CMMC introduces structured certification requirements for organizations handling Controlled Unclassified Information (CUI), but the path to compliance is often unclear in practice.

In this session, Insight Assurance and RADICL discuss what organizations are actually experiencing as they prepare for CMMC assessments. The conversation covers scoping, documentation, assessment readiness, and ongoing compliance, with a focus on simplifying the process and avoiding common pitfalls.

Panelists included:

  • Adam Glover, Senior Director of CMMC Services, Insight Assurance.
  • Victor Cich, Manager of Compliance Consulting, RADICL.

Below are the key points from the session, including why CMMC still feels uncertain for many contractors, how scope decisions shape effort and pricing, and what to prioritize before a Level 2 assessment.

Why CMMC Still Feels Uncertain

Victor Cich opened with a direct explanation of why CMMC remains difficult to “standardize” across organizations. “A lot of things are still moving,” he said, pointing to evolving guidance, shifting expectations across assessors, and the gap between what CFR language suggests and what organizations see show up in real contracts. He also noted that contractors are often expected to protect CUI without clear markings, which makes early scoping conversations harder than they should be.

Scope and Complexity Drive Time and Cost

Adam Glover reinforced that scoping is not just a technical decision; it also affects risk exposure, assessment effort, and downstream cost. His recommendation was to keep scope as narrow as practical, limiting access to only the users who truly need it. He also noted that when an enclave approach is feasible, it can reduce the number of systems and workstations that remain in scope.

Glover also highlighted virtual desktops as a practical way to reduce scope when they fit the environment. He described virtual desktop infrastructure (VDI) as a lever that can “help limit your scope,” especially when teams want to take end-user workstations out of scope.

Documentation Has to Match How Controls Operate

The session also emphasized that readiness often breaks down when documentation stops at high-level requirement statements. Cich discussed the importance of writing SSPs in a way that aligns to what assessors evaluate during testing. He also returned to ownership and accountability. If teams cannot clearly identify who owns a requirement, it becomes harder to show consistent operation during interviews and evidence review.

A recurring warning was evidence mismatch. When teams describe an activity as automated but execute it manually, or when retention claims do not match what systems can substantiate, those gaps tend to create friction during assessment.

Key Takeaways From The Session

During the closing recap, the host summarized three takeaways that captured the tone of the session:

  • Scope correctly, and align documentation with reality.
  • Prepare your team, not just your tools.
  • Validate controls before your assessment.

Want to learn more? Watch the full webinar, or contact Insight Assurance to understand Level 2 assessment expectations and the evidence typically reviewed during testing.