Sometimes the best way to understand the process is by hearing directly from those who have been through it.
In this Coffee and Compliance webinar, our own Brad Proctor, Director of Operations, and Jaclyn Jones, Compliance Lead, share what it was like for MAD Security to become one of the first ESPs to achieve CMMC Level 2 certification.
Watch the video to gain practical insights and real-world lessons that can help you prepare for your own assessment. And while the video offers a deeper dive, here are some of the most important lessons we took away from our assessment.
Did you know the Department of Justice has already used the False Claims Act to pursue contractors who misrepresented their cybersecurity compliance? With the Department of Defense (DoD) tightening oversight, and Cybersecurity Maturity Model Certification (CMMC) Level 2 soon becoming a requirement for most defense contracts, the stakes have never been higher.
Despite growing awareness, many defense industrial base (DIB) contractors still struggle to understand how Defense Federal Acquisition Regulation Supplement (DFARS), National Institute of Standards and Technology (NIST) 800-171, and CMMC fit together, and what they must do to remain eligible for DoD opportunities. Questions about scope, evidence, and assessment readiness continue to cause confusion across the industry.
At MAD Security, we decided not to wait for a mandate. We became one of the first External Service Providers (ESPs) to achieve CMMC Level 2 certification. This milestone demonstrates our commitment to “walking the walk” alongside our clients, proving that compliance and strong cybersecurity can go hand in hand.
In this post, we will share what this certification means, the lessons we learned along the way, and how our experience benefits you. You will also find our Coffee and Compliance webinar video, where our experts go deeper into the CMMC journey and offer practical advice for defense contractors preparing for their own assessments.
CMMC Level 2 is more than a box to check.
That is where ESPs come in. ESPs include organizations like Managed Security Services Providers (MSSPs) and IT partners that deliver critical security and compliance services to DIB contractors. While contractors are required to certify, ESPs are not. Even so, MAD Security made the decision to pursue certification voluntarily.
Why? Because if we are asking our clients to undergo the rigor of a CMMC Level 2 assessment, we should hold ourselves to the same standard. By becoming one of the first ESPs to earn certification, we showed that our own systems, processes, and people can stand up to the scrutiny of a third-party assessment.
For defense contractors, this decision matters. Partnering with a CMMC-certified ESP means you can trust that your provider has already navigated the challenges you face and can help you do the same.
Our experience reinforced that achieving CMMC Level 2 certification is not just about meeting technical requirements. It is about preparation, process, and partnership. Four lessons stood out that every contractor can apply.
1. A mock assessment is worth its weight in gold. Running a simulated assessment before the official one helped us practice presenting evidence, answering assessor questions, and identifying gaps. This step often gets skipped, but it can make the difference between being fully prepared and being caught off guard.
2. Shared Responsibility Matrices (SRMs) can get complicated. If you use tools like Microsoft 365 GCC High or PreVeil, compliance responsibilities are shared between you and the vendor. Assessors will expect proof that you understand exactly which controls are yours and which are covered by your provider. Aligning SRMs early prevents confusion later.
3. Evidence must be clear and accessible. During the assessment, you must show that controls are implemented and effective. That means policies, procedures, and screenshots need to be organized and easy to reference. Think of it like math class: the right answer is not enough if you cannot show your work.
4. Scope is broader than you might think. Even as an ESP that does not directly handle CUI, we had to clearly define which systems and processes were in scope. Contractors often underestimate this step, which can lead to delays and surprises.
In one word: confidence. When you partner with a CMMC Level 2 certified ESP, you can be certain your provider has already faced the same rigorous process you are preparing for.
It reduces your risk. Many vendors talk about compliance but have never gone through a third-party assessment. MAD Security has proven that our systems, people, and processes meet the same high standards we expect from our clients.
In short, our certification is more than a badge. It is proof to you and to the DoD that we are a trusted partner committed to your success.
If you are preparing for CMMC Level 2 certification, the process can feel overwhelming.
The good news is that with the right steps, you can move forward with confidence.
Based on our experience, here are some practical tips:
1. Start with a gap assessment. This gives you a roadmap for closing compliance gaps.
2. Develop your System Security Plan (SSP). It will be one of the first documents assessors review.
3. Schedule a mock assessment. Treat it like a dress rehearsal to practice and find weaknesses.
4. Validate your SRMs. Know what your vendors cover and what falls on you.
5. Choose experienced partners. Work with providers who understand the DIB.
6. Do not wait. With CMMC becoming contractual, last-minute prep is risky.
CMMC compliance is more than a requirement. It is a way for defense contractors to demonstrate accountability, protect sensitive information, and strengthen national security. At MAD Security, we believe in holding ourselves to the same standards we ask of our clients, which is why we became one of the first ESPs to achieve CMMC Level 2 certification.
Our journey showed us that success comes down to preparation, partnership, and persistence. By sharing what we learned, we aim to help contractors across the DIB navigate compliance more confidently. Whether you are just beginning your journey or preparing for an assessment, you do not have to do it alone.
MAD Security is here to simplify compliance, strengthen security, and give you the confidence to move forward.
Ready to strengthen your compliance posture and simplify the path to CMMC Level 2 certification? MAD Security has been through the process and knows what it takes to succeed. Our team can help you identify gaps, prepare for assessments, and build a stronger cybersecurity foundation.
By: MAD Security