Geek Vibes Nation

    CMMC Audit Deadline In Six Months? Your Documentation Doesn’t Exist Yet

    • By Sandra Larson
    • April 1, 2026

    The contract renewal notice arrived last week with the new requirement: CMMC certification by the end of the year. Your team had a meeting. Someone mentioned that you’ve been “doing cybersecurity stuff” for a while now, so this should be straightforward. You’ve got firewalls, antivirus, password policies. How hard could documenting it be?

    Then you actually started looking for the documentation the CMMC compliance audit will require, and you discovered it doesn’t exist. There’s no formal incident response plan, no documented access control procedures, no security awareness training records, no configuration management documentation. You’ve been doing some of these things, sure, but nothing’s written down in a way that would satisfy an assessor.

    Six months feels like plenty of time until you understand what actually needs to happen between now and the audit.

    The documentation gap nobody talks about

    Most defense contractors assume documentation means keeping records of what you’re already doing. Just write down your current practices and you’re done, right?

    The reality is messier. CMMC documentation requirements are specific about what needs to be documented and how:

    Policies that define what you’re supposed to do – Not just “we take security seriously” but actual written policies covering each practice area the framework requires. Access control policies, incident response policies, media protection policies, system maintenance policies.

    Procedures that explain how you do it – Step-by-step documentation of how policies get implemented. How do you provision new users? How do you handle a suspected security incident? How do you patch systems?

    Evidence that proves you’re doing it – Logs, records, training certificates, meeting minutes, assessment results. The CMMC compliance audit will ask for proof that policies aren’t just written down but actually followed.

    Most companies discover they have bits and pieces of the first category, almost nothing in the second, and scattered evidence in the third that isn’t organized or complete enough to present to an assessor.

    The time math that doesn’t add up

    Six months sounds reasonable until you break down what needs to happen:

    Month 1: Gap assessment – Figure out what you actually have versus what you need. This takes longer than expected because you keep discovering that things you thought were documented aren’t, or that documented processes aren’t actually being followed.

    Month 2-3: Policy development – Write the actual policies and procedures. This isn’t just typing—it requires understanding the requirements, getting input from people who do the work, and management review. Each policy goes through multiple drafts.

    Month 3-4: Implementation and adjustment – Start following the new documented procedures and discover they don’t quite match how work actually happens. Revise documentation to reflect reality while also adjusting practices to meet requirements.

    Month 4-5: Evidence gathering – Collect proof that you’re following the procedures. This means training logs, configuration backups, access control records, incident reports, system inventories. Some of this evidence needs to show consistent practice over time, which you can’t fake.

    Month 6: Pre-assessment preparation – Organize everything for the assessor, fix gaps discovered during internal review, and prepare staff for the actual CMMC compliance audit process.

    That’s the optimistic timeline assuming nothing goes wrong, no one gets pulled into other priorities, and you don’t discover major gaps that require significant remediation.

    The policies you didn’t know you needed

    The CMMC framework covers 14 domains at Level 2 (where most defense contractors need to certify). Each domain requires specific documentation:

    • Access control: Who can access what and how you enforce it
    • Awareness and training: How you educate staff on security
    • Audit and accountability: What you log and how you review it
    • Configuration management: How you maintain baseline configurations
    • Identification and authentication: How you verify user identity
    • Incident response: How you handle security events
    • Maintenance: How you maintain and repair systems
    • Media protection: How you protect and sanitize media
    • Personnel security: How you screen and manage staff access
    • Physical protection: How you protect facilities and equipment
    • Risk assessment: How you identify and assess security risks
    • Security assessment: How you test and evaluate security controls
    • System and communications protection: How you protect data in transit and at rest
    • System and information integrity: How you detect and respond to flaws

    Each of these needs documented policies and procedures. Just writing “we follow best practices” doesn’t cut it—you need specific, implemented processes that an assessor can verify.

    The evidence collection nightmare

    Even if you write policies quickly, evidence collection takes time because some evidence requires demonstrating consistent practice over months.

    Training records – You need proof that employees completed security awareness training. If you haven’t been tracking this, you need to conduct training now and wait for the completion records.

    Configuration management – You need documented baseline configurations and evidence of configuration reviews. If you don’t have current baselines, you need to create them and document the review process.

    Incident response testing – You need evidence that your incident response plan has been tested. If you’ve never done a tabletop exercise, you need to conduct one and document the results.

    Access reviews – You need records showing regular reviews of user access rights. If you haven’t been doing quarterly access reviews, you need to start now and build a history.

    Some contractors try to backdate documentation or create retroactive evidence. This is both obvious to experienced assessors and potentially problematic for the integrity of your certification.

    The scope creep you didn’t anticipate

    Initially, you thought CMMC only applied to specific systems that handle CUI (Controlled Unclassified Information). Then you started mapping data flows and discovered CUI touches more systems than you realized.

    Your email system has CUI in attachments. Your file server has engineering drawings that contain CUI. Your backup system contains copies of CUI. The personal devices that employees use for work email access CUI. Suddenly your CMMC scope includes infrastructure you weren’t planning to document or secure to the required level.

    Adjusting scope means more documentation, more policies, more procedures, and more evidence. Each system added to scope multiplies the documentation burden.

    The consultant question

    At some point in the six-month countdown, most companies consider hiring a consultant to help with CMMC compliance audit preparation. This isn’t a bad idea, but it doesn’t solve the time problem.

    Consultants can:

    • Identify gaps faster than you would on your own
    • Provide policy templates that comply with requirements
    • Guide implementation to avoid common mistakes
    • Conduct pre-assessments to identify issues before the real audit

    Consultants cannot:

    • Create evidence of practices you weren’t following
    • Implement changes without your staff’s involvement
    • Complete documentation without your input on actual processes
    • Compress the timeline for building evidence of consistent practice

    Even with expert help, the work still takes months. Bringing in a consultant in month five when the audit is in month six means paying for someone to tell you that you’re not going to be ready.

    The honest timeline assessment

    If you’re six months out from a required CMMC compliance audit with minimal documentation:

    You can probably get to Level 1 – The basic cyber hygiene requirements are achievable with focused effort. The documentation is lighter and the practices are foundational.

    Level 2 in six months is aggressive – Possible if you dedicate significant resources, accept that some normal business activities will be delayed, and don’t encounter major gaps requiring infrastructure changes.

    Level 3 in six months is unrealistic – Unless you’ve already been operating at near-Level 3 practices and just need to document them, which wouldn’t be the scenario where documentation doesn’t exist.

    The alternative to aggressive timelines: negotiate with the contracting officer for more time, or accept that you might not be ready for contract renewal. Neither is ideal, but both are better than failing the audit or submitting documentation so rushed that it creates problems during assessment.

    Starting now with the time you have

    If you’re in this situation—six months out, minimal documentation—here’s the triage approach:

    1. Hire the assessor now – Many organizations offer pre-assessment services. Get them involved early so they can identify critical gaps immediately.
    2. Focus on high-risk gaps first – If you’re missing fundamental practices like multi-factor authentication or encryption, implement those before perfecting documentation on lower-risk items.
    3. Document current practices – Even imperfect documentation of what you actually do is better than perfect documentation of theoretical processes you don’t follow.
    4. Build evidence systematically – Start logging, tracking, and recording everything now so you have months of evidence rather than weeks.
    5. Prepare staff for the reality – CMMC compliance requires ongoing work. The audit isn’t the finish line—it’s the beginning of maintaining certification.

    Six months isn’t much time, but it’s enough to make significant progress if you start immediately and work systematically. The companies that fail their CMMC compliance audit are usually the ones who spent the first four months planning to start and the last two months panicking.


    Sandra Larson is a writer with the personal blog at ElizabethanAuthor and an academic coach for students. Her main sphere of professional interest is the connection between AI and modern study techniques. Sandra believes that digital tools are a way to a better future in the education system.
