
Your IT Leader Didn't Sign Up for This

Written by Kara Sparrow | Feb 19, 2026 6:57:20 PM

It usually starts the same way. CMMC hits the radar, leadership looks around the room, and the assignment lands on the person who manages technology. "This is an IT thing. Can you figure this out?"

The IT leader says yes. That's what good IT leaders do. They start doing what most mid-sized manufacturers do with DIY CMMC. They read. They pull up NIST SP 800-171. They call a few vendors. They buy a tool that promises to simplify the process. They build a spreadsheet.

Six months later, the spreadsheet has grown. The progress hasn't.

Month Six Looks the Same as Month Three

The IT director can talk about access controls and encryption with more confidence than they could in January. But the honest update in every leadership meeting sounds the same: "We're making progress, but I'm not sure how far along we are."

It's not that they've done nothing. They've done a lot. The problem is that every answer creates new questions. Access control policies need sign-off from HR. The incident response plan requires coordination across departments that have never coordinated on security before. Physical security controls have nothing to do with anything the IT team manages. Security awareness training needs buy-in from people who report to the COO, not the IT leader.

Meanwhile, the IT team still has their actual jobs. The help desk tickets don't stop because CMMC exists. The network still needs monitoring.

DIY CMMC preparation looks manageable on paper. Six months in, it feels like a second full-time job layered on top of the first one, with no way to measure whether the work is actually moving toward certification.

Five Out of Fourteen

At some point, the IT leader sits down with the NIST SP 800-171 requirements and maps what they've built against the fourteen domains. The technical side looks solid. Network security, system hardening, access controls. The team knows that work.

  • Then they hit personnel security. That's HR policies and background check procedures. Not their department.

  • Physical protection. Facility access controls and visitor logs. Not their building to manage.

  • Awareness and training. A company-wide program with tracked completion, owned by people who don't report to them.

  • Risk assessment needs leadership involvement and documented business impact analysis.

  • Incident response needs a cross-departmental plan nobody has written.

  • Audit and accountability needs log review processes with roles that don't exist yet.

Out of fourteen domains, the IT team can own maybe five. The rest require decisions, budget, and authority that sit outside their role entirely. They've been identifying organizational problems for months with no organizational mandate to solve them.

That's the week the IT leader stops being behind on a project and starts carrying one they were never equipped to finish.

It Was Never an IT Project

Nobody pulls up the CMMC framework and looks at its full scope before handing it to IT. Nobody counts fourteen domains and asks how many of them are actually technology decisions.

Every article frames DIY CMMC as a technology project. Every vendor pitch is about tools and controls. Every webinar walks through technical requirements and assumes the IT team will handle the rest.

The IT leader didn't fail. They were sent into unfamiliar territory with a map drawn by people who only see the technical layer. They covered the ground they could see and flagged the territory they couldn't reach. That's exactly what a capable person does with an incomplete map.

The question isn't whether the team is good enough. It's whether anyone told them this was a fourteen-domain organizational change project before they said yes.


The Work Isn't Wrong. It's Disconnected

The IT leader's technical work has value. They know the environment better than any outside expert ever will. What's been missing is the compliance picture laid over the technical picture, so the controls they built connect to what an assessor actually evaluates.

When that picture exists, everything moves differently. Controls already in place get documented properly, in the system security plan an assessor will actually read. Gaps that were invisible become visible and prioritized. Work that sits outside IT gets assigned to the people who should own it. And the IT leader stops carrying alone a project that was never one person's job.

A gap assessment is often the turning point where DIY CMMC efforts stop spinning and start connecting to certification. It shows where the team actually stands, which domains are covered, and where the gaps live. Contact Prescott to start that conversation.
