
Watch Our CMMC Journey in Action

Sometimes the best way to understand the process is by hearing directly from those who have been through it.

In this Coffee and Compliance webinar, our own Brad Proctor, Director of Operations, and Jaclyn Jones, Compliance Lead, share what it was like for MAD Security to become one of the first ESPs to achieve CMMC Level 2 certification.

Watch the video to gain practical insights and real-world lessons that can help you prepare for your own assessment. And while the video offers a deeper dive, here are some of the most important lessons we took away from our assessment.

Why CMMC Level 2 Matters for Defense Contractors

Did you know the Department of Justice has already used the False Claims Act to pursue contractors who misrepresented their cybersecurity compliance? With the Department of Defense (DoD) tightening oversight, and Cybersecurity Maturity Model Certification (CMMC) Level 2 soon becoming a requirement for most defense contracts, the stakes have never been higher. 

Despite growing awareness, many defense industrial base (DIB) contractors still struggle to understand how Defense Federal Acquisition Regulation Supplement (DFARS), National Institute of Standards and Technology (NIST) 800-171, and CMMC fit together, and what they must do to remain eligible for DoD opportunities. Questions about scope, evidence, and assessment readiness continue to cause confusion across the industry. 

At MAD Security, we decided not to wait for a mandate. We became one of the first External Service Providers (ESPs) to achieve CMMC Level 2 certification. This milestone demonstrates our commitment to “walking the walk” alongside our clients, proving that compliance and strong cybersecurity can go hand in hand. 

In this post, we will share what this certification means, the lessons we learned along the way, and how our experience benefits you. You will also find our Coffee and Compliance webinar video, where our experts go deeper into the CMMC journey and offer practical advice for defense contractors preparing for their own assessments.

What CMMC Level 2 Means for ESPs

CMMC Level 2 is more than a box to check. It represents 110 practices drawn from NIST 800-171, all designed to safeguard Controlled Unclassified Information (CUI). For defense contractors, achieving Level 2 is quickly becoming a non-negotiable step toward doing business with the DoD. But what about the partners who support those contractors?

That is where ESPs come in. ESPs include organizations like Managed Security Services Providers (MSSPs) and IT partners that deliver critical security and compliance services to DIB contractors. While contractors are required to certify, ESPs are not. Even so, MAD Security made the decision to pursue certification voluntarily. 

Why? Because if we are asking our clients to undergo the rigor of a CMMC Level 2 assessment, we should hold ourselves to the same standard. By becoming one of the first ESPs to earn certification, we showed that our own systems, processes, and people can stand up to the scrutiny of a third-party assessment. 

For defense contractors, this decision matters. Partnering with a CMMC-certified ESP means you can trust that your provider has already navigated the challenges you face and can help you do the same.

Key Lessons Learned from the CMMC Assessment

Our experience reinforced that achieving CMMC Level 2 certification is not just about meeting technical requirements. It is about preparation, process, and partnership. Four lessons stood out that every contractor can apply. 

A mock assessment is worth its weight in gold.

Running a simulated assessment before the official one helped us practice presenting evidence, answering assessor questions, and identifying gaps. This step often gets skipped, but it can make the difference between being fully prepared and being caught off guard.

Shared Responsibility Matrices (SRMs) can get complicated.

If you use tools like Microsoft 365 GCC High or PreVeil, compliance responsibilities are shared between you and the vendor. Assessors will expect proof that you understand exactly which controls are yours and which are covered by your provider. Aligning SRMs early prevents confusion later. 

Evidence must be clear and accessible.

During the assessment, you must show that controls are implemented and effective. That means policies, procedures, and screenshots need to be organized and easy to reference. Think of it like math class: the right answer is not enough if you cannot show your work. 

Scope is broader than you might think.

Even as an ESP that does not directly handle CUI, we had to clearly define which systems and processes were in scope. Contractors often underestimate this step, which can lead to delays and surprises. 

These lessons reinforced why preparation is essential. By sharing them, we hope to make the path a little clearer for contractors across the DIB.

How MAD Security’s Certification Benefits Defense Contractors

So how does this help you?

In one word: confidence. When you partner with a CMMC Level 2 certified ESP, you can be certain your provider has already faced the same rigorous process you are preparing for.

It simplifies your compliance journey. Because we have walked the path ourselves, we know how to anticipate assessor questions, present evidence effectively, and identify gaps early. That means fewer surprises for you.

It aligns with DoD expectations. Assessors and contracting officers recognize that working with a certified ESP strengthens your overall compliance posture. It demonstrates that you take security seriously by choosing partners who do the same.

It reduces your risk. Many vendors talk about compliance but have never gone through a third-party assessment. MAD Security has proven that our systems, people, and processes meet the same high standards we expect from our clients.

In short, our certification is more than a badge. It is proof to you and to the DoD that we are a trusted partner committed to your success.

Actionable Tips for DIB Contractors Pursuing CMMC

If you are preparing for CMMC Level 2 certification, the process can feel overwhelming.

The good news is that with the right steps, you can move forward with confidence.

Based on our experience, here are some practical tips: 

Start with a gap assessment. This gives you a roadmap for closing compliance gaps. 
Develop your System Security Plan (SSP). It will be one of the first documents assessors review.
Schedule a mock assessment. Treat it like a dress rehearsal to practice and find weaknesses. 
Validate your SRMs. Know what your vendors cover and what falls on you. 
Choose experienced partners. Work with providers who understand the DIB. 
Do not wait. With CMMC becoming contractual, last-minute prep is risky. 

Taking these steps now will make the official assessment smoother and far less stressful.

Conclusion

CMMC compliance is more than a requirement. It is a way for defense contractors to demonstrate accountability, protect sensitive information, and strengthen national security. At MAD Security, we believe in holding ourselves to the same standards we ask of our clients, which is why we became one of the first ESPs to achieve CMMC Level 2 certification.

Our journey showed us that success comes down to preparation, partnership, and persistence. By sharing what we learned, we aim to help contractors across the DIB navigate compliance more confidently. Whether you are just beginning your journey or preparing for an assessment, you do not have to do it alone. 

MAD Security is here to simplify compliance, strengthen security, and give you the confidence to move forward.

Take the Next Step Toward CMMC Readiness

Ready to strengthen your compliance posture and simplify the path to CMMC Level 2 certification? MAD Security has been through the process and knows what it takes to succeed. Our team can help you identify gaps, prepare for assessments, and build a stronger cybersecurity foundation.

Secure your business today: contact MAD Security for expert protection.

Frequently Asked Questions (FAQs)

Do External Service Providers (ESPs) need CMMC certification?

No. ESPs are not currently required to obtain CMMC certification. However, working with a CMMC Level 2 certified ESP like MAD Security gives contractors added confidence that their partner understands the process and has been validated by a third-party assessment. 

What is the difference between CMMC Level 2 and NIST 800-171?

CMMC Level 2 is based on the 110 requirements of NIST 800-171, but it requires a third-party assessment rather than self-attestation. This ensures contractors are truly implementing the practices, not just claiming compliance. 

How long does it take to prepare for a CMMC Level 2 assessment?

Timelines depend on your current cybersecurity maturity. Contractors already following NIST 800-171 may be ready in a few months, while others could need up to a year. A gap assessment is the best way to understand your timeline. 

Why are Shared Responsibility Matrices (SRMs) important for CMMC?

SRMs define which security controls are handled by your vendors and which are your responsibility. Assessors expect contractors to have this documented and understood to avoid compliance gaps.

How does MAD Security support defense contractors with CMMC?

We provide gap assessments, compliance management, managed detection and response, and incident response. As a CMMC Level 2 certified ESP, MAD Security brings firsthand experience to guide defense contractors through the process with confidence.

Original Publish Date:

By: MAD Security