Most of the conversation on the Cybersecurity Maturity Model Certification (CMMC) has been about controls: Do you have multi-factor authentication (MFA)? Is your controlled unclassified information (CUI) encrypted at rest? Have you deployed endpoint detection and response (EDR) across your endpoints? These are the right questions for a compliance implementation. But they are the wrong questions for a compliance verification regime. And CMMC, as it is currently designed and being assessed in the field, is a verification regime.
Under a traditional compliance framework, a company earns credit for having a policy, a plan and a documented intent. Under CMMC’s verification requirements, documentation is not evidence — it is merely a claim. The assessor’s job is to determine whether that claim is true. And the only way to do that is to examine the proof.
This distinction — between claiming a control exists and proving it exists — is where most defense contractors are unprepared. It is also where the bottleneck in CMMC acquisition timelines will ultimately emerge.
From frameworks to first principles: Risk, control, evidence
The purpose of a security compliance program is not to satisfy a framework. It is to manage risk. Every framework — the National Institute of Standards and Technology’s Special Publication 800-171, the International Standards Organization’s 27001 and System and Organization Controls 2 (SOC 2) — exists to help organizations identify their risks, implement controls to address them and demonstrate those controls are working. The framework is a scaffolding. The actual structure underneath is: Risk → control → evidence.
Most contractors approach CMMC as a checklist exercise — they map NIST 800-171’s 110 requirements, assign owners and document policies. But NIST 800-171 is not your security program. It is a reference architecture for thinking about your security program. NIST control 3.5.3 requires MFA. Your organizational control should be specific: “We require MFA for all administrative access to cloud-hosted systems containing CUI, enforced through Azure Conditional Access policies, verified monthly.” The NIST requirement is a prompt. Your control is the implementation decision you made in response to your actual environment and risk posture.
Critically, this is not a one-to-one relationship. A single well-designed organizational control often satisfies multiple NIST requirements simultaneously — a control governing access provisioning workflows can address requirements spanning access control, identification and audit accountability domains at once. The relationship runs the other direction too: Some requirements are best addressed by two or three controls working together. This many-to-many mapping between your controls and framework requirements is a feature, not a complication. Most organizations face more than one compliance obligation — CMMC alongside SOC 2, or NIST 800-171 alongside ISO 27001. A corporate control tied to continuous evidence can satisfy requirements across multiple frameworks at once, making compliance sustainable rather than additive.
When organizations author their own controls — grounded in actual risk posture and expressed with operational specificity — the evidence question becomes tractable. You know exactly what you need to prove because you designed the control around what could be proven.
Why evidence fails: Velocity and scale
Here is what actually happens when assessment time arrives. A contractor has spent months implementing security controls — systems configured, staff trained, policies updated. Then the CMMC third-party assessor organization (C3PAO) arrives. The assessor asks for evidence that access reviews were conducted quarterly. The contractor goes looking. There are records in a shared drive from 18 months ago, an email thread from last quarter, AD exports with inconsistent naming conventions. Reassembling the evidence chain takes three days. One quarter has a gap because the responsible person left the organization.
The assessor marks the control as not met.
The contractor is bewildered. The reviews happened — mostly. The control was implemented — in spirit. But they cannot prove it, continuously and defensibly, at the speed an assessment demands. The limiting factor was not the security control. It was the evidence.
This is what I call evidence velocity: the speed at which an organization can produce defensible, attributable proof of control execution on demand. For most organizations, it is dangerously low.
The scale problem makes this worse. Each corporate control typically requires one to three distinct pieces of evidence — a configuration export, an access review log, a scan report. Mapped across an organization’s full control set, this produces hundreds of individual evidence items collected on defined schedules: some monthly, some quarterly, some annually. Each has an owner, a due date, a source system and an expected format. Managing this manually — assigning owners, sending reminders, chasing submissions, verifying completeness — is not a compliance program. It is a compliance fire drill, repeated indefinitely.
The consultant model doesn’t solve this. Consultants snapshot the organization’s state and leave. The evidence they collect reflects one moment in time. By the time the assessment occurs — often months later — the environment has changed. New users have been added. Systems reconfigured. An exception granted and not documented. The gap between the consultant’s snapshot and the assessor’s evaluation is where compliance deficiencies live.
What CMMC’s verification regime actually demands is continuous compliance: evidence of control execution generated automatically as a byproduct of normal operations, not reconstructed under audit pressure.
What this means for acquisition timelines — and beyond
The stakes are contractual, not just operational. Contracting officers and program managers know what happens when a supplier fails their CMMC assessment: the contract is delayed, the award is challenged, the program schedule slips. A CMMC assessment failure is a program problem.
The contractors most likely to fail are not necessarily those with the worst security. They are the ones with the lowest evidence velocity — companies that have implemented controls but cannot prove it. This creates a perverse outcome: Strong security with poor documentation can fail; mediocre security with excellent documentation can pass. The assessment measures what can be proven, not what is true.
For program managers, supplier risk assessment should include a new dimension: evidence readiness, not just control implementation. For contracting officers, self-attestations unsupported by continuous evidence are claims without proof — with significant False Claims Act exposure for contractors who get it wrong.
CMMC is also not the only federal program moving in this direction. Department of Homeland Security contracts, FedRAMP authorizations and emerging supply chain security requirements share the same trajectory: The government is increasingly unwilling to accept self-reported compliance without supporting evidence. Organizations that build evidence-ready compliance programs around their own controls today will be better positioned for the full range of federal contracting tomorrow — not just CMMC, but any framework their contracts demand.
Proof is the product
The defense industrial base has spent years focused on whether controls exist. CMMC forces a different question: Can you prove it?
This is not a paperwork problem. It is a design problem. Start by authoring your own controls — specific to your environment, your risk, your architecture — using NIST 800-171 as a reference, not a script. Design evidence sources into each control at the point of authorship. Connect those sources so evidence is collected continuously, on defined schedules, without manual intervention. Ensure your evidence matches your scope exactly.
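The two structural points above, the many-to-many mapping between organizational controls and framework requirements, and the evidence inventory with owners, cadences and source systems that has to be kept current, can be made concrete as a small control register check. The following is an added example, not code from the article or from Strike Graph. It assumes a constructed register of three controls; 3.5.3 (MFA) is the requirement the article cites, and 3.1.1, 3.3.1 and 3.5.1 are NIST SP 800-171 Rev 2 identifiers used here only as an illustrative mapping. Owners, dates and system names are constructed sample values.

```python
"""Evidence-velocity check for an organizational control register.

Models risk -> control -> evidence: each control maps to one or more framework
requirements, and each control owns evidence items collected on a cadence.
The check reports evidence that is overdue, never collected, or orphaned
(owner no longer with the organization), and which framework requirements
would be at risk of a "not met" finding as a result.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Maximum age (days) before evidence on a given cadence is considered overdue.
CADENCE_DAYS = {"monthly": 31, "quarterly": 92, "annually": 366}


@dataclass
class EvidenceItem:
    name: str
    owner: str
    cadence: str            # key into CADENCE_DAYS
    source_system: str
    last_collected: Optional[date]   # None means never collected


@dataclass
class Control:
    control_id: str
    statement: str          # the organization's own, operationally specific control
    requirements: List[str]  # framework requirement ids this control satisfies
    evidence: List[EvidenceItem]


def evidence_status(item: EvidenceItem, as_of: date, active_owners: Set[str]) -> str:
    """Classify one evidence item as current, overdue, never_collected or orphaned."""
    if item.owner not in active_owners:
        return "orphaned"            # the "responsible person left" failure mode
    if item.last_collected is None:
        return "never_collected"
    if (as_of - item.last_collected).days > CADENCE_DAYS[item.cadence]:
        return "overdue"
    return "current"


def assess(controls: List[Control], as_of: date, active_owners: Set[str]
           ) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (findings, at_risk_requirements).

    findings: (control_id, evidence name, status) for every non-current item.
    at_risk_requirements: sorted framework ids whose proof depends on that evidence.
    """
    findings = []
    at_risk: Set[str] = set()
    for control in controls:
        for item in control.evidence:
            status = evidence_status(item, as_of, active_owners)
            if status != "current":
                findings.append((control.control_id, item.name, status))
                at_risk.update(control.requirements)
    return findings, sorted(at_risk)


def coverage(controls: List[Control]) -> Dict[str, List[str]]:
    """Requirement id -> control ids: the many-to-many mapping made explicit."""
    mapping: Dict[str, List[str]] = {}
    for control in controls:
        for req in control.requirements:
            mapping.setdefault(req, []).append(control.control_id)
    return mapping


# Constructed sample register (hypothetical ids, owners, dates and systems).
ACTIVE_OWNERS = {"j.doe", "a.smith"}   # current staff roster; "m.left" has departed
AS_OF = date(2026, 3, 15)              # assessment date for the check

SAMPLE_CONTROLS = [
    Control("AC-01",
            "MFA required for all administrative access to cloud-hosted systems "
            "containing CUI, enforced through Azure Conditional Access, verified monthly",
            ["3.5.3"],
            [EvidenceItem("Conditional Access policy export", "j.doe", "monthly",
                          "identity provider", date(2026, 3, 2))]),
    Control("AC-02",
            "Access provisioning workflow with quarterly access review sign-off",
            ["3.1.1", "3.5.1", "3.3.1"],   # one control, several requirements
            [EvidenceItem("Quarterly access review sign-off", "m.left", "quarterly",
                          "GRC tracker", date(2025, 6, 30)),
             EvidenceItem("Provisioning ticket export", "a.smith", "monthly",
                          "ticketing system", date(2026, 2, 20))]),
    Control("LOG-01",
            "Central log retention for CUI systems, 12 months",
            ["3.3.1"],                      # second control behind the same requirement
            [EvidenceItem("Retention policy export", "a.smith", "annually",
                          "SIEM", None)]),
]


if __name__ == "__main__":
    found, risky = assess(SAMPLE_CONTROLS, AS_OF, ACTIVE_OWNERS)
    for control_id, name, status in found:
        print(f"{control_id}: {name} -> {status}")
    print("requirements at risk:", risky)
    print("coverage:", coverage(SAMPLE_CONTROLS))
```

Run as-is, the check flags the orphaned quarterly access review and the never-collected retention evidence, and reports 3.1.1, 3.3.1 and 3.5.1 as at risk while 3.5.3 stays covered by current evidence. The point of `coverage` is to show why an orphaned item matters beyond its own control: 3.3.1 is backed by two controls, so the register lets you see which requirements still have a second source of proof and which have none.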
Organizations that architect their programs around risk → control → evidence will navigate CMMC assessment with significantly less pain than those treating it as a checklist. The contractors that succeed under CMMC’s verification regime are not necessarily those with the most sophisticated security tools. They are the ones who understood, early enough, that compliance is not about what you have implemented.
It is about what you can prove.
Justin Beals is CEO and co-founder of Strike Graph.