TL;DR: CMMC certification remains below 2% for Level 2 organisations as of May 2026, despite 104 authorized C3PAOs and 988 Certified CMMC Assessors, according to Secureframe’s analysis and survey of more than 800 defence contractors and federal practitioners. The bottleneck is now interpretation, scope definition, and evidence readiness, not assessor capacity.
At a glance
What this is: This analysis argues that CMMC’s slow certification rate is being driven more by control interpretation, scope uncertainty, and documentation burden than by a shortage of assessors.
Why it matters: For IAM and GRC teams, the lesson is that compliance programmes fail when ownership, scope, and evidence models are unclear, especially where identity-controlled access to CUI depends on documented enforcement.
By the numbers:
- As of May 2026, there are 104 authorized C3PAOs and 988 Certified CMMC Assessors.
- Only 23% of respondents cited a shortage of qualified C3PAOs as a top challenge.
- 44% of respondents said they do not know what assessors will look for.
- 51% called compliance cost prohibitive.
👉 Read Secureframe's analysis of why CMMC certification is still lagging
Context
CMMC readiness is not failing because the programme lacks assessors alone. The deeper problem is that many defence contractors still do not have a consistent internal model for scope, evidence, and control interpretation, which makes compliance hard to prove even when the underlying work has begun. For IAM and GRC teams, that is a governance problem as much as a technical one, because access control, identity lifecycle, and documentation all have to align around CUI handling.
The article’s core claim is that enforcement has exposed a maturity gap across the defence industrial base rather than a simple capacity gap in the certification market. That matters to identity programmes because regulated environments depend on clear ownership of accounts, privileged access, and audit-ready evidence, and CMMC turns those assumptions into assessed obligations rather than internal aspirations.
Key questions
Q: What breaks when CMMC scope is not clearly defined?
A: When scope is unclear, teams usually over-include systems or under-document access paths, and both outcomes create assessment risk. The organisation cannot prove which identities touch CUI, who owns them, or how exceptions are governed. That uncertainty usually surfaces as failed evidence reviews, delayed remediation, and inconsistent treatment of privileged access across environments.
Q: Why do identity controls matter so much in CMMC readiness?
A: CMMC turns identity governance into something assessors must be able to verify. If account ownership, least privilege, offboarding, and privileged access reviews are not documented and repeatable, the organisation may have controls in theory but not in practice. In regulated programmes, access management is evidence, not just configuration.
Q: How do security teams know if CMMC evidence is actually usable?
A: Evidence is usable when a reviewer can trace a control from policy to implementation to a dated artefact without needing extra explanation. If the trail breaks at account ownership, access exceptions, or approval history, the evidence is weak. Usable evidence is specific, current, and tied to the systems and identities that are truly in scope.
Q: Who is accountable when CMMC certification slips past contract deadlines?
A: Accountability usually sits with the organisation that accepted the contract obligation, but it often spreads across security, compliance, and programme leadership when scope and remediation were not managed early. In practice, the risk is commercial as well as regulatory: delayed certification can block work, increase cost, and expose weak governance across the supply chain.
Technical breakdown
Why assessor capacity is not the binding constraint
CMMC certification output does not rise and fall in lockstep with the number of assessors. That is a sign that the limiting factor is not simply marketplace capacity but the organisation’s ability to prepare a defensible control narrative. In practice, the assessment process is testing whether teams can show repeatable implementation, not just whether tools exist or policies are written. For identity teams, this means proving who can access CUI, why they have access, and how that access is reviewed and constrained.
Practical implication: build evidence around actual control operation, not around tool deployment alone.
How CMMC exposes scope and evidence weaknesses
The hardest part of many CMMC programmes is not implementing controls, but deciding what is in scope and producing evidence that assessors can interpret consistently. That makes documentation a control surface, not a clerical afterthought. When scope is vague, identity boundaries become vague too, and that leads to overbroad access, weak segmentation, and inconsistent offboarding across systems that touch CUI. NIST SP 800-171 may define the control set, but it does not standardise every implementation choice, which is why evidence quality becomes decisive.
Practical implication: map CUI scope to identity boundaries and keep evidence aligned to those boundaries from the start.
Why third-party verification changes identity governance
Third-party assessment changes the economics of compliance because teams can no longer rely on informal understanding of access controls. If the organisation cannot show how privileged accounts, shared access, and system accounts are governed, then the control is functionally incomplete even if the technology exists. This is where IAM, PAM, and audit readiness converge. In a CMMC environment, access approval, least privilege, and review frequency all need to be defensible under scrutiny, not just internally accepted.
Practical implication: treat identity governance as assessed evidence, with named owners, review cadence, and archived proof.
Threat narrative
Attacker objective: The practical objective is not always theft in the classic sense, but rather exploiting governance gaps that produce noncompliance, delayed contract readiness, and exposure of sensitive defence data if access control weakens.
- Entry begins when a contractor environment handles controlled unclassified information without a clear scope boundary or adequate control evidence, leaving the organisation unable to prove who has access and why.
- Escalation follows when broad or poorly documented access paths remain in place, especially where privileged and shared accounts are not tightly governed or routinely reviewed.
- Impact occurs when the organisation fails a CMMC assessment, cannot meet contract requirements on time, or inherits remediation cost and delivery delays across the supply chain.
NHI Mgmt Group analysis
CMMC’s bottleneck is governance clarity, not just certification capacity. The article’s data shows that assessor supply exists, but organisations still struggle to explain what assessors will evaluate and how scope is defined. That is a control maturity problem, not a market shortage problem. In regulated identity environments, ambiguous scope almost always turns into ambiguous access, so practitioners should treat governance clarity as a prerequisite for readiness.
Identity controls become audit controls the moment enforcement starts. CMMC turns access management, evidence collection, and documentation into externally tested obligations. That means IAM and PAM teams can no longer rely on internal confidence or tool coverage alone. If account ownership, review trails, and privileged access exceptions cannot be demonstrated, the control has not been operationalised in a way that survives assessment.
Scope reduction is a security strategy, not just a compliance tactic. The article shows that many contractors are still defining their CUI scope while deadlines are already active. Narrowing that scope reduces the number of systems, identities, and access paths that must be governed and defended. Practitioners should read that as a mandate to simplify the identity estate before the assessment clock runs out.
Documentation debt is now a material risk factor. The article makes clear that teams with informal control knowledge are the ones most likely to struggle when third-party verification begins. That matters because undocumented access decisions often hide the same weaknesses that attackers exploit, especially in environments where service accounts, shared administrative access, and offboarding are poorly tracked. Practitioners should treat documentation as part of the control itself, not a post hoc report.
Auditable identity governance is becoming the real compliance product. The named concept here is assessment-ready identity evidence: the ability to show, quickly and consistently, who has access, why they have it, and how that access is reviewed. CMMC is accelerating a wider market shift in which identity governance is judged by provable operation, not policy intent. Practitioners should prepare for that standard now.
What this signals
Assessment-ready identity evidence is becoming a useful operating concept for programmes that have to prove control operation under scrutiny. For defence contractors, the challenge is no longer just whether IAM exists, but whether the organisation can produce dated, reviewable proof that access decisions match the stated CUI scope. That is where policy, access review, and offboarding discipline meet compliance reality.
The next maturity step is to treat documentation as part of the control plane, not a separate compliance project. Teams that can connect identity ownership, privileged access exceptions, and evidence retention will move faster through assessment and remediation. Those that cannot will keep paying for ambiguity at the point where contract deadlines become enforceable.
For identity leaders, the signal is clear: CMMC is rewarding programmes that reduce scope, tighten ownership, and keep control evidence continuously current. That aligns closely with the governance patterns described in the NHI Lifecycle Management Guide and the broader access-control expectations in NIST Cybersecurity Framework 2.0.
For practitioners
- Define CUI scope as an identity boundary Map every system, account, and privileged path that can touch CUI, then remove anything that cannot be defended as in scope. Keep the boundary tight enough that reviews and evidence collection are manageable.
- Build assessor-ready evidence packs Create recurring evidence bundles for access approvals, privileged account reviews, offboarding, and control exceptions. Make the artefacts easy to trace from requirement to implementation to proof.
- Reduce standing access before assessment Replace persistent elevated access where possible, and document every exception with a named owner and expiry. This is especially important for administrative and service accounts that touch CUI.
- Test control interpretation before the formal assessment Run a pre-assessment review with independent reviewers who can challenge scope, evidence quality, and control wording. The goal is to find interpretation gaps before a C3PAO does.
Key takeaways
- CMMC is exposing a governance gap more than a capacity gap, because many organisations still cannot explain their scope or evidence with enough precision to satisfy assessors.
- The article’s numbers show that assessor availability is not the main blocker, while interpretation, scope definition, and documentation remain the dominant frictions.
- Identity teams should treat assessment-ready evidence, access ownership, and scope reduction as core programme controls, not as last-mile compliance tasks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Access control and governance are central to CMMC readiness and evidence. |
| NIST SP 800-53 Rev 5 | AC-2 | Account management is repeatedly implicated in assessment readiness and proof. |
| CIS Controls v8 | CIS-5 , Account Management | Account lifecycle governance underpins the evidence teams must show to assessors. |
| ISO/IEC 27001:2022 | A.5.15 | Access control policy and its evidence mapping are directly relevant here. |
Use AC-2 to enforce account ownership, approvals, and review evidence across in-scope systems.
Key terms
- CMMC assessment-ready evidence: Evidence that shows a control is not only designed but operating in a way an external assessor can verify. In practice, this means dated artefacts, traceable ownership, and a clear line from requirement to implementation to review. It is a governance discipline as much as a compliance one.
- CUI scope: The defined set of systems, data flows, identities, and access paths that can handle controlled unclassified information. Scope is critical because it determines what must be protected, documented, and assessed. When scope is too broad or too vague, compliance cost and failure risk rise quickly.
- Standing access: Access that persists beyond the immediate task or approval window. In regulated environments, standing access increases review burden and widens the risk surface because it creates more opportunities for misuse, drift, or undocumented exceptions. Reducing it is often a practical way to improve both security and auditability.
- Third-party verification: An assessment model where an external party checks whether required controls are actually implemented and evidenced, rather than relying on self-attestation. This changes how organisations must prepare because internal confidence is no longer enough; the control has to be demonstrable under scrutiny.
What's in the full article
Secureframe's full blog covers the operational detail this post intentionally leaves for the source:
- The survey methodology behind the 800-plus respondent poll, including how defence contractors, primes, and C3PAOs were grouped.
- The full breakdown of assessment friction by cost, scope, evidence, and interpretation, useful for remediation planning.
- The practical examples of how organisations are reducing CUI scope and preparing for formal assessment.
- The timing pressure created by prime contractor notices and the Phase 2 deadline.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle management, and secrets management. It helps practitioners connect identity control design to the governance and evidence demands that regulated programmes now face.
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org