Less than a year after the final version of the Cybersecurity Maturity Model Certification program was published, OSIbeyond has become one of the first companies to successfully achieve CMMC Level 2 certification.
To help other organizations prepare for their own CMMC journeys, OSIbeyond’s CEO and GovCon Expert Payam Pourkhomami sat down with Michael Soepnel, the company’s chief information security officer and Certified CMMC Assessor, or CCA, to discuss his experience leading the company through the CMMC Level 2 assessment.
In this Q&A, Soepnel shares candid insights about the challenges, timelines and success factors that defined the path from preparation to certification.
Payam Pourkhomami: Why did OSIbeyond choose to become CMMC Level 2 certified?
Michael Soepnel: As a managed service provider—known as MSP—OSIbeyond began its journey toward CMMC Level 2 compliance several years ago. At that time, the requirements for MSPs were uncertain.
Nonetheless, we recognized early on that regardless of how the final regulations would treat MSPs, our position as a technology partner to defense industrial base contractors meant we needed to lead the way for our clients by becoming certified ourselves. By achieving our own certification, we could provide them with the confidence that their MSP understood the requirements firsthand and had successfully implemented them.
We remained committed to our original path of pursuing standalone CMMC Level 2 certification even when the final CMMC rule was published in October 2024 and confirmed that external service providers would not be required to be certified. Instead, ESPs are allowed to be included in their client’s system security plan, or SSP, and to be assessed alongside them.
Pourkhomami: What key milestones signaled you were ready for the CMMC assessment?
Soepnel: At the beginning of 2024, we significantly accelerated our preparation efforts by increasing both time and resource investments. We conducted a non-consultative gap assessment with a CMMC Third Party Assessment Organization, or C3PAO, in August 2024 to identify and systematically address gaps in our security posture. This assessment evaluated us against NIST 800-171 standards rather than CMMC requirements.
Since CMMC Level 2 incorporates all 110 NIST 800-171 security controls as its foundation, achieving solid NIST 800-171 compliance would put us most of the way toward CMMC certification. By September 2024, we addressed the gaps identified during the assessment and achieved full NIST 800-171 compliance.
While this dual-assessment approach required additional investment, its benefits made it worth it. By the time we underwent our official CMMC assessment in March 2025, we had a very good idea of what assessors would expect. This familiarity made the certification assessment significantly less stressful than it might have been if it had been our first independent evaluation.
We also decided to build a 30-day buffer before our CMMC assessment date. Rather than working on compliance activities right up to the assessment, we aimed to be fully prepared a month in advance. During the final 30-day period, we meticulously reviewed our SSP and documentation so that nothing had been overlooked. Besides triple-checking everything, this gap between readiness and assessment allowed us to take a breath when we needed it the most.
All in all, while our focused CMMC preparation took approximately four to five months, that effort built on the foundation of the time we had already invested in achieving full NIST 800-171 compliance. For most organizations, we recommend allocating at least 12 months to become assessment-ready (it’s always better to allocate more time than less). Over time, this timeframe may decrease as all involved parties become more experienced, but a year-long runway remains the most realistic benchmark for success for now.
Pourkhomami: What were the main challenges you faced during CMMC preparation?
Soepnel: From a financial standpoint, we were ready. Thanks to strong support from leadership, we had the green light to invest in the tools, software and other resources needed for compliance. However, the real challenge was finding the time for our internal resources to get everything done.
Like many organizations, we had to manage the demands of both implementation and ongoing operations. Our compliance team and engineering team were tasked with building out new systems and procedures while still supporting daily business needs. That meant executing on two fronts at once: developing and documenting new processes to meet CMMC requirements, and maintaining the systems that keep our clients running. This balancing act was by far the most challenging aspect of our preparation.
While demonstrating most controls followed a relatively consistent process, implementing robust configuration management was a different story. It’s one of the most resource-intensive controls to get right because it requires continuous upkeep. You need to document exactly what’s installed, where it lives and who uses it so that everything is consistently up to date.
Of course, the complexity of the environment is a significant factor in how difficult it is to implement robust configuration management and also in the total investment required to become CMMC assessment-ready.
For example, organizations with a 100 percent cloud-based infrastructure will generally face fewer logistical and implementation hurdles than those managing a mix of legacy on-premises systems and multiple physical locations. More sites can translate to more scrutiny, although assessors do have the discretion to streamline visits when standardized solutions are deployed across locations.
Another important consideration is whether the contractor is working with a CMMC Level 2 certified MSP or managed security service provider, a.k.a. MSSP. This certification provides a level of assurance for the assessor, potentially reducing the depth of control checks required and, consequently, the effort and cost of the assessment. The exact savings in terms of labor are still uncertain, but they could be around 10 percent to 20 percent.
Pourkhomami: Can you walk us through the C3PAO assessment process?
Soepnel: Our CMMC Level 2 assessment process was somewhat unique. The C3PAO conducting the certification had recently performed our non-consultative NIST 800-171 assessment. The knowledge of our environment gained during that assessment aided them in scoping discussions and general understanding of our approach and infrastructure. As a result, their focus was able to move more quickly to controls and assessment than it might have otherwise.
The official assessment week began promptly at 9:00 a.m. on a Monday. The assessors started with the very first control—3.1.1: Access Control—and systematically worked their way through each requirement. While they did not go through every domain alphabetically, they used a methodology that would cover a review of all controls. They reviewed our SSP line by line, asking for implementation details and requesting corroborating evidence for each control. This evidence included policy documents, procedures, screenshots and—in many cases—live system demonstrations.
While we had prepared hundreds of screenshots in advance, we quickly learned that assessors strongly preferred live demonstrations. Fortunately, we were well-prepared for this approach and able to present a cohesive set of live artifacts linked directly to each control.
Over the course of the assessment, we submitted 254 pieces of evidence. For example, when the SSP stated that all employees undergo background checks, the assessors asked to see documentation related to the most recent hire. We were able to show the title page and verification of completion (without sharing the actual background check details).
Interestingly, the controls that had caused some of the most stress during preparation were unremarkable during the assessment process. Instead, the assessors focused on other areas that we had thought would be straightforward. While we passed the assessment on the first attempt without any plan of action and milestones items, this highlighted the idea that assessors have their own preferences and areas of focus, so it’s best to prepare equally well across all controls and be ready for anything.
The assessment process itself lasted about a week. During this time, our chief technology officer, compliance manager and I participated in interviews and walked the assessors through the necessary controls and supporting evidence. The assessors told us we had passed by the end of the assessment week, but the official certificate still took another three to four weeks to arrive.
Pourkhomami: How do plans of action and milestones work during the CMMC assessment process?
Soepnel: Because we cleared every control on the first try, we didn’t need a POA&M to finish our certification, but POA&Ms are an important part of the CMMC framework—and also one of its most misunderstood components.
During the assessment, if the team can’t produce enough evidence for a requirement, the assessors may let you fix a minor issue overnight. Think of things like a missing screenshot or a policy reference that needs correcting. Anything more substantial—say a control that needs a technology change or a brand-new procedure—will be documented on a POA&M instead of being fixed on the spot. In other words, the Department of Defense doesn’t want organizations to be re-engineering their environment in the middle of an assessment; the preferred approach is to look harder for corroborating evidence first and, if that fails, accept the finding and put it on a POA&M. However, be advised that not all requirements can be included in a POA&M; depending on the eligibility criteria and the minimum score, only specific requirements are eligible.
Once a control lands on a POA&M, you have 180 days to resolve it. At the end of that window, you must undergo a close-out assessment, which is essentially a mini-assessment focused only on those open items. If everything is verified as “Met,” your status moves from Conditional Level 2 to Final Level 2, and the clock resets for the normal three-year cycle.
We treated POA&Ms as an absolute last resort and recommend others do the same: gather every scrap of evidence you can before your assessment so that you avoid giving yourself a six-month homework assignment or failing outright.
Pourkhomami: How has achieving CMMC Level 2 certification impacted your organization?
Soepnel: Culturally, the biggest shift actually happened months before the official CMMC assessment, when we pushed to become fully NIST 800-171 compliant. By the time the CMMC assessors arrived, all the required processes and procedures were already muscle memory, so earning the certificate didn’t feel like a sudden transformation.
For the same reason, our post-certification life looks similar to the six-month run-up to the assessment. We have recurring compliance activities scheduled on our calendar—many planned a year in advance—and we continue to give them the priority they need to stay on top of them, just as we did during the preparation phase.
Pourkhomami: What advice would you give to organizations beginning their CMMC journey?
Soepnel: Don’t do it alone. The NIST 800-171 requirements that any CMMC Level 2 assessment revolves around may look straightforward when you skim the plain-language control statements, but the intent behind each requirement can be surprisingly nuanced.
Misreading just one word in a scoping clause can cause you to spend months hardening a system that was never in scope—or, worse, miss a control completely and have to scramble during the assessment. That’s why we strongly recommend that all organizations beginning their CMMC journeys seek independent guidance early on.
Conclusion
The primary lessons from our experience undergoing the CMMC Level 2 assessment are: 1. collaborate with an organization that possesses the credentials, expertise and understanding of CMMC requirements, and 2. begin preparing for CMMC assessment readiness at the earliest opportunity.
If your organization is prepared to embark on its CMMC compliance journey, please contact us to discover how we can assist you in achieving certification.