must affirm continued compliance annually. How can this be equated to sports?
Think of these as off-season training activities (OTAs). They are routine spot checks to ensure your organization doesn’t drift too far from readiness, and should be overseen by someone like the organization’s assessment official.
To stay on track, organizations can also bring in an Authorized CMMC 3rd Party Assessment Organization (C3PAO) during the off years to conduct a mock assessment or gap assessment that will help identify any areas where you are falling short.
You can also engage with External Service Provider (ESP) organizations to help. ESPs can act as your “trainers,” helping you meet SSP thresholds, track progress, and keep compliance efforts on course.
Most organizations haven’t yet faced a CMMC Level 2 reassessment, since formal certifications only began in January 2025, but we’re already seeing early adopters from the Joint Surveillance Voluntary Assessment Program (JSVAP) begin preparing for recertification.
These early efforts underscore the reality that CMMC is a continuous cycle, not a one-time event. Reassessments are coming, and organizations that haven’t maintained their controls may find themselves scrambling to catch up.
At the end of the day, what is accomplished over the three-year stretch is entirely up to you, but neglecting it brings serious risk. Non-compliance identified by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) during a spot check can result in revocation of the certification, loss of a potential contract award, or even False Claims Act litigation brought by the Department of Justice (DOJ).
Like any great team, success depends on showing up every day, not just game day. CMMC isn’t a checkbox; it’s a mindset.
Maintain to sustain, and you’ll be ready when the whistle blows.