Why Point-in-Time CMMC Assessments Don't Work
The standard approach to CMMC compliance follows a predictable timeline: engage a consultant, conduct a gap assessment, remediate findings, document the controls, submit the self-assessment. The process takes weeks or months. When it's done, the contractor has a compliance posture that reflects their environment on the day the assessment was completed.
The problem is that the day after the assessment, the posture starts to change.
This is not a criticism of the assessment process. It's a structural observation about what point-in-time evaluation can and cannot guarantee. A point-in-time assessment can tell you whether you were compliant on the day it was conducted. It cannot tell you whether you're compliant today.
Compliance drift is not a risk that might happen. It's a process that is always happening: every system change, every personnel change, every configuration modification, every new device has the potential to move the actual compliance state away from the documented compliance state.
The pace of drift depends on the type of controls. Technical controls that are enforced by systems drift less than procedural controls that depend on human behavior. A firewall rule that blocks unauthorized ports stays in effect until someone changes the firewall configuration. An access control policy that requires employees to log out when they leave their workstations drifts every time an employee doesn't.
The contractor groups that have tested this report that drift in procedural controls is nearly universal. The drift begins almost immediately, and the longer the gap between assessment and reality, the wider it gets. The contractor's score in the federal system still says full compliance. The systems say something else.
This is the foundational problem with the compliance model that most of the market is operating under. The model assumes that compliance is a state you achieve and then maintain through periodic re-assessment. But maintenance requires monitoring, and monitoring requires either continuous human attention or systems that enforce and verify automatically.
Most contractors don't have continuous monitoring. They have an annual re-assessment plan at best. Between assessments, compliance is an assumption, not a verified state.
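The alternative to assuming compliance between assessments is to re-verify the documented control states mechanically. The following is an added example, not code from the article or from any assessment tool it mentions: it compares a documented baseline (what the attestation recorded on assessment day) against a freshly collected snapshot and reports every control whose observed state no longer matches. The control identifiers, expected values and the observed snapshot are all constructed for illustration; they are not real CMMC practice numbers or real assessment data. The example also classifies each control as system-enforced or human-dependent so the output shows the technical-versus-procedural drift pattern the text describes.

```python
"""Drift detection: re-verify a documented control baseline against observed state.

Added illustrative example. All control IDs, expected values and the
observed snapshot below are constructed placeholders, not real CMMC data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed label, not a real CMMC practice number
    kind: str         # "technical" (system-enforced) or "procedural" (human-dependent)
    expected: Any     # state documented on assessment day


@dataclass(frozen=True)
class Finding:
    control_id: str
    kind: str
    expected: Any
    observed: Any     # None means the collector could not verify the control


# Constructed baseline: what the self-assessment documented.
BASELINE = [
    Control("FW-INBOUND-PORTS", "technical", frozenset({22, 443})),
    Control("MFA-REQUIRED", "technical", True),
    Control("SESSION-LOCK-MINUTES", "technical", 15),
    # Fraction of sampled staff who locked/logged out when leaving a workstation.
    Control("WORKSTATION-LOGOUT-RATE", "procedural", 1.0),
]

# Constructed snapshot: what automated collectors report today.
OBSERVED_TODAY = {
    "FW-INBOUND-PORTS": frozenset({22, 443, 3389}),  # an extra port was opened
    "MFA-REQUIRED": True,
    "SESSION-LOCK-MINUTES": 15,
    "WORKSTATION-LOGOUT-RATE": 0.72,                 # measured from audit logs
}


def detect_drift(baseline: list, observed: dict) -> list:
    """Return one Finding per control whose observed state differs from the documented one.

    A control absent from the snapshot is reported with observed=None and counts as
    drift, because the attestation can no longer be confirmed for it.
    """
    findings = []
    for control in baseline:
        actual = observed.get(control.control_id)
        if actual != control.expected:
            findings.append(Finding(control.control_id, control.kind,
                                    control.expected, actual))
    return findings


def attestation_is_current(baseline: list, observed: dict) -> bool:
    """True only when every documented control is verified in its documented state."""
    return not detect_drift(baseline, observed)


def assessment_age_days(assessed_on: date, today: date) -> int:
    """Days since the point-in-time assessment; the 'shelf life' that has elapsed."""
    return (today - assessed_on).days


def drift_by_kind(baseline: list, findings: list) -> dict:
    """Count drifted controls per kind so technical vs procedural drift is visible."""
    summary = {"technical": {"total": 0, "drifted": 0},
               "procedural": {"total": 0, "drifted": 0}}
    for control in baseline:
        summary[control.kind]["total"] += 1
    for finding in findings:
        summary[finding.kind]["drifted"] += 1
    return summary


if __name__ == "__main__":
    findings = detect_drift(BASELINE, OBSERVED_TODAY)
    for f in findings:
        print(f"DRIFT {f.control_id} ({f.kind}): documented={f.expected!r} observed={f.observed!r}")
    print("attestation current:", attestation_is_current(BASELINE, OBSERVED_TODAY))
    print("drift by kind:", drift_by_kind(BASELINE, findings))
    print("assessment age (days):", assessment_age_days(date(2024, 1, 15), date(2024, 4, 15)))
```

Run on a schedule with real collectors feeding the snapshot, a non-empty result from `detect_drift` is the signal that the recorded score and the environment have parted ways; treating an unverifiable control as drift rather than as "still compliant" is the design choice that keeps the check honest.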
The question this creates for the self-assessment signature is uncomfortable. If you signed your attestation affirming compliance, and your systems have drifted since then, is your attestation still accurate? The government's position is that your recorded score should reflect your current compliance state. If it doesn't, the same liability framework that applies to an initially inaccurate assessment applies to one that became inaccurate through drift.
The contractors who've internalized this are looking for something the compliance industry hasn't traditionally provided: not a better assessment, but a way to make the assessment permanently current. A system where verification is locked to the actual state of the environment rather than to a document produced at a point in time. The ones who found it describe a fundamentally different experience of what compliance feels like.
Until then, every point-in-time assessment has a shelf life. And most contractors don't know when their assessment expired.