A visit from a CMMC Third-Party Assessment Organization (C3PAO) can feel like a high-stakes moment for any contractor working toward CMMC level 2 compliance. Preparation isn’t just about checking boxes—it’s about having proof that the right safeguards are in place and functioning as intended. The right records tell the story of a contractor’s security posture and readiness to meet CMMC compliance requirements without last-minute scrambling.
System Security Plan Covering All NIST 800-171 Requirements
An assessor’s first request often centers on the System Security Plan (SSP). This living document maps the contractor’s environment against every NIST 800-171 control. It explains which systems handle controlled unclassified information, where security measures are applied, and how requirements are implemented. A complete SSP will outline technical configurations, policy frameworks, and operational procedures in plain terms an assessor can follow.
For contractors aiming for CMMC level 2 compliance, the SSP also demonstrates maturity in maintaining documentation. Updates should happen alongside system changes, not months later. A C3PAO will look for consistency between what the SSP claims and what is observed during interviews and evidence reviews. Gaps or outdated entries will stand out immediately, so accuracy and timeliness matter as much as completeness.
POA&M Noting Resolved and Outstanding Actions
A Plan of Action and Milestones (POA&M) is more than a list of to-dos—it’s a log of how the organization is working toward meeting CMMC level 2 requirements. The POA&M details deficiencies found during internal reviews, the corrective steps taken, and the timelines for any remaining fixes. Assessors use this document to gauge whether the organization is proactive or reactive when closing gaps.
What impresses a C3PAO is not an empty POA&M, but one that shows measurable progress over time. Completed actions should have evidence attached—screenshots, test results, or updated policies. Outstanding actions should be realistic, with clearly assigned owners and achievable dates. This transparency gives assessors confidence that the organization manages remediation effectively, even if some work is still in progress.
Tested and Documented Incident Response Procedures
Incident response plans must be more than a binder collecting dust. They should detail exactly what happens when a security event occurs—who is contacted, how systems are isolated, how evidence is preserved, and how communication is handled internally and externally. For CMMC compliance requirements, these procedures must be both documented and tested.
Contractors meeting CMMC level 2 requirements should have records of tabletop exercises or simulated incident drills. These show a C3PAO that the team can execute the plan under pressure. Documentation of these tests should note what went well and where improvements are needed. This proves the plan is more than theory—it’s a functional tool in maintaining security readiness.
Proof of Monitoring, Audit Logs, and Access History
Monitoring isn’t just a technical control—it’s the record that shows what happened and when. Contractors must have logs that track user access, system changes, and security alerts. These should be detailed enough for an assessor to reconstruct key events if needed. Audit logs also help demonstrate compliance with role-based access rules and timely removal of accounts for departing users.
A C3PAO will want to see not only the logs themselves but also how they are reviewed. Documentation showing regular log analysis or automated alerting strengthens a CMMC level 2 compliance posture. Retention policies should be clear, ensuring logs are available for the required timeframe and stored securely to prevent tampering.
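As an added example (not from this article or any particular product), a script of the kind whose output could be retained as log-review evidence: it parses constructed audit log lines in a simple key=value format, checks whether a departed account logged in after its last working day and how many days passed before it was disabled, and flags bursts of failed logins. The log format, the one-day disable target, and the account names are assumptions made for the example.

```python
from datetime import datetime, timedelta
# Constructed sample data (not from the article): an HR departure roster and audit log lines.
DEPARTURES = {"jdoe": "2024-03-01"}  # account -> last working day
SAMPLE_LOG = """\
2024-02-28T09:12:03Z user=jdoe event=login src=10.0.0.5 result=success
2024-03-04T08:40:11Z user=jdoe event=login src=10.0.0.5 result=success
2024-03-06T17:02:45Z user=admin event=account_disable target=jdoe result=success
2024-03-07T10:00:00Z user=asmith event=login src=10.0.0.9 result=failure
2024-03-07T10:00:30Z user=asmith event=login src=10.0.0.9 result=failure
2024-03-07T10:01:00Z user=asmith event=login src=10.0.0.9 result=failure
"""

def parse_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def departed_account_findings(events, departures, max_lag_days=1):
    """Logins after the last working day, and days until account_disable was logged (None if never)."""
    findings = {}
    for acct, last_day in departures.items():
        cutoff = datetime.strptime(last_day, "%Y-%m-%d") + timedelta(days=1)
        late = [e for e in events if e.get("user") == acct
                and e.get("event") == "login" and e["ts"] >= cutoff]
        disabled = [e for e in events if e.get("event") == "account_disable"
                    and e.get("target") == acct]
        lag = (disabled[0]["ts"] - cutoff).days if disabled else None
        findings[acct] = {"late_logins": len(late), "disable_lag_days": lag,
                          "within_sla": lag is not None and lag <= max_lag_days}
    return findings

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: total failures} for users with >= threshold failed logins in one window."""
    bursts, by_user = {}, {}
    for e in events:
        if e.get("event") == "login" and e.get("result") == "failure":
            by_user.setdefault(e["user"], []).append(e["ts"])
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[user] = len(times)
                break
    return bursts
```

Run against the sample data, the departed account shows one login after departure and a four-day lag before it was disabled, which is the kind of finding an assessor would expect to see tracked to closure in the POA&M.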
Evidence of MFA Use and Defined Role-based Permissions
Multi-factor authentication (MFA) is a cornerstone of CMMC level 2 compliance. Records should prove MFA is enforced for all applicable accounts, including administrative and remote access. This might include screenshots of configuration settings, policy documents, and system reports verifying active enforcement.
In addition, assessors will expect a clear mapping of user roles to permissions. Role-based access control records should show that employees have only the access necessary for their job duties. Periodic access reviews—documented with dates, participants, and findings—demonstrate that permissions are actively managed, not left to drift over time.
Records of Physical Protections for Secure Areas
Cybersecurity often overshadows physical security, but both are required under CMMC compliance requirements. Contractors should maintain records showing how physical access to servers, networking gear, and workstations handling sensitive data is controlled. This includes key card logs, visitor sign-in sheets, camera footage retention policies, and maintenance records for locks or access systems.
A C3PAO will look for proof that these controls are enforced daily, not just on paper. Photos of secured areas, floor plans marking restricted zones, and procedures for escorting visitors all help confirm physical protections are real and consistent. Tying these safeguards to the overall security plan strengthens the compliance narrative.
Daily Documentation of Audit, Access, and Incident Activities
Daily operational records are where theory meets practice. These can include log review summaries, access change approvals, and incident tickets. The goal is to show that security activities happen continuously—not just before an assessment. These records also help organizations spot trends, such as repeated unauthorized access attempts, before they escalate into incidents.
For CMMC level 2 compliance, assessors expect these records to be accessible and well-organized. A C3PAO should be able to trace an event from detection through resolution, supported by timestamps and responsible party notes. Having this level of documentation ready reflects a mature, disciplined approach to protecting controlled unclassified information and meeting CMMC level 2 requirements consistently.
