You can have firewalls in place, MFA enforced, a top-tier MSP, and still fail your CMMC assessment.
Why?
Because your documentation doesn’t match your practices—or worse, doesn’t exist.
CMMC isn’t just about implementing controls. It’s about being able to prove that the right controls are in place, are effective, and are being managed over time. That proof comes through thorough, well-maintained documentation.
Here are 10 of the most common documentation gaps we see across the Defense Industrial Base—and why each one could derail your compliance effort if left unaddressed.
1. No Documented Processes for Daily IT Activities
We often hear, “We do that all the time. It’s just not written down.”
In CMMC, that’s a fail.
IT teams frequently perform secure actions—like user provisioning, patching, or log review—but unless there’s a documented procedure, an assessor has no reason to believe it’s done consistently or securely.
Fix it: Convert your tribal knowledge into written procedures. Start with recurring tasks (e.g., new hire onboarding, log monitoring, backup validation) and assign owners and frequencies.
2. Missing or Incomplete CUI Flow Documentation
One of the most critical—and misunderstood—requirements is the need to explicitly document how CUI flows through your environment. This includes where it’s:
- Created
- Stored
- Transmitted
- Accessed
Many organizations think general data flow diagrams or network diagrams are enough. They’re not.
Fix it: Create or update CUI handling guides and CUI-specific data flow maps, identifying:
- Systems involved
- Storage locations
- Transmission methods (including encryption protocols)
- Authorized access points
3. No Documented Change Management Process
Change happens. But if it’s not documented, reviewed, and approved, it’s a compliance risk.
CMMC requires formal change control processes—not just for code, but for any modifications to:
- Firewalls
- Cloud configurations
- System components
- Security tools
Fix it: Build a Change Management SOP that includes:
- Impact assessments
- Approval workflows
- Testing and rollback plans
- Documentation of implemented changes
4. Asset Inventory Lacking Firmware, FIPS, and Component Details
An assessor won’t be impressed by a spreadsheet that only lists device names and IP addresses.
For CUI-impacting assets, your inventory must also document:
- Component details (e.g., RAM, processors)
- Firmware versions
- FIPS 140-2/3 certification status (for cryptographic modules)
Fix it: Use automated tools like RMMs, CMDBs, or vulnerability scanners to capture detailed asset info. Then layer on manual review to classify CUI relevance and FIPS validation.
5. No Approved Services, Ports, or Protocols List
Firewalls may be in place, but what exactly is allowed to traverse your network?
CMMC requires documentation of what ports, services, and protocols are permitted—and why.
Fix it: Develop a living document that includes:
- Approved traffic (by service/port/protocol)
- Justifications for each
- Change management reference if additions are made
- Regular review schedule (at least annually)
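One way to make such a living document checkable rather than just readable, as an added example (not code from the original post): compare the approved services/ports/protocols list against a firewall rule export and report the gaps an assessor would raise. All rows, field names and the annual review period are constructed assumptions.

```python
"""Audit an approved ports/services/protocols list against observed firewall rules.
Added example; the data and field names below are constructed for illustration."""
from datetime import date, timedelta

# Constructed "living document": one row per approved traffic flow.
APPROVED = [
    {"service": "HTTPS", "port": 443, "proto": "tcp",
     "justification": "Customer portal", "change_ref": "CHG-0001",
     "last_review": date(2025, 1, 15)},
    {"service": "SSH-admin", "port": 22, "proto": "tcp",
     "justification": "Admin access from jump host", "change_ref": "CHG-0002",
     "last_review": date(2023, 11, 1)},          # annual review overdue
    {"service": "DNS", "port": 53, "proto": "udp",
     "justification": "", "change_ref": "CHG-0003",  # justification missing
     "last_review": date(2025, 3, 1)},
]

# Constructed firewall rule export: what is actually permitted today.
OBSERVED = [(443, "tcp"), (22, "tcp"), (53, "udp"), (3389, "tcp")]

AS_OF = date(2025, 6, 1)            # assumed assessment date
REVIEW_PERIOD = timedelta(days=365)  # "at least annually"


def audit(approved, observed, today):
    """Return the four findings an assessor would raise: traffic open but not
    approved, approved entries with no matching rule, entries lacking a
    justification, and entries whose review is older than REVIEW_PERIOD."""
    approved_keys = {(a["port"], a["proto"]) for a in approved}
    observed_keys = set(observed)
    return {
        "unapproved_open": sorted(observed_keys - approved_keys),
        "approved_unused": sorted(approved_keys - observed_keys),
        "missing_justification": [a["service"] for a in approved
                                  if not a["justification"].strip()],
        "review_overdue": [a["service"] for a in approved
                           if today - a["last_review"] > REVIEW_PERIOD],
    }


if __name__ == "__main__":
    for finding, items in audit(APPROVED, OBSERVED, AS_OF).items():
        print(f"{finding}: {items}")
```

Each finding maps to a bullet above: unapproved traffic means the list is incomplete, a missing justification or an overdue review means the document is not being maintained.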
6. In-House SIEM with No Documented Operations or Alert Handling
If you run your own SIEM—or even manage your own MSSP relationship—be ready to show your work.
Many companies implement a SIEM but can’t show:
- How alerts are triaged
- How incidents are documented
- Who reviews logs and how often
- What use cases are configured
Fix it: Create a SIEM Operations Guide that includes:
- Roles and responsibilities
- Use case list
- Escalation matrix
- Incident response handoff process
7. Missing Risk Assessment Documentation
A risk assessment isn’t just a gut feeling or “we think our firewall’s good.”
CMMC requires documented, repeatable risk analysis tied to business impact.
Fix it: Develop a Risk Assessment Methodology that defines:
- Scoring logic (likelihood x impact)
- Risk register
- Remediation plans and timelines
- Roles responsible for risk review and tracking
Update at least annually or after significant changes.
8. No Formal Security Assessment Process
Control self-checks must be formalized and recurring. That includes:
- Policy reviews
- Technical control reviews
- Evidence validation
Many companies simply “walk through” a checklist verbally. That won’t pass muster.
Fix it: Define your Security Assessment Plan, including:
- Scope and cadence (e.g., quarterly, annually)
- Tools used (e.g., Nessus, PowerShell scripts)
- Review workflows
- Documentation of findings and corrective actions
9. Service Accounts Not Included in Authorized User List
Most orgs provide an “authorized user list” that includes humans—but forget machine/service accounts.
Assessors will ask:
“How do you know which non-interactive accounts are authorized? Who owns them?”
Fix it: Expand your authorized user tracking to include:
- Service accounts
- Purpose of the account
- Associated system or application
- Rotation policies and ownership
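To answer the assessor's question with evidence rather than memory, as an added example (not code from the original post): reconcile a directory export against an authorized user list that carries the service-account fields listed above, and flag non-interactive accounts that are unauthorized, ownerless, or overdue for rotation. The account names, the 90-day rotation policy and the export format are constructed assumptions.

```python
"""Reconcile non-interactive (service) accounts against the authorized user list.
Added example; accounts, fields and the rotation policy are constructed."""
from datetime import date, timedelta

AS_OF = date(2025, 6, 1)               # assumed assessment date
MAX_SECRET_AGE = timedelta(days=90)    # assumed rotation policy for service accounts

# Constructed directory export: (account, interactive_login_allowed, last_secret_set)
DIRECTORY = [
    ("jdoe",           True,  date(2025, 4, 2)),
    ("svc_backup",     False, date(2025, 5, 10)),
    ("svc_siem_fwd",   False, date(2024, 12, 1)),   # secret older than 90 days
    ("svc_legacy_app", False, date(2025, 1, 1)),    # absent from authorized list
]

# Constructed authorized user list with the fields recommended above.
AUTHORIZED = {
    "jdoe":         {"owner": "J. Doe", "purpose": "Engineer",        "system": "Workstation"},
    "svc_backup":   {"owner": "IT Ops", "purpose": "Nightly backups", "system": "Backup server"},
    "svc_siem_fwd": {"owner": "",       "purpose": "Log forwarding",  "system": "SIEM collector"},
}


def reconcile(directory, authorized, today):
    """Return service accounts that are not on the authorized list, that have
    no named owner, or whose secret has not been rotated within MAX_SECRET_AGE."""
    unauthorized, no_owner, rotation_overdue = [], [], []
    for name, interactive, secret_set in directory:
        if interactive:
            continue                      # human accounts are tracked separately
        entry = authorized.get(name)
        if entry is None:
            unauthorized.append(name)
            continue
        if not entry["owner"].strip():
            no_owner.append(name)
        if today - secret_set > MAX_SECRET_AGE:
            rotation_overdue.append(name)
    return {"unauthorized": unauthorized, "no_owner": no_owner,
            "rotation_overdue": rotation_overdue}


if __name__ == "__main__":
    for finding, accounts in reconcile(DIRECTORY, AUTHORIZED, AS_OF).items():
        print(f"{finding}: {accounts}")
```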
10. No Process to Keep Documentation Up to Date
Even if you have all the right documentation today, if it’s not maintained, it becomes stale fast—especially in IT environments where tools, vendors, and personnel change frequently.
Fix it:
- Assign document owners by domain (e.g., Access Control, Configuration Management)
- Schedule quarterly or semi-annual reviews
- Use version control and a document review log
🧩 Final Takeaway
CMMC isn’t just about “being secure.” It’s about proving you are secure, every day, through living documentation.
Whether you're managing compliance internally or through a trusted partner, make sure your documentation is:
- Complete
- Accurate
- Maintained
- Traceable to control objectives
Need help getting your documentation gap-assessed and aligned to CMMC Level 2 or beyond?
We’ve built living documentation systems for companies just like yours—and we can help you build one too.