EP 70 — A-LIGN's Matt Bruggeman on External Service Provider Scope Issues That Kill CMMC
by Chris Petersen, 2025-07
Defense contractors assume they understand CMMC assessments, but Matt Bruggeman, Director of GTM Federal at A-LIGN, has a harsh reality check for them: organizations consistently arrive for certification without basic documentation like authorization boundaries or data flow diagrams. The gap between CMMC perception and assessment reality is creating a compliance crisis, he tells Dave.
A-LIGN operates as a top-3 FedRAMP assessor and C3PAO, giving Matt unique visibility into federal compliance across multiple frameworks. His unconventional background combining electrical engineering from Wright-Patterson Air Force Base with professional improv comedy shaped his approach to explaining complex technical requirements through clear communication.
Topics discussed:
- The assessment methodology, based on NIST SP 800-171A, evaluates 320 assessment objectives rather than just 110 controls, requiring organizations to prove compliance across significantly more granular requirements.
- External service provider scope issues that consistently trip up organizations during assessments, particularly around MSP, MSSP, and cloud service relationships that require FedRAMP authorization or equivalent.
- C3PAO backlog management and timing strategies, with smaller assessors facing 3-9 month delays while larger firms like A-LIGN maintain shorter timelines through strategic CCA and CCP resource investments.
- The three-bucket cost structure of CMMC compliance covering infrastructure changes, readiness process management, and assessment fees ranging from $40,000-$80,000 depending on scope complexity.
- Phase 1 documentation review failures where organizations arrive without basic elements like system security plans, authorization boundaries, or data flow diagrams for CUI handling.
- Readiness partner selection criteria and the risks of attempting internal-only compliance approaches that result in failed assessments and doubled costs for remediation.
- The relationship between compliance frameworks and actual security posture, including how feedback during public comment periods can influence framework development and practical implementation.
- FedRAMP equivalency requirements for cloud service providers handling CUI, including the December 2023 DoD memo defining the single pathway through 3PAO assessment against FedRAMP moderate baseline.
- Early C3PAO engagement advantages including assessment planning coordination, partner network efficiencies, and pricing benefits for organizations working with vetted readiness partners.