For most defense contractors, the biggest cybersecurity exposure isn’t inside the system of record but at the point of collection. With CMMC entering enforceable rollout, that gap has stopped being an operational inconvenience and started being a contract eligibility issue.
Sensitive data still enters federal organizations through email attachments, spreadsheets, PDFs, and ungoverned web forms long before it reaches a controlled environment. CMMC scrutinizes that entire path.
In a recent webinar with GovExec, the FormAssembly team unpacked what the CMMC rollout actually means for federal data collection — what’s changing, where the most common gaps live, and what teams should be doing now. Five of the most useful questions and answers from that session are below.
1. What is CMMC, and why is it suddenly raising the stakes for federal data collection?
CMMC stands for Cybersecurity Maturity Model Certification — a DoD program that verifies contractors have implemented the security measures required to safeguard Federal Contract Information and Controlled Unclassified Information. As of late 2025, it’s transitioning from a proposed framework into an enforceable contract eligibility requirement across the defense supply chain. The key shift: cybersecurity is no longer evaluated only at the system of record. It’s evaluated at the point of collection.
The implication for defense contractors is significant. Most organizations have already invested in compliant systems of record, such as Microsoft GovCloud, Salesforce GovCloud, and encrypted databases. But sensitive data continues to enter those systems through email, manual supplier workflows, PDFs, and unsecured forms. CMMC closes the audit around that entire path.
Phase 2 of the rollout begins on November 10, 2026, and requires Level 2 compliance to be validated by a Certified Third-Party Assessment Organization (C3PAO) rather than through self-assessment alone, broadening the pool of vendors affected and tightening the timeline for contractors that haven’t yet adjusted their intake processes. The bottom line is that CMMC turns data collection from an operational convenience into a compliance control point.
2. What does “compliance friction” actually look like in a federal data collection workflow?
Compliance friction is the drag that happens when a compliant tool has been selected, but the rollout across an agency stalls. The friction usually has very little to do with the tool itself and a lot to do with the manual processes the new tool is supposed to replace.
A CISO’s office does the diligence, selects a tool that’s FedRAMP High and DoD IL4 authorized, and issues an SOP saying “this is what we use now.” The procurement isn’t the hard part. The hard part is getting a clinic, a registrar’s office, or a benefits team to swap out the paper form they’ve been using for fifteen years for a new digital workflow.
Data intake tools build muscle memory faster than nearly any other category of software. A patient intake form, a permitting application, a grant submission — each one tends to be the single visible artifact of a process every team member already knows how to navigate. Replacing it feels disproportionately disruptive, even when the new tool is clearly better.
That muscle memory is where compliance rollouts slow down. And as rollouts slow, deadlines move closer, fines come into view, and organizational risk grows. The path forward isn’t to pick a different tool. It’s to pick a tool that’s usable enough — and fast enough to implement — that the muscle memory shifts naturally rather than being forced.
3. What’s the difference between FedRAMP High and DoD IL4 — and what do federal contractors actually need?
FedRAMP High is the federal government’s top-tier civilian cybersecurity baseline for handling sensitive but unclassified data, covering 410 controls from NIST SP 800-53 Rev. 5. DoD IL4 is an additional layer specifically for the Department of Defense, covering Controlled Unclassified Information under the DISA Cloud Computing Security Requirements Guide. Most defense contractors need both. CMMC then audits how the organization actually handles data under those controls.
Think of the three as a three-legged stool: FedRAMP High is the civilian foundation, DoD IL4 adds the DoD-specific controls, and CMMC examines whether the people, processes, and software around the data are all compliant in practice, not just on paper.
A few practical implications for vendor evaluation:
- A vendor running on a partner’s ATO (Authority to Operate) is common and entirely legitimate, but the partnership underneath is worth understanding. FormAssembly Gov Cloud, for example, operates inside FedHive’s FedRAMP High environment, which is how the product is available for both FedRAMP High and DoD IL4 use cases on the FedRAMP Marketplace.
- State and local agencies often look to FedRAMP High as the gold standard even when it isn’t strictly required at their level. Some states, like Texas with TX-RAMP, maintain their own programs, but the FedRAMP High packet generally satisfies state-level expectations.
- Compliance audits reach beyond the software itself. They examine how employees handle data, how access is controlled, how records are purged, and how the organization can prove every step.
If a vendor can’t speak fluently about both their environment’s certifications and their own internal audit cycle, that’s a flag worth surfacing early.
4. How can secure data collection fit into a tech stack that’s already heavily invested in Salesforce or Microsoft?
The most reliable pattern is to treat data collection as a connective layer that sits on top of the system of record, not as a separate silo competing with it. The system of record stays the source of truth. The collection layer feeds it cleanly.
Most public sector teams have already invested in a system of record (Salesforce GovCloud, Microsoft GovCloud, or a custom database) and built years of automation, reporting, and institutional muscle around it. Adding more software for its own sake usually compounds the problem. But systems of record alone rarely handle the breadth of data collection scenarios a federal organization faces. They’re built to store and analyze, not necessarily to capture from every intake surface.
A purpose-built data collection layer can sit across the entire tech stack, capturing data from any surface — public web forms, internal employee submissions, partner-facing surveys, vendor onboarding workflows — and routing it cleanly into whichever system of record needs it. Done well, this approach:
- Replaces several single-purpose tools (separate survey software, separate intake tools, separate file collection systems) with one governed layer.
- Reduces shadow IT by giving every team a compliant default they actually want to use.
- Keeps the system of record clean by handling validation, conditional logic, and approvals upstream.
When an agency is evaluating whether to add another tool to the stack, the right question is rarely “more software, yes or no.” It’s whether the new tool consolidates several existing tools and manual processes into something simpler.
5. What’s the single first step federal teams should take this week?
Start a conversation with the people closest to the data: front-line staff, CRM teams, intake teams, and survey administrators — anyone who touches information before it reaches the system of record. Ask where the friction is, where the manual workarounds live, and which tools they’re using that weren’t formally approved. Most CMMC compliance gaps surface from that conversation.
Executives often hold what one might call a privileged view of their organization’s data — a clean dashboard, a governed system of record, and confidence that the major investments are compliant. That view is accurate as far as it goes, but it can hide a lot. The chaos, when it exists, lives one layer below the executive line of sight, with the people actually handling the data day to day.
In one example shared during the webinar, a senior nurse at an Army base medical clinic put it plainly to her commanding officer: “Colonel, you don’t see the problems we have because we don’t pass this on to you, but we really handle chaos on a daily basis.” The commander, focused on patient care and the data flowing to him, hadn’t realized the staff was spending substantial time fixing incomplete or incorrect inputs before any of it reached his desk.
That conversation is the work. Take a wide-lens view of what counts as data collection — every PDF, every spreadsheet, every “contact us” form, every shadow IT tool someone spun up to solve a real problem — and start mapping it. The CMMC framework and the broader “data as a national asset” directive both push toward the same exercise. The agencies that come out of the rollout in the strongest shape will be the ones that did the audit work before the auditor arrived.
CMMC is a deadline, but it’s also an opportunity to fix processes that have been quietly bleeding efficiency for years.
Watch the full webinar
The full session includes a deeper look at the CMMC rollout timeline, a FedRAMP High and DoD IL4 vendor evaluation checklist, real-world examples of compliance rollouts inside city and federal agencies, and the audience Q&A on ATOs, end-user workarounds, and the cost of doing nothing.