CMMC

What Evidence Is Required for a CMMC Assessment?

Leave a Comment / CMMC, Compliance, Cybersecurity, Federal Contracting, GCCH, Security, Technology / / , , , ,

What Evidence Is Required for CMMC?

A CMMC assessment requires organizations to provide objective, verifiable evidence that security controls are implemented, enforced, and functioning as intended across their environment.

This evidence must demonstrate not only that policies exist, but that systems, configurations, and operational processes align with those policies in practice.

In CMMC, stated intent is not sufficient—evidence must be observable, testable, and defensible.

Why Evidence Matters in CMMC

The Cybersecurity Maturity Model Certification (CMMC) is explicitly designed as an evidence-based framework. According to the Department of Defense’s CMMC Model 2.0, assessments are focused on validating that practices are implemented—not just documented.

Rather than evaluating whether an organization has purchased tools or written policies, assessors evaluate whether:

  • Controls are implemented correctly
  • Configurations support those controls
  • Systems produce evidence that controls are functioning

This aligns directly with the NIST SP 800-171A assessment methodology, which defines how security requirements are evaluated through examination, testing, and interviews.

Source:
https://dodcio.defense.gov/CMMC/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf

The Types of Evidence Required for CMMC

CMMC assessments rely on multiple categories of evidence. These are grounded in NIST SP 800-171A, which defines “assessment objects” such as specifications, mechanisms, and activities.

1. Policy and Procedural Evidence

This includes documented materials that define how your organization intends to meet security requirements.

Examples:

  • Security policies
  • Standard operating procedures (SOPs)
  • Access control policies
  • Incident response plans

These documents establish intent, but do not prove implementation.

2. Technical and Configuration Evidence

This is the most critical category for validation.

It demonstrates how systems are actually configured and whether controls are implemented at the technical level.

Examples:

  • Identity and access configurations (e.g., MFA enforcement)
  • Conditional access policies
  • Endpoint security settings
  • System configuration baselines
  • Encryption configurations
  • Network segmentation

NIST SP 800-171A specifically requires assessors to evaluate mechanisms, meaning the technical implementations that enforce controls.

Source:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf

3. Operational and Logging Evidence

This evidence demonstrates that controls are functioning over time.

Examples:

  • Audit logs
  • Security event logs
  • Monitoring outputs
  • Alerting and response records
  • Log retention configurations

These artifacts support validation that controls are not only configured, but actively operating.

The Difference Between Documentation and Evidence

A common point of confusion is the difference between documentation and evidence.

Documentation:

  • Describes what should happen
  • Exists in policies and procedures

Evidence:

  • Shows what is actually happening
  • Exists in configurations, logs, and system outputs

For example:

  • A policy may require multi-factor authentication (MFA)
  • Evidence must show MFA is enabled, enforced, and consistently applied across users

This distinction is reinforced in NIST guidance, which separates specifications (policies) from mechanisms (systems) and activities (operations).

How Assessors Evaluate Evidence

During a CMMC assessment, evidence is evaluated using standardized methods defined in NIST SP 800-171A:

Examine

Reviewing documents, configurations, and artifacts

Interview

Speaking with personnel to confirm implementation

Test

Validating that controls function as expected

Assessors are looking for:

  • Completeness — Coverage across systems
  • Accuracy — Reflects current environment
  • Consistency — Controls applied uniformly
  • Traceability — Mapped to specific CMMC practices

Source:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf

Why Security Tools Alone Do Not Satisfy Evidence Requirements

Security tools such as XDR platforms and vulnerability scanners provide important data, but they do not independently fulfill CMMC evidence requirements.

For example:

  • XDR provides detection and response data
  • Vulnerability scans identify known exposures

However, they do not:

  • Validate configuration alignment with CMMC controls
  • Confirm consistent enforcement of policies
  • Produce structured evidence mapped to compliance requirements

NIST SP 800-171 requires controls to be implemented and enforced, not simply supported by tools.

Source:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

What a Complete Evidence-Based Assessment Looks Like

A comprehensive approach to CMMC evidence includes:

  • A snapshot of system configurations
  • Validation of identity and access controls
  • Verification of logging and monitoring coverage
  • Correlation of tool outputs with control requirements
  • Structured documentation aligned to CMMC practices

This transforms raw technical data into audit-ready, defensible evidence.

How ARCH by Rolle IT Supports Evidence Validation

ARCH is designed to help organizations generate and validate the types of evidence required for CMMC assessments.

It combines:

  • XDR data
  • Vulnerability scan results
  • Security telemetry
  • System configuration state

Into a unified assessment model.

ARCH enables organizations to:

  • Capture a point-in-time snapshot of their environment
  • Validate configurations against compliance expectations
  • Identify gaps between policy and implementation
  • Correlate data across systems
  • Produce structured, actionable reporting

This supports the creation of verifiable, audit-aligned evidence consistent with CMMC and NIST requirements.

From Documentation to Demonstration

CMMC assessments require organizations to move beyond describing their security posture.

They must demonstrate it through:

  • Configuration validation
  • Control enforcement
  • Evidence generation

This is the shift from policy-driven compliance to evidence-based compliance.

Final Thought

Understanding what evidence is required for CMMC is essential for any organization preparing for assessment.

Security tools provide important inputs, but compliance depends on:

  • How systems are configured
  • How controls are enforced
  • How evidence is produced and validated

An evidence-based assessment approach ensures your organization is not relying on assumptions, but on verifiable data aligned with federal standards.

Sources and Framework Alignment

This approach aligns with:

Next Step

If your organization is preparing for CMMC or needs to validate its current posture:

Learn how ARCH by Rolle IT can help you generate and validate compliance evidence across your environment.

👉Contact [email protected] to request an ARCH assessment

What Evidence Is Required for a CMMC Assessment? Read More »

What Is a Compliance Assessment (and Why XDR and Vulnerability Scans Aren’t Enough)?

Leave a Comment / AI, Business, CMMC, Compliance, Cybersecurity, GCCH, MSSP, Security, Small Business, Technology / / , , , , , , , , , ,

What Is a Compliance Assessment?

A compliance assessment is a structured evaluation of whether your systems, configurations, and security controls meet defined regulatory or framework requirements such as CMMC or NIST.

Unlike traditional security tools, it does not just identify risks—it verifies whether controls are correctly implemented and functioning as intended.

A compliance assessment validates whether controls are correctly implemented—not just whether tools are present.

Why This Matters More Than Ever

Many organizations believe they are compliant because they have invested in modern security tools like XDR and vulnerability scanners.

But compliance is not about tool deployment.
It is about control effectiveness, configuration accuracy, and documented evidence.

This is where the gap exists—and where most audit failures occur.

What XDR Does (and Doesn’t Do)

Extended Detection and Response (XDR) platforms are critical for modern security operations.

What XDR Does Well:

  • Detects suspicious activity and threats
  • Provides endpoint and identity visibility
  • Enables rapid response to incidents

What XDR Does NOT Do:

  • Validate system configurations against compliance frameworks
  • Confirm that required controls are implemented correctly
  • Provide structured, audit-ready compliance evidence

XDR is designed for detection and response, not compliance validation.

What Vulnerability Scanning Does (and Doesn’t Do)

Vulnerability scanning tools identify known weaknesses across systems and applications.

What Vulnerability Scans Do Well:

  • Identify missing patches and known CVEs
  • Highlight exposed services and outdated software
  • Provide risk-based prioritization of vulnerabilities

What Vulnerability Scans Do NOT Do:

  • Assess whether security policies are correctly configured
  • Validate control implementation across environments
  • Correlate findings with real-world compliance requirements

Vulnerability scans measure exposure, not compliance readiness.

Compliance Assessment vs. Security Tools

CapabilityXDRVulnerability ScanCompliance Assessment
Detect threatsYesNoPartial
Identify vulnerabilitiesNoYesYes
Validate configurationsNoNoYes
Confirm compliance alignmentNoNoYes
Provide audit-ready documentationNoNoYes

This distinction is critical.

Security tools generate signals.
Compliance assessments validate the environment behind those signals.

What a True Compliance Assessment Includes

A real compliance assessment goes beyond scanning and detection. It provides a comprehensive, evidence-based view of your environment.

Key Components:

1. Configuration Validation
Evaluates system settings, policies, and configurations against compliance requirements.

2. Control Implementation Review
Confirms whether required controls are properly deployed and enforced.

3. Cross-System Correlation
Analyzes data from multiple sources—XDR, vulnerability scans, telemetry—to identify gaps.

4. Evidence and Documentation
Produces structured output that supports audits and internal reporting.

5. Actionable Remediation Guidance
Identifies not just what is wrong, but what to fix and how to prioritize it.

Where Organizations Typically Fail

Even well-resourced IT teams encounter the same challenges:

  • Over-reliance on tools instead of validation
  • Misconfigured policies and security settings
  • Configuration drift across environments
  • Lack of centralized visibility across systems
  • Insufficient documentation for audits

The result is a false sense of security—and increased risk of compliance failure.

Introducing ARCH by Rolle IT

ARCH is Rolle IT’s AI-supported compliance assessment platform designed to close the gap between security tools and compliance validation.

It combines:

  • XDR data
  • Vulnerability scan results
  • Security telemetry
  • System and environment configurations

Into a single, real-time assessment model.

What ARCH Delivers:

  • A snapshot of your current environment
  • Identification of hidden gaps and misconfigurations
  • Validation of control implementation
  • Detailed, audit-ready reporting
  • Actionable insights for remediation

ARCH is purpose-built for organizations operating in Microsoft GCC High environments and those pursuing CMMC compliance.

From Assumption to Evidence

If your organization relies solely on XDR and vulnerability scanning, you are only seeing part of the picture.

A compliance assessment provides the missing layer:
validation, alignment, and proof.

ARCH gives you the ability to move from:

  • Tool deployment → Control validation
  • Security signals → Compliance evidence
  • Assumptions → Confidence

Take the Next Step

Before your next audit—or before risk becomes reality—understand where you truly stand.

Learn how ARCH can help your organization validate compliance, identify gaps, and build a defensible security posture.

Contact [email protected] for more information

What Is a Compliance Assessment (and Why XDR and Vulnerability Scans Aren’t Enough)? Read More »

The Misunderstanding Around GCC High

Leave a Comment / AI, CMMC, Compliance, Cybersecurity, GCCH, Managed Service Provider, MSSP, Security, Small Business, Technology / / , , , , , , ,

Many organizations assume:

“If we are in GCC High, we are closer to compliance.”

While partially true, this assumption is dangerous.

GCC High provides:

  • A compliant infrastructure baseline

But it does not guarantee:

  • Proper configuration
  • Control implementation
  • Policy enforcement

Compliance still depends on how your environment is configured and managed.

Key Challenges in GCC High Compliance Validation

1. Identity and Access Complexity

Identity is central to CMMC and security frameworks.

In GCC High environments, organizations often struggle with:

  • Conditional access misconfigurations
  • Over-permissioned accounts
  • Inconsistent MFA enforcement
  • Role-based access issues

These gaps are difficult to detect without detailed configuration analysis.

2. Policy and Configuration Misalignment

Security policies must be:

  • Defined
  • Applied
  • Verified

Common issues include:

  • Policies created but not enforced
  • Conflicting configurations across systems
  • Incomplete deployment of required settings

Without validation, these issues remain hidden.

3. Logging and Telemetry Gaps

CMMC requires:

  • Logging
  • Monitoring
  • Traceability

In GCC High, organizations often encounter:

  • Incomplete log coverage
  • Misconfigured retention policies
  • Gaps between systems generating logs and systems storing them

This creates risk in both security operations and compliance validation.

4. Configuration Drift in Cloud Environments

Cloud environments are dynamic by nature.

Over time:

  • Settings change
  • Permissions evolve
  • Policies are modified

This leads to configuration drift, where the environment no longer matches its intended compliant state.

Without regular validation, drift introduces silent compliance gaps.

5. Lack of Unified Visibility

GCC High environments span multiple layers:

  • Microsoft 365 services
  • Identity systems
  • Endpoint configurations
  • Security tools

Most organizations lack a unified way to see:

  • How these systems interact
  • Whether controls are consistently implemented
  • Where gaps exist across the environment

This fragmentation makes validation difficult.

The Core Challenge: Seeing the Whole Environment

Compliance in GCC High is not about individual tools or settings.

It is about:

  • How systems are configured
  • How controls are enforced
  • How data flows across the environment

Without a unified, correlated view, organizations are left with:

  • Partial insights
  • Incomplete validation
  • Increased audit risk

What Effective GCC High Validation Requires

To confidently validate compliance in GCC High, organizations need:

Configuration-Level Visibility

Understanding how systems are actually configured—not just how they should be configured.

Cross-System Correlation

Connecting identity, endpoint, telemetry, and policy data into a cohesive assessment.

Control Mapping

Aligning configurations and findings to frameworks like CMMC.

Evidence Generation

Producing documentation that supports audit requirements.

How Rolle IT ARCH Tool Solves GCC High Validation Challenges

ARCH by Rolle IT was built with GCC High environments in mind.

It provides a structured, real-time assessment that combines:

  • XDR insights
  • Vulnerability data
  • Telemetry
  • System configurations

ARCH Enables Organizations To:

  • Capture a true snapshot of their environment
  • Identify misconfigurations across systems
  • Validate control implementation against compliance standards
  • Detect gaps caused by drift or misalignment
  • Generate actionable, audit-ready reports

ARCH delivers the visibility that GCC High environments require—but most organizations lack.

From Complexity to Clarity

GCC High environments are powerful, but they are not self-validating.

Compliance requires:

  • Insight
  • Validation
  • Documentation

Without these, complexity becomes risk.

Operating in GCC High does not guarantee compliance.

It raises the standard for how compliance must be validated.

If your organization needs a clearer, more defensible view of its environment:

ARCH provides the assessment capability to get there.

Connect with us at [email protected]

The Misunderstanding Around GCC High Read More »

Microsoft GCC High Licensing Costs

Business, CMMC, Compliance, Federal Contracting, GCCH, MSSP, Security, Small Business / / , , , , , , ,

GCC High licensing is generally more expensive than both commercial and GCC environments due to the additional security controls, segregated infrastructure, and compliance assurances provided.

Cost drivers for GCC High include:

  • Specialized government cloud infrastructure
  • U.S.-based data residency and screened U.S. personnel access
  • Limited service availability compared to commercial environments
  • Increased administrative and operational overhead

GCC High licenses are available only after Microsoft eligibility approval and are typically procured through authorized government cloud resellers.

Security and Compliance Feature Considerations

Organizations should carefully evaluate which security and compliance features are required to meet contractual obligations.

Higher-tier licenses may be necessary to support:

  • Advanced threat detection and response
  • Identity governance and privileged access management
  • Audit logging and eDiscovery
  • Continuous compliance reporting

Selecting licenses without aligning them to compliance requirements can result in unexpected costs or gaps in control coverage.

Request your GCC or GCCH License Quote from [email protected]

Microsoft GCC High Licensing Costs Read More »

Best Practices for Implementing Microsoft GCC High

Business, CMMC, Compliance, Cybersecurity, Federal Contracting, GCCH, MSSP, Security, Small Business / / , , , , ,

A Guide for Defense Contractors

Executive Summary

Organizations that handle sensitive government information are increasingly required to meet stringent cybersecurity and compliance standards while maintaining operational efficiency. Microsoft Government Community Cloud High, known as GCC High, is designed to support these requirements by providing a secure, sovereign cloud environment for United States government agencies and authorized contractors. Rolle IT helps appropriate organizations procure and deploy GCC High environments.

Successful implementation of GCC High requires more than technical migration. It demands a structured approach that integrates compliance frameworks such as NIST SP 800-171 and CMMC, strong identity and access controls, secure configuration standards, and continuous monitoring. This document outlines best practices to help organizations deploy GCC High in a manner that is secure, compliant, and sustainable.

By following these practices, organizations can reduce risk, maintain audit readiness, and enable secure collaboration for users handling Controlled Unclassified Information and Federal Contract Information.

Understanding GCC High and Its Purpose

Microsoft GCC High is a sovereign cloud environment built specifically for United States government agencies and authorized contractors. It supports compliance with frameworks and regulations such as DFARS, CMMC, NIST SP 800-171, ITAR, CJIS, and HIPAA. The environment features segregated infrastructure, enhanced access controls, and United States-based data residency.

Due to its elevated security posture, GCC High deployments require deliberate design decisions to ensure both compliance and usability.

Conduct a Compliance-Driven Readiness Assessment

Prior to implementation, organizations should perform a readiness assessment focused on compliance and risk.

Key areas to evaluate include data classification, regulatory obligations, and the current technical environment. This includes identifying where Controlled Unclassified Information and Federal Contract Information reside, determining which compliance frameworks apply, and reviewing identity, endpoint, and network security controls already in place.

This assessment provides the foundation for a GCC High architecture aligned with both security and business requirements.

Establish Strong Identity and Access Controls

Identity is the cornerstone of a secure GCC High environment. Organizations should implement Azure Active Directory Conditional Access policies to enforce access based on user risk, device compliance, and contextual factors. Multi-factor authentication should be enabled for all users without exception.

Privileged access should be tightly controlled using role-based access control and Privileged Identity Management. Administrative roles should be segmented to reduce the risk of unauthorized access and insider threats.

Apply Secure Configuration and Hardening Standards

Although GCC High includes enhanced default protections, additional hardening is essential.

Organizations should apply Microsoft-recommended security baselines for GCC High workloads and adopt Zero Trust principles that continuously verify user identity, device health, and application context. Endpoint security should be enforced using tools such as Microsoft Defender for Endpoint and Intune to ensure devices accessing GCC High resources meet compliance requirements.

Implementing secure configurations early helps avoid operational disruptions and costly remediation later.

Plan and Sequence Workload Migrations Carefully

Not all workloads are immediately suitable for GCC High. Organizations should define a phased migration strategy that prioritizes critical services such as email, collaboration tools, and document management systems.

Dependencies on third-party applications should be reviewed carefully, as some vendors may not support GCC High environments without modification. Custom applications may require redesign or reconfiguration to integrate securely.

A phased approach reduces risk and minimizes disruption to business operations.

Implement Robust Data Governance Controls

Data governance is essential for maintaining compliance and protecting sensitive information.

Organizations should use sensitivity labels to identify and protect Controlled Unclassified Information, enforce retention and deletion policies, and ensure encryption is applied appropriately. Legal hold, eDiscovery, and audit capabilities should be validated prior to production use.

Effective data governance supports both regulatory compliance and operational accountability.

Validate the Environment Through Testing

Before full production deployment, organizations should conduct thorough testing using real-world scenarios.

This includes piloting GCC High access with select user groups, validating collaboration workflows, and testing security controls. Threat simulations and tabletop exercises help verify incident response procedures and monitoring effectiveness.

Testing ensures the environment performs as expected and supports secure day-to-day operations.

Provide Training for Users and Administrators

Security controls are only effective when users and administrators understand how to operate within them.

End users should receive training on secure collaboration, phishing awareness, and multi-factor authentication usage. Administrators should receive advanced training on identity governance, security monitoring, and compliance management.

Clear documentation and operational playbooks should be developed to support onboarding, incident response, and audits.

Operationalize Continuous Monitoring and Threat Detection

GCC High provides extensive logging and telemetry, but organizations must actively monitor and respond to security events.

Security operations should include continuous monitoring through Microsoft Defender and Microsoft Sentinel, real-time alerting for suspicious activity, and routine reviews of access and configuration changes.

Ongoing monitoring ensures threats are identified and addressed before they impact sensitive systems.

Maintain Continuous Compliance Posture

Compliance is not a one-time effort. Organizations should regularly assess their control posture against applicable frameworks such as NIST SP 800-171 and CMMC.

Compliance dashboards, control mappings, and periodic reviews help maintain audit readiness and identify gaps early. Policies and configurations should be updated as regulations and threat landscapes evolve.

Engage Experienced GCC High Security Partners

Implementing and operating GCC High requires expertise across cloud architecture, cybersecurity, and regulatory compliance. Many organizations benefit from working with partners experienced in securing government and defense workloads.

Rolle IT Cybersecurity supports government agencies and federal contractors by delivering GCC High readiness assessments, secure architecture design, workload migration, and continuous security monitoring aligned with federal compliance requirements.

Microsoft GCCH Deployment

Microsoft GCC High provides a powerful platform for protecting sensitive government data, but its effectiveness depends on thoughtful implementation and disciplined operations. By following structured best practices across identity, security configuration, governance, and monitoring, organizations can achieve compliance while enabling secure, modern collaboration.

For organizations seeking to implement or optimize GCC High, Rolle IT Cybersecurity offers the expertise and operational support required to secure mission-critical environments.

[email protected] 321-872-7576

Best Practices for Implementing Microsoft GCC High Read More »

A Strategic Microsoft Partner for GCC High Environments

Business, CMMC, Compliance, Cybersecurity, MSSP, Security, Security, Small Business, Technology / / , , , , ,

For organizations already operating under Microsoft 365 GCC High (GCCH) requirements, the primary challenge is not determining whether GCCH is needed, but ensuring it is implemented, governed, and sustained correctly.

Rolle IT supports executive leadership and procurement stakeholders by providing structured oversight and long-term partnership for GCC High environments, reducing operational risk and ensuring contractual obligations are met.

Executive and Procurement Priorities

Organizations required to operate in GCC High face several non-negotiable priorities:

  • Proper eligibility validation and license issuance
  • Secure, defensible tenant configuration
  • Alignment with contractual and regulatory obligations
  • Audit readiness and documentation support
  • Long-term operational sustainability

Rolle IT works with leadership teams to ensure these priorities are addressed consistently and deliberately, without introducing unnecessary complexity or risk.

Rolle IT’s Role as Your GCC High Partner

Rolle IT acts as a governance-focused Microsoft partner, supporting GCC High environments throughout their lifecycle.

Our role includes:

  • Eligibility and Licensing Assurance
    Supporting accurate qualification, documentation, and license procurement through authorized channels.
  • Tenant Architecture and Governance Advisory
    Advising on administrative structure, identity strategy, and access models aligned with security and compliance expectations.
  • Security and Compliance Alignment
    Ensuring GCC High configurations support requirements such as NIST SP 800-171, DFARS, ITAR, and CJIS, where applicable.
  • Operational Readiness and Continuity
    Supporting adoption, change management, and long-term sustainability within the GCC High environment.

This approach enables leadership to make defensible, well-informed decisions.

Designed for Oversight and Accountability

GCC High environments must withstand scrutiny—from auditors, assessors, and contracting authorities.

Rolle IT emphasizes:

  • Clear governance models
  • Documented configuration decisions
  • Repeatable security practices
  • Reduced reliance on ad-hoc or reactive changes

This structure supports accountability and reduces long-term risk.

Engagement Beyond Initial Implementation

GCC High is not a one-time project. Licensing changes, new users, evolving contracts, and assessments introduce ongoing demands.

Rolle IT remains engaged to support:

  • Licensing lifecycle management
  • Configuration and governance reviews
  • Audit and assessment preparation
  • Strategic guidance as requirements evolve

Our clients value continuity and institutional knowledge, not one-time delivery.

A Partner for Leadership and Procurement Teams

Rolle IT complements internal IT organizations by providing specialized expertise and advisory support where it matters most. We help leadership and procurement teams move forward with confidence, clarity, and documented assurance.

Partner with Rolle IT

For organizations already committed to GCC High, selecting the right Microsoft partner is a critical governance decision.

Rolle IT provides the oversight, experience, and continuity required to operate GCC High environments with confidence and control.

[email protected] 321-872-7576

A Strategic Microsoft Partner for GCC High Environments Read More »

Active Directory Secure Backup

Business, CMMC, Compliance, Cybersecurity, Managed Service Provider, MSSP, Small Business, Technology /

An estimated 90% of today’s cyberattacks target Active Directory. It’s no surprise, given that AD is the gateway to your entire digital infrastructure.

A single AD breach enables bad actors with a centralized location to take control, deny access to critical applications and data, and even bring your entire network-and business-to a standstill.

That’s why the protection and recoverability of AD is a top priority for Rolle IT’s clients.

Rolle IT leverages Commvault’s Cloud Backup & Recovery for Active Directory bringing resilience to your entire digital infrastructure. Let’s talk about how we can help secure your critical identity services.

CMMC Compliant Services, as well as commercial platforms available.

[email protected] to learn more.

Active Directory Secure Backup Read More »

Top 10 Failed CMMC Controls, #10 System Baselining

By Grant Mooney, CMMC, Compliance, Cybersecurity, Email Security, Managed Service Provider, MSSP, Security /

CMMC Journey Guides

#10- CM.L2-3.4.1: System Baselining

When working with individual controls, we know that they have to be dissected from an objective level. For this specific control out of the 110 controls, 320 objectives in CMMC, I have chosen to split it up with objectives a/b/c and d/e/f. Two parts, mainly covering “baseline configurations” and “system inventory”. If you work with CUI, you don’t get to “wing it” on configurations or inventory. CM.L2-3.4.1 asks you to do two big things across the system life cycle:
(1) build and maintain secure, documented baselines for each system and
(2) keep a trustworthy inventory that actually reflects reality in production.

The CMMC Level 2 Assessment Guide spells this out clearly, including exactly what assessors will “Examine/Interview/Test” to verify it’s in place. In this article we will get granular with 1) Dissecting the Control, 2) What full implementation looks like, 3) Why this Control Fails, 4) A Quick Checklist.

1) Dissecting The Control in Two Logical Halves

Objectives A/B/C: Baseline Configurations

  • [a] Establish a baseline configuration for each system component type. For every deployed machine type, you define the approved build: OS version, required apps, hardened settings, network placement, and anything else that affects security and function.
  • [b] Include the full buildout for each system. Baselines must cover hardware, software, firmware, and documentation—not just a golden image. Think platform model/BIOS, OS and app versions/patch status, and the config parameters that lock it down.
  • [c] Maintain it consistently moving forward. As your environment changes, review and update baselines so they always reflect the live system and enterprise architecture (create new baselines when things change materially).

What lives in a solid baseline:

  • Laptops/Desktops/Servers
  • Enclaves (e.g., entire VDI and each component), laptops/workstations, servers
  • ALL Applications per asset group
  • Versions & patch levels for OS/apps/firmware
  • Networking elements: routers, switches, firewalls, WAPs, etc.

Objectives D/E/F: System Inventory

  • [d] Establish a system inventory. A real one… no, seriously. This is ideally software via Asset Management agent(s) that automate most of this process. BUT that is not required, just advice. Any devices classified as any of the CMMC asset types will be in-scope and should be in the system inventory.
  • [e] Include the full buildout for each system in the inventory. (again: hardware, software, firmware, and documentation).
  • [f] Maintain it. Review and update it as systems evolve so it stays accurate to production reality in a reasonable and timely manner.

What lives in a solid inventory:

  • Manufacturer, device type, model, serial number, physical location, owners/main users
  • Hardware specs & parameters
  • Software inventory with version control and potentially licensing information
  • Network info (machine names, IPs)

Assessor angle (what they look at): Policies, procedures, SSP, Configuration Management plan, inventory records and update logs, config docs, change/install/remove records; plus, interviews with the people who build and maintain these things; plus, tests of the actual processes and mechanisms you use to manage baselines and the inventory.

2) What Full Implementation Looks Like

A simple, effective pattern from the Assessment Guide:

  1. Design a secure workstation baseline. Research the hardened settings that deliver the least functionality needed to do the job, then test that baseline on a pilot machine.
  2. Document it (build sheet, settings, required software, version list, how it’s joined to the network) and roll it out to the rest of that asset class from the documented baseline.
  3. Update the master inventory manually, or make sure an appropriate agent is live to reflect the software changes and the devices now at the new baseline.
  4. Schedule a regular review interval to re-validate versions, patches, and settings; or make review a normal part of your SOP that is updated on a regular basis.

Scale that approach across all deployed machine types:

  • Enclaves & Virtual Desktop Infrastructure: baseline the image and each supporting component (connection brokers, secure gateways, user-profile layers, and file-system layers).
  • Laptops & Workstations: document hardware models and BIOS/UEFI versions, OS build, required apps, GPOs/MDM profiles.
  • Servers: OS baselines per role (AD/DNS, file, app, DB), service hardening, approved modules/agents.
  • Networking: switch/router/Firewall/WAP firmware baselines, approved feature sets and templates.
  • Applications Inventory: version standards, required configs, and how they’re deployed/updated.
  • Docs: build guides, change records.

And yes, tie everything to change management controls, because the second you patch, you either (1) update the baseline or (2) record an approved deviation and a plan to reconcile. The guide’s “Potential Assessment Considerations” call out version/patch levels, configuration parameters, network info, and communications with connected systems (proof for [a]/[b]), and timely baseline updates ([c]).

How computers are actually baselined, end-to-end:

  1. Procurement & intake: approve models; capture serials/asset tags at receipt; record ownership/location.
  2. Imaging: apply the gold image (or Autopilot/MDT/SCCM/Intune flow); inject drivers; enforce policies (GPO/MDM).
  3. Hardening: apply CIS/NIST-inspired settings that match your baseline; lock services/ports/protocols; set logging.
  4. Application set: install required software; check licensing; verify versions.
  5. Join & place: join to domain/MDM; put it in the right OU/MDM group/VLAN/segmented subnet.
  6. Recordkeeping: update the inventory with HW/SW/firmware/docs and network details; save the build sheet and sign-off.
  7. Review cadence: calendar-based (e.g., quarterly) and/or event-based (whenever a major patch lands) to keep baseline and inventory current ([c], [f]).

3) Why This Control Fails (Top-10, sitting at #10)

Short answer: it’s a lot of work. and it’s the kind that doesn’t scream until something goes terribly wrong…

  • Documentation feels heavy. A real baseline covers hardware, software, firmware, and documentation and needs regular updates. That is inherently more than “we have an image.” It is buildout documentation, version matrices, network placement, and the approval trail that shows the baseline evolved with your environment.
  • Inventory discipline gets neglected. Many shops run with a “good enough” list. CMMC expects manufacturer, model, serial, location, owner, license/version data, and network identifiers; and expects you to keep it aligned to reality. If the list doesn’t match what’s plugged in, you’ll feel it during interviews and evidence review… and potentially a failed assessment.
  • Change is constant. Patches, feature updates, firmware drops, and hardware refreshes mean your baseline and inventory are living artifacts. If you don’t have a trigger to update both when changes roll out, drift creeps in, and you’ll miss [c]/[f] maintenance requirements.
  • Historical culture. Plenty of orgs “got by” without rigorous Change Management and Asset Inventory. CMMC is forcing the shift from tribal knowledge to documented, reviewable practice. Assessors will Examine/Interview/Test to verify it’s not just policy on paper.
  • Tool sprawl and ownership ambiguity. If imaging is owned by one team, firmware by another, and inventory by a third, gaps appear. You need clear roles and a single source of truth that each team updates as part of their workflow (again, the guide’s methods target exactly these mechanisms).

4) A Quick checklist you can actually use:

  • A baseline configuration exists for each asset class (VDI, laptop/WS, server roles, network devices, key apps) with:
    • Versions/patch levels, hardened settings, required software, network placement, and rationale (A/B).
    • An update log proving periodic and event-driven reviews (C).
  • A system (asset) inventory exists and matches production, with HW/SW/firmware/docs and the who/where/how (D/E).
  • A cadence (calendar + change triggers) keeps both baseline and inventory in sync with reality (F).
  • Evidence on hand for assessors: policies, CM plan/SSP, build sheets, images/scripts, install/removal/change records, inventory review logs, asset inventory dashboards, and interviews with the people who actually do the work (the assessment guide lists these explicitly).


Sources:

  • CMMC Assessment Guide – Level 2, CM.L2-3.4.1 (practice statement, objectives a–f, methods, discussion, example).
  • NIST SP 800-171A, 3.4.1 (assessment objectives and methods).
  • NIST SP 800-171r2, 3.4.1 discussion (what belongs in baselines and inventories).

Top 10 Failed CMMC Controls, #10 System Baselining Read More »

Outsourcing Compliance and MSP Support is the Smart Choice

Business, CMMC, Cybersecurity, Managed Service Provider, MSSP, Security, Small Business, Technology /

The Compliance Challenge

For defense contractors, achieving and maintaining CMMC compliance isn’t optional—it’s the key to winning and keeping Department of War (DoD) contracts. But staying compliant is complex, time-consuming, and expensive if handled in-house:

  • Detailed Requirements and Configurations: Rolle IT MSSP Administrators are experienced and well versed in CMMC compliant configurations.
  • High Costs: Hiring full-time compliance, cybersecurity, and IT operations staff is not always cost effective for small and medium size businesses.
  • Resource Drain: Managing all IT, Compliance and Cybersecurity needs in house diverts attention from your core mission of serving the DoD
  • Audit Stress: Gathering evidence and maintaining documentation consumes valuable time.

The Smart Choice: Outsource to Rolle IT Cybersecurity

Outsourcing to Rolle IT means you get compliance expertise + 24/7 cybersecurity protection without the overhead of building it all yourself.

Benefits of Outsourcing:

Lower Cost, Higher Value

  • Pay only for the services you need—far less than hiring a full cybersecurity, compliance, and IT operations team.

Always Audit-Ready

  • We map technical controls directly to your SSP and CMMC requirements and maintain documentation, so you’re prepared when auditors arrive.

Specialized Expertise

  • Our MSSP services are designed for the Defense Industrial Base (DIB) and backed by CMMC, NIST 800-171, and DFARS expertise.

More Than An Internal Team

  • Instead of relying on one or two internal hires, Rolle IT delivers a full team of subject matter experts across compliance, cybersecurity, and IT operations.
  • Our team brings diverse skills—policy, monitoring, threat intelligence, forensics—that a couple of associates simply can’t match.
  • Greater efficiency: Less reliance on outside contractors since we cover more domains in-house.

Better Buying Power

  • As an MSSP, we can procure software licenses, cybersecurity tools, and hardware at negotiated rates—saving you money compared to going it alone.
  • Existing relationships with CMMC compliant Tools and FedRamp High Certified tools allows easier implementation and shorter ramp up times.

24/7 Monitoring & Protection

  • Our CrowdStrike-powered SOC detects and stops threats in real time—keeping you compliant and secure.

Focus on Your Core Business

  • You deliver for the DoD, while we handle compliance and cybersecurity.

Why Rolle IT?

  • Defense-Grade MSSP: Serving the DIB with CMMC-ready services.
  • Compliance-First Approach: Every service mapped to CMMC controls.
  • Scalable Solutions: From readiness assessments to full compliance-as-a-service.
  • Trusted Partner: A team dedicated to keeping you contract-eligible.

Take the Next Step

Don’t let compliance hold you back from DoD opportunities.
Partner with Rolle IT and stay secure, audit-ready, and competitive.

[email protected]

Outsourcing Compliance and MSP Support is the Smart Choice Read More »

DoD’s 48 CFR Final Rule Reaches OIRA Review & is Cleared

Business, CMMC, Compliance, Cybersecurity / / , , , ,

On July 22, 2025, the Department of Defense took a major step toward finalizing its long-anticipated 48 CFR (DFARS) rule implementing the Cybersecurity Maturity Model Certification (CMMC). The rule was officially submitted to the Office of Information and Regulatory Affairs (OIRA) for interagency review.

This submission marks the last checkpoint before the rule is published in the Federal Register and becomes binding on contractors. Once cleared by OIRA, DoD can move forward with inserting the updated DFARS requirements into new solicitations and contracts.

What Comes Next

  • OIRA Review: OIRA cleared it on August 25, 2025. 
  • Federal Register Publication: The rule will be published in the Federal Register along with an official effective date. Federal regulations generally become enforceable within 1 to 60 days of publication.
  • Contract Implementation: Contractors can expect DFARS clauses referencing the CMMC requirements to begin appearing in solicitations as early as late 2025.

Why It Matters

This milestone carries real implications for defense contractors. Once the rule takes effect, companies that lack a CMMC-certified environment may find themselves ineligible to win or execute DoD contracts. It won’t be enough to have plans in place—contracting officers will need assurance that sensitive Department of Defense work is performed within a secure, certified environment.

For many small and mid-sized businesses, this could mean the difference between maintaining a foothold in the Defense Industrial Base or being locked out of future opportunities. Companies that have delayed compliance run the risk of being passed over in favor of competitors who are audit-ready.

Final Thought

For defense contractors, this is the clearest signal yet that CMMC compliance is no longer optional or “someday.” With the rule in OIRA’s hands, the countdown to enforcement has begun. Contractors handling Controlled Unclassified Information (CUI) should ensure their NIST 800-171 controls are implemented, documented, and verifiable inside a certified environment.

DoD’s 48 CFR Final Rule Reaches OIRA Review & is Cleared Read More »