CMMC – How to Start


The big spreadsheet of controls

When a business or team is tasked with delivering CMMC readiness, the standard method is to find the big spreadsheet of controls and start marking it up. This approach makes perfect sense, but as you work through it, it quickly becomes unwieldy.

  • Not every control can be completed by the same team.
  • They request “evidence,” but what in the world do they want to see?
  • How are we to convert generic controls into actionable requirements?
  • What does “good” look like?
  • How do we know if what we’re doing will pass an audit?

If you’re asking yourself these questions, you’re not alone. In fact, what starts as a spreadsheet with a long list of controls quickly turns into multiple sheets, plus additional documents with policies and procedures. And when you dig into what the auditors are looking for, they want multiple things for each control.

This leaves many teams with a long list of documents that may or may not actually pass audit, and a lot of questions.

Having worked through this process many times before, I have searched the deepest, darkest corners of the Internet for solutions. This isn’t new. Lots of businesses are facing the same hurdles and asking the same questions, and yet, the various tools and templates I’ve found have left me even more lost and confused.

AC.1.001 – Limit information system access to authorized users

This is one of the controls; in fact, it’s the first control. It seems pretty basic, right? Hopefully, we’re all doing this. But, other than checking the box, what is required for this one control?

A documented Access Control Policy

The policy must explicitly define:

  • Who may request access
  • How access is approved
  • The principle of least privilege
  • Account types (user, admin, service)
  • Prohibition of shared accounts
  • Requirements for MFA
  • Requirements for unique identifiers
  • How often access is reviewed

A documented User Account Management Procedure

This must detail, step-by-step:

  • Joiner Process
    • Who submits user creation requests
    • Required information (role, department, access needed)
    • How IT validates the request
    • How access is provisioned
    • Tickets or forms required
  • Mover Process:
    • Revalidating permissions when employees change roles
    • Updating distribution/security groups
    • Notifying IT of access changes
  • Leaver Process:
    • Same-day termination requirements
    • Disabling accounts (AD, Entra, SaaS, VPN)
    • Revoking MFA tokens and application access
    • Documenting completion in the ticketing system

Implementation Tasks (the real work)

  • All user accounts must be tied to a real, documented human.
  • All service accounts must be documented and justified.
  • No account may remain active after the employee termination date.
  • MFA must be enforced on all remote and privileged access.
  • Admin work must be done with separate privileged accounts.
  • A complete user access review must occur at least annually, ideally quarterly.

Evidence Required (This is the level assessors actually expect)

  1. User Access List
    • Must include:
      • Full name
      • Department
      • Role
      • Access level
      • Privileged access (Y/N)
      • Account type (user, admin, service)
      • Status (active/disabled)
      • Date created
      • Date reviewed
  2. Identity Provider Export
    • From AD / Entra ID / Okta:
      • Full list of identities
      • Group/role membership
      • Last login
      • MFA Status
      • Disabled Accounts
    • Assessors compare these side-by-side with your user access list.
  3. JML (Joiner/Mover/Leaver) Artifacts
    • Examples
      • Ticket for most recent user created
      • Ticket for most recent user terminated
      • Approval records
      • Timestamp showing account disablement aligned to HR termination date
  4. Screenshots / System Configuration Evidence
    • AD or Entra ID OU Structure
    • Privileged groups (Domain Admins, Global Admins) showing no non-admin users
    • MFA enforcement policy
    • Conditional access rules
  5. Audit Logs (if applicable)
    • Logs showing successful and failed login attempts
    • Logs showing last logins for admin accounts
  6. Policy + Procedure Documents
    • Access Control Policy
    • User Account Management Procedure
    • Privileged Access Policy (or integrated into the Access Control Policy)
  7. Access Review Records
    • Quarterly or annual access review report
    • Evidence showing managers validated user access
    • Remediation steps for any incorrect access

Common Failure Points (Straight from assessor findings)

  • Disabled employees still have active SaaS accounts
  • No documented joiner/mover/leaver process
  • No quarterly or annual access reviews
  • Shared admin credentials
  • Admin accounts used for daily office work
  • MFA enforced for some users, but not all
  • Service accounts with excessive privileges
  • No evidence that any process is being followed.
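The side-by-side comparison assessors perform between your user access list (evidence item 1) and the identity provider export (item 2) catches most of the failure points above, and it is easy to automate. The following is an added example, not code from the original post or from any of the tools it mentions: both CSV inputs are constructed, and the column names are assumptions standing in for whatever your HR system and AD / Entra ID / Okta export actually produce.

```python
import csv
import io
from datetime import date

# Constructed HR-maintained user access list (evidence item 1); column names are assumed.
ACCESS_LIST = """\
username,full_name,account_type,privileged,status,termination_date
jdoe,Jane Doe,user,N,active,
asmith,Adam Smith,admin,Y,active,
bkhan,Bina Khan,user,N,disabled,2024-03-01
svc_backup,Backup Service,service,Y,active,
"""

# Constructed identity-provider export (evidence item 2), e.g. from AD / Entra ID / Okta.
IDP_EXPORT = """\
username,enabled,groups,mfa_enrolled,last_login
jdoe,true,Staff,true,2024-05-02
asmith,true,Staff;Domain Admins,true,2024-05-03
bkhan,true,Staff,false,2024-03-04
svc_backup,true,Backup Operators,false,2024-05-01
tmp_contractor,true,Staff;Domain Admins,false,2024-04-30
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Global Admins"}

def reconcile(access_csv, idp_csv, today=date(2024, 5, 4)):
    """Compare the IdP export against the access list and return (username, finding) pairs."""
    hr = {r["username"]: r for r in csv.DictReader(io.StringIO(access_csv))}
    findings = []
    for r in csv.DictReader(io.StringIO(idp_csv)):
        user, enabled = r["username"], r["enabled"].lower() == "true"
        privileged = bool(set(r["groups"].split(";")) & PRIVILEGED_GROUPS)
        row = hr.get(user)
        if row is None:  # identity exists in the IdP but nobody documented it
            findings.append((user, "identity not on the documented access list"))
            continue
        term = row["termination_date"]
        if enabled and term and date.fromisoformat(term) <= today:
            findings.append((user, f"still enabled after termination on {term}"))
        if enabled and row["status"] == "disabled":
            findings.append((user, "access list says disabled but IdP account is enabled"))
        if privileged and row["privileged"] != "Y":
            findings.append((user, "member of a privileged group but not documented as privileged"))
        if privileged and row["account_type"] != "admin":
            findings.append((user, "privileged group member is not a separate admin account"))
        if enabled and row["account_type"] != "service" and r["mfa_enrolled"].lower() != "true":
            findings.append((user, "interactive account without MFA"))
    return findings
```

Run `reconcile(ACCESS_LIST, IDP_EXPORT)` on the constructed data and it flags the terminated-but-enabled account, the missing MFA, and an undocumented identity sitting in Domain Admins, which is exactly the kind of discrepancy an assessor writes up.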

Phew! Just That?

If you’re anything like me, you did not read the words “Limit information system access to authorized users,” and somehow come to the conclusion that you would likely need hundreds of pages of documentation / evidence for just this one control. Now that you know, how can you keep track of all that in an Excel spreadsheet? Don’t worry, though. There are only 109 more controls left to go.

The Hunt for a Better Way

I have searched and searched for a better way to not only track the creation and collection process, but also to work through it with the auditors. I have tested many tools, and somehow, they have always been lacking. This is why I finally created my own solution. And then I recreated it, repeatedly, until it made the process not only more organized and repeatable, but also more straightforward and auditable.

This application has helped me make sense of mountains of paperwork and confusion, and I believe it can do the same thing for you.
