March 2, 2026 · 4 min read

Why CMMC Submissions Don't Match Actual Systems

The word that keeps coming up when contractors go back and check their CMMC compliance is "drift."

Not failure. Not fraud. Drift.

Compliance drift is what happens between the day your consultant documents your environment and the day you actually need it to be accurate. Systems get updated. Employees change. Configurations get modified. Someone adds a device to the network. Someone changes a sharing permission. Someone resets a password policy because it was causing help desk tickets.

Each change is minor. Each change is rational. And each change moves the actual system further from what the documentation describes.

The result is a compliance submission that was accurate at one point and is no longer accurate at another. The documentation says one thing. The systems say something else. And the gap grows wider over time without anyone noticing because nobody is checking the systems against the documentation on a continuous basis.

What makes this different from a general documentation problem is the submission itself. The score you entered into the federal system is a number. It doesn't have a timestamp that triggers re-evaluation. It doesn't decay. It sits in the system as a current representation of your compliance state, and contracting officers query it during source selection as though it reflects reality right now. The submission process has no mechanism for flagging that the underlying data has gone stale. The number you entered six months ago looks identical to a number entered yesterday.

This is not a problem that a single audit solves. A point-in-time assessment captures the state of the system on the day of the assessment. By the following week, drift has already started. By the following month, the most common finding among contractor groups that re-verify is that at least one practice has drifted out of compliance.

The practices most prone to drift are the ones that depend on human behavior rather than technical enforcement. Access control policies that require manual de-provisioning when employees leave. Media protection practices that require people to follow procedures for handling FCI. Any system where the controls are recommendations people are expected to follow rather than constraints the system enforces.

The consultants who produced the original documentation typically don't monitor for drift. Their engagement ends when the documentation is delivered. The contractor who signed the attestation is now responsible for maintaining a compliance posture that their consultant captured at a single point in time.

The contractors who've recognized this problem are looking for ways to verify compliance continuously rather than periodically. The ones who haven't recognized it are still operating on the assumption that their original assessment is still accurate.

For some of them, it is. For a meaningful percentage of them, it's not.
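The continuous verification the post argues for comes down to one mechanical step: compare what the documentation says against what the systems say, on a schedule, and report every difference. The following is an added example of that comparison, not tooling from the post's author. Everything in it is constructed: the practice names are placeholders for whatever identifiers the contractor's own documentation uses, and the "observed" snapshot stands in for exports that would normally come from the directory, endpoint policy, and file-sharing settings.

```python
"""Drift check: documented compliance baseline vs. observed system state.

Added example for this post, not the author's tooling. The practice names,
the baseline, and the observed snapshot are all constructed. In a real
deployment the OBSERVED dict would be rebuilt from system exports each run.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    practice: str   # which documented practice has drifted
    detail: str     # what differs between the documentation and the live system


# Constructed baseline: what the consultant documented on assessment day.
DOCUMENTED = {
    "access-control/authorized-users": {"alice", "bob", "carol"},
    "identification/password-min-length": 14,
    "system-comms/external-sharing-enabled": False,
    "media-protection/removable-media-allowed": False,
}

# Constructed snapshot of the live environment six months later.
OBSERVED = {
    # bob's account was removed; dave and erin were added without updating the docs
    "access-control/authorized-users": {"alice", "carol", "dave", "erin"},
    # relaxed after it was causing help desk tickets
    "identification/password-min-length": 8,
    # someone changed a sharing permission
    "system-comms/external-sharing-enabled": True,
    # media-protection is not collected at all: nobody is checking it
}


def detect_drift(documented: dict, observed: dict) -> list[Finding]:
    """Return one Finding per difference between documentation and observation.

    Set-valued items (such as user lists) are reported as additions and
    removals so that an undocumented account shows up by name. A practice
    that is documented but absent from the observation is itself a finding:
    the control is not being verified, which is exactly how drift goes unnoticed.
    """
    findings: list[Finding] = []
    for practice, expected in documented.items():
        if practice not in observed:
            findings.append(Finding(practice, "not collected: control is not being verified"))
            continue
        actual = observed[practice]
        if isinstance(expected, set):
            added = sorted(actual - expected)
            removed = sorted(expected - actual)
            if added:
                findings.append(Finding(practice, f"undocumented entries present: {added}"))
            if removed:
                findings.append(Finding(practice, f"documented entries missing: {removed}"))
        elif actual != expected:
            findings.append(Finding(practice, f"documented {expected!r}, observed {actual!r}"))
    return findings


def drifted_practices(documented: dict, observed: dict) -> set[str]:
    """Distinct practices with at least one finding (the 'at least one practice' metric)."""
    return {f.practice for f in detect_drift(documented, observed)}


if __name__ == "__main__":
    for finding in detect_drift(DOCUMENTED, OBSERVED):
        print(f"DRIFT  {finding.practice}: {finding.detail}")
    print(f"{len(drifted_practices(DOCUMENTED, OBSERVED))} of {len(DOCUMENTED)} practices drifted")
```

Run on a schedule, a non-empty result is the signal the submission process itself never produces: the documented state and the live state have diverged, and the score on file no longer describes the environment. Treating an uncollected practice as a finding matters as much as the mismatches, since a control that is never observed cannot be said to be in compliance either way.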