CMMC Final Assessment: What I Did Right, What I’d Change, and How You Can Prepare
A senior security analyst shares key lessons, wins, and improvements from completing a CMMC audit to help others prepare effectively.
When I started my organization’s CMMC journey, I knew I was stepping into one of the most important projects of my career. As a Department of Defense subcontractor, our business depends heavily on contract awards from large prime contractors. When I learned that CMMC would roll out in phases, with certified companies receiving priority in Phase 1 and non-certified organizations potentially excluded entirely in Phase 2, I made myself one commitment:
“I will not be responsible for putting this company out of business.”
That clarity of purpose fueled every decision I made. We ultimately succeeded, earning a CMMC Conditional Certification with only one POAM, and later achieving the full certification. But the journey wasn’t flawless, so here is what worked, what I would do differently, and how you can prepare for your own assessment.
What I Did Well
1. Taking the CMMC Certified Professional (CCP) Course
One of the best decisions I made early on was completing the CCP training. I was not trying to become an auditor—I wanted to understand how auditors think.
The course gave me:
- A strong understanding of CMMC history and intent
- Clarity on the three evaluation methods: examine, interview, test
- Insight into what auditable evidence actually looks like
This foundation removed guesswork and let me structure our implementation around defensible, auditable evidence instead of assumptions.
2. Following a Proven Audit Preparation Plan
Our Quality Manager (QM), who leads our AS9100 audits every year, gave us a plan that became the backbone of our preparation. It was simple, realistic, and highly effective:
Year-long audit readiness plan:
- Step 1: Hire an external CMMC consultant to conduct an initial assessment and create an implementation plan.
- Step 2 (6 months later): Have the actual CMMC auditor perform a gap assessment.
- Step 3 (6 months later): Conduct the pre-assessment—the final gate before the real assessment.
This phased approach made expectations clear and prevented surprises late in the journey. Keep the roles separate, though: the assessment organization can tell you where the gaps are, but the consultant, not the assessor, does the remediation, because a C3PAO is not permitted to consult for an organization it then assesses.
3. Using an Auditing Firm We Already Knew
We selected the same audit organization that handles our other certifications.
That mattered because:
- They already understood our business operations.
- We didn’t waste assessment time explaining our structure.
- They referred us to a consultant whom they trusted and worked well with.
Relationships matter in this process. Familiarity reduced friction and helped us avoid misunderstandings during evidence inspection.
4. Implementing Requirements In-House (With Help)
We chose to implement the consultant’s findings ourselves rather than outsourcing every change. It wasn’t always fast—but it worked.
Benefits of the DIY approach:
- We built internal competency.
- We tailored policies and procedures to our real business operations.
- We avoided forcing the company to conform to “canned” templates.
Tellingly, during our final assessment we learned that our consultant’s other clients had more findings than we did. That validated our more hands-on approach.
5. Setting Realistic Expectations With Leadership
I made it clear early on that the goal wasn’t a perfect score of 110.
The real objective was:
- Pass every 3-point and 5-point control, and
- Score at least 80% (88 of the 110 points) with only POAM-eligible items left open
This mindset kept leadership aligned and supportive. When we earned a conditional certification with one POAM, they understood it was a success, not a failure.
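The arithmetic behind that target, as an added example that is not part of the original post: the DoD Assessment Methodology starts every organization at 110 and subtracts each unmet requirement's weight (1, 3 or 5 points), and the CMMC rule (32 CFR 170.21, as I read it) grants conditional status only when the score is at least 88 and every open item is POAM-eligible (1-point items, plus CUI encryption at 3 points, never the five physical-access and external-connection requirements). The control identifiers and weights below are a constructed sample of my own, not the full set of 110; check them against the current methodology table before using this for planning.

```python
"""Worked scoring and conditional-status check for a CMMC Level 2 assessment.

Added example, not code from the original post.  The weights, the 88-point
floor and the POA&M limits are my reading of the NIST SP 800-171 DoD Assessment
Methodology and 32 CFR 170.21; verify against the current rule before relying
on them.  The findings below are a constructed sample, not all 110 controls.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88          # 80% of 110 requirements

# Requirements that may never be left open on a POA&M, whatever their weight.
NEVER_POAM = {
    "AC.L2-3.1.20",  # external connections
    "AC.L2-3.1.22",  # control public information
    "PE.L2-3.10.3",  # escort visitors
    "PE.L2-3.10.4",  # physical access logs
    "PE.L2-3.10.5",  # manage physical access
}
MFA_REQ = "IA.L2-3.5.3"           # multifactor authentication
ENCRYPTION_REQ = "SC.L2-3.13.11"  # FIPS-validated cryptography for CUI


@dataclass(frozen=True)
class Finding:
    control: str
    weight: int   # 1, 3 or 5 from the methodology's scoring table
    status: str   # "met", "not_met", or "partial" (MFA and encryption only)


def deduction(f: Finding) -> int:
    """Points lost for one requirement."""
    if f.status == "met":
        return 0
    if f.status == "not_met":
        return f.weight
    if f.status == "partial":
        # Only two requirements have a partial-credit tier: MFA in place for
        # remote/privileged but not general users, and encryption in place but
        # not FIPS-validated.  Both lose 3 of their 5 points.
        if f.control in (MFA_REQ, ENCRYPTION_REQ):
            return 3
        raise ValueError(f"no partial credit defined for {f.control}")
    raise ValueError(f"unknown status {f.status!r} for {f.control}")


def score(findings) -> int:
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_problems(findings) -> list:
    """Reasons, if any, why the open items cannot be carried on a POA&M."""
    problems = []
    s = score(findings)
    if s < MIN_CONDITIONAL_SCORE:
        problems.append(f"score {s} is below {MIN_CONDITIONAL_SCORE}")
    for f in findings:
        lost = deduction(f)
        if lost == 0:
            continue
        if f.control in NEVER_POAM:
            problems.append(f"{f.control} may never be on a POA&M")
        elif f.control == ENCRYPTION_REQ:
            if lost > 3:  # encryption entirely absent, not merely non-FIPS
                problems.append(f"{f.control} with no encryption cannot be on a POA&M")
        elif lost > 1:
            problems.append(f"{f.control} loses {lost} points; only 1-point items may be on a POA&M")
    return problems


def outcome(findings) -> str:
    """'final' (all met), 'conditional' (POA&M allowed) or 'not certified'."""
    if score(findings) == MAX_SCORE:
        return "final"
    return "conditional" if not poam_problems(findings) else "not certified"


# Constructed sample: the weights are my assumptions for illustration; take the
# real value of each requirement from the methodology's table.
SAMPLE = [
    Finding("AC.L2-3.1.1", 5, "met"),        # authorized access control
    Finding("AC.L2-3.1.20", 1, "met"),       # external connections
    Finding("IA.L2-3.5.3", 5, "met"),        # multifactor authentication
    Finding("SC.L2-3.13.11", 5, "met"),      # FIPS-validated cryptography
    Finding("AT.L2-3.2.3", 1, "not_met"),    # insider-threat awareness (the one POAM)
]


def with_status(findings, control, status):
    """Copy of findings with one requirement's status changed."""
    return [Finding(f.control, f.weight, status) if f.control == control else f
            for f in findings]


if __name__ == "__main__":
    print(score(SAMPLE), outcome(SAMPLE), poam_problems(SAMPLE))
    blocked = with_status(SAMPLE, "AC.L2-3.1.20", "not_met")
    print(score(blocked), outcome(blocked), poam_problems(blocked))
```

The point the sample makes is the one leadership needs to hear: a single open 1-point item yields a conditional certification, while one open external-connections requirement, also worth only 1 point, blocks certification outright, and partial credit on FIPS encryption is the only 3-point deduction a POAM can carry.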
What I Wish I Had Done Differently
1. Securing an Executive-Level Champion
I reported to an IT Manager who didn’t have enough organizational influence to push company-wide changes. I was four levels down from the CEO, yet responsible for implementing policies that affected the entire organization.
Without a champion at the director/VP/C-suite level:
- I spent countless hours negotiating and socializing changes.
- Adoption took longer than it needed to.
- Enforcement became a constant battle.
If I could start over, I would secure an executive sponsor from day one: someone who could clear resistance and endorse changes from the top.
2. Defining a CMMC Enclave Early
Our leadership wanted the entire company to be certified instead of just the handful of employees who actually handle CUI. Looking back, this was one of our biggest inefficiencies.
The analogy I use is PCI compliance: Imagine certifying a 500-employee company for credit card handling when only 10 employees actually process payments. Now everyone—from custodians to executives—must take PCI training and follow PCI procedures.
That’s what we did with CMMC, and it placed an excessive and unnecessary burden on everyone.
A small, well-structured enclave would have:
- Reduced training
- Eliminated unnecessary policy scope
- Simplified implementation
- Reduced audit burden
- Improved overall compliance
I strongly recommend assessing whether your organization truly needs enterprise-wide certification—or if an enclave is the smarter path.
3. Involving the Quality Manager Earlier
Leadership was anxious about whether we would pass, so they instructed the QM to audit all evidence during the final month before the assessment.
The result?
- I worked 7 days a week, rushing to restructure evidence.
- We survived—but it was unnecessary stress.
If I had involved the QM throughout the entire program, the evidence format would have been clean, consistent, and audit-ready from the start.
The Final Result
We earned a CMMC Conditional Certification with one POAM during the final assessment period.
We closed that POAM within five months and achieved full CMMC Certification.
This journey pushed me professionally and personally, and I’m proud of the outcome. The lessons above aren’t hypothetical: they’re battle-tested. If you’re preparing for your own assessment, I hope these insights help you navigate your path more efficiently and with fewer surprises.
Closing Thoughts
CMMC is challenging, especially if you work for a small or mid-sized contractor. But with the right structure, the right people, and realistic expectations, it’s absolutely achievable.
If you’re getting ready for your final assessment:
- Invest in training.
- Choose your partners wisely.
- Secure an executive champion.
- Scope your environment thoughtfully.
And remember: the goal isn’t perfection—it’s certification.
Before You Go
Wishing you much success in your CMMC certification journey.
Sign up for my mailing list at https://miguelacallesmba.medium.com/subscribe