March 2, 2026
4 min read

The Documentation Gap in CMMC Compliance

There is a pattern emerging among contractors who have gone back to verify their CMMC compliance after initial submission, and it's not what most people expect.

The pattern is this: the documentation says one thing. The actual systems say something else.

This isn't a problem of dishonesty. It's a problem of process. Most CMMC documentation is produced by consultants or IT providers who assess a contractor's environment at a point in time, generate the required policies and evidence artifacts, and deliver a package. The contractor reviews it, signs, and submits.

But systems change. People change passwords and don't update the access log. A new laptop gets added to the network without going through the onboarding procedure. An employee starts using a personal device for work email. The documentation reflects February. The systems reflect today.

The question nobody is asking clearly enough is: which one gets reviewed?

If the answer were just the documentation, this wouldn't matter much. You'd submit your package, it would look right on paper, and you'd move on. But the structure of CMMC review, even at Level 1, includes the possibility of verification against actual implementation. Documentation is necessary but not sufficient.

The contractors who've discovered this gap aren't finding small discrepancies. They're finding fundamental mismatches between what their consultant documented and what their systems actually do. Shared admin credentials that were supposed to be remediated. Multi-factor authentication that was documented as implemented but never actually turned on. Access control lists that exist in the policy document but not in the system configuration.

Each one of these individually might seem minor. Together they represent a compliance posture that doesn't match the signed attestation. And the liability for that mismatch sits with the person who signed, not the person who built the documentation.
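The mismatches described above (MFA documented but never enabled, admin accounts and ACL entries that differ from the policy document) are the kind of thing a reconciliation script catches before an assessor does. The following is an added example, not code from the original post: both the "documented" and "observed" records are constructed sample data standing in for an attestation package and a configuration export, and the dictionary layout is an assumption chosen for illustration.

```python
"""Compare the control state a CMMC package claims against what the systems show.
Added example; the data structures below are constructed, not from any real package."""

# Constructed: control states as written in the signed compliance package.
DOCUMENTED = {
    "mfa": {"enabled": True, "scope": ["vpn", "email"]},
    "admin_accounts": ["it-admin-alice", "it-admin-bob"],
    "acl": {"cui-share": ["alice", "bob", "carol"]},
}

# Constructed: the same controls as exported from the live systems today.
OBSERVED = {
    "mfa": {"enabled": False, "scope": []},
    "admin_accounts": ["admin"],  # a single shared account, not named users
    "acl": {"cui-share": ["alice", "bob", "carol", "dave", "temp-contractor"]},
}


def find_drift(documented, observed):
    """Return (control, finding) tuples wherever the systems disagree with the paperwork."""
    findings = []
    doc_mfa, obs_mfa = documented["mfa"], observed["mfa"]
    if doc_mfa["enabled"] and not obs_mfa["enabled"]:
        findings.append(("mfa", "documented as enabled but not turned on"))
    for system in sorted(set(doc_mfa["scope"]) - set(obs_mfa["scope"])):
        findings.append(("mfa", f"not enforced on {system}"))
    doc_admins = set(documented["admin_accounts"])
    obs_admins = set(observed["admin_accounts"])
    for acct in sorted(obs_admins - doc_admins):
        findings.append(("admin_accounts", f"{acct} exists but is not in the documented admin list"))
    for acct in sorted(doc_admins - obs_admins):
        findings.append(("admin_accounts", f"{acct} is documented but does not exist"))
    for share, doc_users in documented["acl"].items():
        obs_users = set(observed["acl"].get(share, []))
        for user in sorted(obs_users - set(doc_users)):
            findings.append(("acl", f"{share}: {user} has access the policy does not grant"))
        for user in sorted(set(doc_users) - obs_users):
            findings.append(("acl", f"{share}: policy grants {user} but the system does not"))
    return findings


if __name__ == "__main__":
    for control, finding in find_drift(DOCUMENTED, OBSERVED):
        print(f"[{control}] {finding}")
```

Run against the constructed data it reports eight findings; run against two matching records it reports none, which is the state the signed attestation claims.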

The question of how widespread this is remains open. But the contractor groups that have started checking are not publishing their findings publicly, which tells you something about what they're finding.