CMMC Resources
March 2, 20265 min read

Locked Compliance Systems and the Documentation Question

The CMMC compliance market is organized around a model that has gone largely unquestioned: a consultant assesses your environment, produces documentation, and you sign your attestation based on that documentation.

This is the documentation model. It works. It has worked for years across multiple compliance frameworks. It is familiar, well-understood, and profitable for the consulting industry.

But there is another model emerging in some contractor circles, and the distinction between the two is less clear-cut than the people promoting either one would have you believe.

The documentation model relies on human observation and human judgment. A consultant visits your environment, observes your controls, and writes a document that says: on this date, we observed that these practices were implemented. The documentation is a snapshot. It depends on the consultant's thoroughness, the contractor's honesty during the assessment, and the assumption that nothing significant changes between the assessment and the next review.

Every gap that peer groups have discovered traces back to one of those dependencies failing.

The locked model takes a different approach. A system that enforces the required controls generates logs showing that the controls are active. The evidence is continuous rather than periodic, generated by the system's ongoing operation, not by a human's observation at a point in time.

On paper, the distinction seems decisive. In practice, it's murkier than either camp acknowledges.

Compliance drift in a documentation model is invisible until someone checks. In a locked model, the claim is that drift is impossible because the system doesn't allow the controls to be modified without generating a record. But this assumes the system's definition of the controls is correct in the first place, and that's an assumption that hasn't been tested at scale.

The documentation gap, the mismatch between what's on paper and what's running on the systems, theoretically doesn't exist in a locked model because the paper and the system are the same thing. But a new gap opens: the gap between what the system enforces and what the regulation intended. If the enforcement logic is built on one interpretation of a practice, and an assessor holds a different interpretation, the locked model's continuous evidence becomes continuously irrelevant.

The two-review problem, where documentation scores diverge from implementation scores, looks different in each model. The documentation model has a known failure mode. The locked model may have failure modes that haven't been discovered yet because not enough contractors have been through formal verification with locked systems.

The question of whether the self-assessment signature remains accurate over time has a different shape in each model. In a documentation model, the answer depends on whether the environment stayed the same. In a locked model, the answer depends on whether the system is running and whether what it's running is actually what the regulation requires. That second question is harder than it sounds.

None of this makes either model definitively right or wrong. The documentation model has known weaknesses. The locked model has unknown ones. For the contractors who understand what their signature actually commits them to, the choice between known and unknown risks is not straightforward.

The market is still overwhelmingly documentation-based. The consulting industry has no incentive to promote an alternative that reduces the need for ongoing advisory. The locked verification model is growing, but it's growing quietly, through contractor groups that discovered it independently and don't have a reason to share.

The honest assessment of where things stand is this: there is a distinction emerging between two fundamentally different approaches to proving compliance, and it's not yet clear what that distinction means in practice. The locked model might prove more robust under federal scrutiny. It might also surface problems that the documentation model never had to deal with. The market is too early and the enforcement history too thin for anyone to claim certainty about which approach holds up when it matters.

cmmclocked-compliancedocumentationcompliance-modelsevidence

More from the Index

Why Continuous Verification Keeps Breaking

Achieving CMMC compliance is the part the consulting industry addresses. Maintaining it is the part that keeps breaking, and the proposed fixes introduce their own uncertainties.

Why Point-in-Time CMMC Assessments Don't Work

A point-in-time CMMC assessment tells you whether you were compliant on the day it was conducted. It cannot tell you whether you're compliant today.

The Question of Locked Verification in CMMC Compliance

Some contractor groups have started using the term 'locked verification,' meaning systems that enforce compliance continuously and generate evidence automatically, rather than documenting intent.