There's a dangerous delusion spreading through the Defense Industrial Base: that passing a CMMC Level 2 assessment means you're secure.
Three experts who live in the trenches of CMMC assessments—a C3PAO CEO who's delivered 18 Level 2 certifications, a partner at a major consulting firm running their CMMC practice, and a GRC platform chief security officer who helped establish the CMMC Accreditation Body—gathered in Washington D.C. with a stark message: If a control can't stop data exfiltration or reduce risk to CUI, it shouldn't be in your System Security Plan.
Their collective thesis? Organizations are achieving compliance while remaining fundamentally insecure. And it's happening for five specific, fixable reasons.
This blog covers a DCMMC panel: "Defense Over Pretense: Making Audits Easy and Exfiltration Hard."
Watch the full panel above or keep reading for the recap.
The first crack in CMMC's armor is structural: it's dangerously easy to satisfy assessors with paperwork that has zero correlation to actual security posture.
Andy Sauer, CEO of Sentinel Blue, was blunt about what he sees across 18 Level 2 certifications: "It is very easy to game your way through CMMC L2 with process and documentation that is entirely impractical. You can write a 500-page SSP that no one can action and you can just do enough shallow work that it'll pass and we're really not moving the needle."
He pointed to control 3.1.3—controlling the flow of CUI—as a prime example. "Most people demonstrate a CUI flow diagram, the assessor says 'Oh I see a diagram, you pass 3.1.3, good to go,'" Sauer explained. "But there's a whole lot more to controlling the flow of CUI… protecting against exfiltration, making sure the right people have access to it."
This isn't just one control. Sauer noted that Level 1 and 2 controls across domains "tend to be the high level" statements that are inherently vague. "You can get away with some pretty basic stuff, especially around process and policy statements without having to demonstrate really a lot of technical depth."
Sauer advocates for an inverted priority: "Do 80% technical and 20% documentation. Very often I see people pushing 80% documentation and 20% technical." The reasoning is simple: you can revise a document between assessment sessions; you cannot fix a fundamentally broken security architecture overnight.
This creates a perverse incentive structure where organizations optimize for audit performance rather than threat resistance. Which leads directly to the second problem.
When compliance becomes disconnected from security culture, even "implemented" controls become meaningless checkboxes. And unlike failed audits, failed security culture doesn't show up until after the breach.
Michael Lipinski from Plante Moran shared a cautionary tale that perfectly illustrates this gap: A client deployed multi-factor authentication across their entire organization—a clear CMMC requirement, properly documented, fully implemented. Six months in, their frequently traveling CFO found MFA burdensome and requested an exemption. It was granted.
Six months after that, $3 million left the organization, presumably through the compromised account.
"Security is really more of a culture thing than it is tech stack or control framework," Lipinski emphasized. "It really comes down to the culture of the organization top down."
The organization had the right control. They had the right documentation. They even had the right technology deployed. But one cultural failure, prioritizing executive convenience over security, rendered it all meaningless. And here's the critical part: that exemption would likely never surface in a standard CMMC assessment.
The assessor would see MFA deployed organization-wide. They'd see the policy requiring it. They'd check the box and move on. The cultural rot that actually compromised security would remain invisible until the money disappeared.
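An exemption like the CFO's is invisible in the policy document, but it is visible in the tenant configuration if someone actually looks. The script below is an added example for this recap, not code from the panel, its speakers, or Virtru. It assumes the input is an export of Conditional Access policies shaped like the Microsoft Graph conditionalAccessPolicy object (state, conditions.users.excludeUsers/excludeGroups/excludeRoles, grantControls.builtInControls); the policy names and object IDs in the sample are constructed. It flags MFA policies that are not enforced, users, groups or roles carved out of them (other than a known break-glass allowlist), and a tenant with no enforced MFA policy covering all users.

```python
import json

# Constructed sample export, shaped like the Microsoft Graph
# conditionalAccessPolicy resource (GET /identity/conditionalAccess/policies).
# Display names and object IDs are invented for this example.
SAMPLE_EXPORT = """
[
  {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {"users": {
      "includeUsers": ["All"],
      "excludeUsers": ["1b2c3d4e-cfo0-0000-0000-000000000001"],
      "excludeGroups": ["9f9f9f9f-brk0-0000-0000-000000000002"],
      "excludeRoles": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  },
  {
    "displayName": "Block legacy authentication",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                             "excludeGroups": [], "excludeRoles": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["block"]}
  },
  {
    "displayName": "Require MFA for privileged roles",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeUsers": [],
                             "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                             "excludeUsers": [], "excludeGroups": [], "excludeRoles": []}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  }
]
"""

# Object ID of the emergency-access (break-glass) group that is allowed to be
# excluded from MFA. Constructed value; in practice this list comes from your
# SSP and should be very short.
KNOWN_BREAK_GLASS = frozenset({"9f9f9f9f-brk0-0000-0000-000000000002"})


def requires_mfa(policy):
    """True if the policy's grant controls include the built-in MFA control."""
    grant = policy.get("grantControls") or {}   # session-only policies have no grantControls
    return "mfa" in (grant.get("builtInControls") or [])


def find_mfa_gaps(policies, known_break_glass=frozenset()):
    """Return (policy name, finding) tuples for every way MFA coverage is weakened."""
    findings = []
    enforced_for_all = False
    for policy in policies:
        if not requires_mfa(policy):
            continue
        name = policy.get("displayName", "<unnamed>")
        state = policy.get("state")
        if state != "enabled":
            # Report-only or disabled policies look like MFA on paper but enforce nothing.
            findings.append((name, f"MFA policy is {state}, not enforced"))
            continue
        users = (policy.get("conditions") or {}).get("users") or {}
        if "All" in (users.get("includeUsers") or []):
            enforced_for_all = True
        # Every exclusion is a carve-out; only documented break-glass objects get a pass.
        for key, label in (("excludeUsers", "user"),
                           ("excludeGroups", "group"),
                           ("excludeRoles", "role")):
            for object_id in users.get(key) or []:
                if object_id in known_break_glass:
                    continue
                findings.append((name, f"excludes {label} {object_id} from MFA"))
    if not enforced_for_all:
        findings.append(("<tenant>", "no enforced MFA policy includes all users"))
    return findings


def audit_sample():
    """Run the audit over the constructed export above."""
    return find_mfa_gaps(json.loads(SAMPLE_EXPORT), KNOWN_BREAK_GLASS)


if __name__ == "__main__":
    for policy_name, finding in audit_sample():
        print(f"{policy_name}: {finding}")
```

The two findings the sample produces are exactly the ones a document-only review misses: a named user excluded from the tenant-wide MFA policy, and an admin MFA policy still in report-only mode. Graph returns object IDs rather than names, so a real run would resolve each excluded ID against the directory and compare the result with the exceptions list in the SSP; any ID not on that list is the CFO story waiting to happen.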
Stuart Itkin from FutureFeed expanded on this, noting that when organizations view compliance as a checkbox exercise, "there's little consequences for people to look at this as simply check the box," at least until the breach happens. Then the consequences are severe: contractual fines, regulatory penalties, and loss of the sensitive information you were entrusted to protect.
Perhaps the most damning indictment of CMMC's current state is this: the framework is nearly silent on the threats that actually breach defense contractors.
Itkin brought the threat intelligence perspective: "Bad actors are certainly trying to exploit any area they can find within an organization, but the one that seems to be most frequently exploited are those that relate to people controls and not the technical controls."
Consider phishing, the number one attack vector. Major defense contractors, General Dynamics (GDIT) among them, have reported significant breaches that started with a phishing email. Yet as Sauer noted, "Does anyone ever control-F 800-171 for the word 'phishing'? You won't find it."
Think about that. The most common way defense contractors get breached doesn't appear in the control framework.
Control 3.2.1 requires security awareness training, but Itkin observed organizations treating this as "a 20-minute video for individuals to go through, take a two-question test at the end to be able to document that they've completed the security training." Meanwhile, other organizations implement year-round phishing simulations with real consequences, including dismissal after three failures.
Both approaches "pass" the control. Only one actually reduces risk.
The disconnect gets worse when you look at insider threats and social engineering. Itkin highlighted the North Korean remote IT worker scheme, in which more than 100 companies were found to have unknowingly hired North Korean nationals who applied with forged or stolen identities. These individuals, working from North Korean office buildings, passed background checks and interviews, often with AI assistance, and gained access to CUI and ITAR-controlled information.
Control 3.9.1 requires that individuals be screened before they are granted access to systems containing CUI, but the depth of that screening is left to the organization, and "appropriate" clearly has dramatically different interpretations. One defense contractor's "appropriate" gave a foreign intelligence operative remote access to CUI and export-controlled data.
The framework assumes certain baseline competencies that don't exist in practice. Which is exacerbated by the next problem.
Even a perfect framework fails if the people assessing compliance lack the technical depth to distinguish theater from substance. And the rapid growth of the C3PAO marketplace has created exactly this problem.
The panel identified a fundamental split in assessor backgrounds: some come from consulting with deep technical skills but less audit rigor; others come from accounting firms with audit expertise but shallow technical knowledge.
"Some firms will be a little less technical," Lipinski admitted about audit-focused firms. "These may be CPAs that are looking at this and may not have the technical depth to understand the difference between Google Cloud and Azure cloud."
Itkin recounted being in an assessment where "an assessor came in asking to see our endpoint logs and I explained to the assessor we were actually using this new technology called cloud and a product called Windows Defender. It didn't have logs. We were doing this all in real time for analysis. They didn't understand the Microsoft stack."
This fundamentally compromises assessment validity. An assessor who doesn't understand your technology stack cannot properly evaluate whether your implementation of controls actually provides security value.
Sauer emphasized this from the assessor perspective: "Don't be afraid to say no. Turn away the thing that you don't understand because there's liability in saying 'We'll evaluate your Google environment' when your assessors have only ever looked at GCC High."
But many don't say no. The economic incentives push C3PAOs to take on work beyond their technical competency, leading to surface-level assessments that miss critical security gaps.
But there’s good news: there's a built-in quality check coming. Lipinski noted that while C3PAOs are currently certified against the CMMC framework, "the next step is to accredit them against ISO 17020, which is an audit framework" that requires demonstrating "a defined quality process, an audit process, understanding of what independence is."
But that's a future fix. Today's problem remains: organizations shopping primarily on price are getting assessors who lack the depth to properly evaluate their security posture.
The final dysfunction might be the most fundamental: a complete misunderstanding of why we create security documentation in the first place.
Itkin reframed it powerfully: "When anybody talks about documentation in the context of 'we're developing this so we can get through the assessment,' they're doing you a huge disservice. You're developing the documentation for yourself, for your organization."
He continued: "The word 'plan' is pretty operative. A plan is something that you develop to be able to follow. You're not developing a plan so that you can hand it over to an assessor and ensure it's adequate, it's sufficient, we check all the boxes, we can pass our assessment."
This gets to the core of why compliance theater persists: organizations have reoriented their entire CMMC effort around satisfying an assessor rather than protecting information.
Your System Security Plan should be an operational blueprint that your team actually follows. Your policies and procedures should reflect decisions you've made about how to protect CUI in your specific environment. Your documentation should enable new employees to understand your security posture and their role in maintaining it.
Instead, most SSPs are 500-page documents generated to satisfy assessment objectives, filled with generic AI-written policies that bear little resemblance to how the organization actually operates.
"If you're going to use AI to write your policies, they're going to stomp on that," Lipinski warned. "The policies have to be very specific. They can't be generic. They've got to be unique and they've got to flow. You've got to show that you've operationalized them and that's the way your business is functioning."
But operationalization requires actually following the plan, which requires the plan to be realistic and actionable, which requires viewing documentation as a tool for your organization rather than a performance for an assessor.
Understanding why CMMC compliance often fails to deliver security is only valuable if we can chart a different path. The panel offered specific, actionable guidance that moves beyond checkbox compliance:
Stop shopping on price alone. The cheapest assessor may cost you far more when their superficial assessment misses gaps that lead to a breach. Ask potential assessors how many organizations with your specific tech stack they've assessed, what credentials their team holds, and how they handle incomplete controls.
Invest in technical implementation over documentation. Sauer's 80/20 rule isn't about ignoring documentation, it's about priorities. "You know what I can fix between session one and session two? A document. You know what I can't fix? A bad security configuration, a bad baseline being deployed."
Eliminate on-premises infrastructure wherever possible. Cloud solutions address dozens of controls more effectively and reduce assessment complexity significantly. The practitioner's caveat: a cloud service can only hold CUI if it meets the FedRAMP Moderate baseline (or its equivalent under DFARS 252.204-7012), and every control you inherit from the provider still has to be recorded as inherited in your SSP, with the customer-side responsibilities you keep spelled out.
Deploy force multiplier technologies. Zero Trust Network Access tools like Cloudflare Zero Trust and Zscaler can impact multiple controls while genuinely improving your security posture.
Demand partners who speak in concepts, not control numbers. If an assessor talks about "3.1.1, 3.1.2" instead of "how we evaluate least privilege across AD groups, local accounts, and SaaS applications," they lack the technical depth you need.
Be willing to fire underperforming partners. Whether your assessor, RPO, or MSP, if they lack the technical depth or business understanding to properly support you 30 days in, move on. You're not stuck with them.
Know your current state honestly. If you're just starting your gap assessment now, you're a year from readiness. Plan accordingly rather than rushing to check boxes.
Get involved in the community. LinkedIn, Discord, and Reddit have generous experts who've been focused on this for years and openly share lived experience.
Most importantly: Remember that your SSP is for you. When you shift from "what do I need to pass the assessment" to "what do I need to protect the information I've been entrusted with," everything else falls into place.
When the panel concluded, Salinas summarized the core message perfectly: organizations need to demand "not just documentation; a partner as you're an OSC starting your CMMC Level 2 journey to make sure they are adequate to handle not just your business but your tech stack, how you are handling CUI."
Because ultimately, when adversaries bypass your "compliant" controls and exfiltrate your CUI, the assessor might lose their C3PAO status. But you'll face contractual fines, regulatory penalties, loss of business, and the compromise of sensitive information that directly impacts national security.
Defense over pretense isn't just a catchy panel title. It's the only defensible approach to CMMC compliance—and it requires fundamentally rethinking what compliance is actually for.
Organizations that treat their SSP as an operational plan, invest in technical implementation, partner with assessors who have genuine depth, and build a security culture that values protection over convenience—those organizations will be both compliant and secure.
The rest will pass their audits right up until the day they get breached.
DCMMC is an annual practitioner-led, vendor-neutral CMMC community event focused on delivering real security outcomes for the DIB and was a chance to connect with DC's defense peers. The other panels from the event are also available as recordings.
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.