CMMC Resources
March 2, 20266 min read

Why Continuous Verification Keeps Breaking

The CMMC compliance problem has always had two parts. The first part is achieving compliance: implementing the 15 practices, documenting them, signing the self-assessment. The entire consulting industry is built around this part. It's well-understood, well-served, and expensive.

The second part is maintaining compliance. Nobody has a reliable answer for it.

Maintaining compliance means that every day your contracts are active, the 15 practices need to be implemented. Not that they were implemented once. That they are implemented now. Your score in the federal system is a standing claim about the present, not a record of the past.

Point-in-time assessments don't solve the maintenance problem. They verify compliance on one day and hope it holds until the next assessment. Compliance drift makes that hope increasingly unreliable as time passes.

Consultant retainers don't solve it either. A quarterly check-in tells you whether you were compliant on the day of the check-in. It doesn't tell you about the other 89 days.

The maintenance problem persists because the market frames it as a human problem: hire better people, train more thoroughly, audit more frequently. But the contractors who went through peer group verification discovered that the maintenance problem isn't about people. It's about architecture.

In an open system, compliance depends on every person in the organization following every procedure every day. The number of failure points equals the number of people times the number of practices times the number of days. Even with excellent training and discipline, the probability of maintaining perfect compliance across all dimensions over months approaches zero.

Some contractor groups have started experimenting with what they call locked systems, where compliance depends on the system running rather than on human behavior. The theory is that this reduces failure points to one: either the system is enforcing the controls or it isn't.

But the theory has gaps that nobody is talking about.

The contractors looking for continuous verification want systems that enforce required controls and generate evidence of that enforcement automatically. The idea is appealing. Instead of a consultant describing what they observed, the system logs what it enforced.

The contractors who've tried these approaches describe mixed results. Some report that the compliance burden shifted, but shifted is not the same as disappeared. The maintenance problem changed shape. Instead of worrying about whether employees follow procedures, they worry about whether the system itself is configured correctly, whether edge cases are handled, whether the enforcement logic matches what the regulation actually requires. These are different questions, but they are not easier questions.

And there is a deeper problem that continuous verification, in any form, has not addressed. The 15 practices were written as descriptions of behavior, not as system specifications. Translating behavioral requirements into automated enforcement requires interpretation. Whose interpretation counts? If the system enforces a version of access control that differs from what an assessor would expect, the continuous evidence becomes continuous evidence of the wrong thing.

The market hasn't broadly adopted any approach to continuous verification, partly because the existing model has momentum, partly because the consulting industry has a financial interest in the status quo, and partly because the alternatives introduce complications that are not yet well understood.

The continuous verification problem is real. It exists for every contractor who signed a self-assessment and hasn't verified their compliance since. And the number of contractors in that category, based on what the assessors are seeing, is large enough to be concerning. But the assumption that this problem has a clean architectural fix may itself be premature. The contractors who've gone furthest down this path describe something closer to trading one set of anxieties for another, and what happens when their attestation is checked remains an open question regardless of which model they chose.

cmmccontinuous-verificationcompliance-maintenancelocked-systemsassessment

More from the Index

Locked Compliance Systems and the Documentation Question

A distinction is emerging between documentation-based compliance and locked compliance systems. What that distinction means in practice is less settled than either side suggests.

Why Point-in-Time CMMC Assessments Don't Work

A point-in-time CMMC assessment tells you whether you were compliant on the day it was conducted. It cannot tell you whether you're compliant today.

The Question of Locked Verification in CMMC Compliance

Some contractor groups have started using the term 'locked verification,' meaning systems that enforce compliance continuously and generate evidence automatically, rather than documenting intent.