Beyond the Audit: What a CMMC Level 2 Assessment Reveals About Continuous Compliance
In 2025, CMMC stopped being theoretical. The DFARS Final Rule (DFARS Case 2019-D041) took effect on November 10 of last year, and every applicable DoD solicitation issued after that date now carries a new clause, a new SPRS identifier, and a new annual signature from an Affirming Official who is personally exposed under the False Claims Act. Phase 1 is already in our contracts. Phase 2, the one requiring third-party Level 2 certification, begins this November 10.
At Evolver, we completed our own CMMC Level 2 assessment in March. I have run IT and cybersecurity organizations through HIPAA and HITECH transitions in elder care, SOC 2 and ISO maturity cycles in private-equity portfolios, FERPA and research-data controls in higher education, and ITAR-adjacent regimes in manufacturing. I came to the DIB from outside, and I will say this plainly: CMMC is not harder than any of them. It is more consequential for the signature. That is what most of the commentary misses.
A boundary diagram is a budget document
The most expensive decision a CIO makes in a CMMC program is not a tool selection. It is where you draw the line around your environment for handling Controlled Unclassified Information. Over-scoping results in hundreds of thousands of dollars wasted applying Level 2 controls to assets that never needed them. Under-scoping leads to an assessment failure the moment an assessor traces a data flow into an “excluded” segment.
Industry cost data puts a first-cycle Level 2 certification at somewhere between $138,000 and $400,000 for most mid-market contractors. A PreVeil survey found roughly 70% of contractors had budgeted less than DoD’s own $100,000 baseline. The delta between those numbers and reality is almost always the boundary.
The pattern I have seen across every regulated industry – and confirmed again on our own assessment – is that an enclave-first architecture beats an enterprise-wide lift for the vast majority of mid-tier firms. 32 CFR § 170.19 defines five asset categories, and the one most organizations underweight is Security Protection Assets: your SIEM, your identity provider, your logging infrastructure, your backup systems. They are in scope because they protect the CUI environment. Missing that is how a “tight” 40-asset enclave balloons into a 200-asset scope two weeks before the assessor arrives.
After a successful audit, I endorse the position that if you cannot defend a segment’s exclusion with current data-flow evidence, then that segment is in scope. Draw conservatively, enclave aggressively, and route everything else around it.
The Affirming Official signs alone
32 CFR § 170.22 requires a senior representative with authority to bind the organization – the Affirming Official – to attest to compliance after every assessment, after POA&M closeout, upon achievement of Conditional CMMC Status, and annually thereafter. The affirmation is filed in SPRS. It is also, in legal effect, a sworn statement.
The reason this matters more today than it did two years ago is enforcement.
In March 2025, MORSE Corp settled a False Claims Act matter for $4.6 million, the first CMMC-adjacent FCA case, triggered in part by failure to update an SPRS score after a third-party assessment revealed a score of negative 142.
In May, Raytheon and its Nightwing subsidiary settled for $8.4 million, notably for conduct that predated the 2024 acquisition, establishing successor liability as a live risk in M&A. DOJ closed FY2025 with roughly $52 million in cyber-related FCA recoveries, a reported 233% year-over-year increase, and the Civil Cyber-Fraud Initiative has continued under the current administration.
I will state the operating implication as a recommendation rather than a hedged observation: the Affirming Official should refuse to sign without a current, evidenced, date-stamped scorecard of all 320 assessment objectives across NIST SP 800-171’s 110 security requirements. Spreadsheets are not evidence. An SSP last updated months ago is not evidence. If the data is not defensible in a deposition, the signature should not happen. If leadership insists, the refusal should be documented in writing. That is not a compliance position, but rather a fiduciary one.
Shared responsibility is a contract, not a handshake
The most expensive misconception I’ve encountered throughout my career (and the one I watch peers repeat constantly) is the assumption that outsourcing IT operations to a Managed Service Provider or a Cloud Service Provider outsources liability. It does not. Liability for certification stays with the organization holding the contract. If the MSP is non-compliant, the organization will fail.
The artifact that closes this gap is a “Customer Responsibility Matrix” (CRM), not a “Shared Responsibility Matrix.” The distinction matters because a CRM is a contractable document that maps every one of the 320 assessment objectives to a specific owner of record – internal, MSP, CSP, or shared – with the evidence stream each party will produce. Under 32 CFR § 170.19(c)(2), External Service Providers handling CUI must themselves meet Level 2. Under the December 2023 DoD CIO memo, cloud services must achieve FedRAMP Moderate equivalency, which requires a zero-findings 3PAO-performed assessment.
My minimum bar: if an MSP cannot produce an itemized CRM covering all 320 objectives within two weeks of being asked, treat the unmapped objectives as yours. In most cases, they already are.
Evidence is a pipeline, not a binder
CyberSheath’s 2025 State of the DIB Report found that only 1% of surveyed defense contractors consider themselves fully prepared for CMMC assessments, down from 8% in 2023. The median self-reported SPRS score across the DIB remains around 60 against a required 110. In March 2026, GAO-26-107955 publicly confirmed what the ecosystem has been saying privately: DoD has no plan to scale the certified C3PAO population fast enough – roughly 80 authorized C3PAOs are expected to certify a universe of some 76,000 contractors, with Phase 2 beginning in seven months.
These numbers reframe the problem. Continuous compliance is not a tools problem. It is a staffing, cadence, and evidence-pipeline problem. Every regulated industry I have worked in eventually makes the same move: from periodic binder-based evidence to automated, streaming evidence tied to the System Security Plan. Healthcare made that move under HITECH. Financial services made it post-SOX. Higher education is making it now under GLBA Safeguards. CMMC is the DIB’s version of the same transition, compressed into a shorter timeline and with a False Claims Act backstop the other industries mostly did not have.
The practical prescription: run a quarterly internal mock assessment against DIBCAC-style evaluation criteria, automate evidence collection for the 80% of objectives that can be, and treat the remaining 20% – the ones that require interviews, policy reviews, and artifact inspection – as a rolling operational exercise rather than a pre-audit fire drill. For us, that quarterly assessment meets our needs for CMMC/NIST and ISO standards.
The Affirmation-Ready Operating Model
I have started calling the operating posture this series will build out the Affirmation-Ready Operating Model. Five pillars, in plain language:
1. A scoped enclave defensible with data-flow evidence.
2. An evidenced scorecard covering all 320 objectives, refreshed at a known cadence.
3. CRM-bound partners: no unmapped objectives hiding in vendor contracts.
4. Quarterly mock assessments modeled on DIBCAC criteria.
5. An Affirming Official sign-off gate that refuses stale or undefended evidence.
If a CIO cannot point to each of these in their own program, the affirmation is a risk acceptance, not a compliance statement. That is the bar, and it is what I believe information leaders should be told when preparing for the CMMC audit process.
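As an added illustration (not Evolver’s tooling or any CMMC artifact), the Python sketch below turns pillars 2, 3 and 5 into a sign-off gate: it checks that a CRM-style scorecard covers the expected 320 objectives, that every objective has an owner of record, an evidence artifact and a date stamp, and that no evidence is older than an assumed 90-day cadence. The objective ids follow NIST SP 800-171A notation; the records, dates and the 90-day threshold are constructed assumptions.

```python
from datetime import date, timedelta

OWNERS = {"internal", "MSP", "CSP", "shared"}       # owner-of-record values a CRM may assign
EXPECTED_OBJECTIVES = 320                            # NIST SP 800-171A determination statements
MAX_EVIDENCE_AGE = timedelta(days=90)                # assumed cadence: one quarterly mock assessment

def gate(scorecard, today, expected=EXPECTED_OBJECTIVES, max_age=MAX_EVIDENCE_AGE):
    """Affirmation sign-off gate. scorecard maps objective id -> record with keys
    owner, evidence (artifact reference or None) and evidence_date (date or None).
    Returns (approved, findings); any finding blocks the signature."""
    findings = {}
    if len(scorecard) != expected:                   # a partial scorecard is not evidence
        findings["__coverage__"] = f"{len(scorecard)} of {expected} objectives present"
    for obj, rec in scorecard.items():
        problems = []
        if rec.get("owner") not in OWNERS:           # unmapped objective: it is yours
            problems.append("no owner of record (treat as internal)")
        if not rec.get("evidence"):
            problems.append("no evidence artifact")
        stamped = rec.get("evidence_date")
        if stamped is None:
            problems.append("evidence not date-stamped")
        elif today - stamped > max_age:
            problems.append(f"evidence stale ({(today - stamped).days} days old)")
        if problems:
            findings[obj] = "; ".join(problems)
    return not findings, findings

# Constructed sample records (not Evolver's data); ids use NIST SP 800-171A notation.
SAMPLE_TODAY = date(2026, 3, 31)
SAMPLE = {
    "3.1.1[a]":   {"owner": "internal", "evidence": "idp-user-export.json", "evidence_date": date(2026, 3, 1)},
    "3.1.1[b]":   {"owner": "MSP", "evidence": "msp-ticket-4471.pdf", "evidence_date": date(2025, 11, 15)},
    "3.3.1[a]":   {"owner": None, "evidence": "siem-retention.png", "evidence_date": date(2026, 3, 10)},
    "3.13.11[a]": {"owner": "CSP", "evidence": None, "evidence_date": None},
}

def check_sample(expected=None):
    """Run the gate over the sample; expected=None scores only the objectives present."""
    return gate(SAMPLE, SAMPLE_TODAY, expected=len(SAMPLE) if expected is None else expected)

if __name__ == "__main__":
    approved, findings = check_sample()
    print("approved" if approved else "refused")
    for obj, why in findings.items():
        print(f"  {obj}: {why}")
```

Run against a real CRM export, the same loop would be fed from the evidence pipeline rather than a hand-built dictionary, and a refusal would be logged alongside the scorecard snapshot that produced it.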
—
Ryan Haylock is Chief Information Officer at Evolver, a federal technology and cybersecurity firm headquartered in Reston, Virginia. Prior to Evolver, he led IT and cybersecurity organizations across commercial, private-equity, higher education, manufacturing, and elder care with a focus on operationalizing compliance efficiently, smart process automation, and building highly performing teams. Evolver achieved CMMC Level 2 certification in March 2026.
About Evolver
Evolver, headquartered in Reston, Virginia, is a technology company serving government and commercial customers by addressing client challenges in the present and transitioning clients to the future through innovative IT transformation and cybersecurity services and solutions.
Founded in 2000, Evolver delivers mission-driven services and solutions that improve security, promote innovation, and maximize operational efficiency. For more information, visit us at www.evolverinc.com or on LinkedIn.