Thursday Jul 03, 2025

EP 70 — A-LIGN's Matt Bruggeman on External Service Provider Scope Issues That Kill CMMC

Defense contractors assume they understand CMMC assessments, but Matt Bruggeman, Director of GTM Federal at A-LIGN, has a harsh reality check for them: organizations consistently arrive for certification without basic documentation like authorization boundaries or data flow diagrams. The gap between CMMC perception and assessment reality is creating a compliance crisis, he tells Dave.


A-LIGN operates as a top-3 FedRAMP assessor and C3PAO, giving Matt unique visibility into federal compliance across multiple frameworks. His unconventional background, which combines electrical engineering work at Wright-Patterson Air Force Base with professional improv comedy, shaped his approach to explaining complex technical requirements through clear communication.


Topics discussed:


  • The assessment methodology, based on NIST SP 800-171A, evaluates 320 assessment objectives rather than just the 110 controls, requiring organizations to prove compliance against significantly more granular requirements.
  • External service provider scope issues that consistently trip up organizations during assessments, particularly around MSP, MSSP, and cloud service relationships that require FedRAMP authorization or equivalent.
  • C3PAO backlog management and timing strategies, with smaller assessors facing 3-9 month delays while larger firms like A-LIGN maintain shorter timelines through strategic CCA and CCP resource investments.
  • The three-bucket cost structure of CMMC compliance covering infrastructure changes, readiness process management, and assessment fees ranging from $40,000-$80,000 depending on scope complexity.
  • Phase 1 documentation review failures where organizations arrive without basic elements like system security plans, authorization boundaries, or data flow diagrams for CUI handling.
  • Readiness partner selection criteria and the risks of attempting internal-only compliance approaches that result in failed assessments and doubled costs for remediation.
  • The relationship between compliance frameworks and actual security posture, including how feedback during public comment periods can influence framework development and practical implementation.
  • FedRAMP equivalency requirements for cloud service providers handling CUI, including the December 2023 DoD memo defining the single pathway through 3PAO assessment against FedRAMP moderate baseline.
  • Early C3PAO engagement advantages including assessment planning coordination, partner network efficiencies, and pricing benefits for organizations working with vetted readiness partners.
