If your organization is preparing for a CMMC Level 2 assessment, CMMC assessment readiness should be at the top of your priority list, and this podcast episode will show you exactly why. Logan Therrien, Lead CCA, Provisional CMMC Instructor, and assessment team leader at Kieri Solutions, gives a deep dive into the realities of the current assessment landscape.
Logan has over 24 years of military service, a master’s in information assurance, ongoing PhD research in Cyber Defense, and published research on sampling methodology in the CMMC ecosystem. He leads assessment teams and shares firsthand insights that every Organization Seeking Certification (OSC), Managed Service Provider (MSP), and compliance professional needs to hear.
Watch the full episode here.
The Current State of CMMC Assessment Readiness
According to Logan, the bottleneck in the CMMC ecosystem is not the availability of CMMC Third-Party Assessment Organization (C3PAO) assessment teams; it is OSC readiness, and many organizations arrive at the table unprepared.
The situation has improved significantly compared to a year ago. When Level 2 assessments first became available, many OSCs believed they were ready but quickly discovered critical gaps. Common sources of confusion included misunderstandings around NIST SP 800-171A assessment objectives, differences between the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) method and the CMMC final rule expectations, and outdated assumptions carried over from the year-long draft proposed rule period.
Today, the percentage of assessment delays due to OSC unpreparedness has dropped, even as the number of organizations seeking certification has increased. That is a meaningful trend in the right direction.
How the CAP Preliminary Phase Catches Problems Early
One of the most valuable mechanisms in the CMMC Assessment Process (CAP) is its preliminary phase. This stage includes framing and scoping opportunities that allow the C3PAO assessment team to review scope boundaries, asset categorization, and documentation completeness before the formal assessment begins.
Logan emphasized that this phase is not just a formality. It serves as a critical screening tool. If the assessment team identifies disagreements on scope, unclear asset categorization, or an inability to explain key aspects of the environment, those issues can be addressed before the clock starts. This protects the OSC’s financial investment and prevents the assessment team from wasting effort on a flawed foundation.
For OSCs, the takeaway is clear: engage your C3PAO early, take the preliminary phase seriously, and use it to validate your readiness before formal assessment activities begin.
The Assessor Variance Problem: Published Research on Sampling Gaps
One of the most compelling topics Logan raised was his published research on how CMMC assessors approach evidence sampling, which revealed a significant problem.
Among the assessors surveyed, there was a wide spectrum in what they considered adequate evidence. At one end, an assessor indicated they would examine just a single item from a population of 100. At the other end, an assessor stated they would review all 100. The rest fell across the entire range in between, with some taking a risk-based approach, such as scrutinizing privileged accounts more closely than standard user accounts.
This variance raises a fundamental question for the ecosystem: if two different assessment teams evaluate the same environment using the same evidence, will they reach the same conclusion? Logan’s research suggests the answer is not guaranteed under current conditions.
ISO 17020 Accreditation: A Path Toward Consistency
A future requirement that could address this gap is ISO 17020 accreditation for C3PAOs. This international standard for inspection bodies requires each C3PAO to have a documented sampling methodology. However, it does not mandate that all C3PAOs use the same methodology, only that each has one that is reliable, consistent, and repeatable.
For OSCs, this means that choosing a C3PAO with a rigorous, well-documented quality management system will become an increasingly important decision. The organizations that invest in strong internal standards will deliver more defensible and consistent assessment outcomes, a genuine market differentiator.
Kieri Solutions is already preparing for ISO 17020 accreditation and expects to go through the process in the coming months.
In Security and Compliance, Understanding the “Why” Matters
Logan made a compelling case that implementing CMMC controls without understanding the underlying security risks is a recipe for failure, both in assessments and in actual security posture.
Logan illustrated this with the example of authorized user lists. Simply exporting a list from Active Directory does not demonstrate that an authorization process is in place. The risk this control is intended to mitigate is the possibility that adversaries gain access, modify privileges, and move laterally without detection. Without a separate, validated baseline to compare against, unauthorized changes may never be identified.
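The authorization check described above, as an added example that is not part of the original episode or Kieri's material: rather than treating a raw directory export as proof of an authorization process, the script compares that export against a separately maintained, approved baseline and reports new accounts, removed accounts, and privileged group membership that was never authorized. The CSV layout, account names, and group names are constructed for illustration.

```python
import csv
import io

# Constructed sample of a current Active Directory export (e.g. what an
# admin would dump from the directory). On its own this proves nothing about
# authorization; it only describes the present state.
CURRENT_EXPORT = """\
sam,groups
jdoe,Domain Users
asmith,Domain Users;Domain Admins
bjones,Domain Users
svc_backup,Domain Users;Backup Operators
"""

# Constructed approved baseline: the validated record of who is authorized
# and with which privileges, maintained outside the directory itself.
APPROVED_BASELINE = """\
sam,groups
jdoe,Domain Users
asmith,Domain Users
bjones,Domain Users
"""

# Groups whose membership warrants closer scrutiny (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}


def parse(text):
    """Map account name -> set of group names from a CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["sam"]: {g for g in r["groups"].split(";") if g} for r in rows}


def compare(current_text, baseline_text):
    """Return (finding, account, privileged groups) tuples for every deviation."""
    current, baseline = parse(current_text), parse(baseline_text)
    findings = []
    for sam in sorted(set(current) - set(baseline)):  # present but never approved
        findings.append(("unauthorized_account", sam,
                         tuple(sorted(current[sam] & PRIVILEGED_GROUPS))))
    for sam in sorted(set(baseline) - set(current)):  # approved but gone
        findings.append(("missing_account", sam, ()))
    for sam in sorted(set(current) & set(baseline)):  # privilege drift
        added = (current[sam] - baseline[sam]) & PRIVILEGED_GROUPS
        if added:
            findings.append(("privilege_added", sam, tuple(sorted(added))))
    return findings


if __name__ == "__main__":
    for finding in compare(CURRENT_EXPORT, APPROVED_BASELINE):
        print(finding)
```

Run as-is, it flags the unapproved service account holding Backup Operators and the unapproved Domain Admins membership; an export with no baseline to diff against could surface neither.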
He also highlighted the media labeling requirement, which references 32 CFR Part 2002. Many practitioners overlook that this regulation includes over 100 pages of preamble in the Federal Register explaining the reasoning behind each provision. Reviewing that context helps assessors and implementers alike stay grounded in the correct framework, rather than defaulting to habits from RMF, SOX, or other compliance regimes.
Preparing for NIST 800-171 Rev 3
The transition from Rev 2 to Rev 3 of NIST 800-171 is not an incremental update. Logan described it as a fundamentally different framework that will require substantial effort from every stakeholder in the ecosystem.
Key differences OSCs should prepare for:
- Organization-Defined Parameters (ODPs): Rev 3 introduces specific, prescriptive timeframes, such as 15 minutes or 24 hours, replacing the flexible, organization-defined timelines that Rev 2 allows. For organizations that currently define their own review cycles at three weeks or longer, this will be a significant adjustment.
- More assessment objectives despite fewer controls: The control count drops from 110 to 97, but assessment objectives increase by roughly 37%. The assessment workload grows.
- Documentation cannot carry forward: A System Security Plan (SSP) written for Rev 2 cannot be used for a Rev 3 assessment. The language, structure, and requirements are too different. Similarly, an SSP mapped to NIST 800-53 is not a substitute.
- GSA adds complexity: GSA’s IT Procedural Guide introduces parallel requirements for contractors who hold both DOD and GSA contracts, but with far less scoping guidance. There is no equivalent to the CRMA concept or specialized asset categories.
Logan’s advice is practical: do not sacrifice your Rev 2 readiness chasing Rev 3 preparation. Get certified under current requirements first, but start building awareness of what is coming.
Supply Chain Scale: Up to 118,000 Contractors at Level 2
Data from the preambles of 32 CFR 170 and the DFARS 7021 rule paint a daunting picture. The original estimate of approximately 87,000 contractors needing Level 2 certification has grown to roughly 118,000, an increase of about 35,000 organizations.
Many of these are small, specialized subcontractors who may not even realize they handle Controlled Unclassified Information (CUI). Logan noted that supply chains for major defense programs often extend dozens of tiers deep and frequently cross international borders. Identifying who builds components and whether CUI flows down to them is a challenge the industry is still working to solve.
The communication gap between primes and subcontractors remains one of the biggest obstacles. Logan observed that many conflicts around readiness and CUI handling could be resolved simply by primes and subs having direct conversations about expectations, contract clauses, and responsibilities.
The Five Most Common Mistakes OSCs Make Before an Assessment
Drawing from his experience leading assessment teams, Logan identified the most frequent pitfalls that cause OSCs to struggle or fail outright:
- Not recognizing your own knowledge gaps. The first step is acknowledging what you do not know. If your team has not been through CMMC-specific training, you are starting at a disadvantage. Bring in qualified help, and verify their credentials before onboarding them.
- Treating CMMC as only an IT problem. Compliance touches HR, legal, training, contracting, and the personnel who handle CUI daily. If your IT team is the only department engaged, critical gaps will go unaddressed.
- Ignoring the rules of engagement. The CAP, 32 CFR 170, 32 CFR 2002, NIST SP 800-171, the DOD Assessment Methodology, and the CMMC Assessment Scoping Guide all define how assessments work. Your team should be familiar with each of these before the assessment begins.
- Submitting an incomplete or misaligned SSP. Your System Security Plan must meet the requirements of control 3.12.4. It needs to describe your environment, define your boundaries, explain how each requirement is being met, and serve as the roadmap the assessment team will follow. An SSP that is vague, incomplete, or written against the wrong revision is a non-starter.
- Underinvesting in qualified support. There is a meaningful difference between minimal certification and a CCP with 40 hours or a CCA with 80 hours of training. The assessment is essentially a 320-question test of your environment. Prepare your people accordingly.
The CAP Is Still Evolving, and That Is Normal
Logan offered a measured perspective on the CMMC Assessment Process. The CAP has been in official use only since January 2025, and the ecosystem has fewer than 1,000 real-world assessments to draw data from. Growing pains are expected.
The Cyber AB has established subcommittees, including members like Logan, to gather ecosystem feedback and recommend improvements. His view is that the CAP served its purpose as a baseline. Areas needing clarification, such as the distinction between framing and scoping in the preliminary phase versus the pre-assessment phase, are being actively addressed.
One architectural decision Logan praised was the CAP’s approach of referencing external standards (32 CFR, ISO) rather than embedding every requirement directly. This makes the document more resilient to revision changes and reduces the risk of conflicting guidance when external regulations are updated.
You Don’t Have to Navigate CMMC Alone
If there is one theme that runs through every conversation we have on this podcast, it is this: the organizations that succeed with CMMC are the ones that stop guessing and start working with people who have been through it.
Logan said it plainly: know your gaps, know the rules of engagement, and get the right people in your corner. That is exactly what we do at IntelliGRC.
We have helped MSPs and OSCs across the defense industrial base cut through the noise, build compliant environments that make sense for their business, and walk into assessments with confidence. Have questions? Schedule a call on this form. Be sure to subscribe to our podcast; every episode brings you closer to the people and knowledge that make the difference.
Frequently Asked Questions About CMMC Assessment Readiness
What is the biggest bottleneck for CMMC Level 2 assessments right now?
According to active C3PAO assessment leads, the primary bottleneck is not C3PAO capacity; it is OSC readiness. Many organizations still arrive at the preliminary phase with documentation gaps, scope misunderstandings, or SSPs that do not meet the requirements of control 3.12.4.
Can I start a CMMC assessment if my SSP is written for NIST 800-171 Rev 3?
No. Your SSP must be written against the current requirements, NIST SP 800-171 Rev 2. An SSP based on Rev 3 or mapped to NIST 800-53 uses a different language and structure. Assessment teams cannot translate between frameworks on your behalf during the assessment.
How many contractors need CMMC Level 2 certification?
Based on data from the preambles of 32 CFR 170 and DFARS 7021, the estimated number of contractors expected to seek Level 2 certification is approximately 118,000 — up from an earlier estimate of roughly 87,000.
What is ISO 17020 and why does it matter for CMMC?
ISO 17020 is an international standard for inspection bodies. C3PAOs will eventually be required to hold ISO 17020 accreditation, which means they must maintain a documented, reliable, and repeatable assessment methodology. This is expected to improve consistency across the ecosystem.
Where can I find all the key CMMC documents in one place?
The DOD CIO CMMC Resources & Documentation page is the best starting point. It consolidates the final rule, scoping guides, assessment methodology, and related guidance documents. Logan recommends every OSC review these materials thoroughly before beginning the assessment process.
