The Evidence Gap: Why Your Controls Don't Equal Compliance


The most consistent finding in CMMC assessment retrospectives is not a controls gap. It is an evidence gap. The audit isn't about controls. It's about evidence the controls actually ran.

Deep Fathom

The CMMC evidence gap is the distance between a control existing in the System Security Plan and that control having operated, on its stated cadence, across the assessment window with traceable artifacts. C3PAO assessors do not certify documented controls. They certify evidentially-implemented controls: each of the 110 NIST SP 800-171 requirements must be substantiated by artifacts that prove operation, not just configuration. The most expensive line item in CMMC engagements is consistently evidence reconstruction, rebuilding the artifact trail from email threads and undated screenshots before the assessment. Continuous evidence capture is what distinguishes contractors who pass on the first attempt from those who do not.

The most consistent finding across CMMC assessment retrospectives is not a controls gap. It is an evidence gap.

The contractors showing up to CMMC assessments have the controls. They have the SSPs. They have the policies, the network diagrams, the access matrices. What they don’t have, and what’s failing them in the room, is evidence that any of it actually operated. Not on paper. In practice. Repeatedly. Across the assessment window.

That’s the evidence gap. And it’s the gap the industry has been mislabeling for five years.

Naming the Problem the Industry Got Wrong

Most CMMC content treats having controls as the finish line. The actual finish line is having evidence that those controls operated repeatedly across the entire assessment window. That gap, between control existence and control evidence, is what assessors actually fail contractors on.

It is not a documentation problem. It is not a policy problem. It is a proof problem.

Across the assessment-outcome data we have seen, the failure mode is consistent: not missing controls, but controls that exist in the SSP and cannot be substantiated as having run. The assessor’s question is not “do you have AC.L2-3.1.1?” The question is “show me the last six account reviews, with timestamps, with reviewer attribution, with the outcome of each.”

The industry has been selling control implementation. The audit is about evidence-of-process. Those are different products. We’ve watched contractors invest tens of thousands of dollars in the first one and walk into assessments still missing the second.

What Contractors Think They’re Doing vs. What Assessors Verify

There are three states a control can be in, and the industry routinely conflates them.

Documented. The control is written into the SSP. The policy exists. The procedure is named. A consultant produced a deliverable that references it. This is where most contractors think compliance lives.

Implemented. The control is operationally present. Group policy is configured. The MFA tenant is set up. The audit log destination is pointed at the SIEM. Someone in IT can demonstrate the control “works” if you sit them at a keyboard.

Evidentially-implemented. The control has been operating, on its stated cadence, across the assessment window, and the artifacts proving that are organized, traceable, and ready to hand to an assessor without rebuilding them. This is what gets you certified.

A C3PAO does not certify the first state. The second state is closer, but it is not sufficient either. A live demo proves the control is configured today. It does not prove the quarterly access review actually ran in Q1, Q2, Q3, and Q4. It does not prove the SIEM alerts were actually reviewed by the named role within the stated SLA. It does not prove that when a person left the company in October, their access was deprovisioned within the policy-stated window.

The assessor needs the artifact trail. The artifact trail is the proof. And in most engagements, that trail has to be reconstructed before the assessment, from email threads, from screenshots that may or may not be current, from memory.

That reconstruction is the failure point. It is also the most expensive line item across the six-figure CMMC engagements we’ve looked at, often eclipsing the cost of the controls themselves.

Why This Is Structural, Not Behavioral

Looking at this diagnosis, the temptation is to blame the contractor. They should have documented more carefully. They should have set up tickets. They should have run their reviews on time.

That reading is wrong. The contractors are doing the work. The problem is that the system they’re doing the work in doesn’t capture proof as a byproduct.

A 50-person manufacturer running quarterly access reviews on a spreadsheet is not going to retain the audit trail of who reviewed what, when, with what outcome, in a form an assessor can verify three years from now. The information dissipates. The spreadsheet gets overwritten. The person who ran the review changes roles. The reviewer’s notes live in their email.

The same control, operated through a system that records the action and the actor and the artifact at the moment of execution, produces evidence automatically. Same humans. Same control. Different system. Different audit outcome.

This is what we mean by proof in flow. The evidence isn’t a separate project the contractor runs at quarter-end. The evidence is what the system retains every time the work happens.

The reason willpower can’t close this gap is that willpower against a fundamentally manual system produces precisely the artifact trail assessors are rejecting. You cannot grit your way into a verifiable audit log. The system has to do that, or it doesn’t get done.

What Evidence-of-Process Actually Looks Like

Specifics, because the abstract version of this argument doesn’t move anybody.

AC.L2-3.1.1 (Authorized Access Control) and AC.L2-3.1.2 (Transaction & Function Control). These controls require limiting system access to authorized users and to authorized transactions. The contractor implements them by writing a policy that says HR notifies IT when employees leave, and IT deprovisions within five business days. The assessor will want, at minimum, a list of every account state change in the assessment window, paired with the triggering event (hire, role change, separation), paired with the operator who executed it, paired with the timestamp. The chain of custody runs from the HR event to the access change to the verification that the change took effect. If any link is missing, the control is not evidentially-implemented for that window.

AU.L2-3.3.5 (Audit Correlation). The control requires correlating audit record review, analysis, and reporting processes for investigation and response to anomalous activity. Most SSPs gloss this as “someone reviews audit logs,” or at best “the IT manager reviews logs weekly.” The assessor will not accept “the IT manager reviews logs weekly” as evidence. They will want fifty-two weeks of review artifacts. Each one timestamped. Each one showing what was reviewed, what was flagged, what was escalated, what was closed. If the IT manager has been reviewing logs but nothing is captured, the control is not evidentially-implemented.

CM.L2-3.4.3 (System Change Management). The control says changes are tracked, reviewed, approved or disapproved, and logged. The contractor implements it by running a change advisory board. The assessor will want the change record, the approval, the implementer, the verification of post-change configuration, and the linkage back to the system-of-record (the CMDB, the asset inventory, the SSP itself). One missing link, anywhere, and the chain breaks.

These are not exotic requirements. They are the baseline of what evidence-of-process means. And they are nearly impossible to retroactively produce, which is why contractors who try to assemble them in the four weeks before assessment fail.

Why Automation Is the Answer (and What People Get Wrong About That)

The reflexive critique of any compliance vendor right now is that automation is a buzzword. AI is a buzzword. Continuous compliance is a buzzword. We’ve heard it.

Here’s the actual reason automation matters for this specific problem.

The evidence gap is a volume problem and a synchronization problem at the same time. Volume, because evidence-of-process is hundreds of artifacts per quarter for a serious assessment, across dozens of controls, across multiple systems. Synchronization, because each artifact has to be linked to the right control, the right objective, the right system, the right actor, the right point in time. Humans operating manually generate volume but lose synchronization. The artifacts exist but they don’t tie together. That is the contradictory-documentation problem every assessor describes.

Automation closes the gap not by removing humans but by capturing the linkage at the moment the action happens. An access review run inside the system, by a named reviewer, against a named asset, with a timestamped outcome, is a complete evidence packet the instant it concludes. Not assembled later. Not reconstructed. Already done.

This is the difference between a dashboard and a living system of record. The dashboard tells you the control exists. The living system retains the evidence that it ran. A living system of record is the structural prerequisite for closing the evidence gap. Everything else is wrapping.

The automation skepticism is fair where automation means “AI generates an SSP from a prompt and hopes the assessor doesn’t read it carefully.” That kind of automation makes the evidence gap worse. The automation that closes the gap is the boring kind. It’s the kind that captures what happened, tagged to what control it satisfies, in a way that survives the six-year evidence retention window (the artifact retention period codified at 32 CFR § 170.17(c)(4); distinct from the three-year reassessment cycle) without anyone curating it.

What Contractors Should Be Doing Now

For OSCs preparing for assessment in the next twelve months, three things are tractable right now.

First, audit your own evidence inventory. Pick three controls. AC.L2-3.1.1/3.1.2, AU.L2-3.3.5, and CM.L2-3.4.3 are good starting points. For each one, try to produce a complete evidence packet for the last 90 days, without contacting anyone. If you cannot do it in under an hour, your assessment is going to be expensive.

Second, separate documentation work from evidence work in your internal planning. The SSP is documentation. The artifact trail is evidence. They are different deliverables with different production processes, and treating them as the same is part of how organizations end up over-invested in the wrong thing. The 110 controls map tells you what to document. The evidence-of-process question tells you what to capture.

Third, pressure-test the system you’re using to run controls. If your access reviews live in a spreadsheet, the spreadsheet is your evidence system, and you should evaluate it honestly against what a C3PAO will ask for. If your change control runs in email, email is your evidence system. We’ve watched contractors discover this in week three of assessment prep. It’s a bad week to discover it.
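The “proof in flow” idea (the system records actor, asset, outcome and timestamp at the moment the work happens) and the first step above (produce a complete evidence packet for the last 90 days without contacting anyone) are easier to see as data than as prose. The Python below is an added illustration, not code from the original article or from any product it describes. The record fields, the hash-chained append-only store, the weekly-cadence check, the control ids used as tags, and the sample data (a constructed 90-day window ending 2025-03-31 with two deliberately missed log reviews and one unverified deprovisioning) are all assumptions chosen to show the idea.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Evidence:
    """One artifact, tagged to the control it satisfies; its linkage is fixed at capture."""
    control: str                # requirement id used as the tag, e.g. "AU.L2-3.3.5"
    action: str                 # what ran: "log_review", "account_change", ...
    actor: str                  # named person or role who executed it
    asset: str                  # system, account or change it was run against
    outcome: str                # result recorded at completion
    occurred_at: str            # ISO-8601 UTC timestamp assigned by the store, not typed in later
    trigger_id: Optional[str]   # event that caused it (HR ticket, alert, change request) or None
    verified_by: Optional[str]  # who confirmed the change took effect, or None
    prev_hash: str              # digest of the preceding record; "" for the first one

    def digest(self) -> str:
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


class EvidenceStore:
    """Append-only log; each record carries its predecessor's hash, so later edits show up."""

    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock     # injected so the constructed sample can fix the time
        self.records: list[Evidence] = []

    def capture(self, control, action, actor, asset, outcome,
                trigger_id=None, verified_by=None) -> Evidence:
        prev = self.records[-1].digest() if self.records else ""
        rec = Evidence(control, action, actor, asset, outcome,
                       self._clock().isoformat(), trigger_id, verified_by, prev)
        self.records.append(rec)
        return rec              # the packet is complete the instant the action ends

    def verify_chain(self) -> bool:
        expected = ""
        for rec in self.records:
            if rec.prev_hash != expected:
                return False
            expected = rec.digest()
        return True

    def in_window(self, control, start, end):
        return [r for r in self.records if r.control == control
                and start <= datetime.fromisoformat(r.occurred_at) < end]


def missing_weeks(store, control, start, end):
    """ISO weeks in [start, end) with no artifact for a weekly-cadence control (Monday dates)."""
    covered = {datetime.fromisoformat(r.occurred_at).isocalendar()[:2]
               for r in store.in_window(control, start, end)}
    gaps, day = [], start
    while day < end:
        if day.isocalendar()[:2] not in covered:
            gaps.append((day - timedelta(days=day.weekday())).date().isoformat())
        day += timedelta(days=7)
    return gaps


def broken_links(store, control, start, end):
    """Records whose chain of custody is incomplete: no triggering event or no verification."""
    return [r for r in store.in_window(control, start, end)
            if r.trigger_id is None or r.verified_by is None]


def build_sample_store():
    """Constructed sample: weekly SIEM reviews every Friday from 2025-01-03, two of them never
    captured, plus two separations, one of which was never verified. Not real data."""
    clock = {"now": datetime(2025, 1, 3, 17, 0, tzinfo=timezone.utc)}
    store = EvidenceStore(lambda: clock["now"])
    for week in range(13):
        clock["now"] = datetime(2025, 1, 3, 17, 0, tzinfo=timezone.utc) + timedelta(weeks=week)
        if week in (5, 10):     # the weeks of 2025-02-03 and 2025-03-10 produced no artifact
            continue
        store.capture("AU.L2-3.3.5", "log_review", "it-manager", "siem", "0 escalations")
    clock["now"] = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)
    store.capture("AC.L2-3.1.1", "account_change", "helpdesk-1", "jdoe", "disabled",
                  trigger_id="HR-1042", verified_by="it-manager")
    clock["now"] = datetime(2025, 2, 20, 14, 5, tzinfo=timezone.utc)
    store.capture("AC.L2-3.1.1", "account_change", "helpdesk-2", "asmith", "disabled",
                  trigger_id="HR-1077")   # never verified: one link of the chain is missing
    return store


def audit_last_90_days(store=None):
    """The 'complete packet for the last 90 days' exercise, run against the store."""
    if store is None:
        store = build_sample_store()
    end = datetime(2025, 3, 31, tzinfo=timezone.utc)
    start = end - timedelta(days=90)
    return {"chain_intact": store.verify_chain(),
            "missing_log_review_weeks": missing_weeks(store, "AU.L2-3.3.5", start, end),
            "unverified_account_changes":
                [r.asset for r in broken_links(store, "AC.L2-3.1.1", start, end)]}


def tampered_copy_verifies(store) -> bool:
    """Alter one record after the fact and re-verify; the chain no longer checks out."""
    copy = EvidenceStore(store._clock)
    copy.records = list(store.records)
    copy.records[0] = replace(copy.records[0], outcome="3 escalations")
    return copy.verify_chain()


if __name__ == "__main__":
    print(json.dumps(audit_last_90_days(), indent=2))
```

Run stand-alone it prints the audit result for the sample window: the two weeks with no log-review artifact and the one deprovisioning that was never verified are exactly the items an assessor would ask about, and they surface in seconds because every record was tagged to its control and linked to its trigger when it was created. Editing a record afterwards (`tampered_copy_verifies`) breaks the hash chain, which is the property that lets the trail stand on its own without anyone curating it. A spreadsheet or an email thread supports none of these checks.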

For RPOs and MSPs, the strategic question is whether your engagement model produces evidence-of-process for your clients or just documentation. Most don’t. The ones that will scale through 2026 and 2027 are the ones whose delivery model leaves the contractor with a working evidence-capture system at the end of the engagement, not a one-time package that ages out before the next attestation.

Where This Lands

The diagnosis is consistent enough across CMMC assessment outcomes that the failure pattern is visible from any angle. You don’t pass a CMMC assessment with controls. You pass it with proof that the controls did the work. Those are different things, and the industry has been selling the first one.

The contractors who pass Phase 2 assessments won’t be the ones with the thickest SSPs. They’ll be the ones whose evidence trail proves the controls actually ran. Closing that gap is structural. It requires a system that captures proof as a byproduct of the work, not a binder assembled after.

The work is the evidence, or the evidence isn’t real.

References (5 official sources)

| Source | What it covers | Type |
|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | Establishes the assessment-objective verification standard against which evidence is judged | Regulation |
| DFARS 252.204-7012 (Safeguarding Covered Defense Information) | The underlying CUI obligation; the contractual basis for the evidence requirement | Regulation |
| NIST SP 800-171 Rev 2 | The 110 security requirements whose operation must be substantiated | Standard |
| NIST SP 800-171A (Assessment Procedures) | The 320 assessment objectives; the granular level at which evidence is examined | Standard |
| Supplier Performance Risk System (SPRS) | Where claimed scores get tested against the evidence gap at assessment time | Guidance |