The Two Reviews in CMMC That Most Contractors Don't Know About
Most contractors preparing for CMMC Level 1 are focused on one thing: getting their documentation in order. Policies, procedures, and evidence artifacts all form the package that demonstrates compliance with the 15 practices required under the applicable contract clauses.
This focus is understandable. Documentation is what consultants produce. Documentation is what gets submitted. Documentation is tangible.
But there are two dimensions to any compliance verification, and they don't always point in the same direction.
One dimension is the documentation review: does your paperwork describe a compliant environment? The other is the implementation review: do your actual systems match what your documentation describes? In theory, these are separate evaluations. In practice, the boundary between them is not clean. What counts as documentation evidence in one context gets treated as implementation proof in another, and which dimension carries more weight depends on factors the contractor doesn't control and often can't predict.
For Level 1, the self-assessment is supposed to cover both. When you sign, you're affirming that the practices are implemented, not that they're documented. The documentation is evidence of implementation, not a substitute for it.
The problem is that most contractor preparation focuses almost entirely on the documentation side. Consultants are hired to produce documentation. The question "does this match reality?" is often not asked with sufficient rigor.
When contractor groups have gone back and tested both dimensions independently, the results diverge. Documentation scores are consistently higher than implementation scores. The paperwork looks right. The systems tell a different story.
This divergence is where the legal exposure lives. If your documentation says MFA is implemented and your systems don't enforce MFA, you have a documentation problem and an implementation problem. But the attestation you signed certified implementation, which means the gap between the two dimensions is the gap between what you claimed and what is true.
The contractors who are preparing properly are testing against both dimensions. The ones who are preparing the way most of the market prepares are testing against one dimension and assuming the other matches.
That assumption is where the risk accumulates. Quietly, and then all at once.