
October 16, 2025 | Lawrence Cruciana

Inside a Real CMMC Audit: What MSPs Can Learn from the Other Side of the Table

Lawrence Cruciana reveals how CorpInfoTech survived a CMMC audit, and the key lessons learned from that transformative experience.

Corporate Information Technologies has always considered delivering secure IT services to clients in highly regulated industries core to its mission. But the introduction of the Cybersecurity Maturity Model Certification (CMMC), and the realities of a formal CMMC audit, marked a turning point for all MSPs operating in the Defense Industrial Base (DIB).

The CMMC model introduces a new role: the external service provider (ESP). This role includes MSPs that support systems containing Controlled Unclassified Information (CUI), even if they don’t handle the data directly. Unless they process or store CUI, ESPs don’t need Level 2 certification, but assessors still include them in the scope of customer audits.

That changes everything.

Perspectives from the Assessment Table

At CorpInfoTech, a cybersecurity-focused MSP, we spent decades helping clients build compliance programs and prepare for audits. But going through a formal CMMC assessment firsthand was a different experience altogether. The assessors didn’t simply run through an IT checklist. The team reviewed procurement workflows, HR onboarding, and the links between risk decisions and implemented controls. Their knowledge of NIST standards and high-assurance environments pushed the process well beyond traditional IT audits.

Despite my deep involvement with CMMC since its early days, the experience revealed how unprepared even mature MSPs might be for this level of scrutiny.

Compliance Isn’t Optional; It’s Operational

CMMC demands intentionality and transparency at every level of service delivery. MSPs must align their practices with each customer’s system security plan (SSP), support evidence production, and meticulously document configurations and decisions. It’s not enough to focus on uptime and SLAs. Service providers must also demonstrate verifiable security and compliance, even if they aren’t pursuing certification themselves.

Compliance is no longer just the client’s responsibility. For MSPs, it’s now a core part of doing business in the DIB and other regulated industries.

What MSPs Should Know About CMMC Assessments

Each CMMC assessment is conducted by a team of at least three experienced auditors, as outlined in the CMMC Assessment Process Guide (CAP). These assessors use the standards in NIST SP 800-171 and 800-171A to evaluate the effectiveness of implemented controls.

In CorpInfoTech’s case, the auditors — with deep experience in high-assurance environments — went beyond checklists. They examined procurement workflows, HR onboarding, and cross-functional risk decisions. The takeaway: Real compliance depends on coordinated execution, not isolated IT readiness.

Under the Final Rule in Title 32 CFR, MSPs acting as external service providers fall within scope of a customer’s CMMC assessment, even if they aren’t directly handling CUI.

Table 3 of §170.18 states:

“If the contractor uses an External Service Provider (ESP) to support the protection or distribution of CUI, the contractor must ensure that the ESP complies with CMMC Level 2 requirements.”

For MSPs, this marks a critical shift. Service delivery must now be demonstrably secure and aligned with the customer’s system security plan (SSP). Uptime alone isn’t enough. Documentation, transparency, and defensible practices are key.

Lessons from the CMMC Front Lines

CorpInfoTech recently completed a formal CMMC assessment. In 2023, CorpInfoTech reinforced its long-standing commitment to security by becoming the first MSP to earn formal accreditation from the Center for Internet Security (CIS).

To prepare for the assessment, I pursued extensive training, achieving CMMC Certified Professional (CCP) status and completing the coursework required for CMMC Certified Assessor (CCA) designation.

The list below shares real-world lessons, each reflecting a presumption we held before the assessment and reshaped through direct experience.

Assumption #1: CMMC Is Primarily an IT Issue

I entered the CMMC assessment process believing that a well-prepared IT and Technical Service department would be the cornerstone of CMMC success. The traditional MSP model shaped this assumption, emphasizing infrastructure, hardening, and endpoint management as key signs of preparedness. However, the assessment exposed a broader truth: CMMC compliance demands alignment across the entire organization.

While our security-first MSP had a very mature technical foundation, the assessment evaluated far more than infrastructure. It scrutinized business processes, interdepartmental communication, policy execution, and risk articulation. These areas fell outside of the conventional boundaries of an IT team’s responsibilities.

It revealed that you cannot achieve effective cybersecurity through technical excellence alone. You also need collaborative governance, clearly defined roles, and a deep understanding of the mission behind each control.

The assessment made clear that compliance is not an IT function, but an organizational commitment, requiring participation, accountability, and fluency in security practices across every operational domain.

Assumption #2: We Optimized Our Operational Structure

Expecting minor adjustments, I underestimated the challenge of changing deeply embedded practices. I presumed our long-standing operational paradigms, built over decades of service delivery, were sufficiently mature. The assessment quickly invalidated that assumption.

Changes were required in unexpected areas, from facilities management and vendor screening to marketing and communications. Even our data center partners with extensive third-party certifications had to undergo rigorous review under CMMC criteria.

We didn’t adjust these for security’s sake alone; the changes were needed to meet the evidentiary threshold the assessment process demanded. It became evident that existing efficiencies had to be re-engineered through a compliance-centric lens.

Assumption #3: My Role as Executive Is Peripheral (to the Technical)

Initially, I viewed my responsibility as supportive, limited to authoring and approving policies, attending executive interviews, and determining risk tolerances. That belief was quickly dispelled during the assessment’s first phase. Executive engagement is not merely beneficial; it is fundamental.

Assessors expected detailed, informed responses about the organization’s security posture, risk decisions, and SSP. More importantly, they required assurance that leadership owned those decisions.

As the executive attesting to the contents of the SSP, I recognized the legal implications tied to accuracy and completeness, particularly under the False Claims Act. The role that I originally assumed to be symbolic proved to be materially accountable.

Assumption #4: Our Security Culture Is Well Understood

Prior to the assessment, I was confident in our security culture. For over 14 years, CIS Controls served as our organizational North Star.

We weren’t just familiar with the controls; we were steeped in them. They were deeply embedded in our service delivery methodology, governance model, and policy framework. We operated in regulated sectors, supporting clients subject to SEC/FINRA oversight and NERC CIP regulations. Documented processes, consistent risk management, and policy alignment have long been part of our operational DNA. As far back as 2017, I highlighted this growing risk at a national level, years ahead of mainstream recognition of the threat.

CMMC revealed that while our team followed policies, not everyone fully understood their purpose. Some acted out of habit or documentation without grasping the broader security significance. These gaps, while not outright failures, illustrated that culture is not static. Even when built on a strong foundation, culture must be actively maintained. It requires continuous reinforcement, communication, and leadership modeling.

The assessment revealed that alignment with culture must extend beyond intention. Staff must know what to do, how to do it, and why it matters. Plus, that understanding must be visible to an external auditor. CMMC helped surface areas where our culture had drifted into routine rather than reflection. It proved that culture is not measured in sentiment but in behavior, evidenced consistently across roles, functions, and levels of the organization.

Assumption #5: Our Documentation Is More Than Adequate

Entering the process, I considered our documentation to be robust. Policies, procedures, and standard operating procedures (SOPs) were meticulously maintained. However, I learned that adequacy in documentation is not measured by its existence but by its traceability to daily operations.

CMMC’s standard of evidence required every policy to be demonstrably enacted and clearly mapped to operational behavior. The most important realization was not the volume of documentation, but its practical alignment to how our teams operate. Each NIST 800-171 control required corresponding evidence of enactment, not just in records and logs, but in how and why individuals across departments performed their work.

For example, in incident response simulations, we focused not just on whether the process was followed, but whether front-line technicians understood their roles, timing, and actions in relation to the documented procedure. This clarified that everyone involved in the ‘doing’ fully understood the rationale behind their tasks and how they contribute to broader compliance objectives.

Documentation cannot exist in a vacuum. It must reflect awareness, support operational purpose, and reinforce operational integrity.

Assumption #6: Our Maturity Would Be Self-Evident

I presumed that our decades of cybersecurity experience and industry recognition would speak for itself during the assessment. Instead, I discovered that maturity must be demonstrated, not implied.

The assessment scrutinized our organization across technical, procedural, and cultural dimensions. While our history established credibility, our ability to show alignment between policy, execution, and verification substantiated maturity. The assessment team did not evaluate reputation, intentions, or assumed expertise. Instead, they evaluated the documented practices, the clarity of the SSP, the alignment of procedures with operational reality, and the evidence that connected each NIST 800-171 control to our business processes. Every supporting artifact, from policies to implementation records, became a measure of our operational integrity.

The outcome was a perfect 110 passing score with no Limited Practice Deficiencies (LPDs) or Plan of Action and Milestone (POA&M) items on the first pass. Rather than legacy, it was a product of rigorous preparation and systemic discipline grounded in the clarity and defensibility of our SSP, its related documentation, and a set of practices that were established and operationalized well in advance of our assessment.


Key Takeaways: Transformation Through Assessment

Each misconception held before the CMMC assessment provided an opportunity for personal and organizational growth. The assessment served not only as a technical audit but as an organizational reckoning. It demanded clarity, accountability, and cohesion across all facets of the business.

Most Important Lessons Learned

  1. A unified understanding of cybersecurity is an organizational imperative.
  2. Enhance cross-departmental coordination and policy execution.
  3. Strengthen leadership accountability and legal awareness.
  4. Elevate cultural resilience and operational transparency.
  5. Write SSPs, Policies, SOPs, and related documents in a common language. Share them with both the internal team and the external assessment team.

These lessons resulted in more than a passing score. They transformed how we operate. That can be helpful for others gearing up for a CMMC journey.

Experiential Recommendations for Organizations Preparing for CMMC

  1. Approach CMMC as a business challenge, not an IT challenge.
  2. Challenge assumptions early. Identify what you believe to be true and test it.
  3. Involve leadership from the beginning. Executive presence must be consistent and informed.
  4. Map policies to practice. Evidence must be readily available and clearly attributable.
  5. Treat cultural alignment as a control. Reinforce the purpose behind every procedure.
  6. Prepare for transformation, not just compliance. The journey will reshape the business.

Concluding Reflections

CorpInfoTech’s CMMC assessment validated the depth of our organizational alignment. More importantly, it illuminated the gap between assumption and demonstrable assurance. It proved that effective cybersecurity is not theoretical. It must be evidenced, owned, and continuously demonstrated.

This principle extends beyond compliance artifacts. An organization cannot claim maturity through reputation or historical competence alone. It must provide verifiable, consistent proof that cybersecurity controls are implemented as designed, aligned with NIST 800-171 requirements, understood by those responsible for execution, and integrated into the operational fabric of the business.

Especially challenging for MSPs is that CMMC, and the SSP at its core, runs counter to the foundational operating model of the MSP industry. The managed services model is built on principles of automation, systemization, and operational efficiency that often seek to remove human intervention in favor of streamlined, scalable processes. CMMC, in contrast, demands intentional human oversight, ongoing documentation, and demonstrable understanding across all layers of the organization.

Success in a CMMC assessment requires more than well-written policies. It requires language that is accessible and meaningful to everyone involved: internal staff, external stakeholders, and the assessment team alike. Documentation must reflect not only compliance, but comprehension. The evidence must show that procedures are followed with purpose, that each constituent part of the organization — technical teams, leadership, HR, procurement, and more — understands how their work connects to security outcomes.

True effectiveness emerges when everyone, from front-line technicians to executive leadership, can articulate the “why” behind a policy and demonstrate its enactment through observable outcomes. CMMC compels organizations to shift from a mindset of assumed security to one of provable security, built collaboratively through shared understanding and coordinated execution.


Lawrence Cruciana is the founder and president of Corporate Information Technologies (CorpInfoTech). The cybersecurity-centric MSP delivers secure IT services to highly regulated industries, including organizations within the Defense Industrial Base (DIB). Under Cruciana’s leadership, CorpInfoTech became one of the nation’s first companies to achieve CMMC Level 2 certification. It also was among the earliest organizations recognized as a CMMC Registered Provider Organization (RPO).

Featured image: DALL-E