Avoid These Common Pitfalls in CMMC Level 2 Assessments
CMMC Level 2 assessments fail for predictable reasons. Most issues are not advanced technical gaps. They are basic execution mistakes that surface during scoping, documentation, and evidence review.
Here are the most common CMMC Level 2 pitfalls and how to avoid them.
Pitfall 1: Incomplete or Incorrect Scoping
Failing to map all CUI data flows is one of the fastest ways to derail an assessment. CMMC Level 2 scope must include CUI assets, security protection assets, and risk-managed assets. Missed systems or undocumented connections often lead to scope expansion mid-assessment.
How to avoid it:
Document where CUI is stored, processed, transmitted, and accessed, including remote access paths and integrations.
Pitfall 2: Weak or Outdated SSP Documentation
An incomplete System Security Plan (SSP) is a red flag for assessors. If your SSP does not clearly describe how each NIST SP 800-171 control is implemented, the control may be scored as not met, even if it exists technically.
How to avoid it:
Keep the SSP detailed, accurate, and aligned to real-world implementation.
Pitfall 3: Controls That Exist but Are Not Enforced
Many organizations have the tools deployed but do not enforce them consistently. Common failures include partial MFA coverage, inconsistent logging, and unmanaged privileged access.
How to avoid it:
Test controls internally before the assessment. If enforcement varies by system or user, the assessor will find it.
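The internal test described above can be mechanical: pull an account-per-system export from the identity provider and endpoint management tools and look for the three findings named here (partial MFA coverage, enforcement that varies by user, privileged accounts without MFA). The script below is an added example, not code from the article or from any CMMC or NIST artifact; the inventory layout, field names and the sample rows are constructed assumptions.

```python
"""Internal enforcement check over an account inventory.

Added example for this article, not a CMMC or NIST artifact. The inventory
layout and field names are assumptions; in practice the rows would come
from identity-provider and endpoint-management exports.
"""
from collections import defaultdict

# Constructed sample export: one row per account per in-scope system.
SAMPLE_INVENTORY = [
    {"system": "vpn", "user": "alice", "privileged": False, "mfa": True},
    {"system": "vpn", "user": "bob", "privileged": False, "mfa": False},
    {"system": "vpn", "user": "vendor-svc", "privileged": True, "mfa": False},
    {"system": "file-server", "user": "alice", "privileged": False, "mfa": True},
    {"system": "file-server", "user": "carol", "privileged": True, "mfa": True},
    {"system": "file-server", "user": "dave", "privileged": True, "mfa": True},
    {"system": "jump-host", "user": "carol", "privileged": True, "mfa": True},
    {"system": "jump-host", "user": "dave", "privileged": True, "mfa": False},
]


def mfa_coverage(inventory):
    """Per-system tuple of (accounts with MFA, total accounts)."""
    counts = defaultdict(lambda: [0, 0])
    for row in inventory:
        counts[row["system"]][1] += 1
        if row["mfa"]:
            counts[row["system"]][0] += 1
    return {system: (on, total) for system, (on, total) in counts.items()}


def partially_enforced_systems(inventory):
    """Systems where MFA is on for some accounts but not all: the 'partial coverage' finding."""
    return sorted(system for system, (on, total) in mfa_coverage(inventory).items()
                  if 0 < on < total)


def privileged_without_mfa(inventory):
    """Privileged accounts with no MFA, as sorted (system, user) pairs."""
    return sorted((row["system"], row["user"]) for row in inventory
                  if row["privileged"] and not row["mfa"])


def inconsistent_users(inventory):
    """Users whose MFA status differs between systems: enforcement that 'varies by user'."""
    status = defaultdict(set)
    for row in inventory:
        status[row["user"]].add(row["mfa"])
    return sorted(user for user, seen in status.items() if len(seen) > 1)


def enforcement_report(inventory):
    """Collect the findings an assessor would sample for.

    'ready' is True only when every finding list is empty.
    """
    findings = {
        "partial_mfa_systems": partially_enforced_systems(inventory),
        "privileged_without_mfa": privileged_without_mfa(inventory),
        "inconsistent_users": inconsistent_users(inventory),
    }
    ready = not any(findings.values())
    findings["ready"] = ready
    return findings


if __name__ == "__main__":
    for key, value in enforcement_report(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Run it against a real export on a schedule and keep the output with its date: a clean report each month is itself evidence that the control operates, while a report that only turns clean the week before the assessment tells the assessor the opposite.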
Pitfall 4: No Evidence of Ongoing Operations
CMMC Level 2 assesses operational security, not one-time setup. Missing logs, training records, vulnerability scans, or incident response testing can sink an assessment.
How to avoid it:
Maintain evidence that shows controls operating over time.
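"Operating over time" is something you can check before the assessor does: index your evidence artifacts by activity and date, then look for spans without an artifact that exceed the cadence your own policy states. The script below is an added example, not code from the article; the activity names, cadences and dates are constructed, and the cadence values are assumed internal policy numbers, not CMMC requirements.

```python
"""Evidence-continuity check over a dated evidence index.

Added example for this article. The activities, cadences and dates are
constructed; the cadences stand in for an organization's own policy and
are not CMMC or NIST SP 800-171 values.
"""
from datetime import date

# Assumed internal policy: maximum days allowed between consecutive artifacts.
ASSUMED_CADENCE_DAYS = {
    "vulnerability-scan": 31,
    "log-review": 7,
    "ir-exercise": 365,
}

# Constructed evidence index: (activity, date the artifact was produced).
SAMPLE_EVIDENCE = [
    ("vulnerability-scan", date(2024, 1, 15)),
    ("vulnerability-scan", date(2024, 2, 12)),
    ("vulnerability-scan", date(2024, 5, 3)),   # nothing for March or April
    ("log-review", date(2024, 5, 1)),
    ("log-review", date(2024, 5, 8)),
    ("log-review", date(2024, 5, 15)),
    # no incident response exercise artifact anywhere in the index
]

# Constructed assessment period the evidence is expected to cover.
PERIOD_START = date(2023, 5, 1)
PERIOD_END = date(2024, 5, 31)


def evidence_gaps(evidence, cadence_days, period_start, period_end):
    """Return (activity, span_start, span_end, days) for every span without an
    artifact that exceeds the activity's cadence.

    The period boundaries act as checkpoints, so a late start or a stale tail
    counts as a gap, and an activity with no artifacts at all produces one gap
    covering the whole period.
    """
    by_activity = {}
    for activity, when in evidence:
        by_activity.setdefault(activity, []).append(when)
    gaps = []
    for activity, max_days in cadence_days.items():
        dates = sorted(d for d in by_activity.get(activity, [])
                       if period_start <= d <= period_end)
        checkpoints = [period_start] + dates + [period_end]
        for earlier, later in zip(checkpoints, checkpoints[1:]):
            span = (later - earlier).days
            if span > max_days:
                gaps.append((activity, earlier, later, span))
    return gaps


def sample_gaps():
    """Gaps for the constructed index over the constructed period."""
    return evidence_gaps(SAMPLE_EVIDENCE, ASSUMED_CADENCE_DAYS, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for activity, start, end, days in sample_gaps():
        print(f"{activity}: no artifact between {start} and {end} ({days} days)")
```

On the sample index this reports five gaps: two for scanning (the long stretch before the first scan and the March to April hole), two for log review (everything before May and the stale tail after the 15th), and the whole period for the incident response exercise. Each one is a span the assessor would ask about, and each is cheaper to close months ahead than to explain during evidence review.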
Pitfall 5: Poor Remote Access Controls
Remote access is a frequent failure point, especially for vendors, administrators, and subcontractors.
How to avoid it:
Ensure MFA, session logging, and access restrictions are applied consistently.
Pitfall 6: Inadequate Security Training
Assessors expect role-based security awareness training. Generic or undocumented training does not meet expectations.
Pitfall 7: Untested Incident Response
Plans that exist only on paper are easy to spot. Lack of testing or exercises weakens credibility.
Pitfall 8: Treating Compliance as a One-Time Event
Organizations that “rush to pass” often fail surveillance or renewal requirements later.
Why This Matters
If a contract requires CMMC Level 2 and you fail the assessment, you are ineligible to bid until deficiencies are resolved. Delays cost opportunities, not points.
Avoiding these pitfalls reduces assessment risk, shortens timelines, and protects your eligibility for DoD work.