The CMMC Mistake Confident Contractors Make
You read the requirements. You built your policies. You feel ready. Here's what the assessment might still reveal — and why it matters before you submit your SPRS score.
By Overwatch Tools Compliance Team | CMMC Level 1 Self-Assessment | Updated 2025
This is one of the most common experiences we hear from small contractors who reach out to Overwatch Tools — not because they didn't try, but because they measured their readiness against their own understanding of the requirements rather than against what an assessment actually looks for.
CMMC Level 1 covers 17 practices derived from FAR 52.204-21. That list is short enough to feel manageable. And that's exactly where the confidence trap lives.
The requirements sound simple. Limit system access to authorized users. Verify users' identities. Sanitize or destroy media. Protect audit information. Straightforward language — until you realize that "doing it" and "being able to prove you're doing it" are two very different things. And both matter for your SPRS score.
The Confidence Trap: Why Prepared Contractors Still Get Surprised
Reading the CMMC Level 1 requirements and knowing them are not the same thing. Neither is knowing them and having them implemented at the level an assessment demands. The gap in between — between understanding a control and being able to demonstrate it — is where most surprises live.
This isn't a criticism. The 17 practices in CMMC Level 1 are written at a level of abstraction that makes it genuinely difficult to know whether what you've built actually satisfies the requirement. "Limit access to systems and information to authorized users" seems obvious. But what counts as authorization? What counts as limiting? What's your documentation trail?
When primes and DoD auditors (who increasingly request compliance verification even for Level 1) look at your evidence, they're asking those second-order questions. Most contractors don't realize this until they're in the process.
The 5 Most Common "I Thought That Counted" Mistakes
These aren't exotic edge cases. These are the five issues we see most frequently when we do our initial review in the first consultation session — even with contractors who have done serious preparation.
Shared Admin Accounts
This one is extremely common in small teams. The owner, the IT person, and one other trusted employee all know the admin password and share a single admin login. It's practical. It works. And it fails the access control requirements.
CMMC Level 1 Practice AC.1.001 requires that access to organizational information systems be limited to authorized users, processes acting on behalf of authorized users, and devices — including other systems — the organization authorizes. When multiple people share one set of admin credentials, you lose the ability to demonstrate who accessed what and when. Audit logs become useless because every action shows up under the same login. You can't show individual accountability.
The fix isn't complicated — separate admin accounts, each assigned to an individual — but the compliance gap is real, and auditors will ask for your access control evidence. "We all trust each other" is not an artifact.
What this looks like in evidence: You need an access control policy, individual accounts with role-based permissions documented, and log evidence showing those individual accounts in use.
Having Antivirus — But Not Proving It's Working
Every small business has antivirus. It came with the laptops, or IT installed it years ago, or it's part of the Microsoft 365 subscription. So most contractors check the "malicious code protection" box without a second thought.
The CMMC Level 1 requirement under SI.1.210 doesn't ask whether you have antivirus. It asks whether you have mechanisms to protect against malicious code at appropriate locations, update them when new releases are available, and perform periodic scans. The critical piece that most contractors miss: you need to be able to demonstrate it's running, updating, and catching things.
That means documentation. Logs of scans. Evidence that definitions are being updated. Screenshots of configuration settings. A written procedure that describes how malicious code protection is managed. "We have Windows Defender" is the beginning of the answer — not the whole answer.
What the evidence actually requires: Scan logs (even periodic), proof of update configuration, a written malicious code protection procedure, and ideally a log of any alerts or incidents (even if there are none — you need to show the system is active).
Policy Documents That Nobody Follows
This is the single most common gap we see with contractors who've done serious compliance preparation: they've written the policies, but they haven't built the implementation evidence that shows those policies are actually being followed.
CMMC isn't a documentation exercise. It's an implementation exercise that documentation supports. A written acceptable use policy is a starting point. But if your assessment includes questions like "show me the last employee who acknowledged this policy" or "show me that this procedure was followed during your last incident" — and you don't have evidence — the policy on paper doesn't protect you.
The most common version of this: contractors write an incident response plan (required under IR.1.076) but have never tested it, never documented a tabletop exercise, and have no evidence that their team knows what the plan is. The plan exists. The implementation doesn't.
The critical distinction: Every practice requires two things — the mechanism (the policy, the tool, the control) and evidence that the mechanism is in use. Both columns need to be filled before your assessment.
Media Sanitization Confusion: Delete ≠ Dispose
CMMC Level 1 Practice MP.1.118 requires that you sanitize or destroy information system media before disposal or reuse when the media contains Federal Contract Information (FCI). Most small contractors interpret this as "delete the files before you get rid of the computer." That's not sufficient.
Proper media sanitization under DoD standards means rendering data unrecoverable — not just deleted. A standard file delete leaves data recoverable through forensic tools. Even formatting a drive does not meet the standard for media that contains FCI. DoD-compliant sanitization means either cryptographic erasure, secure overwrite to standards like NIST 800-88, or physical destruction.
Many small contractors have disposed of old laptops or hard drives through standard recycling programs, donated equipment, or simply throwing them away — confident that wiping the device was enough. That equipment may have contained FCI. That's a gap, and it's one that requires documentation of your current sanitization procedures going forward.
What assessment-ready looks like: A written media sanitization policy, a log of disposed media with dates and methods, and evidence of DoD-compliant sanitization (certificates from vendors if outsourced, or tool logs if done in-house).
Former Employees with Live System Access
This one is uncomfortable to talk about because it's not a process mistake — it's a time-sensitive oversight that often happens because terminations are chaotic and off-boarding is an afterthought in small companies.
CMMC Level 1 Practice AC.1.001 and IA.1.076 together require that you limit access to authorized users and verify user identities. An employee who left six months ago and whose email account is still active, whose VPN credentials still work, or who can still log into your project management system is a direct failure of this practice.
This is more common than it sounds. In small teams, off-boarding means "we said goodbye and wished them well." The system accounts get forgotten. Google Workspace licenses don't automatically deactivate. Microsoft 365 accounts sit active for months. And every one of those accounts is a live access point that an assessor will notice — and that represents real security risk.
The fix: A documented off-boarding checklist, a periodic access review procedure (quarterly is reasonable for small teams), and evidence that those reviews have been conducted. You also need a current, accurate list of authorized users and a log showing when accounts were created and terminated.
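The periodic access review described here, and the individual-accountability point made under "Shared Admin Accounts" above, both come down to one reconciliation: compare what the platform says is enabled against what HR says is authorized. The following script is an added illustration written for this article, not Overwatch Tools' own tooling; the HR roster, the account export and the list of generic usernames are all constructed sample data, and the field names (`username`, `enabled`, `is_admin`, `last_sign_in`) are assumptions standing in for whatever your Microsoft 365 or Google Workspace export actually produces. It returns the findings an assessor would ask about and a dated review record you can keep as evidence that the review happened.

```python
"""Quarterly access review, as an added illustration (not Overwatch Tools code).

Reconciles an exported list of platform accounts (constructed here in the shape
of a Microsoft 365 / Google Workspace admin export) against an HR roster of
authorized users and reports:
  - accounts still enabled for people HR lists as terminated
  - enabled accounts that are on nobody's roster (no accountable owner)
  - shared or generic admin accounts (no individual accountability)
  - dormant accounts with no sign-in inside the review window
The review itself is returned as a dated record so it can be filed as evidence.
"""
from datetime import date, timedelta

# Constructed HR roster: the authoritative list of who is authorized today.
HR_ROSTER = [
    {"username": "jsmith",  "name": "Jane Smith", "status": "active",     "termination_date": None},
    {"username": "bnguyen", "name": "Bao Nguyen", "status": "active",     "termination_date": None},
    {"username": "tlee",    "name": "Tom Lee",    "status": "terminated", "termination_date": "2024-11-15"},
]

# Constructed account export, with assumed field names standing in for a real export.
ACCOUNT_EXPORT = [
    {"username": "jsmith",      "enabled": True,  "is_admin": True,  "last_sign_in": "2025-05-02"},
    {"username": "bnguyen",     "enabled": True,  "is_admin": False, "last_sign_in": "2025-01-10"},
    {"username": "tlee",        "enabled": True,  "is_admin": False, "last_sign_in": "2025-03-20"},
    {"username": "admin",       "enabled": True,  "is_admin": True,  "last_sign_in": "2025-05-01"},
    {"username": "contractor7", "enabled": False, "is_admin": False, "last_sign_in": "2024-06-30"},
]

# Usernames that denote a role or a shared login rather than a person (assumed list).
GENERIC_NAMES = {"admin", "administrator", "root", "shared", "itadmin", "support"}


def _parse(value):
    """ISO date string -> date; None and dates pass through unchanged."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def review_access(roster, accounts, as_of, dormant_days=90):
    """Return (findings, record). Each finding: {"username", "issue", "detail"}."""
    as_of = _parse(as_of)
    by_user = {r["username"]: r for r in roster}
    cutoff = as_of - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is not a live access point; nothing to flag
        user = acct["username"]
        person = by_user.get(user)
        last = _parse(acct["last_sign_in"])
        if person is None:
            if user.lower() in GENERIC_NAMES:
                findings.append({"username": user, "issue": "generic_or_shared_account",
                                 "detail": "not tied to an individual; admin=%s" % acct["is_admin"]})
            else:
                findings.append({"username": user, "issue": "not_on_roster",
                                 "detail": "enabled account with no authorized owner"})
        elif person["status"] == "terminated":
            term = _parse(person["termination_date"])
            detail = "terminated %s, still enabled %d days later" % (term, (as_of - term).days)
            # A sign-in after the termination date is the detail an assessor will press on.
            if last and last > term:
                detail += "; signed in on %s after termination" % last
            findings.append({"username": user, "issue": "terminated_still_enabled", "detail": detail})
        elif last is None or last < cutoff:
            findings.append({"username": user, "issue": "dormant",
                             "detail": "no sign-in since %s (window %d days)" % (last, dormant_days)})
    record = {  # the evidence artifact: when the review ran and what it covered
        "review_date": as_of.isoformat(),
        "accounts_reviewed": len(accounts),
        "enabled_accounts": sum(1 for a in accounts if a["enabled"]),
        "findings": len(findings),
        "issues": sorted({f["issue"] for f in findings}),
    }
    return findings, record


if __name__ == "__main__":
    found, rec = review_access(HR_ROSTER, ACCOUNT_EXPORT, "2025-05-05")
    for f in found:
        print("%-12s %-26s %s" % (f["username"], f["issue"], f["detail"]))
    print(rec)
```

Run against the constructed data, the review flags the dormant account, the terminated employee whose account is still enabled (and who signed in after leaving), and the shared "admin" login; the disabled contractor account produces nothing. Keeping each quarter's `record` alongside the findings and the tickets that closed them is the kind of trail that answers "show me the last access review" on assessment day.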
Not Sure If Your Setup Has Any of These Gaps?
A 30-minute consultation costs nothing and could save your next contract. Our experts have reviewed hundreds of small contractor setups — and we know exactly where to look.
The Cost of a Low SPRS Score: More Than You Think
What Is an SPRS Score?
The Supplier Performance Risk System (SPRS) score is where your CMMC Level 1 self-assessment results live. It's a number that DoD primes and government contracting officers can see when evaluating contractors. The maximum score is 110. Every unmet practice costs you points — sometimes many points for high-weighted controls.
A low SPRS score doesn't just mean you "need to improve." It's a visible signal to every contracting officer and prime who looks you up that your cybersecurity posture is below standard. And in a competitive bid environment, that signal costs contracts.
The contractors who score well on their SPRS assessment aren't necessarily the ones who have better infrastructure. They're the ones who understood what "meeting the practice" actually required — in terms of both implementation and evidence — and who built their compliance documentation to reflect both.
A contractor with a strong SPRS score doesn't just pass the assessment. They can confidently respond to prime contractor compliance questionnaires, they can share evidence quickly when requested, and they don't have to re-scramble every time a new contract requires compliance verification. The SPRS score becomes a competitive advantage, not just a checkbox.
What "Assessment-Ready" Actually Looks Like
Most contractors assume "assessment-ready" means "we have policies for everything and our security is decent." Here's what it actually means:
| ⚠ What Most Contractors Have | ✓ What Assessment-Ready Looks Like |
|---|---|
| Written policies (often generic templates) | Customized policies tied to specific practices |
| Security tools in place (antivirus, firewall) | Configured tools with log evidence |
| Informal access controls (trust-based) | Individual accounts with documented role assignments |
| No evidence logs or audit trails | Audit trails with retention records |
| No media disposal documentation | Media disposal log with compliance method |
| No off-boarding records | Documented off-boarding checklist + access reviews |
| No tested incident response | Tested IR plan with tabletop evidence |
The difference between these two columns is rarely a technology gap. It's an evidence gap. The infrastructure is often similar — what's missing is the documentation that shows the infrastructure is being used correctly and consistently.
What a Pre-Assessment Expert Review Actually Looks Like
When we say "expert eyes on your setup," here's what that means in practice through the Turnkey Consultation Package:
Session 1: Discovery and Gap Analysis
Before we write a single policy or template, we map your current environment against all 17 CMMC Level 1 practices. We identify which ones you're meeting fully, which you're meeting partially, and which have gaps. We look specifically for the five issues above — and the others that are less common but equally important. You leave Session 1 knowing exactly where you stand, not where you think you stand.
Sessions 2–4: Policy and Artifact Development
We work through your customized artifact library — 400+ templates pre-built for your platform (Google Workspace or Microsoft 365) — and adapt each one to your specific environment. By the end of Session 4, your policy documentation is complete, customized, and tied directly to specific practice requirements.
Sessions 5–6: Evidence Collection and Configuration
This is where most contractors struggle alone. We walk through exactly what evidence you need for each practice, where to find it in your specific platform, and how to package it so it's assessment-ready. We use our platform configuration guides — step-by-step instructions for Google Workspace or Microsoft 365 — to make sure your settings are correct and your logs are flowing.
Sessions 7–8: Pre-Assessment Review and SPRS Preparation
Before you submit a single number to SPRS, we do a full review of your evidence package. We verify that every practice has both implementation evidence and policy documentation. We run through the assessment questions as if we're the assessor. We generate your SPRS Submission Report. You go into submission confident — because we've already done the review that would otherwise catch you off guard.
Most clients who work through the Turnkey package complete their Level 1 assessment in 2–4 weeks. The reason isn't that we rush the process — it's that the artifacts, templates, and expert review eliminate the back-and-forth and guesswork that make DIY compliance take months. The timeline depends on your existing infrastructure and how quickly you can implement changes, but having expert guidance at each step keeps things moving.
The Information You Deserve to Have
This post is not about making you feel underprepared. If you've done your research and you're taking CMMC seriously, you're already ahead of most small contractors. What we want you to have is the same information that experienced compliance professionals use when they review an organization's readiness — because that's the information that closes the gap between "I think we're good" and "I know we're good."
The five mistakes above are fixable. None of them require expensive technology upgrades or months of work. They require targeted attention, the right evidence collection process, and usually a few configuration changes in your existing platform. What they require most is knowing they exist before assessment day rather than on it.
That's exactly what the expert review sessions in the Turnkey package are designed to find and fix — before they affect your score, your contracts, or your reputation with the primes you're working with.
Assessment day should be a confirmation, not a discovery session.
Schedule Your Free Consultation Before Your Assessment — Not After
Our compliance experts will review your current setup against all 17 CMMC Level 1 practices and show you exactly where you stand. No jargon, no scare tactics — just honest, experienced guidance from people who've done this with hundreds of small defense contractors.
Turnkey Package: $2,495/year — 8 bi-weekly expert sessions, 142 artifacts, 400+ templates, SPRS report generation, and full email support after submission.
This article is Part 1 of the CMMC Level 1: The Reality Check series — a six-part guide to what small defense contractors need to know before submitting their SPRS score.
Overwatch Tools | CMMC Compliance Solutions for Small Defense Contractors
overwatchtools.com | info@overwatchtools.com | Chesapeake, Virginia
© 2025 Overwatch Tools, Inc. All rights reserved.
