
GIGO: Garbage In, Garbage Out: Why Documentation Can Make or Break Your CMMC Success

Strong documentation is critical to CMMC success. Learn the key evidence assessors expect and how to avoid common documentation failures.

Published on Jul 24, 2025

GIGO was first used in the 1960s when computer engineers understood that computers would process whatever you give them! If you input unreliable information, your output will inevitably be unreliable as well.  

When it comes to cybersecurity and CMMC compliance, GIGO still rings true. You can have great tools and well-intended practices, but if your documentation doesn’t back it up, you simply will not pass the assessment. At Agile IT, we’ve seen time and again that documenting your controls is just as important as implementing the controls themselves. 

For contractors in the Defense Industrial Base (DIB), solid documentation isn’t a check-the-box formality. It is the actual proof that your security program is real, repeatable, and aligned with the CMMC framework.

Documentation: The Unsung Hero of Your CMMC Assessment

CMMC assessments are based on three things: examination, interviews, and testing. While interviews show what staff know and testing shows what works in practice, documentation is what proves intent. It tells the assessor, in black and white, what your organization set out to do and how you do it. 

The kicker? Only finalized documents count. Drafts won’t pass—they’re considered unofficial and will crash your assessment if relied on for evidence. 

What Assessors Are Really Looking For

Assessors aren’t trying to catch you off guard. They’re looking for two things: 

  • Adequate evidence – the right documentation 

  • Sufficient coverage – enough proof to show full implementation

That typically means a mix of documentation, process artifacts, and observed behavior. It’s not about perfection—it’s about consistency and clarity. If you already read our blog about the difference between process controls and technical controls, you understand that more than half of CMMC Level 2 compliance relies on process controls. 

Documentation You Can’t Afford to Miss 

Here are the key document types that form the backbone of CMMC compliance: 

  • Policies, Processes, and Procedures: These are essential for meeting many security requirements in both CMMC Levels 1 and 2. For Level 1, while not explicitly required, policies like access control are helpful for consistency and clarity. For Level 2, documentation of access practices (e.g., policies, SSP) is explicitly required.

  • System Security Plan (SSP): A must for Level 2+. It defines your system boundaries, security controls, and how everything connects. No current SSP = no assessment. 

  • Plan of Action and Milestones (POA&M): Your remediation roadmap—what’s broken, how bad it is, what you’re doing to fix it, and when. It is important to note that not all controls are permitted in the POA&M. 

  • Training Records: Show who’s been trained and on what—especially for insider threat awareness. 

  • Incident Response Plan: Prove that your team knows what to do when things go wrong. 

  • Data Flow Diagrams: Help scope your environment and show how FCI and CUI move through your systems. 

  • Audit Logs: These prove you’re watching your environment and capturing the right details: timestamps, IPs, user IDs, and event types. 

  • Physical Access Logs: Badge readers, sign-in sheets—anything that tracks physical entry and exit to sensitive areas.

Where Documentation Breaks Down (And What It Costs You) 

Even with good intentions, poor documentation is a common cause of failed assessments. Here’s what often goes wrong: 

  • Missing or outdated info: Logs that don’t reflect current users or infrastructure can be interpreted as a lack of implementation, even if the process exists. 

  • Relying on drafts: Working docs don’t count. Only finalized, endorsed policies qualify. The assessor should be able to verify the document is accurate and officially approved. 

  • No leadership sign-off: If a policy lacks management’s stamp of approval, it’s as good as unofficial, implying immaturity in your security practices. 

  • Undefined parameters: If your scan frequency or logging thresholds aren’t clearly stated, you will most definitely get a “NOT MET.” 

  • Uncorrelated logs: Collecting logs isn’t enough—you have to correlate them to detect threats; simply having a log of data is unremarkable.
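To make the two log-related points above concrete (capturing the right details in every audit record, and correlating records across systems rather than just collecting them), here is an added example that is not part of the original post or any Agile IT tooling. It assumes a JSON-lines log format with the keys `ts`, `src_ip`, `user`, `event` and `system`, and uses constructed sample records; the required-field list, the failed-login threshold and the correlation window are placeholder values standing in for parameters an organization would state explicitly in its own audit logging policy.

```python
"""Evidence completeness and log correlation check (added example).

Assumptions (not from the blog post): audit logs are JSON lines carrying
"ts" (ISO 8601, UTC), "src_ip", "user", "event" and "system". The policy
parameters below are constructed placeholders; a real organization would
define and document its own values.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters an audit logging policy / SSP should state explicitly.
REQUIRED_FIELDS = ("ts", "src_ip", "user", "event", "system")
FAILED_LOGIN_THRESHOLD = 3              # failures from one source IP ...
CORRELATION_WINDOW = timedelta(minutes=10)  # ... within this window

# Constructed sample records from two systems (documentation IP ranges);
# the last record deliberately lacks a source IP.
SAMPLE_LOGS = """\
{"ts": "2025-07-24T13:00:05Z", "src_ip": "203.0.113.7", "user": "jdoe", "event": "login_failure", "system": "vpn"}
{"ts": "2025-07-24T13:01:10Z", "src_ip": "203.0.113.7", "user": "jdoe", "event": "login_failure", "system": "vpn"}
{"ts": "2025-07-24T13:02:40Z", "src_ip": "203.0.113.7", "user": "asmith", "event": "login_failure", "system": "fileserver"}
{"ts": "2025-07-24T13:03:15Z", "src_ip": "203.0.113.7", "user": "asmith", "event": "login_success", "system": "fileserver"}
{"ts": "2025-07-24T13:30:00Z", "src_ip": "198.51.100.4", "user": "bking", "event": "login_failure", "system": "vpn"}
{"ts": "2025-07-24T14:05:00Z", "user": "bking", "event": "login_failure", "system": "vpn"}
"""


def parse_logs(text):
    """Parse JSON lines. Returns (records, incomplete), where incomplete
    lists (line_number, missing_fields) for records that cannot serve as
    evidence because a required field is absent."""
    records, incomplete = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            incomplete.append((line_no, missing))
            continue
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records, incomplete


def correlate_failed_logins(records, threshold=FAILED_LOGIN_THRESHOLD,
                            window=CORRELATION_WINDOW):
    """Group login failures by source IP across every system and report any
    IP with at least `threshold` failures inside one sliding `window`.
    Per-system views would miss the cross-system pattern; the join on
    src_ip is the correlation step."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["event"] == "login_failure":
            by_ip[rec["src_ip"]].append(rec)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                span = events[start:end + 1]
                findings.append({
                    "src_ip": ip,
                    "count": len(span),
                    "systems": sorted({r["system"] for r in span}),
                    "users": sorted({r["user"] for r in span}),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                })
                break  # one finding per IP is enough for review
    return findings


if __name__ == "__main__":
    recs, bad = parse_logs(SAMPLE_LOGS)
    for line_no, missing in bad:
        print(f"line {line_no}: record lacks required evidence field(s) {missing}")
    for f in correlate_failed_logins(recs):
        print(f"{f['src_ip']}: {f['count']} login failures across "
              f"{f['systems']} (users {f['users']}) between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S} UTC")
```

Run as-is, the script flags the record with no source IP as unusable evidence and reports one source IP whose failures span both the VPN and the file server, which neither system's log would show on its own. The threshold and window are declared at the top precisely so an assessor can match the running check against the value written in the policy.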

Poor Documentation = Poor Outcomes 

In CMMC Level 2, your score starts at 110 points. Each failed practice deducts between 1 and 5 points. Even one missing assessment objective can sink your result. 

While it’s possible to qualify for conditional certification if you score above 88, high-weighted practices can’t be deferred to your POA&M. For the ones that can, fail to remediate them within the allowed time (180 days) and your conditional status disappears.

Oh—and everything gets uploaded to eMASS. While assessors don’t keep your documents, they do submit parts of your evidence, which you must retain for six years. 

Make Documentation Work for You

Here’s how to turn documentation into a compliance asset—not a liability: 

  • Maintain clear, comprehensive policies and procedures across your environment. 

  • Review and update regularly to match your current operations and risks. 

  • Enforce access control using least privilege and make sure it’s logged. 

  • Deploy MFA for all privileged access—and document it. 

  • Define your audit logging strategy, and make sure logs are protected, correlated, and reviewed. 

  • Secure management buy-in with visible signatures or digital endorsements. 

  • Train employees regularly to recognize threats and escalate issues. 

  • Encrypt CUI in transit and at rest, especially in remote work scenarios. 

  • Use standardized templates and tools that align with CMMC and eMASS formats.

Bottom Line: Documentation Is Your Best Defense

Cybersecurity is a daily effort. Documentation is the evidence that it’s happening. Done right, it supports your security posture, streamlines assessments, and keeps you eligible for contracts in the DIB. Done poorly, it erodes your credibility—even if your controls are solid. 

At Agile IT, we don’t just prepare you for the assessment—we prepare you for success. That starts with helping you build documentation that’s clear, current, and capable of passing muster the first time. Reach out today to find out how we can help you!
