Think You're Ready for CMMC? Think Again
By Guernsey Cyber Team
The countdown is on. In just a matter of days, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) will officially take effect, marking a new era for defense contractors across the country. For those who haven’t yet started preparing, time is running short.
At a recent industry panel, Tim Fawcett, Vice President and Director of Guernsey’s Cyber Consulting team, and one of the first certified CMMC assessors in the nation, shared hard truths about the state of readiness in the Defense Industrial Base (DIB).
“We’ve Canceled More Assessments Than We’ve Completed”
CMMC compliance isn’t just another IT checklist. It’s a rigorous, evidence-based process designed to protect Controlled Unclassified Information (CUI) across the defense supply chain.
“We’ve postponed or canceled more C3PAO assessments than we’ve performed,” Fawcett said. “We get out there and people think they’re ready and they’re not.”
The issue, he explained, often isn’t the technology; it’s the documentation. Each assessment covers 110 controls and requires assessors to verify that both policies and procedures are written and actually implemented.
“Some of the requirements seem small, but there’s no flexibility,” he added. “If the standard says it must be defined and documented, it must be. That’s what we test.”
Why Readiness Is So Challenging
Guernsey holds a unique position as both a Certified Third-Party Assessment Organization (C3PAO) and a federal contractor delivering large-scale utility and engineering projects. That dual role gives Fawcett’s team a firsthand understanding of how demanding CMMC can be, especially for smaller organizations with limited budgets and staff.
“We know what it’s like to implement these controls while balancing time, money, and resources,” Fawcett said. “That’s why we’ve focused on helping small and mid-sized contractors find practical, sustainable paths to compliance so they can keep their contracts.”
Scoping: The Step Most Companies Miss
One of the most misunderstood aspects of CMMC is scoping: determining exactly where sensitive data resides and who or what has access to it.
“You have to know where your information lives, whether it’s in a file, in the cloud, or on a local drive,” Fawcett explained. “You can’t just call a cloud provider a week before your assessment and expect to be compliant. Some take months to provision a FedRAMP environment.”
Updated scoping guidance now categorizes assets as security protection assets, CUI assets, or risk-managed assets, allowing contractors to better prioritize what needs to be protected and how.
The Clock Is Ticking
CMMC is here to stay, and while it may feel like one more regulatory hurdle, its intent is clear: to safeguard national security data. But readiness doesn’t happen overnight.
“We’ve been preparing companies for years,” Fawcett said. “Those who start now can still get there, but the window is closing fast.”
Ready or Not, the Deadline Is Here
Whether you’re just starting to plan your compliance strategy or you’ve already completed self-assessments, the time to act is now.
Connect with Guernsey’s Cyber Team to start your CMMC readiness review today.