Hill Tech Solutions has passed the CMMC Level 2 C3PAO assessment! We're proud to play our part in creating a more secure Defense Industrial Base community.


CMMC Compliance Workshop Wednesday: Behind the Scenes & Process Insights


We finished our CMMC Level 2 assessment earlier this year, and many people have asked what the process looked like from the inside. This seemed like a good time to share how we approached it at Hill Tech Solutions and what the journey really felt like. We are using this to kickstart “Compliance Workshop Wednesday,” providing weekly insights into the process and continual nurturing required for a robust program.

The work started with scoping. It set up the foundation, but it was only a small part of the overall effort. The real lift came from documentation. Policies, procedures, and supporting material made up the largest chunk of our time. It took close to a third of the entire project. We also had to redefine several policies and procedures to make sure they lined up cleanly with each required control. That meant breaking things down to the objective level and showing how each step was carried out in practice. We mapped related policy documents to each other so the flow was easy to follow and the full process was represented without gaps. Even with a strong baseline, the level of detail required for CMMC forced us to slow down and make sure each control was backed by clear, workable documents.

Technical implementation sat right behind documentation in terms of effort. Environments never fit a clean template, and ours was no exception. We had to line up our technical controls with how our business runs. Each control needed to secure the environment and meet the intent of the requirement without turning daily operations into a burden. That meant looking at how our systems were used in real time and adjusting the implementation so the controls worked in practice, not only in theory. The nuance in each system forced us to understand why the requirement existed and then build it in a way that supported the business instead of slowing it down. That extra work made the final build stronger.

Physical work and facility controls were more straightforward but still required deliberate planning. Before we could put any controls in place, we had to identify our physical security boundaries. We documented what was in scope by location, room, and storage area, and called out what sat outside that line. We recorded how access was granted, how visitor activity was handled, and where media was stored. That clarity made it easier to apply the right safeguards in the right places and explain why certain areas were excluded.

Fully documenting the proof of how things are implemented was key. Gathering videos, pictures, and screenshots requires substantial effort. That effort paid off when it was time for assessment. Each artifact had a clear title, the requirement it supported, the system or location involved, and the date it was taken. We stored the files in a standard folder structure and kept a simple index so auditors could go straight to what they needed. The upfront effort paid off during the assessment because it kept the discussion on verification instead of discovery. 

Our final stage in preparation was a mock assessment that followed the same flow as the real engagement. We walked through each requirement, reviewed the evidence set, and documented findings with owners and due dates. Minor gaps were remediated and re‑tested. We updated the evidence index and noted any residual risk with a plan of action. That made the final assessment faster and more predictable. 

If you are preparing your own CMMC effort, our biggest takeaway is that the process is challenging, but certification is attainable. It takes structure, clarity, and a willingness to adapt when you hit something unexpected. CMMC is about maturity as much as compliance. The more proven and repeatable your posture is, the smoother the assessment feels. When the controls, documents, and evidence line up, the conversation shifts from interpretation to confirmation. 

Questions about CMMC certification? Contact Hill Tech Solutions.
