The phrase “Third time’s the charm” gets a makeover in the latest episode of Trust Issues as Brandon and Bruno Lecoq take us behind the scenes of BEMO’s journey to CMMC success and how they finally cracked it on their fourth try. Hear from their rockstar team - Cindy, David, Ademar, Cata, Bruno, Shamiso, and Sylwia - about the critical decisions, surprising challenges, and hard-won lessons that determined their outcome. Together, they walk us through why switching between document and live evidence types demands obsessive preparation, how defining your CUI boundary early prevents costly rework, and why configuration management emerged as the most underestimated control area.
What You’ll Learn:
- How to prepare evidence strategically by making upfront decisions
- Why CMMC audits operate fundamentally differently from SOC 2 and ISO 27001 audits
- The critical distinction between change management and configuration management
- How to avoid the cascade effect of scope creep by nailing your CUI boundary
- Why operationalizing compliance through automated workflows beats standalone documentation
- The post-certification operational cost of security controls most teams don't anticipate
- How to build your audit narrative and evidence structure before implementation, not after
- Why engaging a certified lead CCA early is the highest-ROI investment you can make
Episode Chapters:
00:00 Introduction & Meeting the Team
00:01 Acing Evidence Strategy & Making Key Decisions
00:05 CMMC Audits Are Line-by-Line IRS-Style Reviews
00:07 Build Compliance as an Operating System
00:10 Configuration Management vs. Change Management
00:18 CUI Boundary Scope Decides Everything
00:24 Why You Should Hire a Certified Lead CCA Early
00:26 Six Lessons on What to Do Differently: Scope, Preparation, and Process Focus
00:36 Key Takeaways & Closing Thoughts
Quotes:
"During the live audit, since we go control by control and then the subprocessors redeem those controls, you kind of have to switch very fast between evidence types. So you have to be really prepared on switching between evidence types from your signed policies to live, into the configuration, to sign procedures, to your ticketing system." - David
"If we had read up on CMMC from DOD, you would have noticed that it's much more like an IRS audit. They want to see all of the evidence, they wanna see the procedures, they wanna know everything, and they go through it point by point on everything. With the CMMC, you're asked everything, and you have to have an answer for everything." - Catalin
"Every change across the policy or across the control groups impacts operation. Because operations is people, process, technology, everything we look at. So we came up with automating and operationalizing the things we do in the context of what CMMC asks us to deliver, to minimize the external kind of documentation that would be external from the systems that we use as control groups." - Bruno
"I still have CMMC PTSD. Because when you open the hood, and you start implementing all the changes and stuff, you’ve got to have a lot of people screaming after the fact. The system is very secure, but WDAC, the application control policy, ties up a lot and creates noise because people are blocked from installing PowerShell modules." - Ademar