As the November CMMC deadline approaches, many organizations are accelerating their compliance efforts. Yet one of the most common—and costly—mistakes organizations make is treating CMMC as a cybersecurity project owned solely by IT. During Alluvionic’s recent webinar, “CMMC Is More Than IT: The Team You Need to Actually Succeed,” industry experts explored why successful compliance requires far more than technical controls and security tools.
Hosted by Sydney Wright, PMP and Project Manager at Alluvionic, the discussion featured David Sullivan, Cybersecurity and IT Manager at Alluvionic, and Eric Levitas, VP of Business Development at ControlCase, a Certified Third Party Assessment Organization (C3PAO). Together, they shared lessons learned from helping organizations prepare for assessments, avoid common pitfalls, and build sustainable compliance programs.
The Biggest CMMC Myth: “IT Will Handle It”
Many organizations begin their CMMC journey by assigning responsibility to their IT department and assuming the rest of the company can continue as usual. According to the panel, that’s often where problems begin.
As Sydney Wright explained, CMMC requirements touch nearly every function of the business, including HR, contracts, operations, facilities, leadership, vendor management, and employee training—not just cybersecurity.
“When the organization throws everything over to IT, there’s so much more than technical implementation that needs to happen,” said David Sullivan. “There has to be a manager who approves access, HR onboarding processes, contracts that determine what data is handled, and vendor relationships that impact compliance.”
The result is often unclear ownership, missing evidence, and audit findings tied to processes that IT never controlled in the first place.
Accountability Is What Auditors Are Really Looking For
A recurring theme throughout the discussion was that CMMC isn’t just about implementing controls—it’s about proving those controls are consistently owned, followed, and maintained.
“Accountability is huge,” explained Eric Levitas. “Tools and technologies are just this much. Most people implement tools correctly. The bigger challenge is showing that they’re implemented, showing who’s responsible for them, and proving those responsibilities are being carried out.”
The panel stressed the importance of creating shared responsibility models and RACI matrices that clearly define accountability between internal teams, managed service providers, cloud providers, and compliance leadership. Organizations that cannot demonstrate ownership often encounter assessment delays or “false starts” before the audit can even begin.
One key takeaway: compliance documentation alone isn’t enough. Organizations must be able to show that employees understand their responsibilities and execute them consistently.
Why “Cramming” Before an Assessment Doesn’t Work
Another common challenge discussed during the webinar was organizations trying to rush compliance efforts immediately before an assessment.
“We see organizations try to buy as much as they can and cut corners to get into an assessor’s queue quicker,” said Eric Levitas. “The breakdown happens when organizations aren’t actually doing what their documentation says they’re doing.”
The panel cautioned against relying on AI-generated policies, template-based documentation, or technology purchases without operational alignment. Assessors are trained to validate that policies are actively followed—not simply written down.
“Don’t write things you’re not doing,” advised Levitas. “Be succinct with how you’re actually managing your program and make it something you can actually keep doing.”
Because CMMC certification must be maintained over time, organizations that rush implementation often struggle during future assessments and recertification cycles.
Tools Don’t Create Compliance—Processes Do
One of the webinar’s strongest messages challenged a common misconception: buying the right technology does not automatically create compliance.
Organizations frequently invest in GCC High, secure enclaves, security monitoring tools, or governance platforms before fully understanding their CUI scope or operational requirements.
As David Sullivan put it:
“Tools support a process, but they do not define your process.”
He offered a memorable analogy:
“Buying a tool without defining the process is like going out and buying a treadmill and assuming that now that you have the treadmill, you’re in shape.”
The panel unanimously agreed that organizations should begin with scoping, then build processes, and only afterward select the technologies that support those processes.
Leadership Buy-In Can Make or Break Compliance
While IT teams often carry the operational burden of implementation, the panel emphasized that executive leadership must remain actively involved throughout the process.
“Leadership needs to be involved in the front end and they need to periodically check in,” said Levitas. “If they’re not, it’s a recipe for disaster.”
The discussion highlighted how many CMMC decisions—including budgeting, organizational structure, CAGE code strategy, assessment planning, and resource allocation—require executive-level authority. Without leadership engagement, IT managers are often left trying to solve business challenges they don’t have authority to address.
The experts also stressed that involving leadership early often reduces overall compliance costs by preventing rework, failed assessments, and last-minute remediation efforts.
Compliance Extends Across the Entire Supply Chain
The conversation also explored how CMMC affects contractors, subcontractors, and vendor ecosystems.
Organizations must understand not only their own compliance posture but also how Controlled Unclassified Information (CUI) flows through their supply chain. Prime contractors increasingly expect subcontractors to demonstrate readiness and may evaluate compliance status before awarding work.
“If your prime flows [CUI] down to you, you’re responsible for it, whether you want it or not,” explained Levitas.
The panel emphasized that vendor management and flow-down requirements should be addressed during initial scoping activities rather than postponed until assessment preparation.
Building a Sustainable CMMC Program
Toward the end of the webinar, the discussion shifted from certification to sustainability.
CMMC isn’t a one-time event. Organizations must continuously maintain evidence, perform recurring reviews, collect artifacts, conduct training, and demonstrate adherence to documented processes over multiple years.
According to the panel, sustainable success starts with:
- Executive sponsorship and ongoing engagement
- Clearly defined ownership across departments
- Shared responsibility and RACI matrices
- Continuous evidence collection
- Role-based training
- Structured change management processes
- Supply chain awareness and oversight
- Scoping decisions made before technology purchases
As Sydney Wright concluded:
“It’s not an IT project. While IT plays a critical role, successful compliance requires participation across leadership, operations, HR, contracts, business development, and program teams. It’s truly an operational maturity certification at the end of the day.”
Watch the Full Webinar Replay
CMMC success depends on more than technology. It requires the right people, clear ownership, leadership engagement, and sustainable operational processes working together.
Want the full discussion, audience Q&A, and practical advice from compliance practitioners and assessors?
Watch the full webinar replay to learn how to build a cross-functional CMMC program that supports certification success—and long-term operational maturity.



