Hill Tech Solutions has passed the CMMC Level 2 C3PAO assessment! We're proud to play our part in creating a more secure Defense Industrial Base community.


CMMC Compliance Workshop Wednesday: Team Spotlight


The Roles That Made It Happen

Last week, in the first installment of Compliance Workshop Wednesday, we talked about what our CMMC Level 2 journey looked like behind the scenes. The scoping. The documentation. The technical work that had to come together long before an assessor ever stepped in.

This week, we want to focus on the people and roles that carried that work forward.

One of the biggest lessons from our CMMC effort is that compliance cannot live with one person or one team. It only works when security and compliance become part of how the organization operates every day. Not a side project. Not a last-minute push.

This post shines a light on a few of the roles that helped make that culture real. We are focusing on the work they did, how they approached it, and why that approach mattered.

Leadership

Leadership provided the vision, set the direction, and made compliance achievable by treating CMMC as a business priority, not an IT project. They funded the needed tooling and remediation work, cleared roadblocks quickly, and reinforced accountability by empowering control owners and holding teams to timelines. Just as importantly, they modeled the “how we operate” mindset by supporting process changes that made security sustainable and making it clear that evidence, documentation, and disciplined execution were everyone’s responsibility. Executive buy-in is essential, but empowering the team and stepping out of the way until needed provided the best outcome.

Compliance Champion

The Compliance Champion served as the day-to-day connector between policy and practice by translating CMMC Level 2 requirements into clear, repeatable actions teams could actually follow. They kept control owners aligned, tracked artifacts and evidence as work happened (not after), and helped remove blockers by answering “what does good look like?” in real time.

That ownership and consistency reduced rework, prevented last-minute evidence scrambles, and strengthened audit readiness across the board. This ensured the assessment validated an operating rhythm we had already built, rather than forcing a late sprint to get compliant.

Human Resources

Human Resources strengthened our CMMC posture by operationalizing the “people side” of the requirements. They helped ensure the right personnel security practices were in place. This entailed coordinating background screening where required, working with the Compliance Champion to define roles and access needs, and partnering with IT/security to make onboarding and offboarding consistent and timely. HR also supported security awareness and policy compliance by driving training participation, collecting employee acknowledgments for key policies, and keeping records organized so evidence was easy to produce during assessment. By making these steps part of everyday hiring, employment, and separation workflows, HR reduced risk and helped turn compliance into a repeatable operation.

Lead Systems Engineer

The Lead Systems Engineer was instrumental throughout our CMMC certification journey, especially where engineering decisions met compliance requirements.

This role centered on documenting controls and processes in detail while architecting and implementing the systems that supported them. The goal was never to bolt security on after the fact. It was to design environments that met CMMC expectations while still supporting how teams needed to work.

A major focus was minimizing disruption. Controls were implemented strategically, with attention paid to operational impact, usability, and long-term maintainability. Compliance had to fit into the business, not fight against it.

As they put it:

“Successful CMMC implementation isn’t about forcing an organization into a rigid framework. It’s about intelligently aligning security controls with how the business already operates. The most effective approach integrates compliance into existing processes, minimizing disruption while strengthening security.”

That mindset helped ensure the end result was not just compliant, but sustainable. Systems stayed efficient. Documentation reflected reality. Security improved without slowing the business down.

Cybersecurity Analyst

The Cybersecurity Analyst focused on ensuring our controls could stand up to scrutiny and stay defensible.

Their work revolved around developing a strong evidence collection framework, validating control effectiveness, and making sure our technical environments truly aligned with CMMC Level 2 requirements. This included influencing security architecture decisions, strengthening endpoint and identity controls, and coordinating remediation efforts across teams to close gaps efficiently.

Throughout the process, the priority remained clear. Move quickly but do it cleanly. Compliance had to support day-to-day operations, not create chaos around them.

That perspective kept the effort grounded.

“CMMC isn’t a checklist. It’s the visible proof of all the discipline, documentation, and security we’ve built day by day.”

By treating evidence and validation as a continuous process instead of a scramble, the assessment became a confirmation of work already done rather than a stressful pivot at the end.

Service Desk

The Service Desk played a key role by absorbing the day-to-day operational load for our existing clients while the compliance effort was underway. They kept ticket triage, troubleshooting, communications, and routine changes moving through normal workflows, which prevented client support needs from becoming interruptions for the compliance team. That separation of duties protected focus time for documentation, evidence collection, control validation, and remediation. This allowed us to drive CMMC tasks to completion without sacrificing service levels.

CMMC Level 2 is often talked about as a milestone. For us, it was also a cultural checkpoint.

The real success came from shared ownership, steady execution, and roles working together with a common understanding of why the controls mattered. That is what made the compliance effort stick, and that is what continues to shape how we approach security moving forward.

Next week, Compliance Workshop Wednesday will focus on lessons learned and what we would do differently if we were to start again.

Questions about CMMC certification? Contact Hill Tech Solutions.
