How BEMO Aced CMMC Level 2

Getting CMMC Level 2 certified isn't about checking a box. It's about fundamentally transforming how your organization operates, and the path to certification is far more rigorous than most companies anticipate. In this episode of Trust Issues, Brandon and Bruno Lecoq share their firsthand experience achieving CMMC Level 2 certification as an MSSP, walking through the mock audit process, the documentation challenges they encountered, and the operational changes required to maintain compliance at scale.

This is a candid breakdown of what actually happens during a five-day assessment, why the preparation phase matters more than most realize, and how scoping decisions made early can make or break your certification timeline.

What You’ll Learn:

Why the mock audit is non-negotiable and how to structure your audit team across multiple departments
The real scope of documentation you'll need and the operational reality of audit weeks
Why setting your scope boundary correctly in Phase 1 determines everything downstream
How automation and ticketing discipline transform from "nice to have" to a survival requirement
The hidden cost of MSSP certification and why "self-tested and compliant" claims should raise red flags
Why preparation isn't a sprint, but rather a sustained operational shift

Episode Chapters:

00:00 Introduction

00:38 How BEMO Achieves CMMC Level 2 Certification as an MSSP

01:50 Why the Mock Audit Is Your Only Risk-Free Test Run

05:17 What Happens During a Five-Day Mock Audit Assessment

09:18 The 240 Fail-Critical Controls That End Your Certification

12:40 Building a Cross-Functional Audit Team Beyond IT

15:13 The 10-Day Window to Fix Mock Audit Findings

28:22 Why Documentation Prep Takes Months, Not Weeks

29:36 Scoping as an MSSP: How Your Boundaries Affect Your Customers

30:58 Why Uncertified MSSPs Fail Your Customer's Audit

33:45 Most Organizations Are Operating at 30% Maturity While Claiming Readiness

35:33 Three Layers of Prep Before Your Official Audit

37:26 Why Artificial Scoping Boundaries Get Rejected at Phase One

39:08 The Scoping Session: Where Most Organizations Fail

40:54 Key Takeaways & Closing Thoughts

Quotes:

"What I would say to all our customers, you have to do a mock. So what was interesting from a BEMO perspective is we did the mock - it was one week, starting at 7 AM Pacific until 3 PM, every day for five days, very intense. You go through with the assessor, they go through all your controls, and from a people perspective on IT, we had 100% no problem, no control, but we ended up with five documentation issues."

"They cannot tell you how to fix it. They just say you failed; we needed to see that, and we didn't see it, or this was wrong. But now you go fix it - they don't tell you how. So it's not like you come back and hope they like how you fixed or changed it."

"People for sure underestimate the prep. From an IT perspective, if people work with us, we do the IT, but what people don't realize is that at the end, we go with them to their audit, but we are only IT. We are not the HR, we are not the one who represents their company. Their procedure is their procedure. You have to know your procedure and know the policy because it's your policy."

"For me, going through CMMC is a best practice, and I will never run a business without running it the way CMMC does it. Yes, it's more work, but it makes total sense. I have learned a best practice, and now BEMO is following that best practice."

Connect with the team:

👉 Bruno Lecoq on LinkedIn: https://www.linkedin.com/in/brunolecoq/

👉 Brandon Lecoq on LinkedIn: https://www.linkedin.com/in/brandon-lecoq

👉 BEMO Website: https://www.bemopro.com/