In Nugget #4 we established the four foundational compliance documents every organization must maintain: the SSP, POA&M, SPRS score, and Annual Affirmation. This nugget goes deeper into the broader documentation ecosystem that surrounds those four pillars and the specific failures that cause organizations to fail CMMC assessments even when their technical controls are sound.
Documentation failures are among the leading causes of assessment findings. The reason is straightforward: CMMC assessors cannot take your word for it. Every implemented control must be evidenced through policies, procedures, logs, records, or other artifacts. If it isn’t documented, for assessment purposes it doesn’t exist.
The Documentation Standard Assessors Apply
For each of the 110 controls, assessors evaluate three things:
- Examine: Does documentation exist describing how the control is implemented?
- Interview: Can personnel explain how the control works and demonstrate they follow it?
- Test: Does technical evidence confirm the control is functioning as described?
Weak or missing documentation undermines all of these simultaneously!
Top 10 Common Documentation Failures
1. Incomplete System Security Plans (SSPs)
The most common SSP failures assessors encounter:
- Control implementation statements that say “Implemented” with no description of how
- Assessment boundaries that don’t match actual network diagrams
- Asset inventories that are incomplete or out of date
- Missing interconnection agreements for external systems, Cloud Service Providers, or Managed Service Providers
An SSP that lists controls without explaining implementation is not a compliant SSP — it is an index. Before your assessment, walk through each control entry and ask: could an assessor seeing this for the first time understand exactly how this control is implemented and where to find evidence of it?
2. Failure to Document Continuous Monitoring Processes
CA.L2-3.12.3 requires ongoing monitoring of security controls. The failure here is not simply a failure to monitor; it is a failure to document that monitoring is happening and that its results are acted upon. Assessors look for:
- A written monitoring strategy describing what is monitored, how frequently, and who does it
- Evidence of human review of monitoring outputs, not just tool collection
- Records of actions taken in response to findings
Assessor Reality Check: “We have a SIEM” is not evidence of continuous monitoring. “Here are our weekly review records, the findings log, and the POA&M items opened as a result” is.
3. Insufficient Configuration Management Documentation
- CM.L2-3.4.1 requires a formally documented and approved baseline configuration
- CM.L2-3.4.3 requires that changes are tracked, reviewed, approved, and logged
The most commonly missed element: CM.L2-3.4.4 requires a formal security impact analysis before a change is implemented, not just a functional test. Many organizations document that changes were tested but have no record of a security impact review. Testing and security impact analysis are two separate assessment objectives, and each needs its own evidence.
4. Inadequate Incident Response Plan (IRP) Documentation
Common failures under IR.L2-3.6.1, 3.6.2, and 3.6.3:
- IRP exists as a document but has never been exercised: no tabletop records, no after-action reports, no list of participants
- Missing external reporting contacts. The IRP must explicitly name DC3 (DoD Cyber Crime Center) via the DIBNet portal as the required reporting destination for cyber incidents under DFARS 252.204-7012. It must also clearly state the 72-hour reporting requirement.
- No documented process for preserving compromised system images for 90 days post-incident
- Incident log gaps because the organization has defined “incident” too narrowly
5. Poor Documentation of Access Controls
Assessors commonly find poor documentation across the AC and IA control families:
- User access reviews performed but not recorded
- No documented termination/role-change access revocation process
- MFA implementation is undocumented: which systems and accounts it covers, and how exceptions are managed (IA.L2-3.5.3)
- Password policy is documented, but the settings actually enforced on the system differ from what the policy states
Access control spans 22 controls. Assessors will ask for documentation across each of them.
6. Failure to Document Security Training and Awareness Programs
Under AT.L2-3.2.1 and AT.L2-3.2.2, assessors look for:
- Training completion records covering all personnel
- Documented training content, such as tabletop exercise results and findings or phishing simulation results, so that what was covered can be verified
- Employee acknowledgment sign-offs confirming understanding of responsibilities
Stating that “we do annual security training” without providing training records is not a defensible position.
7. Incomplete Records of Security Reviews and Audits
Under CA.L2-3.12.1, organizations must retain evidence that reviews occurred and findings were acted upon. A defined assessment frequency must appear in policy, so stating “periodically” is insufficient.
Assessors may look for independence between implementation and evaluation. As a best practice, ensure that the person evaluating a security control is not the same person who implemented it.
8. Inaccurate or Outdated Documentation
The most pervasive failure across the DIB. Common manifestations:
- SSP describes systems or configurations that no longer exist
- Network diagrams don’t reflect current architecture
- POA&M items show passed completion dates with no evidence of closure
- Procedures describe processes that have since changed
Assessors compare documentation to reality. Any discrepancy is a finding. Build documentation review into your change management process so updates happen automatically and not only during the pre-assessment scramble.
9. Incomplete or Absent POA&M
A missing POA&M cascades: the assessor records one finding per unaddressed control gap, plus a CA.L2-3.12.2 finding for the absent POA&M itself. The POA&M must be current, complete, and active. See Nugget #4 for full requirements, including the conditional status scoring rules.
10. Lapsed Annual Affirmation or Missing SPRS Score
Two documentation obligations with immediate contract consequences:
- A lapsed Annual Affirmation means your CMMC status is no longer current; this affects contract eligibility even if your technical controls are fully in place
- A missing or outdated SPRS score can disqualify an otherwise compliant organization from award
Both are calendared obligations. Treat them as hard deadlines.
Documentation Across the Compliance Lifecycle
| Phase | Key Obligations |
|---|---|
| Pre-Assessment | SSP, asset inventory, network diagrams, policies, procedures, training records, SPRS score |
| At Assessment | Evidence packages for all 110 controls, POA&M, configurations, logs, access records |
| Post-Certification | Annual affirmation, POA&M closure records, monitoring evidence, SPRS updates |
| Ongoing | SSP updates for environment changes, training records, audit logs, change records |