As CMMC Phase One enforcement begins and independent validation replaces self-attestation for defense contractors handling federal contract information and controlled unclassified information, the compliance model has shifted from documentation to demonstrable security practices. Marci Womack, managing director in Schellman’s CMMC practice, examines why assessors focus on objective evidence of actual control operation, how limited assessment capacity creates timing risks for contract eligibility and what sustainable program management requires as Phase Two approaches in November 2026.
Phase one of CMMC 2.0 is officially underway as of November 2025. Changes are coming, but what will be their exact impact? This phase will bring new cybersecurity expectations to the entire defense industrial base, and these expectations are shifting from aspirational to enforceable. What was once largely a matter of contract language and contractor self-attestation is evolving into a more structured model that emphasizes demonstrable security practices, independent validation and long-term program maturity.
For contractors that handle federal contract information (FCI) or controlled unclassified information (CUI), this transition signals a clear message: Preparation can no longer be deferred. While timelines may vary by contract, the underlying expectations of CMMC are already influencing how organizations are evaluated for future work.
Navigating this transition demands an intentional approach to embed readiness and operationalize security across every part of an organization. The keys to this approach for contractors include understanding the FCI/CUI they handle (what and where), honestly evaluating and improving their true security posture for the protection of the identified FCI/CUI, preparing for independent assessments and planning around limited assessment capacity.
From self-attestation to security reality
One of the most significant shifts under CMMC is the growing emphasis on accuracy and accountability in self-assessments. For many contractors, previous approaches focused heavily on written policies or point-in-time compliance checks. Under the updated model, that approach is no longer sufficient.
Effective preparation begins with a realistic understanding of how security controls function in practice. That means identifying where FCI or CUI exists within the organization, the lifecycle of the FCI/CUI and which systems fall within scope because they store, process or transmit FCI/CUI. Without clear scoping, organizations risk misjudging both their compliance status and the effort required to improve it.
Once scope is defined, controls aligned to NIST SP 800-171 should be evaluated through the lens of execution, not intention. Assessments that focus solely on whether a policy exists often overlook whether controls are consistently implemented, monitored and maintained. The gap between documentation and reality is where many contractors encounter challenges later in the process.
Addressing those gaps requires prioritization. Rather than attempt to resolve every deficiency at once, organizations are better served by focusing on foundational areas like identity and access management, audit logging, authentication mechanisms and incident response. Incremental improvement, guided by a structured remediation plan, is more sustainable and more defensible during future reviews.
Preparing for independent assessment expectations
As focus shifts to third-party validation, contractors must adjust their mindset around what it means to be ready. Independent assessments are designed to verify that controls are operating as intended, not just that they are described accurately.
Assessors rely on objective evidence — organizational parameters clearly defined in a system security plan (SSP), configuration settings, documented access reviews, audit logs, system inventories and incident response records all play a role in demonstrating compliance. Organizations that struggle during assessments often do so not because controls are absent, but because evidence is incomplete, difficult to retrieve or inconsistent with policy or expected implementation.
Preparation for third-party validation benefits from structure. Centralizing evidence, assigning ownership to specific control areas and conducting internal walkthroughs and practice demonstrations before an assessment can significantly reduce friction and unexpected surprises. These activities also help internal teams become more comfortable articulating how controls work in practice.
Many organizations also find value in conducting readiness reviews ahead of formal assessments. These reviews provide an opportunity to test assumptions, validate interpretations of requirements and identify weaknesses that may not be obvious from internal reviews alone. The result is a more predictable assessment experience and fewer last-minute surprises.
Assessment demand has made planning crucial
Beyond technical readiness, contractors must also contend with practical constraints. For most contractors handling CUI subject to CMMC Level 2, third-party assessments will be required on a three-year cycle, making long-term scheduling and planning essential rather than optional. Notably, demand for CMMC assessments is increasing, and assessor availability has become much more limited.
This reality introduces a new risk: timing. Contractors that delay preparation until requirements appear in active solicitations may find themselves competing for limited assessment capacity. Scheduling delays can have downstream impacts on contract eligibility.
Organizations that prepare early are better positioned to manage this risk. Thorough self-assessments, organized assessment evidence and documentation and clearly defined system boundaries allow assessments to proceed more efficiently. When assessors can move quickly through evidence and validation, timelines become more predictable.
Strong internal ownership also plays a critical role. Teams that understand their controls and can respond quickly to assessor questions reduce the likelihood of delays. In a constrained assessment market, that level of preparedness can make the difference between meeting a deadline and missing an opportunity.
Building a program that lasts beyond certification
CMMC is far more than just checking a box on some to-do list. It’s an ongoing process with complex layers and interdependencies, and it carries real-world consequences for those that fall behind. Phase One stretches through to November of this year, when Phase Two begins with even more stringent CMMC enforcement, and organizations need to make sure they’re ready for what comes next.
As requirements continue to mature and enforcement expands, contractors will need to maintain their security posture over time. Treating compliance as an ongoing program rather than a discrete project is key to long-term success.
Organizations that invest in repeatable processes, continuous monitoring and regular reassessment are better equipped to adapt as expectations evolve. These efforts not only support compliance but also strengthen overall cybersecurity resilience.
The transition to CMMC represents a meaningful change for the defense industrial base and our national security by emphasizing the protection of sensitive information that has too frequently fallen into the hands of adversaries. Contractors that act early, plan strategically and focus on sustainable security practices will be best positioned to navigate future phases and remain competitive in a changing landscape.


Marci Womack is a managing director in Schellman's federal practice overseeing the emerging CMMC assessment program, the established FedRAMP assessment program and related areas like StateRAMP, FISMA and other NIST 800-53 derivatives. She also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds key certifications, including CISSP, CISA, CEH and (CMMC) CCA. 