Stop Fumbling Through Your CMMC Assessment

Practice-by-practice guidance for small defense contractors, written by someone who has actually been in the assessment room. Plain English. No vendor pitch. No "schedule a call."

Start Here Browse Practices
110
Level 2 Practices
Nov 2026
Phase 2 Deadline
6-18 mo
Typical Prep Time

The problem nobody talks about

You probably already have most of what you need to pass. The tools are there. The policies exist somewhere. Maybe your MSP handles half of it.

But when the assessor asks "how does your organization handle least privilege for administrative accounts?" can you answer that in two sentences? Can you point to exactly where your SSP defines it and show evidence it's happening?

That's where most small contractors fall apart. They have the controls. They just never practiced translating what they do into what the assessor needs to hear.

This site covers the hardest practices to explain, the ones where I've seen the most people stumble, with the kind of guidance you'd get from someone sitting next to you in the assessment room.

What you'll find here

Each practice page covers the same five things.

What the Assessor Is Actually Evaluating
The real-world version, not the NIST language. What they want to see and hear, from someone who has watched them evaluate it.
Realistic SSP Definitions
Example SSP text for a small contractor. These aren't templates to copy-paste. They're examples to learn from, with notes on why each phrase is there.
How to Present Your Evidence
What to have ready, what to say when the assessor asks, and how to handle the follow-up questions that trip people up.
Common Failures
What gets flagged. What makes assessors dig deeper. What makes them nod and move on. Specific patterns from real assessments.
The MSP/MSSP Question
If you use a managed service provider, how shared responsibility works for that specific practice and how to explain the split.

Don't know where to begin?

If you just found out you need CMMC Level 2, this is the page to read first.

Start Here →