Much of the discussion about the Cybersecurity Maturity Model Certification (CMMC) has been about controls: Do you have multi-factor authentication (MFA)? Is your controlled unclassified information (CUI) encrypted at rest? Have you deployed endpoint detection and response (EDR) across your endpoints? These are the right questions for a compliance implementation. But they are the wrong questions for a compliance verification regime. And CMMC, as it is currently designed and being assessed in the field, is a verification regime.
Under a traditional compliance framework, an organization earns credit for having a policy, a plan and a documented intent. Under CMMC's verification requirements, documentation is not evidence; it is merely a claim. The assessor's job is to determine whether that claim is true. And the only way to do that is to examine the evidence.
This distinction, between claiming a control exists and proving it exists, is where most defense contractors are unprepared. It is also where the bottleneck in CMMC acquisition timelines will ultimately emerge.
From frameworks to first principles: Risk, control, evidence
The purpose of a security compliance program is not to satisfy a framework. It is to manage risk. Every framework, whether the National Institute of Standards and Technology's Special Publication 800-171, the International Organization for Standardization's 27001 or Systems and Organization Controls 2, exists to help organizations identify their risks, implement controls to manage them and demonstrate that those controls are working. The framework is scaffolding. The actual structure underneath is: Risk → control → evidence.
Most contractors approach CMMC as a checklist exercise: they map NIST 800-171's 110 requirements, assign owners and document policies. But NIST 800-171 is not your security program. It is a reference architecture for thinking about your security program. NIST control 3.5.3 requires MFA. Your organizational control should be specific: "We require MFA for all administrative access to cloud-hosted systems containing CUI, enforced through Azure Conditional Access policies, verified monthly." The NIST requirement is a prompt. Your control is the implementation decision you made in response to your actual environment and risk posture.
Critically, this is not a one-to-one relationship. A single well-designed organizational control often satisfies multiple NIST requirements simultaneously; a control governing access provisioning workflows can address requirements spanning the access control, identification and audit accountability domains at once. The relationship runs the other direction too: Some requirements are best addressed by two or three controls working together. This many-to-many mapping between your controls and framework requirements is a feature, not a complication. Most organizations face more than one compliance obligation, such as CMMC alongside SOC 2, or NIST 800-171 alongside ISO 27001. An organizational control tied to continuous evidence can satisfy requirements across multiple frameworks at once, making compliance sustainable rather than additive.
When organizations author their own controls, grounded in their actual risk posture and expressed with operational specificity, the evidence question becomes tractable. You know exactly what you need to prove because you designed the control around what could be proven.
Why evidence fails: Velocity and scale
Here is what actually happens when assessment time arrives. A contractor has spent months implementing security controls: systems configured, staff trained, policies updated. Then the CMMC third-party assessor organization (C3PAO) arrives. The assessor asks for evidence that access reviews were conducted quarterly. The contractor goes looking. There are records in a shared drive from 18 months ago, an email thread from last quarter, AD exports with inconsistent naming conventions. Reassembling the evidence chain takes three days. One quarter has a gap because the responsible person left the organization.
The assessor marks the control as not met.
The contractor is bewildered. The reviews happened, mostly. The control was implemented, in spirit. But they cannot prove it, consistently and defensibly, at the speed an assessment demands. The limiting factor was not the security control. It was the evidence.
This is what I call evidence velocity: the speed at which an organization can produce defensible, attributable evidence of control execution on demand. For most organizations, it is dangerously low.
The scale problem makes this worse. Each organizational control typically requires one to three distinct pieces of evidence: a configuration export, an access review log, a scan report. Mapped across an organization's full control set, this produces hundreds of individual evidence items collected on defined schedules: some monthly, some quarterly, some annually. Each has an owner, a due date, a source system and an expected format. Managing this manually (assigning owners, sending reminders, chasing submissions, verifying completeness) is not a compliance program. It is a compliance fire drill, repeated indefinitely.
The consultant model does not solve this. Consultants snapshot the organization's state and leave. The evidence they collect reflects one moment in time. By the time the assessment occurs, often months later, the environment has changed. New users have been added. Systems reconfigured. An exception granted and not documented. The gap between the consultant's snapshot and the assessor's evaluation is where compliance deficiencies live.
What CMMC's verification regime actually demands is continuous compliance: evidence of control execution generated automatically as a byproduct of normal operations, not reconstructed under audit pressure.
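As an added illustration of the risk → control → evidence model and of the evidence-scheduling problem described above (example code written for this page, not Strike Graph's product or any assessor's tooling), the Python below holds organization-authored controls that map many-to-many onto framework requirements, attaches the scheduled evidence items each control depends on, and then reports which requirements no control claims and which collection periods have no evidence behind them. The control ids, the requirement mappings, the source-system names and the collection dates are all constructed; the access-review item with one missing quarter mirrors the scenario in this section.

```python
"""Evidence ledger for the risk -> control -> evidence model (constructed example).

Organization-authored controls map many-to-many onto framework requirements,
and each control names the evidence that proves it ran. Two checks follow:
which requirements no control claims, and which scheduled collection periods
have no evidence behind them. All identifiers and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class EvidenceItem:
    name: str
    owner: str
    source: str            # system the artifact is pulled from (hypothetical names)
    expected_format: str
    cadence_days: int      # 30 = monthly, 91 = quarterly, 365 = annual
    collected: list = field(default_factory=list)   # dates the artifact was actually produced


@dataclass
class Control:
    control_id: str
    statement: str
    satisfies: frozenset   # framework requirement ids this control addresses
    evidence: list


def requirement_coverage(controls, requirements):
    """Map each requirement to the control ids that claim it (empty list = uncovered)."""
    coverage = {req: [] for req in requirements}
    for control in controls:
        for req in sorted(control.satisfies):
            coverage.setdefault(req, []).append(control.control_id)
    return coverage


def uncovered_requirements(controls, requirements):
    """Requirements in scope that no authored control maps to."""
    return sorted(req for req, ids in requirement_coverage(controls, requirements).items() if not ids)


def collection_periods(window_start, window_end, cadence_days):
    """Split the assessment window into equal periods, one per expected collection."""
    total_days = (window_end - window_start).days
    count = max(1, total_days // cadence_days)
    bounds = [window_start + timedelta(days=i * total_days // count) for i in range(count + 1)]
    return list(zip(bounds, bounds[1:]))


def evidence_gaps(item, window_start, window_end):
    """Periods (start inclusive, end exclusive) in which no evidence was collected."""
    return [
        (start, end)
        for start, end in collection_periods(window_start, window_end, item.cadence_days)
        if not any(start <= d < end for d in item.collected)
    ]


def readiness_report(controls, window_start, window_end):
    """Per control: 'met' only if every evidence item has a collection in every period."""
    report = {}
    for control in controls:
        missing = {}
        for item in control.evidence:
            gaps = evidence_gaps(item, window_start, window_end)
            if gaps:
                missing[item.name] = [(s.isoformat(), e.isoformat()) for s, e in gaps]
        report[control.control_id] = ("met" if not missing else "not met", missing)
    return report


# --- constructed sample data -------------------------------------------------
WINDOW_START, WINDOW_END = date(2025, 1, 1), date(2026, 1, 1)

# Requirement ids follow NIST SP 800-171 numbering; which control claims which
# requirement is an illustrative assumption, not guidance on the mapping.
REQUIREMENTS = ["3.1.1", "3.1.2", "3.3.1", "3.5.1", "3.5.3", "3.13.11"]

# Quarterly access review: three of four quarters have an artifact, one does not.
ACCESS_REVIEW = EvidenceItem(
    name="quarterly-access-review", owner="it-ops-lead", source="identity-directory-export",
    expected_format="csv", cadence_days=91,
    collected=[date(2025, 2, 14), date(2025, 5, 20), date(2025, 11, 5)],
)
# Monthly MFA policy export: an artifact exists for every month of the window.
MFA_POLICY_EXPORT = EvidenceItem(
    name="monthly-mfa-policy-export", owner="cloud-admin", source="conditional-access-policies",
    expected_format="json", cadence_days=30,
    collected=[date(2025, m, 15) for m in range(1, 13)],
)

CONTROLS = [
    Control("AC-PROV-01", "Access is provisioned through a ticketed workflow and reviewed quarterly.",
            frozenset({"3.1.1", "3.1.2", "3.3.1", "3.5.1"}), [ACCESS_REVIEW]),
    Control("IA-MFA-01", "MFA is required for all administrative access to cloud-hosted CUI systems.",
            frozenset({"3.5.3"}), [MFA_POLICY_EXPORT]),
]

if __name__ == "__main__":
    print("uncovered requirements:", uncovered_requirements(CONTROLS, REQUIREMENTS))
    for control_id, (status, missing) in readiness_report(CONTROLS, WINDOW_START, WINDOW_END).items():
        print(control_id, status, missing)
```

Run as a script, it reports that requirement 3.13.11 has no control claiming it, that IA-MFA-01 is met, and that AC-PROV-01 is not met because the quarterly access review has no artifact for the period from 2025-07-02 to 2025-10-01. The period split is deliberately mechanical: an assessor sampling "quarterly" reviews will look for one artifact per quarter, so a gap is a missing period, not a low count.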
What this means for acquisition timelines, and beyond
The stakes are contractual, not just operational. Contracting officers and program managers know what happens when a supplier fails its CMMC assessment: the contract is delayed, the award is challenged, the program schedule slips. A CMMC assessment failure is a program problem.
The contractors most likely to fail are not necessarily those with the worst security. They are the ones with the lowest evidence velocity: companies that have implemented controls but cannot prove it. This creates a perverse outcome: Strong security with poor documentation can fail; mediocre security with excellent documentation can pass. The assessment measures what can be proven, not what is true.
For program managers, supplier risk assessment should include a new dimension: evidence readiness, not just control implementation. For contracting officers, self-attestations unsupported by continuous evidence are claims without proof, with significant False Claims Act exposure for contractors who get it wrong.
CMMC is also not the only federal program moving in this direction. Department of Homeland Security contracts, FedRAMP authorizations and emerging supply chain security requirements share the same trajectory: The government is increasingly unwilling to accept self-reported compliance without supporting evidence. Organizations that build evidence-ready compliance programs around their own controls today will be better positioned for the full range of federal contracting tomorrow, not just CMMC, but any framework their contracts demand.
Evidence is the product
The defense industrial base has spent years focused on whether controls exist. CMMC forces a different question: Can you prove it?
This is not a paperwork problem. It is a design problem. Start by authoring your own controls, specific to your environment, your risk and your architecture, using NIST 800-171 as a reference, not a script. Design evidence sources into each control at the point of authorship. Connect those sources so evidence is collected continuously, on defined schedules, without manual intervention. Ensure your evidence matches your scope precisely.
Organizations that architect their programs around risk → control → evidence will navigate CMMC assessment with significantly less pain than those treating it as a checklist. The contractors that succeed under CMMC's verification regime are not necessarily those with the most sophisticated security tools. They are the ones who understood, early enough, that compliance is not about what you have implemented.
It is about what you can prove.
Justin Beals is CEO and co-founder of Strike Graph.