The Checklist Illusion
When most people hear "CMMC 2.0 compliance," they picture a checklist. Complete the items, get certified, move on. That's the marketing version. The reality, especially at Level 2, is a sustained operational commitment that touches nearly every corner of an organization's IT environment.
I learned this firsthand working with NIST SP 800-171 and CMMC frameworks during my internship at Digital Cloak LLC. What looked like a finite set of controls on paper turned into a web of interdependencies, documentation requirements, and organizational culture problems that no checklist was going to solve.
The Documentation Problem
CMMC Level 2 requires you not just to implement 110 security practices but to prove you implemented them. That means System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), audit logs, configuration baselines, incident response records, and more.
For a small defense contractor with a lean IT team, this documentation burden alone can be overwhelming. I've seen organizations that had solid security practices in place but failed assessments simply because they couldn't demonstrate those practices on paper. Security without documentation doesn't exist in the eyes of a CMMC assessor.
CUI Is Harder to Track Than You Think
The whole framework revolves around protecting Controlled Unclassified Information (CUI). Simple enough in theory. In practice, organizations often don't have a clear picture of where their CUI actually lives.
Is it in email? Shared drives? A contractor's laptop? A chat app someone started using because it was convenient? Before you can protect CUI, you have to find it, and that data discovery process can take months for a mid-sized organization.
The Human Factor
Technology controls are the easy part. Getting employees to follow them consistently is where CMMC compliance actually gets hard. Multi-factor authentication, access controls, and clean desk policies mean nothing if staff are sharing credentials, forwarding work emails to personal accounts, or plugging in unauthorized USB drives.
CMMC compliance isn't just an IT project; it's a culture change. Organizations that treat it as a purely technical problem will struggle every single assessment cycle.
My Takeaway
CMMC 2.0 is a serious framework built for a real threat environment. Defense contractors handle sensitive information that adversaries actively target, and the bar should be high. But the gap between "we have the controls" and "we can prove the controls work consistently" is where most organizations fall short.
If you're starting a CMMC journey, the best advice I can give is this: start with your CUI inventory, get your documentation culture right early, and don't wait until an assessment is scheduled to find out where your gaps are.