Kevin Schaaff, a Lead CMMC Assessor at Business Transformation Institute (BTI), has conducted dozens of CMMC assessments. He helped write the CMMC Assessment Process itself. And he’s watched defense contractors fail for the same seven mistakes over and over again.

The difference between companies that pass and those that don’t usually isn’t technical sophistication; it’s thoroughness, alignment, and follow-through.

In a recent training session, Kevin walked us through the 7 most common failures. Some are technical oversights, some are organizational blind spots. All of them end the same way: “not met” findings that derail certifications and delay contract awards.

If you’re preparing for a CMMC assessment, this post explains what separates the companies that pass from those that don’t.

Mistake #1: Scoping Errors (The Assessment-Ender)

“If your scope is wrong in the formal assessment, the assessment’s over. The whole thing begins and ends with scope.” – Kevin

The challenge: During your assessment, the assessor discovers assets that touch CUI but aren’t documented in your boundary. The assessment stops immediately, and you do not pass.

Companies often either over-scope (“everything needs to be in CMMC scope”) or under-scope (missing shadow IT, not understanding CUI flows). Both are failures, but under-scoping is the one that ends assessments.

Kevin notes that organizations that can’t produce a data flow diagram invariably have scope errors because they don’t understand how their data flows and where their CUI is. And if you don’t know where your CUI is, you’re going to miss something in the scoping.

How to avoid it:

  • Create a data flow diagram – Kevin requires one in every assessment, even though CMMC doesn’t mandate it, and many other assessors do the same
  • Map CUI from entry – Know where your CUI is processed, stored, transmitted, and disposed of
  • Interview non-IT teams – Talk to non-IT teams to discover potential undocumented CUI usage
  • Look for “shadow IT” – Backup systems, printers, cloud services, and external consultants are examples of entities that can handle CUI. Make sure you don’t leave them out of your scope

How PreVeil can help: PreVeil’s Compliance Accelerator guides you through scoping your boundary to avoid over- or under-scoping your environment. It helps you identify your CUI data flow—where it comes in and out—so you can clearly define your CUI assets and establish your boundary correctly.

Mistake #2: SSP Lacks Substance

“You cannot give us an SSP that says met or not met. You also cannot give us an SSP that says see this policy, see this procedure. The SSP must explain at a high level how you’re meeting the objectives.” – Kevin

The challenge: Your SSP is essentially a checklist. You mark each control as either “met” or “not met” but provide no explanation. Or perhaps you just give a list of references such as “See Access Control Policy. See Incident Response Plan.” The assessor will mark your SSP non-compliant before the assessment even begins.

How to avoid it:

  • SSP provides the “how,” but policies provide the “what”: Your SSP must explain at a high level HOW you meet each control. You can reference policies for detailed procedures, but the SSP itself must contain enough explanation that an assessor understands your approach without opening another document
  • Single source of truth: Never duplicate detailed procedures in both SSP and policy documents – they get out of sync. Put details in the policy, high-level approach in the SSP

How PreVeil can help: PreVeil’s SSP assessor-validated documentation provides a high-level view demonstrating how you meet each control. These assessor-validated documents link to our SOP templates for procedural details, keeping your SSP substantive without duplicating information.

Mistake #3: Documentation Contradicts Reality

“Write it, say it, do it – those three have to line up. This is like ISO: we look at what you wrote, what you do, and what you tell us. Those three have to match.” – Kevin

The challenge: Your documentation says one thing, your interview says another, and when the assessor tests it, they find a third answer. Even one misalignment is an automatic ‘not met’.

This mistake often happens because documentation is written aspirationally rather than describing what the organization actually does. Additionally, system configurations will sometimes change, but the documentation doesn’t get updated.

How to avoid it:

  • Quarterly alignment audits: Does system configuration still match SSP statements?
  • Version control: When you change a setting, immediately check if SSP/policies need updates
  • Red flag test: Can your system admin log in right now and demonstrate everything in your SSP?

How PreVeil can help: PreVeil’s Compliance Accelerator maps each SSP statement to your actual system configurations, making it visible when documentation and reality drift apart. The learning modules then ensure your team can accurately discuss these configurations during interviews—aligning what you write, what you do, and what you say.

Mistake #4: Training Records Don’t Match Training Requirements

“Awareness and training is almost a gimme. It’s almost a gimme until it isn’t. Here’s how you take good documentation and a good process and turn it into a not met – by not following through.” – Kevin

The challenge: Your organization’s Standard Operating Procedure clearly states: “All employees who will have access to CUI are expected to complete their security awareness training obligations, including insider threat training.” Your process is documented and your training tracker exists. But when the assessor pulls up an individual’s record, they see: 3-year employee, never took insider threat training. Not met.

How to avoid it:

  • Monthly gap reports: Who hasn’t completed the required training? Make it someone’s job to chase this down.
  • Checklist: Create an onboarding checklist with verification 
  • Tracking: Ensure annual renewals are tracked systematically
  • Don’t rely on self-reporting: Pull actual completion records

How PreVeil can help: PreVeil’s training tracker templates help you systematically track who has completed required training and when. These templates surface gaps before assessments and provide the evidence trail assessors need, such as who took what training, when, and where records are stored.

Mistake #5: Wrong People in Interview Rooms

“Make sure you have the right staff with the training and they understand what they’re doing. Put people who actually do the work in the interviews.” – Kevin

The challenge: The assessor asks a question, and the interviewee gives a vague answer, can’t demonstrate the control, or outright contradicts the documentation. Even if your systems are configured correctly, vague or incorrect answers will result in a ‘not met’.

Answer quality matters:

  • Fails immediately: “I think we do that” or “I’m pretty sure it’s three strikes or something.” Fails the burden of proof; automatic ‘not met’
  • Incomplete: “Yes, we limit unsuccessful login attempts.” Requires follow-up questions, but not wrong yet
  • Passes: “Yes, here’s our access control policy. We limit to 5 unsuccessful attempts within 30 minutes. The lockout policy is applied through a Group Policy Object. Let me show you.” Proves the objective immediately, the assessor moves on
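The “let me show you” step in the passing answer above is the same check you want in the quarterly alignment audit from Mistake #3: does the live lockout policy still say what the SSP says? The script below is an added example, not code from the original post or from PreVeil or BTI. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, and the SSP-claimed values (5 attempts, 30-minute window, 30-minute lockout) are assumptions chosen to match the sample answer; edit them to match your own SSP.

```powershell
# Added example (not from the original post, PreVeil or BTI): compare the
# account-lockout values the SSP asserts with what the domain enforces now.
# Assumes a domain-joined host with the RSAT ActiveDirectory module; the
# SSP-claimed numbers below are assumptions chosen to match the answer above.
Import-Module ActiveDirectory

# What the SSP and the interview prep sheet claim (edit to match your SSP)
$SspClaim = [ordered]@{
    LockoutThreshold         = 5                            # failed attempts before lockout
    LockoutObservationWindow = [TimeSpan]::FromMinutes(30)  # window in which attempts are counted
    LockoutDuration          = [TimeSpan]::FromMinutes(30)  # how long the account stays locked
}

# What the Default Domain Policy actually enforces right now
$Live = Get-ADDefaultDomainPasswordPolicy

$Findings = foreach ($Setting in $SspClaim.Keys) {
    [PSCustomObject]@{
        Setting = $Setting
        SSP     = $SspClaim[$Setting]
        Live    = $Live.$Setting
        Aligned = ($SspClaim[$Setting] -eq $Live.$Setting)
    }
}

# One row per setting: what you wrote next to what the system does
$Findings | Format-Table -AutoSize

# Non-zero exit so the check can run on a schedule and page someone on drift
if ($Findings | Where-Object { -not $_.Aligned }) {
    Write-Warning 'SSP and Default Domain Policy disagree: fix the setting or the SSP before the assessor asks.'
    exit 1
}
```

Two caveats for the interview room: the cmdlet reads the Default Domain Policy, so a fine-grained password policy can override these values for specific users or groups (check with Get-ADUserResultantPasswordPolicy for a sample CUI user), and a standalone or workgroup machine reports its local values through `net accounts` instead. Whichever source applies, run it before the assessment so the answer you give is the answer the screen will show.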

How to avoid it:

  • Never say “I think” or “probably” – if you’re unsure, redirect: “That’s handled by [name on the networking team], let me get them for you.”
  • Practice the expert answer format: state the policy → reference the control → point to where it lives in the system
  • Create interview prep sheets: each control mapped to the policy setting + where to find it in the system + who owns it
  • Avoid vague answers: The more vague you are, the deeper the assessor will dig – precision closes questions, ambiguity opens investigations

How PreVeil can help: PreVeil’s Compliance Accelerator educates your point of contact on your compliance controls, enabling them to identify which staff members should be in the room for each assessment topic.

Mistake #6: Incomplete Asset Inventory

“If you don’t understand the scope and network diagram, you’re going to have an incomplete or inaccurate asset inventory. And that is required.” – Kevin

The challenge: This is different from getting your scope wrong (Mistake #1). Here, you’ve correctly identified your boundary, but your documentation doesn’t accurately reflect all the assets within it. Your asset inventory doesn’t match what the assessor sees in your environment. There are missing systems, outdated records, or assets that touch CUI but aren’t documented. If you don’t know all your assets, your scope is incomplete.

The asset inventory is how assessors verify your boundary. If the network diagram shows 15 systems but the asset inventory lists 12, something’s wrong. If the data flow diagram shows CUI moving through a system that’s not in your inventory, your scope is incomplete.

How to avoid it:

  • Your network diagram must show everything touching CUI
  • Asset inventory must match the network diagram exactly
  • Include hardware, software, cloud services – anything in the CUI path
  • Update your inventory immediately when new assets are added to your scope
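The cross-check the assessor performs is mechanical enough to script before they arrive: every node on the network diagram should have an inventory record, every inventory record should appear on the diagram, and every system a CUI flow passes through should be inventoried and categorised as a CUI Asset. The script below is an added example, not code from the original post or from PreVeil or BTI. The host names, inventory rows and data-flow hops are constructed sample data (in practice you would Import-Csv the exports of each document), and the category labels are the CMMC Level 2 scoping categories.

```powershell
# Added example (not from the original post, PreVeil or BTI): reconcile the
# network diagram, asset inventory and data flow diagram against each other.
# All names and rows below are constructed sample data; real runs would
# Import-Csv the exports of each document instead.

# 1. Systems drawn on the network diagram
$DiagramNodes = @('DC01', 'FS01', 'APP01', 'VPN-GW', 'PRN-ENG', 'BKP01', 'WS-ENG-07')

# 2. Asset inventory with each asset's CMMC scoping category
$Inventory = @(
    [PSCustomObject]@{ Asset = 'DC01';      Category = 'Security Protection Asset' }
    [PSCustomObject]@{ Asset = 'FS01';      Category = 'CUI Asset' }
    [PSCustomObject]@{ Asset = 'APP01';     Category = 'CUI Asset' }
    [PSCustomObject]@{ Asset = 'VPN-GW';    Category = 'CUI Asset' }
    [PSCustomObject]@{ Asset = 'WS-ENG-07'; Category = 'CUI Asset' }
    [PSCustomObject]@{ Asset = 'PRN-ENG';   Category = 'Contractor Risk Managed Asset' }
    # BKP01 is on the diagram, but nobody added the backup server to the inventory
)

# 3. Hops from the data flow diagram; Data marks which hops carry CUI
$DataFlow = @(
    [PSCustomObject]@{ From = 'VPN-GW';    To = 'FS01';    Data = 'CUI' }
    [PSCustomObject]@{ From = 'WS-ENG-07'; To = 'APP01';   Data = 'CUI' }
    [PSCustomObject]@{ From = 'APP01';     To = 'PRN-ENG'; Data = 'CUI' }   # the printer handles CUI
    [PSCustomObject]@{ From = 'FS01';      To = 'BKP01';   Data = 'CUI' }   # backups carry CUI
    [PSCustomObject]@{ From = 'WS-ENG-07'; To = 'DC01';    Data = 'Auth' }  # authentication only
)

$InventoryNames = @($Inventory.Asset)

# Check A: diagram and inventory must match exactly, in both directions
$OnDiagramNotInventory = @($DiagramNodes   | Where-Object { $_ -notin $InventoryNames })
$InInventoryNotDiagram = @($InventoryNames | Where-Object { $_ -notin $DiagramNodes })

# Check B: every endpoint of a CUI hop is inventoried, and inventoried as a CUI Asset
$CuiHosts = @($DataFlow | Where-Object Data -eq 'CUI' |
    ForEach-Object { $_.From; $_.To } | Sort-Object -Unique)
$CuiNotInventoried = @($CuiHosts | Where-Object { $_ -notin $InventoryNames })
$CuiMiscategorised = @($Inventory |
    Where-Object { $_.Asset -in $CuiHosts -and $_.Category -ne 'CUI Asset' } |
    ForEach-Object Asset)

$Report = [ordered]@{
    'On diagram, not in inventory'    = $OnDiagramNotInventory
    'In inventory, not on diagram'    = $InInventoryNotDiagram
    'On a CUI flow, not in inventory' = $CuiNotInventoried
    'On a CUI flow, not a CUI Asset'  = $CuiMiscategorised
}

$Failed = $false
foreach ($Check in $Report.Keys) {
    $Hits = $Report[$Check]
    if ($Hits.Count) { $Failed = $true }
    $Status = if ($Hits.Count) { "FAIL: $($Hits -join ', ')" } else { 'OK' }
    '{0,-34} {1}' -f $Check, $Status
}
if ($Failed) { exit 1 }
```

On the sample data the first two checks each flag BKP01 (on the diagram and on a CUI flow, but missing from the inventory), and the last check flags PRN-ENG: a printer on the CUI data flow cannot be a Contractor Risk Managed Asset, which is reserved for assets that can but are not intended to handle CUI. Those are exactly the discrepancies described above, found before the assessor does.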

How PreVeil can help: PreVeil’s asset management module ties directly to your scope documentation, automatically flagging mismatches between your asset inventory, network diagram, and boundary definition—so discrepancies are visible before the assessor finds them.

Mistake #7: The “We Don’t Do That” Confession

“I see this a lot. Usually the managers get defensive. The technical people are like, ‘yeah, we don’t do it.’ ” – Kevin

The challenge: Your assessor asks about a required control, but instead of demonstrating compliance, your colleague admits you don’t do it.

Why it happens:

  • Cost concerns (“that’s too expensive, we’ll do it later”)
  • Misunderstanding requirements (“that doesn’t apply to us”)
  • Self-assessment inflation (“we’ll just say we do it and hope they don’t check”)
  • Leadership believes rules don’t apply to them

The correct response if you have gaps is to note that it’s a known deficiency in your last risk assessment and that it’s documented in your Plan of Action and Milestones (POAM).

If something is identified during the assessment and it is POAM-eligible (only one-point practices can be placed on a POAM), you can receive a conditional certification and a limited window (180 days under the CMMC rule) to close it out. Close it satisfactorily, and the certification becomes final.

How to avoid it:

  • Conduct an honest gap analysis before formal assessment – know your weaknesses before the assessor finds them
  • Document known gaps in a POAM during prep and close them before the assessment. If gaps are discovered during the assessment, only one-point practices can be POAMed for a conditional certification, and they must be closed within the allowed window
  • Never misrepresent compliance: If you misstate your compliance status, the assessor can stop the assessment immediately and you fail everything

How PreVeil can help: Our gap analysis tool maps your current state to requirements, showing real gaps vs. aspirational compliance, so you know what needs to be implemented or fixed before you register for an assessment.


PreVeil is the leading CMMC compliance solution for small and mid-sized defense contractors. Trusted by 2,500+ organizations, PreVeil’s proven platform is secure, easy to use, and saves SMEs 75% compared to GCC High. 

Business Transformation Institute (BTI) is a CMMC Assessor (C3PAO) and performance improvement firm whose staff includes Lead Assessors, appraisers, and systems engineering professionals with deep DoD experience. Kevin Schaaff is Chief Engineer at BTI and a Lead CMMC Assessor. Learn more at biztransform.net.