Real-World Lessons from a CMMC Level 2 Assessment

ICYMI: Behind the Scenes of a Successful CMMC Level 2 Assessment

For small to mid-sized government contractors navigating the CMMC landscape, it’s easy to feel overwhelmed. That’s why our recent webinar, Lessons Learned from a CMMC Level 2 C3PAO Assessment, gave attendees a rare, behind-the-scenes look at what it takes to succeed with real people, real problems, and real solutions.

Here’s a recap of what you missed.

The Players

The panel included:

  • RUSH Facilities: A company in the RUSH family of businesses, now CMMC Level 2 certified.
  • TeamLogic IT: Managed Service Provider that supported two clients through CMMC Level 2 certification.
  • Alluvionic: Cyber-AB Registered Practitioner Organization (RPO) and CMMC Level 2 certified.

Why RUSH Chose to Act Early


Bob Dillow, President at RUSH Facilities, saw CMMC coming four years ago. After attending a DoD-centric conference, he initiated internal conversations to get ahead of compliance requirements.

His rationale? “The government doesn’t move fast, but this is coming. Let’s be ready.”

The harder sell was the investment. As a company that had only recently left the small business category, convincing the board and officers to commit resources wasn’t easy. But after a candid look at their cybersecurity posture, and with support from the CFO, who recognized that the cost of a breach would far exceed the investment in compliance, they decided to move forward.

“We realized we were behind, not just for CMMC, but across the board.” – Bob Dillow, RUSH Facilities

Key Success Factors

According to Alluvionic’s Bobby Padilla, Director of Information Security, the collaboration worked because:

  • RUSH had executive buy-in: Leadership understood the value.
  • They started early: Giving time to tackle gaps before crunch time.
  • The team was cross-functional: Involving stakeholders from IT to operations.
  • Alluvionic provided structured guidance: Clear milestones, accountability, and expert support.

Common Surprises During the Assessment


Even with preparation, surprises happened:

  • Depth of evidence requested: The C3PAO wanted real-world proof, including screenshots, logs, and user examples.
  • Need for live system access: Assessors conducted live demonstrations, not just documentation review.
  • Clarity matters: Vague policies or missing mappings between controls and systems slowed things down.

“If you say you’re doing it, you better be ready to show it.” – Roberto Padilla, Alluvionic

The Question on Everyone’s Mind: Do MSPs Need CMMC Certification?

One of the most talked-about questions in the webinar: do Managed Service Providers (MSPs) need to be CMMC certified?

It depends—but tread carefully.

Bobby Padilla noted this has become a major discussion point at recent Cyber-AB Town Halls. Under the final 32 CFR rule, external service providers that don’t process, store, or transmit CUI aren’t required to be certified. But that’s only part of the story.


TeamLogic IT shared how they stayed out of scope by making intentional choices around network segmentation and using tools like Prevail, which kept them from ever directly handling CUI. Because of that, they avoided needing certification. But that didn’t mean they escaped scrutiny. Assessors still reviewed their security practices, especially how they accessed RUSH’s systems remotely.

Wiles emphasized the stakes: “If you’re backing up CUI to your facility, congratulations—your backup facility is now in scope for CMMC.”

Alluvionic added that too many MSPs get this wrong. “We see providers assume they’re out of scope when they might not necessarily be. That creates serious risk for everyone.”

The takeaway for MSPs: You might not need certification—but if you’re supporting a CMMC-bound client, your practices must be clean, secure, and fully documented. Misunderstanding your role could compromise the entire assessment.

Lessons for Contractors & Their MSPs

If you’re preparing for CMMC, here’s what the panel suggests:

  • Start early: Plan at least 12–18 months in advance.
  • Loop in your MSP: From gap analysis to technical implementation, their role is critical.
  • Document clearly: Prove how each system and vendor supports compliance.
  • Don’t assume out-of-scope: CUI touches many systems—yours and your partners’.
  • Get expert help: A Cyber-AB Registered Practitioner Organization (like Alluvionic) keeps your efforts focused and assessment-ready.

Scoping Is Critical (and Misunderstood)

CMMC Level 2 scoping isn’t just a paperwork exercise. It defines what gets assessed and what doesn’t.

RUSH benefited from Alluvionic’s detailed review, ensuring only necessary systems were in scope while nothing critical was missed.

Learn more about CMMC Level 2 scoping on our website.

Current State of CMMC

Padilla shared that, as of the latest Cyber-AB town hall, few organizations had achieved CMMC Level 2 final certification—making RUSH’s success even more notable.

With DFARS 252.204-7021 looming in contracts and the final rule well underway, the message was clear: Get compliant now, or risk losing out on contracts.

Alluvionic’s Role as Your Guide

Alluvionic is both a Cyber-AB Registered Practitioner Organization and a CMMC Level 2 certified company. We bring proven experience from both sides of the process. Whether you need help scoping your environment, performing a gap analysis, getting assessment-ready, or handling full remediation, we can support your needs.

“For many companies, CMMC is a six-figure investment, so choosing the right partner is critical. From long before the framework was finalized to the moment we earned our certification, Alluvionic was with us every step of the way. With them as a partner, there was no way we could fail.” – Bob Dillow, President at RUSH Facilities.

What’s Next?

If you’re wondering whether CMMC is worth the time and money, consider this:

  • It’s not optional.
  • It’s complex.
  • But it doesn’t have to be painful.

Start with a quick CMMC gap analysis from Alluvionic, and let’s chart your path to compliance—efficiently, effectively, and without the guesswork.

Watch the full webinar now
