Jackie Ramsey, February 9, 2026

If you’re chasing DoD work, it’s tempting to treat CMMC like a single hurdle: prep hard, pass, move on. I get it. Small teams don’t have time for endless compliance work, and most of us would rather spend that energy on customers and delivery.

But here’s the truth I share with every subcontractor and small prime I talk to: CMMC isn’t “done” after an assessment. There’s an initial push to get ready, and then I have to run it like a program that survives staff turnover, new laptops, Microsoft 365 setting changes, and MSP handoffs. That’s why ongoing CMMC compliance matters, especially for cloud-heavy shops where settings drift and identity access changes weekly.

If I treat CMMC as a one-time project, I’m betting my next award on luck. That’s not a good plan.

CMMC is ongoing, the assessment is just a checkpoint

CMMC has a moment where it feels like a project: scoping, gap fixes, writing the SSP, cleaning up accounts, tightening MFA, and getting evidence in order. That work is real, and it can be intense.

But the “project” part is only the on-ramp.

The assessment is a checkpoint that proves I met the requirements on that date. The requirement itself is to keep meeting them. The easiest way I explain it is fitness: I can’t work out once, take a photo, and expect to stay healthy for three years. Security controls behave the same way. They either keep running, or they slowly break as the business changes.

This becomes very real in early 2026 because CMMC 2.0 is already in phased enforcement for new DoD contracts: since the DFARS rule took effect in November 2025, solicitations can require self-assessments now, and certified assessments will be required in more contracts as the later phases expand. If you want a plain-language overview from a legal lens, I like this summary of when CMMC requirements “go live” and how they show up in new awards: CMMC Goes Live: New Cybersecurity Requirements for Defense Contractors.

The business risk is simple: I can do all the right work, then lose a bid later because my proof is stale, my scope got messy, or I can’t confidently sign an annual affirmation. I also risk a messy conversation with a prime if they ask for evidence and I can’t produce it fast.

So when someone asks me, “Is CMMC a one-time project?” my answer is: it’s a program with milestones. The milestone is the assessment. The program is everything I do the other 1,095 days.

What “ongoing” means in real life (governance, risk, continuous monitoring)

Ongoing doesn’t mean writing new policies every week. It means I run a steady routine so controls don’t drift.

In a typical small business stack (Microsoft 365, laptops, cloud file storage, maybe an MSP), “ongoing” looks like:

  • Leadership assigns an owner (someone who can say “yes,” “no,” and “not yet”), and checks progress monthly.
  • I track risk in plain terms: what changed, what could break, what needs funding.
  • I keep recurring security checks on a calendar: patching, MFA coverage, backups, log reviews, vulnerability scans, and access reviews.
  • I keep training current, including phishing and basic handling rules for FCI and CUI.
  • I stay ready for incidents with a short plan and a contact list that’s actually up to date.

The goal is routines over big projects. I’d rather do small evidence captures all year than scramble for screenshots the week a prime calls.

Assessment and recertification cadence by CMMC level (what I must do each year)

Most small DoD suppliers land in Level 1 or Level 2, depending on whether they handle FCI or CUI. What trips people up is the timing: the certification cycle can be three years, but the work inside the cycle is annual (and in practice, monthly).

Also, contract language drives the requirement. That’s why I keep one bookmark handy: the DFARS clause that ties contract terms to CMMC levels and compliance expectations. When I’m reading a solicitation, I cross-check against DFARS 252.204-7021 on Acquisition.gov.

Here’s the planning reality I budget for:

  • Every year: I’m collecting evidence, running internal checks, and preparing to affirm my status when required.
  • Every three years (for some Level 2 work): I’m scheduling an external assessment, which means lead time, cost, and a cleaner evidence trail.

The three-year cycle is not a three-year break. It’s more like a three-year report card that proves I kept the habits.

Level 1: annual self-assessment for FCI

Level 1 focuses on basic safeguards for Federal Contract Information. I complete a self-assessment every year, record the result in SPRS, and submit the annual affirmation that goes with it.

The smartest move is keeping proof organized all year so it’s not a last-minute scramble. I keep simple artifacts like policy acknowledgments, security awareness completion, an account list, and basic configuration proof (MFA on, supported antivirus, patch status).

Level 2: self-assessment vs C3PAO, plus the 3-year cycle

Level 2 maps to the 110 requirements of NIST SP 800-171 (Rev. 2) and is where most IT-heavy small businesses feel the workload.

There are two common paths:

  • Level 2 (Self): a self-assessment every three years, plus an annual affirmation, for contracts the solicitation designates that way.
  • Level 2 (C3PAO): a certification assessment by a C3PAO every three years, plus an annual affirmation, for “prioritized” contracts with more sensitive CUI, again based on what the solicitation requires.

In both cases, I still need ongoing monitoring and honest attestations. The contract and flow-down language decide, so I don’t guess. I plan for assessor lead time and costs early because waiting until a bid is due is how timelines explode.

For a helpful high-level view of why DoD calls out continuous compliance in the rollout, this coverage is useful context: Pentagon finalizes CMMC rule, requiring continuous compliance across defense supply chain.

How I stay audit-ready as my business changes (scope, evidence, and operating model)

The businesses that suffer the most are the ones that “pass” once, then quietly change everything. A new MSP comes in, file sharing shifts to a new cloud app, teams start using personal devices, and suddenly the documented boundary has nothing to do with reality.

Staying audit-ready means I treat CMMC like a repeatable system:

  • My scope is clear, and I update it when things change.
  • My evidence is organized by control, not by memory.
  • My operating model is defined, even if I outsource IT.

Scope changes that force updates (new contracts, locations, cloud apps, subs)

These are the triggers that make me stop and re-check the CUI boundary:

  • New DoD work with different data types (FCI vs CUI)
  • New data flows (file sharing, ticketing, quoting, CAD)
  • New location or shift to more remote work
  • New cloud services (email, file storage, project management)
  • New MSP or major network redesign
  • New subcontractor that touches covered data
  • Identity changes (new SSO, new tenant-to-tenant migration)

Each trigger means I re-check the boundary, update diagrams and asset lists, and confirm vendors are configured to meet the requirements.

Evidence management and living documents (SSP, policies, POA&M where allowed)

Evidence is boring, and it wins contracts.

I store things like screenshots, audit logs, tickets that show patching, training records, backup reports, vulnerability scan results, and access review records. I map each artifact to a control so I can find it in minutes, not hours.

My SSP has to match reality. If Microsoft 365 settings change, or my device fleet changes, I update the SSP so it stays true. If POA&Ms are allowed for my situation (they are not permitted at Level 1, and at Level 2 they must be closed within 180 days), I keep them tight: gap, owner, due date, proof of closure, and I close them fast.

Roles and operating model for small teams (who does what)

Small teams need clear ownership, not more meetings.

  • Executive leadership funds the work and signs affirmations.
  • A compliance lead (internal or vCISO) runs the plan and evidence habits.
  • IT staff or the MSP runs the technical controls, then proves they ran them.
  • HR owns onboarding, offboarding, and training records.
  • Procurement manages vendor terms and subcontractor flow-downs.
  • Contracts and BD check requirements before bidding.

Outsourced IT can do the work, but I still own the outcome.

Common “project mindset” pitfalls, plus my ongoing compliance checklist

I watch the same mistakes repeat:

  • Treating the audit as the finish line
  • Under-scoping (forgetting email, laptops, and cloud storage)
  • Last-minute paperwork that doesn’t match operations
  • Weak vendor oversight
  • Skipping recurring reviews
  • Waiting until a proposal is due

Here’s the simple routine I use.

Monthly

  • Confirm patch status on laptops and servers
  • Review key alerts and sign-off that they were handled
  • Review account changes (new users, terminations, admin rights)
  • Verify backups ran, test one restore
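The account-change review above is easier to do consistently, and easier to prove, if it is a diff between two saved snapshots rather than a manual scroll through the admin portal. The script below is an added example, not code from the original post or from RVA Tech Visions: it compares last month’s and this month’s user export (constructed sample data here; the field names `upn`, `enabled`, `admin`, `mfa` are assumptions about what your export contains), lists new, disabled, and removed accounts and admin-role changes, flags enabled admin accounts without MFA, and wraps the result in an evidence record with a control mapping and a SHA-256 hash so the artifact can be filed by control and checked later for tampering. The NIST SP 800-171 control numbers it attaches (3.1.1 access limits, 3.5.3 MFA for privileged accounts, 3.9.2 personnel actions) are my mapping choice, not the page’s.

```python
"""Monthly account-change review from two directory snapshots (added example).

PREV and CURR are constructed sample exports in the shape of a hypothetical
monthly user list from the identity provider (e.g. Microsoft 365). The field
names are assumptions; adapt them to whatever your export actually produces.
"""
import hashlib
import json

# Constructed sample: last month's export.
PREV = [
    {"upn": "alice@example.com", "enabled": True, "admin": True, "mfa": True},
    {"upn": "bob@example.com", "enabled": True, "admin": False, "mfa": True},
    {"upn": "carol@example.com", "enabled": True, "admin": False, "mfa": False},
    {"upn": "svc-backup@example.com", "enabled": True, "admin": False, "mfa": False},
]
# Constructed sample: this month's export (bob promoted without MFA,
# carol disabled, svc-backup deleted, dave is a new hire).
CURR = [
    {"upn": "alice@example.com", "enabled": True, "admin": True, "mfa": True},
    {"upn": "bob@example.com", "enabled": True, "admin": True, "mfa": False},
    {"upn": "carol@example.com", "enabled": False, "admin": False, "mfa": False},
    {"upn": "dave@example.com", "enabled": True, "admin": False, "mfa": True},
]


def review(prev, curr):
    """Diff two snapshots into the categories a monthly access review signs off on."""
    p = {u["upn"]: u for u in prev}
    c = {u["upn"]: u for u in curr}
    return {
        "new_accounts": sorted(set(c) - set(p)),
        "removed_accounts": sorted(set(p) - set(c)),
        "disabled_accounts": sorted(
            n for n in c if n in p and p[n]["enabled"] and not c[n]["enabled"]
        ),
        "admin_granted": sorted(
            n for n in c if c[n]["admin"] and not p.get(n, {}).get("admin", False)
        ),
        "admin_revoked": sorted(
            n for n in p if p[n]["admin"] and not c.get(n, {}).get("admin", False)
        ),
        # Enabled privileged accounts without MFA are a finding whether or not
        # anything changed this month.
        "admins_without_mfa": sorted(
            n for n in c if c[n]["enabled"] and c[n]["admin"] and not c[n]["mfa"]
        ),
    }


def action_items(findings):
    """Turn findings into the follow-ups the reviewer has to close or sign off."""
    items = []
    for n in findings["admins_without_mfa"]:
        items.append(f"{n}: privileged account without MFA; enforce MFA or remove the role (3.5.3)")
    for n in findings["admin_granted"]:
        items.append(f"{n}: admin role added this period; attach the approval ticket (3.1.1)")
    for n in findings["disabled_accounts"] + findings["removed_accounts"]:
        items.append(f"{n}: offboarded; confirm licenses, mailbox and file-share access were revoked (3.9.2)")
    for n in findings["new_accounts"]:
        items.append(f"{n}: new account; confirm onboarding record and training assignment (3.1.1)")
    return items


def _canonical(body):
    # Stable serialization so the hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def evidence_record(findings, period, controls=("3.1.1", "3.5.3", "3.9.2"), reviewer="compliance-lead"):
    """Wrap findings in an artifact carrying the control mapping and a content hash."""
    body = {
        "period": period,
        "controls": list(controls),
        "reviewer": reviewer,
        "findings": findings,
        "actions": action_items(findings),
    }
    return {**body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_record(record):
    """Recompute the hash over everything except the hash itself."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("sha256")


if __name__ == "__main__":
    rec = evidence_record(review(PREV, CURR), "2026-02")
    print(json.dumps(rec, indent=2))
```

Save the printed JSON into the evidence folder for the month (one file per control it is mapped to, or one file plus a control index) and record the hash in the review sign-off; next month’s run then starts from this month’s export as `PREV`.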

Quarterly

  • Do a short risk review: what changed, what broke, what’s next
  • Review vendors and subcontractors that touch covered data
  • Spot-check the SSP and key policies against real settings
  • Run a short incident tabletop drill and save the notes
  • Spot-check evidence folders for completeness

Conclusion

CMMC is an ongoing requirement; the assessment is a milestone that proves I’m operating the program. If I want stable contract performance and fewer fire drills, I need a calendar, owners, and evidence habits that hold up when people and tools change.

If you want help putting this into a system, RVA Tech Visions can support the practical parts: scoping FCI vs CUI, setting a clean Microsoft 365 boundary, building an evidence folder structure that matches the controls, and planning for either annual self-assessment or a future C3PAO timeline. The best time to set that rhythm is before the next solicitation forces it.
