Let’s get serious.
There’s a version of this story that nobody talks about at conferences. The IT manager who actually understands the problem, who has read the framework, who knows exactly where the gaps are, but can’t get thirty minutes on the calendar with anyone who controls the budget. She watches the assessment date get closer while the people who could fix this are focused on contract renewals and fleet acquisitions. That version of the story is expensive, and it’s also avoidable.
That IT manager is you. You already know that requirement 3.1.1 says to limit system access to authorized users, which means the dispatcher who left two years ago shouldn’t still have a login. Requirement 3.13.1 says to protect CUI during transmission, which means service member data shouldn’t be floating across unencrypted email. These are discipline problems, not engineering problems.
You’ve also done the data inventory in your head a hundred times. You know where the CUI lives, where it travels, and who touches it. The problem isn’t knowledge. The problem is that the people who need to hear this haven’t heard it in a language that connects to their world.
So change the language. Stop talking about control families and assessment objectives and start talking about contract eligibility. Start talking about what happens to the company’s ability to compete for contract awards if a third-party assessor walks in and finds what you already know is there. CMMC compliance is a business continuity issue, and the moment your leadership understands that framing, the calendar opens up and the budget conversation gets a lot more serious.
Here’s what to do. Document the gaps in plain language. Attach a dollar figure to the risk wherever you can. Present a realistic remediation timeline and what it costs to execute it versus what it costs to ignore it. Give your leadership a clear choice with clear consequences rather than a technical briefing that makes their eyes glaze over. You’re not asking for permission to do your job. You’re giving them the information they need to make a decision that protects the company and the service members whose data you’re responsible for handling.
The compliance program your company needs already has a champion. It’s you. The data belongs to the service members your company moves every day, and right now you’re one of the few people in the building who fully appreciates what’s at stake. That’s not a burden. That’s a position of responsibility worth stepping into. Lead up, bring your leadership with you, and build the program correctly before someone else forces the issue on a timeline you didn’t choose.