Rewrite: compliance-management-system-for-cmmc

Optimize your risk and compliance management system with best practices for effective oversight.

---

# Your Compliance Management System: The Operating Model

Most defense contractors think about CMMC as a project: there's a start, an end (certification), and then it's done. This framing produces compliance programs that pass their first assessment and fall apart before the annual affirmation.

CMMC is not a project. It's an operating state. The Security Assessment domain (CA.L2-3.12.1 through CA.L2-3.12.4) requires you to periodically assess controls, develop and implement plans of action for deficiencies, monitor controls on an ongoing basis, and develop, document, and periodically update your System Security Plan. Three of those four requirements say "periodically" or "ongoing" outright, and the fourth, the plan of action, only works if someone keeps working it. Your assessor isn't just evaluating your current control state; they're evaluating whether you have a system to maintain it.

This article is about what that system actually looks like, who runs it, and what it costs to sustain.

## The Four Components of a Compliance Management System

### 1. The SSP: Your Living Document

The System Security Plan is the central document of your compliance management system. It describes the boundary of the system that handles CUI, its environment of operation, and how your organization implements each of the 110 NIST SP 800-171 requirements that make up Level 2, and it serves as the primary reference for your C3PAO assessment.

The SSP is not a certification artifact that you write once and file. It's a living document that requires maintenance. When you add systems to your CUI scope, your SSP changes. When your network topology changes, your SSP changes. When staff members change roles, your SSP changes. When you implement a new technical control, your SSP changes.

CA.L2-3.12.4 explicitly requires that you "develop, document, and periodically update system security plans." Your assessor will check the document version history and the "last reviewed" date. An SSP that was written in 2024 and never touched is a finding in 2026.

Assign ownership of the SSP. One person — typically your Information System Security Officer (ISSO) or equivalent — is responsible for keeping it current. If nobody owns the SSP, it goes stale.

### 2. The POA&M: Your Remediation Engine

The Plan of Action and Milestones is how you track and manage your control gaps. Every deficiency identified during your risk assessments, vulnerability scans, or internal audits goes into the POA&M with: a description of the deficiency, the milestone date for remediation, the responsible party, current status, and estimated resources needed.

CA.L2-3.12.2 requires you to "develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities."

Your POA&M isn't just an assessment deliverable; it's your ongoing remediation tracker. Review it at least quarterly, with milestone dates that are realistic and actually tracked. An assessor who sees a POA&M full of overdue milestones isn't seeing diligence; they're seeing a broken process. Keep the two uses distinct: the POA&M a C3PAO accepts at assessment time (for a conditional certification) may hold only a limited set of open items, and those must be closed within 180 days, while the operating POA&M described here runs continuously and holds everything you find between assessments.

Common POA&M tools:

  • Dedicated CMMC compliance platforms (Drata, Secureframe, Hyperproof) include built-in POA&M tracking
  • Jira or ServiceNow with custom vulnerability/compliance workflows
  • Government-standard POA&M templates in Excel (acceptable for simple programs, but harder to maintain as the finding count grows)
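Whatever tool holds the POA&M, the quarterly review comes down to a handful of questions: what is overdue and by how much, what falls due before the next review, and what was actually closed since the last one. The following is an added example, not code from the original article or from any of the products named above. It works over rows carrying the fields the article lists (deficiency, milestone date, responsible party, status, estimated effort); the row layout, the status vocabulary and the sample items are assumptions, and the sample data is constructed.

```python
"""Quarterly POA&M review helper.

Added example, not code from the original article or any named product.
The row layout, status values and sample items are assumptions; the sample
POA&M is constructed and does not describe any real organization.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Statuses that no longer count as an open deficiency (assumed vocabulary).
RESOLVED = {"closed", "risk_accepted"}


@dataclass(frozen=True)
class PoamItem:
    item_id: str
    control: str            # CMMC practice ID the deficiency maps to
    deficiency: str
    owner: str              # responsible party
    milestone: date         # committed remediation date
    status: str             # open | in_progress | closed | risk_accepted
    estimated_hours: int = 0
    closed_on: Optional[date] = None


def is_open(item: PoamItem) -> bool:
    return item.status not in RESOLVED


def overdue(items, as_of: date):
    """Open items whose milestone has already passed, oldest first."""
    late = [i for i in items if is_open(i) and i.milestone < as_of]
    return sorted(late, key=lambda i: i.milestone)


def days_overdue(item: PoamItem, as_of: date) -> int:
    return (as_of - item.milestone).days


def due_within(items, as_of: date, days: int):
    """Open items whose milestone falls inside the next review window."""
    horizon = as_of + timedelta(days=days)
    return [i for i in items if is_open(i) and as_of <= i.milestone <= horizon]


def closed_since(items, since: date):
    """Items closed on or after the previous review: the evidence that the
    process is actually retiring findings, not just collecting them."""
    return [i for i in items
            if i.status == "closed" and i.closed_on and i.closed_on >= since]


def quarterly_summary(items, as_of: date, last_review: date,
                      window_days: int = 90) -> dict:
    """The figures a reviewer records at each quarterly POA&M review."""
    open_items = [i for i in items if is_open(i)]
    return {
        "as_of": as_of.isoformat(),
        "open_items": len(open_items),
        "open_effort_hours": sum(i.estimated_hours for i in open_items),
        "overdue": [(i.item_id, days_overdue(i, as_of)) for i in overdue(items, as_of)],
        "due_next_window": [i.item_id for i in due_within(items, as_of, window_days)],
        "closed_since_last_review": [i.item_id for i in closed_since(items, last_review)],
    }


# Constructed sample POA&M, not real findings from any organization.
SAMPLE_ITEMS = [
    PoamItem("P-001", "SI.L2-3.14.1", "File servers missing March cumulative patches",
             "ops", date(2026, 3, 15), "open", estimated_hours=8),
    PoamItem("P-002", "IA.L2-3.5.3", "MFA exclusion for legacy vulnerability-scanner account",
             "it", date(2026, 5, 1), "in_progress", estimated_hours=16),
    PoamItem("P-003", "AU.L2-3.3.5", "SIEM alert review procedure not documented",
             "isso", date(2026, 2, 1), "closed", closed_on=date(2026, 1, 20)),
    PoamItem("P-004", "CM.L2-3.4.1", "No baseline configuration for new file server",
             "ops", date(2026, 8, 30), "open", estimated_hours=24),
    PoamItem("P-005", "AC.L2-3.1.1", "Stale accounts not disabled",
             "it", date(2025, 12, 1), "closed", closed_on=date(2025, 12, 10)),
]

AS_OF = date(2026, 4, 1)          # review date (constructed)
LAST_REVIEW = date(2026, 1, 1)    # previous quarterly review (constructed)

if __name__ == "__main__":
    for key, value in quarterly_summary(SAMPLE_ITEMS, AS_OF, LAST_REVIEW).items():
        print(f"{key}: {value}")
```

The summary is what goes into the review record: it gives the reviewer a dated, reproducible answer to "what changed since last quarter," which is the question an assessor will ask when they open the POA&M.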

### 3. Continuous Monitoring: Your Early Warning System

CA.L2-3.12.3 requires monitoring security controls on an ongoing basis. This is what distinguishes a mature compliance program from a compliance sprint followed by a long nap.

Continuous monitoring has two components:

Automated technical monitoring — your SIEM (Splunk, Microsoft Sentinel, Elastic), your vulnerability scanner, your endpoint protection platform, and your compliance tool's configuration drift detection. This generates the real-time signals that indicate when something is out of compliance: an MFA exception is granted, a patch cycle is missed, a firewall rule is modified. You need defined alerts for these events and a process for responding.

Periodic management review — your compliance team reviews monitoring outputs, validates that automated alerts are being acted on, reviews your POA&M status, and documents the review. This is the human oversight that connects the automated signals to actual remediation decisions. Do this at minimum quarterly; monthly is better if your environment is actively changing.

The Audit and Accountability domain backs this up. AU.L2-3.3.1 requires that audit logs be created and retained to the extent needed to enable monitoring, analysis, investigation and reporting of unauthorized activity, and AU.L2-3.3.5 requires that audit record review, analysis and reporting processes be correlated so that indications of suspicious activity are investigated and responded to. Centralized collection in a SIEM is how most programs satisfy the first; the second holds only if someone is actually reviewing what the SIEM produces. Log collection without log review is infrastructure cost without compliance benefit.
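The two halves of continuous monitoring described above, the automated drift signals (an MFA exception granted, a patch cycle missed, a firewall rule modified) and the human review that has to follow them, can be written down as a small detection pipeline. The following is an added example, not code from the original article or from Splunk, Sentinel or Elastic. The normalized event shape, the field names, the 30-day patch SLA and the 7-day review window are assumptions standing in for whatever your SIEM and your procedures define; the sample events and acknowledgements are constructed. Each rule names the CMMC practice the drift signal maps to, and the second function finds the alerts nobody has looked at, which is the failure mode the paragraph above warns about.

```python
"""Compliance-drift detection over monitoring events, plus a review-backlog check.

Added example, not code from the original article or any SIEM vendor. Event
records, field names and thresholds are assumptions; sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

PATCH_SLA_DAYS = 30   # assumed internal patch SLA for in-scope hosts


@dataclass(frozen=True)
class Alert:
    alert_id: str         # reuses the source event id so an ack can reference it
    ts: datetime
    control: str          # CMMC practice the drift affects
    severity: str
    summary: str


def detect(events: List[dict]) -> List[Alert]:
    """Turn normalized events into compliance alerts. Only events that show
    drift from the documented control state produce an alert."""
    alerts: List[Alert] = []
    for e in events:
        src, kind = e["source"], e["event"]
        if src == "idp" and kind == "mfa_exclusion_added":
            # An MFA exception weakens IA.L2-3.5.3 for that account until removed.
            alerts.append(Alert(e["id"], e["ts"], "IA.L2-3.5.3", "high",
                                f"MFA exclusion added for {e['user']} by {e['actor']}"))
        elif src == "patch" and kind == "patch_status" and e["days_since_patch"] > PATCH_SLA_DAYS:
            # Flaw remediation (SI.L2-3.14.1) has missed its SLA on this host.
            alerts.append(Alert(e["id"], e["ts"], "SI.L2-3.14.1", "medium",
                                f"{e['host']} is {e['days_since_patch']} days past its last patch"))
        elif src == "firewall" and kind == "rule_changed" and not e.get("change_ticket"):
            # A rule change with no change record breaks CM.L2-3.4.3
            # (track, review, approve or disapprove, and log changes).
            alerts.append(Alert(e["id"], e["ts"], "CM.L2-3.4.3", "high",
                                f"firewall rule {e['rule']} changed by {e['actor']} "
                                f"without a change ticket"))
    return alerts


def unreviewed(alerts: List[Alert], acks: Dict[str, datetime], as_of: datetime,
               max_age_days: int = 7) -> List[Alert]:
    """Alerts with no analyst acknowledgement inside max_age_days: the
    'collecting logs but not reviewing them' failure."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [a for a in alerts if a.alert_id not in acks and a.ts < cutoff]


# Constructed sample events, normalized to one flat record per source.
T0 = datetime(2026, 4, 1, 9, 0)
SAMPLE_EVENTS = [
    {"id": "E1", "ts": T0, "source": "idp", "event": "mfa_exclusion_added",
     "user": "svc-scanner", "actor": "admin.jane"},
    {"id": "E2", "ts": T0, "source": "idp", "event": "sign_in",
     "user": "jsmith", "actor": "jsmith"},
    {"id": "E3", "ts": T0, "source": "patch", "event": "patch_status",
     "host": "fs01", "days_since_patch": 45},
    {"id": "E4", "ts": T0, "source": "patch", "event": "patch_status",
     "host": "ws07", "days_since_patch": 12},
    {"id": "E5", "ts": T0, "source": "firewall", "event": "rule_changed",
     "rule": "allow-inbound-3389", "actor": "netadmin", "change_ticket": None},
    {"id": "E6", "ts": T0, "source": "firewall", "event": "rule_changed",
     "rule": "deny-legacy-smb", "actor": "netadmin", "change_ticket": "CHG-1042"},
]

# Constructed acknowledgement log: alert id -> when an analyst reviewed it.
SAMPLE_ACKS = {"E1": datetime(2026, 4, 2, 10, 30)}
REVIEW_DATE = datetime(2026, 4, 10, 9, 0)   # date of the management review (constructed)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.control}: {a.summary}")
    for a in unreviewed(found, SAMPLE_ACKS, REVIEW_DATE):
        print(f"UNREVIEWED for >7 days: {a.alert_id} ({a.control})")
```

The output of `unreviewed` is the item to put in front of the periodic management review: a non-empty list means alerts are being generated and ignored, which is exactly what an assessor finds when they ask for the last alert that was investigated and how it was resolved.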

### 4. The Annual Affirmation Cycle

Under CMMC, a senior official responsible for the organization's compliance must affirm annually, in SPRS, that the organization continues to meet the requirements of the level it certified to. For Level 2, that is typically a C-suite officer or equivalent attesting to the accuracy of your compliance posture every year.

That affirmation needs to be grounded in actual evidence. The affirmation cycle should include:

  • A formal review of your SSP for currency and accuracy
  • A current vulnerability scan and POA&M status review
  • A review of your security awareness training completion records (AT.L2-3.2.1)
  • A review of your audit log coverage and alerts
  • Documentation of the review with signature

This isn't a full re-assessment; it's a structured checkpoint. Plan for 40–80 hours of effort for a well-run annual affirmation cycle in a mid-size organization. Organizations that treat the affirmation as a paperwork exercise (sign here, done) are building legal exposure: the affirmation carries the same False Claims Act risk as the original certification claim.

## Who Runs This?

The compliance management system requires dedicated human capacity. How much depends on your organization's size and complexity.

### The ISSO Function

Every organization that has achieved or is pursuing CMMC Level 2 needs someone performing the Information System Security Officer function. This role is responsible for:

  • Maintaining the SSP
  • Managing the POA&M
  • Reviewing monitoring outputs and escalating incidents
  • Coordinating annual awareness training completion (AT.L2-3.2.1)
  • Supporting the annual affirmation
  • Serving as the primary point of contact for the C3PAO during assessment

For a small organization (under 100 employees, limited in-scope systems), this is typically a 10–20 hour per week function that can be filled by a capable IT or security professional in addition to their primary duties. Budget for the additional capacity, even if it's not a dedicated hire.

For a mid-size organization (100–500 employees), a dedicated part-time or full-time ISSO is realistic. A full-time ISSO with relevant CMMC experience costs $80,000–$140,000 in annual salary plus benefits, depending on location and credentials.

### The Decision: Internal vs. Outsourced

Internal ISSO — Best when your organization is large enough to keep the role fully occupied, you have someone with the right background, and you want institutional knowledge built inside the organization. Higher fixed cost, but the person knows your environment deeply.

Virtual CISO (vCISO) / Managed Security Service Provider — An MSSP or vCISO can fill the ISSO function for organizations that don't have internal security talent. Typical cost: $3,000–$8,000 per month for ongoing compliance management at a small organization. The MSSP manages monitoring tools, reviews alerts, maintains the SSP and POA&M, and prepares the annual affirmation package. Higher variable cost but no benefits overhead, and you get access to team expertise rather than a single person.

The right answer depends on three factors: Do you have someone internally with the skills and bandwidth? Is that person's time better spent on revenue-generating work? And how complex is your compliance environment? For most small contractors (under 75 employees), an MSSP is the more practical option. For larger contractors with technical staff, an internal ISSO supplemented by occasional external support is typically more cost-effective. Whichever you choose, the annual affirmation itself cannot be outsourced: the affirming official is yours, and so is the accountability for what they sign.

## Common Mistakes

Treating CMMC as a project. The most persistent mistake in the market: organizations treat CMMC certification as a project with a finish line. They implement controls, hire a consultant to help them pass the assessment, achieve certification, and then stop maintaining the program. Six months later, patches are behind, the SSP hasn't been updated, and the POA&M has 40 overdue items. The annual affirmation comes due and the senior official doesn't actually know what they're affirming. This pattern creates legal risk and a failed re-assessment.

No SSP ownership. The SSP was written by a consultant, delivered as a project artifact, and nobody was assigned to maintain it. When the assessor asks "what changed since your last review?" the answer is "I don't know, that consultant wrote it." This is a finding for CA.L2-3.12.4 and a red flag about the organization's compliance maturity.

Monitoring infrastructure without monitoring output. Organizations spend $25,000 on a SIEM and configure it to collect logs from every in-scope system — then nobody reviews the alerts. When the assessor asks about the last alert that was investigated and how it was resolved, the answer is blank. Monitoring isn't infrastructure; it's a function. Someone has to be watching.

## What Your Assessor Expects

The Security Assessment domain is one of the domains where assessors spend the most time, because it directly reveals the maturity of your compliance program. They'll look at:

  • SSP version history — is this being maintained, or is it a static document?
  • POA&M — are milestones realistic, and are items being closed?
  • Monitoring evidence — alert reports, log review records, incident response tickets
  • Annual review documentation — evidence that someone is periodically evaluating control effectiveness, not just certifying and forgetting

The assessor isn't just evaluating whether your controls are implemented today. They're evaluating whether you have a system to keep them implemented. If you can show them a functioning compliance management system — SSP with current version dates, a POA&M that's being actively managed, SIEM outputs being reviewed, training records up to date — you're demonstrating maturity that builds assessor confidence across all domains.

Build the operating model first. The tools and platforms support it; they don't replace it.

---

Building your compliance management system? Start by assigning SSP ownership and establishing your POA&M process. Everything else — tooling, MSSP relationships, monitoring infrastructure — follows from having those two functions in place.