You have the policy. You have the tool configured. You have the procedure documented. Then your C3PAO assessor asks: "Can you show me 90 days of this actually running?"

That question is where most CMMC Level 2 assessments start to unravel. Not because the contractor lacks the control — but because they can't prove it has been operating long enough to matter.

The Distinction That Matters

CMMC Level 2 assessments follow NIST SP 800-171A, which requires evaluators to assess whether controls are implemented and operating effectively — not just documented. Having a policy is necessary but insufficient. Having a configured tool is necessary but insufficient. Assessors need evidence of sustained operation.


How C3PAOs Evaluate Your Controls

C3PAO assessors use three methods defined in NIST SP 800-171A to determine whether a practice is MET or NOT MET. Each method targets a different dimension of control effectiveness:

Method 01: Examine
Review of documentation, configurations, logs, and artifacts. Assessors look at policies, system security plans, audit logs, scan results, and configuration screenshots. This is where operational history becomes critical.
Method 02: Interview
Conversations with responsible personnel to verify understanding and ownership. The person responsible for a practice must be able to explain how it works, when it runs, and what happens when it fails.
Method 03: Test
Hands-on validation that controls function as described. Assessors may request live demonstrations, attempt to trigger alerts, or review system behavior against documented procedures.

Across all three methods, C3PAOs look for a consistent, repeatable pattern of operation. A control that was turned on last week does not demonstrate a pattern. A control with 90 days of evidence does.


Practices That Fail Most Often for Insufficient Evidence

Practice        What exists                                  Why it fails
AU.L2-3.3.1     Logs exist in the SIEM                       Only 2–3 weeks of history. No evidence of review.
RA.L2-3.11.2    One clean vulnerability scan                 No historical scan data. No trending or remediation tracking.
CM.L2-3.4.3     Change management policy documented          Zero change tickets in the system. Policy exists but was never followed.
IR.L2-3.6.3     Incident response plan exists                Plan was never exercised. No tabletop records. No after-action reports.
AC.L2-3.1.5     Current role/privilege list                  No access review history. No evidence of periodic privilege audits.

In every case above, the contractor did the work to build the control. The failure was not having enough time under operation to produce evidence an assessor would accept.


The Root Cause: Starting Too Late

Most contractors begin serious CMMC preparation 30–60 days before their anticipated assessment date. That timeline is enough to write policies, configure tools, and stand up processes. It is not enough to generate the operational history that assessors require.

The Math Problem

Assessors typically expect 90 days of operational evidence. If you start 30 days before your assessment, you have a 60-day gap that no amount of documentation can close. The clock starts when the control starts running — not when the policy is signed.

This creates a frustrating reality: contractors who have invested significant effort in building their security program still receive NOT MET findings — not for lack of capability, but for lack of time.


Start the Clock Now

The fix is straightforward but requires action today, not next quarter. Each of these steps creates a timestamp that becomes evidence during your assessment:

Action 01: Run Your First Vulnerability Scan
Execute a full vulnerability scan against your CUI boundary systems. Save the results. Schedule recurring scans weekly or monthly. At 90 days, you have a scan history demonstrating RA.L2-3.11.2.
Action 02: Activate Log Review Cycles
Begin weekly log review meetings. Document attendees, findings, and actions taken. Even if the finding is "no anomalies detected," that record proves AU.L2-3.3.1 is operating.
Action 03: Open Change Tickets
Every configuration change, patch, or system modification gets a ticket. Use whatever system you have — Jira, ServiceNow, even a shared spreadsheet. The ticket history proves CM.L2-3.4.3.
Action 04: Schedule an IR Tabletop
Run a tabletop incident response exercise. Document the scenario, participants, decisions made, and lessons learned. This single exercise provides evidence for IR.L2-3.6.3.
Action 05: Capture Training Completions
Record security awareness training with completion dates and attendee lists. Training evidence is straightforward to produce but requires lead time to accumulate.

At 90 days, you have defensible evidence. At 30 days, you have a gap. The difference between these two outcomes is when you start — not how much you spend.
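As an added example (not code from the original post), here is a small check of whether an evidence inventory actually covers the window before the assessment date: each practice needs an oldest artifact at least 90 days out and no gap between artifacts larger than its recurring cadence. The practice ids come from the table above; the 90-day threshold, the per-practice cadences and the sample records are assumptions constructed for the example.

```python
"""Evidence-coverage check for CMMC Level 2 operational history.

Added illustration, not from the original post. Given dated evidence
artifacts per practice, report whether each practice has the expected
90 days of operation before the assessment date and whether the
recurring cadence was kept (largest gap between artifacts). Cadences,
threshold and sample records are assumptions for this example.
"""
from datetime import date, timedelta

REQUIRED_DAYS = 90  # assumed assessor expectation, as stated in the post

# Expected cadence in days per practice (assumption for this example).
CADENCE_DAYS = {
    "RA.L2-3.11.2": 30,  # vulnerability scans at least monthly
    "AU.L2-3.3.1": 7,    # weekly log review records
    "CM.L2-3.4.3": 30,   # at least one change ticket per month
}

def coverage_report(records, assessment_date, required_days=REQUIRED_DAYS):
    """Return {practice: {"days": int, "max_gap": int, "met": bool}}.

    records: iterable of (practice_id, date) evidence artifacts.
    A practice is met when its oldest artifact is at least required_days
    before the assessment and no gap between consecutive artifacts (or
    between the newest artifact and the assessment) exceeds its cadence.
    """
    by_practice = {}
    for practice, when in records:
        by_practice.setdefault(practice, []).append(when)
    report = {}
    for practice, cadence in CADENCE_DAYS.items():
        dates = sorted(d for d in by_practice.get(practice, []) if d <= assessment_date)
        if not dates:  # nothing to show: treat as a full-window gap
            report[practice] = {"days": 0, "max_gap": required_days, "met": False}
            continue
        days = (assessment_date - dates[0]).days
        points = dates + [assessment_date]
        max_gap = max((b - a).days for a, b in zip(points, points[1:]))
        report[practice] = {"days": days, "max_gap": max_gap,
                            "met": days >= required_days and max_gap <= cadence}
    return report

# Constructed sample evidence inventory (not real data).
ASSESSMENT = date(2025, 6, 1)
SAMPLE_RECORDS = (
    [("RA.L2-3.11.2", ASSESSMENT - timedelta(days=d)) for d in (95, 65, 35, 5)]
    + [("AU.L2-3.3.1", ASSESSMENT - timedelta(days=d)) for d in range(2, 20, 7)]
    + [("CM.L2-3.4.3", ASSESSMENT - timedelta(days=100))]
)

if __name__ == "__main__":
    for practice, r in coverage_report(SAMPLE_RECORDS, ASSESSMENT).items():
        print(practice, "MET" if r["met"] else "NOT MET", r)
```

With the sample data, only the scan history passes; the log reviews stop at 16 days of history and the single change ticket leaves a 100-day gap, which mirrors the two failure patterns in the table.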

Get Started
Don't wait until assessment day to discover the gap.
We help defense contractors build evidence-ready security programs that withstand C3PAO scrutiny. Start building your operational history now.
Aligned to: CMMC Model v2.1 · NIST SP 800-171 · NIST SP 800-171A · 32 CFR Part 170 · DFARS 252.204-7012