The Data

The GAO published GAO-26-107955 on March 12, 2026. The report found that DoD has not systematically assessed the external factors that could prevent the CMMC program from meeting its goals, including whether there are enough C3PAOs to meet certification demand. While that represents a systemic program risk, the more immediate concern for individual contractors is what organizations are actually bringing to the table when they attempt certification.

The CyberSheath State of the DIB Report 2025, conducted by Merrill Research and published in October 2025, surveyed 300 defense contractors and produced the following findings:

- 1% reported full CMMC readiness (CyberSheath / Merrill Research)
- 60 was the median SPRS score, against the 110 required (CyberSheath / Merrill Research)
- 25% pre-assessment failure rate (Greenberg Traurig)
- 69% claimed compliance via self-assessment only (CyberSheath / Merrill Research)

Only 30% of surveyed contractors had completed validated medium or high assessments that would confirm their actual security posture. And 17% were still carrying negative SPRS scores. Greenberg Traurig reported in October 2025 that third-party assessors estimate 25% of companies seeking certification have experienced false starts due to failed pre-assessments, meaning the assessor was unable to validate the contractor's readiness to advance to the actual certification. The consequences are not minor: the C3PAO must report an adverse readiness determination in the Enterprise Mission Assurance Support Service (eMASS), creating a documented record of unpreparedness.

The distance between self-reported compliance and verifiable implementation is the gap. It is driven by two specific, correctable technical deficiencies: incomplete System Security Plans and poorly defined asset scoping.

Incomplete System Security Plans

The SSP is the primary document a C3PAO evaluates during a Level 2 certification. Under CMMC practice CA.L2-3.12.4, it must describe system boundaries, the environment of operation, how each of the 110 NIST SP 800-171 controls is implemented, and the relationships with connected systems. The SSP functions as an implementation record, not a policy statement, and a C3PAO will evaluate it as such.

In practice, most SSPs across the DIB do not meet this standard. The National Defense Industrial Association noted in a July 2024 presentation that nearly all SSPs encountered in the field were inadequate. C3PAOs have reported that assessment delays and failures stem most often from incomplete SSPs, unclear control narratives, and insufficient objective evidence, not from missing technology.

The GRC Tool Problem

A significant contributor to SSP inadequacy is organizational misalignment. In many small and mid-sized contractors, CMMC compliance is handed to the IT department as a technology problem. IT purchases a Governance, Risk, and Compliance platform to manage the effort. The GRC tool provides a structured way to track control status and store evidence artifacts, but it does not produce a System Security Plan.

A GRC platform generates a control inventory: a list of requirements, their implementation status, and associated evidence references. That is useful for internal tracking, but it is not what a C3PAO evaluates. The SSP must be a cohesive, narrative document that describes the contractor's specific environment, how each control is implemented within that environment, what technologies and procedures support it, who is responsible for operating and maintaining it, and how the organization demonstrates implementation through verifiable evidence.

Most GRC platforms do not evaluate compliance at the NIST SP 800-171A assessment objective level. NIST SP 800-171 contains 110 security requirements, but each requirement is further decomposed into multiple assessment objectives, totaling 320 individual objectives. Compliance is measured first at the assessment objective level and then rolled up to the requirement level. Many GRC tools either do not reach that depth or present objectives as simple task checklists rather than compliance determinations tied to specific systems and evidence artifacts.
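To make the roll-up concrete, here is an added example (not code from the original article or from any GRC product) that records determinations at the assessment-objective level, rolls them up to the requirement level, and lists the requirements a dashboard marks "implemented" while the objective-level evidence does not support it. The requirement IDs follow NIST SP 800-171 notation, but every status, evidence reference and GRC entry is constructed sample data.

```python
"""Added example: objective-level roll-up versus GRC dashboard status.
All statuses, evidence names and dashboard entries are constructed."""
from dataclasses import dataclass, field

MET, NOT_MET, NA = "MET", "NOT MET", "N/A"

@dataclass
class Objective:
    obj_id: str                                    # e.g. "3.1.1[a]"
    status: str                                    # MET / NOT MET / N/A
    evidence: list = field(default_factory=list)   # artifact references

@dataclass
class Requirement:
    req_id: str
    objectives: list

def roll_up(req: Requirement) -> str:
    """A requirement is MET only if every applicable objective is MET and
    each MET objective cites at least one evidence artifact. One NOT MET or
    unevidenced objective makes the requirement NOT MET; all-N/A yields N/A."""
    applicable = [o for o in req.objectives if o.status != NA]
    if not applicable:
        return NA
    for obj in applicable:
        if obj.status != MET or not obj.evidence:
            return NOT_MET
    return MET

def dashboard_gaps(reqs, grc_status):
    """Requirement IDs the GRC tool reports 'implemented' although the
    objective-level roll-up does not reach MET."""
    return sorted(r.req_id for r in reqs
                  if grc_status.get(r.req_id) == "implemented"
                  and roll_up(r) != MET)

# Constructed sample: the dashboard shows both requirements implemented,
# but 3.1.1 has an objective with no determination behind it.
SAMPLE = [
    Requirement("3.1.1", [
        Objective("3.1.1[a]", MET, ["ad-user-export.csv"]),
        Objective("3.1.1[b]", MET, ["service-account-inventory.xlsx"]),
        Objective("3.1.1[c]", NOT_MET),
    ]),
    Requirement("3.1.2", [
        Objective("3.1.2[a]", MET, ["rbac-matrix.pdf"]),
        Objective("3.1.2[b]", MET, ["rbac-matrix.pdf"]),
    ]),
]
GRC_DASHBOARD = {"3.1.1": "implemented", "3.1.2": "implemented"}
```

Running `dashboard_gaps(SAMPLE, GRC_DASHBOARD)` returns `["3.1.1"]`, which is exactly the discrepancy a C3PAO will find when it compares the dashboard claim with the SSP narrative and evidence.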

The Predictable Failure Pattern

1. IT department populates the GRC tool, marks controls as implemented based on the tool's framework mapping, and reports readiness to leadership.
2. Leadership, relying on the GRC status dashboard, signs the SPRS affirmation.
3. C3PAO requests the SSP. The organization either exports GRC data into a document that reads like a spreadsheet with paragraphs, or presents a template SSP never customized to reflect the actual environment.
4. The assessor cannot validate the controls because the document does not describe the system it is supposed to represent. The assessment stalls or fails.

CMMC Is Not an IT Project

CMMC compliance is not just an IT project. It is a legal exposure point, and all departments need to understand their roles within the process, including procurement, contracts, IT and security, and legal. The controls that depend on non-IT functions illustrate why. Access control policies involve hiring and termination procedures. Physical security controls involve facility management. Incident response plans involve legal notification obligations. Media protection controls involve records management.

When the entire effort is delegated to IT and filtered through a GRC tool, the controls that require input from operations, human resources, physical security, and legal counsel are either undocumented or documented generically. The SSP reflects that gap, and the C3PAO is required to identify it.

Poorly Defined Asset Scoping

Scoping determines what the SSP must cover: every system, network segment, user, and facility that processes, stores, or transmits CUI, classified as a CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, or Specialized Asset. Inaccurate scoping undermines every element of the compliance program that depends on it.

Two failure modes result. Underscoping excludes CUI-processing systems from the assessment boundary; the C3PAO identifies the gap and the contractor either fails or must halt for remediation. Overscoping pulls non-CUI systems into the boundary, inflating cost, extending timelines, and multiplying the documentation burden with no corresponding security benefit.

Both failures originate from the same deficiency: the contractor has not performed a data flow analysis. Without tracing how CUI enters the environment, where it moves internally, where it is stored, and how it exits, the assessment boundary is a guess. An SSP built on a guess is incomplete by definition. This compounds in environments that rely on external service providers, where the SSP must document which controls are inherited, shared, and retained.

The Affirmation Consequence

The SPRS affirmation requires a senior executive to attest, under 32 CFR § 170.22, that the organization has implemented and will maintain implementation of all applicable CMMC security requirements. An SSP that does not reflect the contractor's actual environment means the affirmation does not reflect reality. Under the False Claims Act, liability attaches not only to actual knowledge of falsity, but to deliberate ignorance and reckless disregard. An executive who signs an affirmation based on a GRC dashboard without verifying that the underlying SSP accurately describes the organization's implementation is operating within that standard.

The DOJ's Civil Cyber-Fraud Initiative settled seven cybersecurity-related False Claims Act cases in FY2025, recovering more than $52 million across cybersecurity FCA settlements. Deputy Assistant Attorney General Brenna Jenny stated in January 2026 that cyber-fraud cases are premised on misrepresentations, not data breaches. The contractors with the greatest exposure are those whose recorded claims and actual results do not align.

Phase 2: Seven Months

Phase 2 begins November 10, 2026. At that point, C3PAO-assessed Level 2 certification will be required in applicable solicitations involving CUI. The preparation timeline for Level 2 certification runs 6 to 18 months depending on organizational complexity. That means the effective deadline for starting preparation has already passed for many organizations.

The sequence is fixed: data flow analysis, scope definition, SSP development, gap analysis against the CMMC Assessment Guide v2.13, remediation of identified gaps, and C3PAO engagement. Skipping steps does not accelerate the process. It defers deficiencies to the assessment, where they are more expensive to resolve and carry procurement consequences. As the assessment capacity analysis demonstrates, the cost of a failed assessment is by far the most expensive outcome in the compliance process.

The data from the GAO, CyberSheath, and Greenberg Traurig all point to the same conclusion. The majority of the defense industrial base is not ready. The two primary reasons, incomplete SSPs and undefined scoping, are technical problems with known solutions. The solution is not purchasing a GRC tool but rather building an accurate, environment-specific SSP informed by a thorough data flow analysis, with input from every function that touches a CMMC control. What that work requires most is lead time, and that resource is narrowing.
