Appalachia Technologies Blog


CMMC Level 2 Compliance: Top Pain Points and How to Overcome Them

The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) Level 2 is based on the 110 security practices from NIST SP 800-171 rev 2. These practices are designed to protect controlled unclassified information (CUI) within the defense supply chain. For most DoD contractors, achieving CMMC Level 2 compliance is now mandatory, but the process is challenging. Organizations must navigate evolving requirements, implement technical controls, manage costs, train their workforce, and prepare for stringent audits. Here’s an overview of the top challenges contractors face along with the best practices for overcoming them.

1. Compliance Complexity & Evolving Requirements

Navigating the Framework:
CMMC Level 2 requires contractors to implement a wide array of cybersecurity controls covering 14 control families from NIST SP 800-171. Smaller organizations often lack the in-house expertise needed to interpret and implement these technical controls, which leads to confusion and sometimes a “check-the-box” approach, leaving gaps in compliance.

Evolving Standards:
The shift from CMMC 1.0 to 2.0 brought significant changes, simplifying the levels but altering certain rules. For example, Level 2 now directly aligns with NIST SP 800-171 rev 2 without extra “Delta” controls, and assessments are largely conducted by third parties instead of self-attestation. Additionally, updates like the 2024 revision of NIST SP 800-171, which reduces the requirements from 110 to 97, mean that contractors must continually update their compliance strategies as the regulatory landscape changes.

What to Do:

  • Conduct a detailed gap analysis against the current CMMC/NIST 800-171 requirements.
  • Engage cybersecurity experts or consultants to interpret and implement controls effectively.
  • Develop a compliance roadmap with clear milestones to address evolving standards.
  • Ensure executive leadership buy-in to secure resources and prioritize compliance as a strategic initiative.

2. Technical Implementation & Scoping Challenges

Identifying What to Protect (Scoping CUI):
Determining which systems and data are in scope for CUI protection is often the first major challenge. Contractors might either over-scope, leading to unnecessary expense and complexity, or under-scope, leaving sensitive data unprotected. This confusion is often compounded by vague contract language regarding which data qualifies as CUI.

Implementing Required Controls:
Even with proper scoping, technical implementation can be difficult. Contractors must maintain a current inventory of assets (hardware, software, cloud services, accounts) and ensure that controls such as access management, encryption, system hardening, and continuous monitoring are effectively implemented. Poor asset management and overly permissive access controls can compromise compliance and risk management efforts.

Third-Party/Supply Chain Risk:
CMMC requirements extend beyond an organization’s internal systems to include third-party vendors and subcontractors. Many companies overlook the need to ensure that their supply chain partners are equally compliant, which can expose the entire organization to security vulnerabilities.

What to Do:

  • Start with thorough data mapping and clear scoping of what qualifies as CUI.
  • Invest in asset management tools to maintain an up-to-date inventory of systems that store, process, or transmit CUI.
  • Prioritize critical controls like multi-factor authentication, least-privilege access, and system hardening.
  • Leverage automation (e.g., automated vulnerability scanning and centralized logging) to maintain control consistency.
  • For third-party risk, institute a vendor security review program and require suppliers to demonstrate their compliance.

3. High Costs and Resource Constraints

Financial Burden of Compliance:
Achieving and maintaining CMMC Level 2 compliance involves significant upfront and ongoing costs. These include investments in security tools, system upgrades, cybersecurity consulting, and assessment fees. Even organizations already aligned with NIST 800-171 may face tens of thousands of dollars in added costs, with continuous expenses for re-assessments every three years.

Strain on Small Businesses:
The financial impact is often more severe for small and medium-sized businesses. In some cases, the compliance cost can exceed the revenue from a DoD contract, making it financially unsustainable. We have heard from small businesses that they are making hard decisions on whether they can continue in the defense supply chain space.

Resource and Personnel Limitations:
Besides monetary costs, many organizations underestimate the human effort required. IT teams juggling daily operations may struggle to manage the additional workload of compliance tasks. Securing management buy-in is also challenging when compliance is seen solely as a bureaucratic requirement.

What to Do:

  • Develop a realistic budget and timeline for compliance, prioritizing cost-effective measures.
  • Consider using Managed Security Service Providers (MSSPs) or Managed Service Providers (MSPs) to cover specific technical gaps while retaining overall governance in-house.
  • Explore assistance programs, such as proposed tax credits for small businesses, and collaborate with prime contractors for support.
  • Integrate CMMC efforts with existing compliance processes (e.g., ISO or SOC 2 audits) to maximize efficiency and control costs.
  • Emphasize to leadership that investments in cybersecurity also reduce breach risks and protect valuable intellectual property.

4. Workforce Training and Cultural Gaps

Human Factor Challenges:
Even with the right technology and policies, the effectiveness of CMMC compliance depends on employee behavior. Many organizations fall short in implementing robust, ongoing security training programs. Generic annual training is often insufficient to cover specific CMMC requirements, leaving employees ill-prepared to handle CUI securely.

Resistance to Change:
New security measures can disrupt established workflows, leading to resistance or “security fatigue.” Without clear communication about the rationale behind new policies and strong leadership support, employees may adopt workarounds or ignore protocols.

What to Do:

  • Develop comprehensive, role-based training programs that address specific threats like phishing, proper CUI handling, and multi-factor authentication usage.
  • Provide regular training refreshers rather than relying solely on annual sessions.
  • Track training participation and comprehension to ensure that staff understand their roles.
  • Secure visible leadership support to reinforce the importance of cybersecurity, ensuring that the entire organization views compliance as integral to their mission.
  • Offer support materials, such as clear guides and responsive helpdesk support, to ease the transition to new practices.

5. Audit Preparation and Common Pitfalls

Facing the C3PAO Assessment:
Preparing for a formal CMMC Level 2 audit by an accredited third-party assessor (C3PAO) is often a major hurdle. Many organizations wait until the last minute to assemble the necessary documentation, leading to gaps that can jeopardize the audit outcome.

Common Documentation Pitfalls:
Typical shortcomings include:

  • Incomplete System Security Plans (SSP) that fail to map out control implementations.
  • Missing or outdated policies such as those for access control or incident response.
  • Insufficient evidence for control activities, such as logs, training records, or change management documentation.
  • Unclear scoping of CUI, which can result in auditors finding both over-scoped and under-scoped systems.

What to Do:

  • Begin collecting and updating documentation continuously, not just before an audit.
  • Perform regular self-assessments or mock audits to identify and address deficiencies.
  • Maintain a robust, updated SSP that clearly links each CMMC control to the organization’s policies and evidence.
  • Designate a knowledgeable coordinator to manage audit communications and ensure prompt responses to auditor requests.
  • Keep an organized evidence repository to streamline the audit process and demonstrate proactive compliance management.

Conclusion

CMMC Level 2 compliance is a complex, multi-faceted challenge that requires a strategic, well-resourced approach. By conducting thorough gap analyses, investing in asset management, training staff, and preparing robust documentation, contractors can overcome the pain points associated with evolving requirements, technical implementation, high costs, workforce challenges, and audit readiness. Ultimately, viewing compliance not just as a regulatory requirement but as a strategic investment in cybersecurity will help organizations protect sensitive data, maintain their position in the defense supply chain, and secure long-term success.


A trusted partner like Appalachia Technologies can help ease many of these pain points, paving a smoother path toward CMMC compliance. You do not have to do this alone; we can help as much or as little as you need, whether you need strategic consultation or a full managed security program. As a Registered Provider Organization (RPO) accredited by the Cyber AB, we have the experience and commitment to security necessary to guide you through.

Contact us to start the conversation – 888-277-8320 or info@appalachiatech.com.


Jimmy Armour is a cybersecurity and compliance professional specializing in NIST, SOC 2, and CIS GRC frameworks. As a Practice Lead, he guides cross-functional teams to streamline audit processes, strengthen security posture, and meet rigorous regulatory requirements—always staying on the cutting edge of emerging cybersecurity trends.

Outside of his professional pursuits, Jimmy is deeply involved in Harrisburg Young Professionals Sports, playing kickball, dodgeball, and bowling, while also participating in the 247Kickball leagues. Some years even take him to national kickball tournaments. He finds that all of these experiences mirror the same camaraderie and teamwork that drive his success in the workplace.
