The CMMC Compliance Problems Contractors Keep Discovering
There is a shift happening in the defense contracting space, and most contractors can feel it even if they can't name it.
The shift isn't a single new regulation. The requirements are the same ones contractors were told about. The self-assessment process hasn't changed. The submission process works the same way. Nothing on the surface moved.
What changed is that contractors started checking.
Not all of them. Not even most of them. But enough of them did, and the ones who checked found problems they weren't expecting.
The pattern looks like this: a contractor who submitted their self-assessment months ago, who believed they were compliant, who has been operating under that assumption, goes back and tests their actual systems against the practices they certified. Not the documentation. The systems. And the systems don't match.
This isn't a new problem. The documentation gap has existed since the first self-assessments were submitted. What's different now is that people are looking. And once one contractor in a supply chain discovers they have a problem, the question spreads: does everyone else have the same problem?
The answer, based on what contractor groups are finding, is that a significant number of them do.
The problems are not dramatic. They're mundane. Compliance drift, meaning systems that were configured correctly at assessment time but have since changed. Controls that exist in policy documents but aren't technically enforced. Practices that depend on employee behavior that nobody is monitoring.
What makes these discoveries unsettling is the context surrounding them. Federal enforcement mechanisms exist and have been used in adjacent areas. The False Claims Act connection to self-assessment inaccuracy is not hypothetical. And the contractor groups discovering their gaps are facing a question that doesn't have a comfortable answer: do we report the discrepancy, or do we try to fix it quietly?
Neither option is comfortable. Reporting means acknowledging that a federal submission was inaccurate. Fixing quietly means operating with the knowledge that the submission was wrong and hoping nobody looks before the fix is complete. And there is a third possibility that nobody talks about: the gaps may be deep enough that fixing them quietly isn't straightforward, because remediation itself surfaces new problems nobody mapped.
The contractors who aren't in this position are the ones who found a way to verify continuously rather than periodically. They didn't wait for the moment of crisis to discover the gap because their systems don't allow the gap to form silently. But whether continuous verification actually holds up under every circumstance is a question that hasn't been fully tested yet.
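What continuous verification looks like in practice, as an added illustration that is not the page's own tooling: a small check that compares the live state of a system against the technical state captured when the self-assessment was made, and sorts each certified practice into the three mundane failure types described above (drift since assessment, a control that exists only in policy, and a control with no evidence source at all). The requirement numbers follow NIST SP 800-171 numbering; the mapping of each requirement to a concrete setting, and the snapshots themselves, are constructed for this example.

```python
"""Drift check between a certified self-assessment and live system state.

Added illustration, not the page's own tooling. Requirement numbers follow
NIST SP 800-171; which snapshot field each requirement maps to, and the
snapshots below, are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Snapshot = Dict[str, object]


@dataclass(frozen=True)
class Control:
    req: str                          # NIST SP 800-171 requirement number
    name: str
    evidence: Tuple[str, ...]         # snapshot fields the technical check needs
    check: Callable[[Snapshot], bool]  # predicate that must hold for the control to be enforced


# Assumed mapping of requirements to technical settings (constructed for the example).
CONTROLS = (
    Control("3.1.1", "Limit system access to authorized users",
            ("local_admins", "approved_admins"),
            lambda s: set(s["local_admins"]) <= set(s["approved_admins"])),
    Control("3.5.3", "Multifactor authentication for privileged network access",
            ("mfa_enforced_privileged",),
            lambda s: bool(s["mfa_enforced_privileged"])),
    Control("3.3.1", "Audit records created and retained",
            ("audit_forwarding",),
            lambda s: bool(s["audit_forwarding"])),
    Control("3.13.11", "FIPS-validated cryptography protecting CUI",
            ("fips_mode",),
            lambda s: bool(s["fips_mode"])),
)


def classify(claims: Dict[str, bool], baseline: Snapshot, current: Snapshot) -> Dict[str, str]:
    """Return one status per control.

    ok           claimed, enforced at assessment time, still enforced now
    drift        claimed, enforced at assessment time, no longer enforced
    policy_only  claimed, but never technically enforced (failed even at assessment)
    unmonitored  claimed, but a snapshot lacks the evidence the check depends on
    not_claimed  the self-assessment did not assert this practice
    """
    results: Dict[str, str] = {}
    for c in CONTROLS:
        if not claims.get(c.req, False):
            results[c.req] = "not_claimed"
            continue
        if any(k not in baseline or k not in current for k in c.evidence):
            # No telemetry for this control: the practice rests on behaviour nobody observes.
            results[c.req] = "unmonitored"
            continue
        if not c.check(baseline):
            results[c.req] = "policy_only"
        elif not c.check(current):
            results[c.req] = "drift"
        else:
            results[c.req] = "ok"
    return results


def report(results: Dict[str, str]) -> str:
    """Human-readable summary, with every non-ok control called out by name."""
    names = {c.req: c.name for c in CONTROLS}
    lines = [f"{r:8} {s:12} {names[r]}" for r, s in results.items() if s != "ok"]
    return "\n".join(lines) if lines else "no findings"


# Constructed data: what was certified, the state captured at assessment time, the state now.
CLAIMS = {"3.1.1": True, "3.5.3": True, "3.3.1": True, "3.13.11": True}
BASELINE: Snapshot = {
    "local_admins": {"alice", "bob"}, "approved_admins": {"alice", "bob"},
    "mfa_enforced_privileged": True,
    "audit_forwarding": False,     # certified, but never actually turned on
    "fips_mode": True,
}
CURRENT: Snapshot = {
    "local_admins": {"alice", "bob", "svc-backup"},  # an admin added after assessment
    "approved_admins": {"alice", "bob"},
    "mfa_enforced_privileged": True,
    "audit_forwarding": False,
    # fips_mode is no longer collected: the control has become unobservable
}

if __name__ == "__main__":
    print(report(classify(CLAIMS, BASELINE, CURRENT)))
```

Run on a schedule against snapshots pulled from the real systems, the interesting output is not the "ok" rows but the change in a row between runs: the moment a control flips from "ok" to "drift" is the moment the self-assessment stops being accurate, and a check that runs only at assessment time can never see it.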
For everyone else, the assumption of compliance is being challenged. The tests are not going well. And the contractors who have been through it describe a particular kind of unease, the sense that checking created more questions than it answered, and that the next round of questions might be worse.