Module 12: Governance, Evidence Management, and Continuous Compliance

Module 12 Overview: Why Governance & Continuous Compliance Matter

This module connects everything you have learned about CMMC 2.0 (especially Levels 2–3) to how organizations actually stay compliant over the entire contract lifecycle, not just at assessment time.

Current context (as of December 2025)

• CMMC 2.0 is being implemented through updates to the DFARS 252.204-7021 clause and related DoD guidance.
• DoD increasingly expects continuous (not one-time) assurance that contractors protect Controlled Unclassified Information (CUI).
• Governance, evidence management, and continuous monitoring are what make your System Security Plan (SSP) and POA&Ms live documents instead of shelfware.

In this 15‑minute module you will learn to:

1. Design a governance structure that clearly assigns ownership for CMMC controls and ongoing compliance.
2. Build an evidence management and documentation approach that stands up to recurring self-assessments and DIBCAC / C3PAO reviews.
3. Describe how continuous monitoring and change management keep your CMMC attestation valid and trigger required notifications to DoD when systems handling CUI change.

We will move from theory → structure → concrete workflows → edge cases, with short activities to test your reasoning.

Step 1 – Map Governance to CMMC: Who Owns What?

CMMC compliance is not just an IT problem. It’s a governance problem: who is accountable, who is responsible, who is consulted, who is informed.

A practical way to structure this is to use a RACI (Responsible–Accountable–Consulted–Informed) model across CMMC practices.

Core Governance Roles

In medium and large organizations (and as an ideal reference model for smaller ones), governance for CMMC commonly centers on:

• Board / Executive Sponsor (e.g., COO, CFO)
• Accountable for overall risk appetite and contract decisions involving CUI.
• Approves major investments and accepts residual risk.

• CISO / Security Director
• Accountable for the cybersecurity program aligned to NIST SP 800‑171 Rev. 3 and CMMC Level 2, and for advanced controls at Level 3 (NIST SP 800‑172).
• Owns security policies, risk assessments, and continuous monitoring strategy.

• CMMC Program Manager / Compliance Lead
• Coordinates CMMC activities across IT, HR, Legal, and business units.
• Maintains the SSP, POA&Ms, and score submissions (e.g., to SPRS under DFARS 252.204‑7019/7020).
• Orchestrates readiness for third‑party or DIBCAC assessments.

• System Owners (for each CUI-relevant system / enclave)
• Responsible for day‑to‑day implementation of controls on their systems (e.g., access control, configuration baselines, logging).
• Approve changes that affect their systems’ CUI boundary.

• IT Operations / Cloud & Network Engineers
• Implement technical controls (e.g., MFA, encryption, patching).
• Maintain configuration management databases (CMDBs), asset inventories, and backups.

• HR & Legal / Contracts
• HR: handles background checks, onboarding/offboarding, and security training requirements.
• Legal/Contracts: ensures DFARS/CMMC clauses are correctly flowed down to subcontractors; tracks notification requirements and contractual obligations.

Key idea: Every CMMC practice should have a named owner. If you cannot answer “who owns this control?”, that control is at high risk of drifting out of compliance.

Step 2 – RACI Thought Exercise: Assigning Ownership

You are the CMMC Program Manager for a mid‑size defense contractor (~300 employees) seeking CMMC Level 2 for a program that handles CUI in a dedicated cloud enclave.

Consider the following three CMMC practice areas (derived from NIST SP 800‑171):

1. Access Control (AC) – e.g., enforcing least privilege and MFA.
2. Audit & Accountability (AU) – e.g., log collection, retention, and review.
3. Personnel Security (PS) – e.g., background checks, termination procedures.

Task: For each practice area, decide who should be:

• Accountable (A) – ultimately answerable for the outcome.
• Responsible (R) – performs or ensures the work is done.
• Consulted (C) – gives input.
• Informed (I) – kept updated.

Write down a draft RACI for each practice area. Then compare to the example below.

---

Example solution (one of several valid models):

1. Access Control (AC)

• A: CISO
• R: Identity & Access Management (IAM) lead / System Owners
• C: HR (for role definitions), CMMC Program Manager
• I: Executive Sponsor, affected business unit leaders

1. Audit & Accountability (AU)

• A: CISO
• R: Security Operations (SecOps) / SIEM administrator
• C: System Owners, Compliance Lead (for evidence requirements)
• I: CMMC Program Manager, Internal Audit

1. Personnel Security (PS)

• A: HR Director
• R: HR Operations / Security Officer (for clearance checks where applicable)
• C: Legal (for privacy and labor law), CISO (for role-based access implications)
• I: CMMC Program Manager, hiring managers

Reflection prompt: Where did your RACI differ? Would your model still ensure that evidence is available for each practice during a DIBCAC review two years from now?

Step 3 – Evidence Management: What Counts as Evidence?

CMMC is evidence-based. An assessor (C3PAO or DIBCAC) will not accept “we do this” without verifiable artifacts.

Types of Evidence

For each CMMC practice, you should maintain:

1. Policy evidence – shows intent and rules

• Example: Information Security Policy, Access Control Policy, Incident Response Plan.
• Must be formally approved (e.g., by CISO and/or executive) and version-controlled.

1. Procedure / Standard evidence – shows how you do it

• Example: Standard Operating Procedures (SOPs) for account provisioning, patch management runbooks, logging configuration standards.
• Should be detailed enough that a new staff member could follow them.

1. Implementation evidence – shows it is actually being done

• Example: screenshots of MFA settings, SIEM dashboards, configuration baselines, firewall rules, vulnerability scan reports, training completion records.

1. Operation & Monitoring evidence – shows it is ongoing

• Example: recurring access review records, monthly vulnerability management reports, incident tickets, change records, meeting minutes of security governance forums.

1. Outcome / Performance evidence – shows effectiveness

• Example: metrics and KPIs (e.g., mean time to patch, number of privileged accounts, percentage of systems with logging enabled), trend reports.

Evidence Quality Criteria

High-quality evidence is:

• Relevant – clearly tied to a specific CMMC practice and system in scope.
• Current – within the timeframe expected (e.g., last 6–12 months, depending on control).
• Complete – covers the full scope (all CUI systems, all relevant users).
• Traceable – linked back to specific requirements in NIST SP 800‑171 Rev. 3 or CMMC practice IDs.
• Tamper‑resistant – changes are logged; audit trails are preserved (e.g., using immutable storage or version control).

Key design choice: Decide early whether you will use a central GRC/evidence platform (e.g., ServiceNow GRC, Archer, or a structured SharePoint/Confluence space) to index and version all CMMC evidence.

Step 4 – Example Evidence Library for a Level 2 Contractor

Imagine a small contractor (about 80 staff) pursuing CMMC Level 2 with CUI hosted in a GCC High tenant plus a small on‑prem network segment.

They create a CMMC Evidence Library in SharePoint with this structure:

```text

/ CMMCEvidenceLibrary

/ 00_Governance

• CMMCGovernanceCharter_v1.3.pdf
• SecuritySteeringCommitteeMinutes2025-10-15.pdf

/ 01_Policies

• InfoSecPolicyv4.0Approved2025-04-02.pdf
• AccessControlPolicyv2.1Approved_2025-05-10.pdf

/ 02_Procedures

• SOPUserProvisioningv1.72025-03-12.pdf
• SOPPatchManagementv2.22025-06-01.pdf

/ 03_Implementation

/ AC

• AzureADMFAConfigScreenshots2025-09-05.pdf
• PrivilegedAccountsInventory_2025-09-01.xlsx

/ AU

• SIEMLoggingScopeDiagram2025-07-20.pdf
• LogRetentionConfigExport2025-07-20.json

/ 04_Operations

• QuarterlyAccessReviewReports2025-Q1toQ3.pdf
• MonthlyVulnReports2025-01to_2025-11.zip

/ 05_Assessments

• NIST800-171SelfAssessment2025-09-30.xlsx
• SPRSScoreSubmissionConfirmation2025-10-01.pdf

/ 06_POAMs

• POAMRegister2025-10-15.xlsx
• POAMClosureEvidence_XXXX.pdf

```

Good practices demonstrated:

• Clear folder taxonomy that mirrors governance → policy → procedure → implementation → operations → assessments/POA&M.
• Date‑stamped filenames and versions for traceability.
• Evidence for closed POA&Ms is stored alongside the POA&M register.

Edge case:

If they use a managed security service provider (MSSP) for logging and monitoring, they must still maintain evidence of the MSSP’s activities (e.g., reports, SLAs, ticket exports) and contractual terms showing that CUI protection and CMMC responsibilities are clearly allocated.

Step 5 – Quick Check: What Is Strongest as CMMC Evidence?

Choose the best evidence item for proving that multi-factor authentication (MFA) is enforced for all administrative accounts in a CUI enclave.

Step 6 – Continuous Monitoring: From Point-in-Time to Ongoing Assurance

Under CMMC 2.0 and related DFARS clauses, compliance is not a one‑time event. Your self‑assessment score, SSP, and POA&Ms are expected to reflect your current security posture.

What Is Continuous Monitoring in the CMMC Context?

Drawing from NIST SP 800‑137 (Information Security Continuous Monitoring) and NIST SP 800‑171 Rev. 3, a continuous monitoring program for CMMC typically includes:

1. Asset & Boundary Monitoring

• Automated discovery of systems connected to the CUI environment.
• Verification that new assets inherit required configurations and are within the CUI boundary documented in the SSP.

1. Vulnerability & Patch Management

• Regular vulnerability scans (e.g., weekly/bi‑weekly for servers, monthly for workstations).
• Patch deployment within defined timelines (e.g., critical patches within 14 days) with exceptions documented and tracked via POA&Ms if needed.

1. Security Event & Incident Monitoring

• Centralized logging (SIEM) with correlation rules for suspicious activity.
• Defined thresholds and runbooks for escalation and incident response.

1. Configuration & Change Monitoring

• Baseline configurations for systems in the CUI enclave (e.g., CIS benchmarks).
• Automated alerts when critical settings drift (e.g., logging disabled, firewall rules changed).

1. Control Effectiveness Reviews

• Periodic control reviews (e.g., quarterly) to verify that key CMMC practices are still implemented as designed.
• Sampling (e.g., random user accounts, devices, tickets) to test adherence.

Key linkage: Continuous monitoring produces ongoing evidence and triggers updates to your SSP, POA&Ms, and—if material changes occur—your attestation and notifications to DoD.

Step 7 – Change Management & Required Notifications: Scenario Analysis

Consider three hypothetical changes in a company that already has a CMMC Level 2 assessment completed and has active DoD contracts involving CUI.

For each scenario, decide whether it is:

• Minor change – handled via internal change management, no external notification.
• Material change – requires updates to SSP/POA&Ms and may trigger notification under DFARS/CMMC expectations (e.g., via the contracting officer or as part of updated attestations).

---

Scenario A – Patching Schedule Adjustment

The IT team changes the patch deployment window from weekly to bi‑weekly for non‑critical servers, but still meets the defined timelines in policy for applying critical security patches.

Scenario B – New Cloud Service for CUI

A business unit starts using a new SaaS platform to store and process CUI, but this service is not in the original SSP, and its FedRAMP/CMMC posture is unclear.

Scenario C – Re‑architecting the CUI Boundary

The company migrates its CUI environment from a hybrid on‑prem + cloud model to a new GCC High tenant with a different network topology and identity provider integration.

---

Think through your answers before reading the guidance below.

---

Suggested classification and rationale:

• Scenario A – Minor change
• Likely handled internally as long as the organization still meets its documented patch timelines and risk criteria.
• Evidence: updated change records, possibly an updated SOP; no change to SSP boundary.

• Scenario B – Material change
• Introducing a new system that stores or processes CUI is a major change to the CUI environment.
• Requires updates to: SSP (system inventory, data flows), risk assessment, vendor due diligence, and possibly the self‑assessment / SPRS score if controls differ.
• May require notification to the contracting officer depending on DFARS clause language and internal policy.

• Scenario C – Material change
• Re‑architecting the entire CUI boundary is highly material.
• Requires: updated SSP, network diagrams, control mappings, and potentially a re‑assessment or updated attestation depending on timing and contract terms.
• The organization should proactively engage with its DoD program office / contracting officer.

Takeaway: A robust change management process must explicitly ask: “Does this change affect CUI or CMMC scope, and does it require updates to SSP/POA&Ms or notification to DoD?”

Step 8 – Practical Template: Minimal CMMC Governance & Monitoring Charter

Below is a text template (not programming code) you can adapt as a minimal governance and continuous monitoring charter for a CMMC program.

```text

CMMC Governance & Continuous Compliance Charter

1. Purpose

This charter establishes governance, evidence management, and continuous monitoring

practices to maintain compliance with CMMC 2.0 requirements for systems handling CUI.

1. Scope

• Applies to all information systems, services, and personnel within the defined CUI boundary.
• Includes internal systems and external service providers supporting CUI processing.

1. Roles & Responsibilities

• Executive Sponsor:
• Approves risk appetite and major investments.
• Reviews quarterly CMMC status reports.
• CISO:
• Owns cybersecurity strategy aligned to NIST SP 800-171 Rev. 3 and CMMC Level X.
• Approves security policies and standards.
• CMMC Program Manager:
• Maintains System Security Plan (SSP), POA&Ms, and assessment records.
• Coordinates internal and external CMMC assessments.
• System Owners:
• Ensure implementation of assigned CMMC controls on their systems.
• Approve changes that impact the CUI boundary.
• IT Operations & SecOps:
• Implement technical controls, monitoring, and incident response.
• Maintain logs, configuration baselines, and backup/restore capabilities.
• HR & Legal/Contracts:
• HR: manage personnel security processes and training.
• Legal/Contracts: manage DFARS/CMMC clauses and notification obligations.

1. Governance Forums

• Security Steering Committee (monthly):
• Reviews key risks, POA&M progress, and material changes to CUI systems.
• CMMC Working Group (bi-weekly):
• Tracks evidence collection, control status, and upcoming assessments.

1. Evidence Management

• All CMMC-related evidence shall be stored in the designated Evidence Library.
• Evidence must be:
• Clearly mapped to CMMC practices and NIST 800-171 controls.
• Dated, version-controlled, and retained according to policy.

1. Continuous Monitoring

• Asset & Boundary:
• Maintain an up-to-date inventory of systems in the CUI boundary.
• Vulnerability & Patch:
• Perform vulnerability scans at least monthly; track remediation.
• Logging & Events:
• Forward security logs to the central SIEM; review alerts daily.
• Control Reviews:
• Perform quarterly reviews of selected CMMC controls.

1. Change Management & Notifications

• All changes to systems within the CUI boundary must be logged in the change

management system and assessed for CMMC impact.

• Material changes (e.g., new CUI systems, boundary re-architecture) require:
• SSP updates and, if necessary, POA&Ms.
• Review by the CISO and CMMC Program Manager.
• Notification to the contracting officer where required by DFARS/contract.

1. Review & Approval

• This charter shall be reviewed at least annually or upon significant changes

to CMMC requirements or the CUI environment.

• Approved by: [Executive Sponsor], [CISO], [CMMC Program Manager].

```

Use this template as a starting point and expand it with organization-specific details and references to your actual policies and procedures.

Step 9 – Key Term Review

Flip the cards to reinforce the core concepts from this module.

Step 10 – Synthesis Quiz: Linking Governance, Evidence, and Monitoring

Test your ability to connect governance structure, evidence management, and continuous monitoring into a coherent continuous compliance approach.