CMMC Series Part 4: The 3 Most Common Issues in the CMMC Gap Analysis

Modified on: February 3, 2021

In this Article

  • Learn about the most common findings we identify in CMMC Gap Analyses.
  • Learn how your organization can avoid these gaps on your path to CMMC.

#1. You Don’t Have Enough Documentation.

As IT and compliance become more complex, documentation of processes and management becomes increasingly important.

The technical implementation could be stellar, but without the policies and procedures to support it, you’ll have difficulty meeting the other goals required to achieve CMMC, like fully managing incident response and configuration management. Lacking documentation for current policies and procedures also significantly complicates the process of managing and documenting further changes to your organization’s cyber environment.

Documentation is helpful during preparation for CMMC, especially during the Gap Analysis phase. If you don’t already have ample documentation for all policies and procedures, this will likely be a sizable part of remediation.

Having proper policies and procedures is also important for achieving CMMC Level 3 and above during the CMMC Assessment phase. At this level, two out of three types of acceptable proof — interview, testing, or observation — are required to validate each control; documentation will prove invaluable.

Also keep in mind that any documentation procedures will need to be both implemented and matured to pass CMMC Level 3, meaning that they are already an effective and established part of your organization’s compliance strategy.