SERIES: CMMC COMPLIANCE WITH OVERWATCH TOOLS — PART 1 OF 6

What "Real" CMMC Compliance Looks Like

142 L1 artifacts and 182 L2 artifacts, mapped — beyond the yes/no answers

Most small defense contractors who tell me they're CMMC Level 1 compliant have a spreadsheet with 15 yes/no answers and a generic Access Control Policy they downloaded six months ago. That's not a self-assessment. That's a checklist — and DoD knows the difference.

This is the first post in a series about how the Overwatch Tools L1 Turnkey and L2 CUI Enclave packages actually work. We're starting here because the rest of the series doesn't make sense until we agree on what "compliance" actually means. Spoiler: it isn't a row-by-row attestation that you've read NIST SP 800-171.

If you've already done a self-assessment and you're not 100% sure it would survive scrutiny, this post is for you. We're not here to shame you for what's on your hard drive today. We're here to show you what the standard actually is — and what it takes to meet it.

The Checklist Trap

The CMMC Level 1 model maps to 15 practices drawn from FAR 52.204-21 and NIST SP 800-171. The Level 2 model maps to all 110 practices in NIST SP 800-171. Because the practices are written as discrete, testable statements, it's easy to read them as checklist items — "do we limit information system access to authorized users? Yes." Done.

That reading is wrong, and it's wrong in a specific way. The CMMC assessment guides published by DoD make it clear that an assessor (or a DoD reviewer for L1, a C3PAO for L2 when the program requires it) is looking for three things on every practice: a policy that defines the requirement, a procedure that implements it, and evidence that it's actually being done. A "yes" answer to a practice question is the conclusion of an assessment, not the assessment itself.

This is where most small contractor self-assessments fall apart. The yes/no answers are there. The artifacts behind them aren't.

⚠ Checklist Compliance

  • A spreadsheet with 15 (or 110) yes/no answers
  • A generic Access Control Policy downloaded from a template site, with the company name swapped in
  • Vague claims like "we use strong passwords" with no documented standard
  • No evidence that the practice has actually been performed
  • No record of who reviewed it, when, or whether anything changed
  • SPRS score posted from the spreadsheet — and nothing behind it

✓ Real Compliance

  • A documented policy for every practice, scoped to your environment
  • A procedure that says how the policy is implemented in your platform
  • Configuration evidence — settings, screenshots, exports — pulled from your actual M365 or Google Workspace tenant
  • An evidence locker with date-stamped artifacts tied to specific practices
  • A review cadence (quarterly, annual) with documented results
  • A self-assessment package and SPRS score that match the artifacts behind them

The gap between these two columns is where contracts get lost. DoD has been clear that L1 self-assessments are subject to government review at any time, and that material misrepresentation in the SPRS submission carries False Claims Act exposure. A contractor who can't produce evidence behind their score isn't in a defensible position. They're in a hopeful one.

What Real L1 Compliance Looks Like: 15 Practices, 142 Artifacts

CMMC LEVEL 1
15 practices → 142 artifacts

Self-assessment based. The Overwatch Tools L1 Turnkey Package maps every practice to its required deliverables.

The 15 practices live across six domains: Access Control (AC), Identification and Authentication (IA), Media Protection (MP), Physical Protection (PE), System and Communications Protection (SC), and System and Information Integrity (SI). They're the foundation. They're also where the checklist trap is most common, because the practices look simple on paper.

What the practices actually require — once you read the assessment guide and stop reading just the requirement statement — looks more like this:

  • Policies — a written, approved statement of intent for each domain. Scoped to your environment, not a generic template.
  • Procedures — the operational "how." How does account provisioning actually work in your M365 or Google Workspace tenant? Step by step, in writing.
  • Configuration guides — the platform settings that implement the practice. Screen-by-screen, not "enable MFA somewhere."
  • Evidence templates — what you collect to prove the procedure runs. User access reviews, account provisioning logs, media disposal records, visitor logs.
  • Self-assessment documentation — the practice-by-practice scoring rationale, packaged and date-stamped.
  • SPRS submission package — the score, the affirmation, and the supporting record.

The L1 Turnkey Package breaks those six categories into 142 specific deliverables, each tied to one or more of the 15 practices. Some examples of what that includes in practice:

  • An Access Control Policy and an account management procedure that match what your platform actually does
  • An Authentication Standard that defines password length, MFA requirement, and lockout thresholds — and a screenshot pack that shows those settings live
  • A Media Disposal Record template, plus a procedure for what happens when an employee leaves and their laptop comes back
  • A Visitor Log template and a Physical Access Control procedure scoped to your office (or the lack of one — remote-only operations get their own treatment)
  • A Boundary Protection configuration guide for whichever firewall and router you're actually using, not a generic Cisco reference
  • A Flaw Remediation procedure that says when patches get applied, who applies them, and where the record lives

None of this is exotic. All of it is what an L1 self-assessment is supposed to be backed by. The reason most small contractors don't have it isn't a skills gap — it's that nobody handed them the map.

What Real L2 Compliance Looks Like: 110 Practices, 182 Artifacts

CMMC LEVEL 2 — SELF-ASSESSMENT
110 practices → 182 artifacts

For Level 2 programs eligible for annual self-assessment. Built around a dedicated CUI enclave on M365 GCC High or Google Workspace for Government.

Level 2 covers all 110 practices across 14 NIST SP 800-171 domains: AC, AT (Awareness and Training), AU (Audit and Accountability), CM (Configuration Management), IA, IR (Incident Response), MA (Maintenance), MP, PE, PS (Personnel Security), RA (Risk Assessment), CA (Security Assessment), SC, and SI. The L2 CUI Enclave Package maps those practices to 182 defined artifacts, including everything from the L1 picture above — plus the named deliverables that L2 specifically requires.

The named L2 deliverables

These aren't optional. They're called out by name in the NIST and CMMC assessment guidance, and an L2 self-assessment without them is incomplete on its face:

  • System Security Plan (SSP) — the master document describing your CUI environment, every control, and how it's implemented. Pre-filled in the L2 package, scoped to a small-business CUI enclave.
  • Plan of Action & Milestones (POAM) framework — the structure for tracking any practice that's not fully implemented at assessment time, with milestones and owners.
  • Risk Register — the living record of identified risks, treatments, and decisions, tied to the RA practices.
  • Evidence checklist — practice-by-practice, what you collect and where it lives.
  • Enclave configuration guides — for M365 GCC High or Google Workspace for Government, depending on your platform choice. Screen-by-screen, scoped to a CUI-only enclave.

⚠ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.

The L2 package is built around a dedicated CUI enclave model — a focused environment for handling Controlled Unclassified Information that sits separately from the rest of your business. That's the right shape for small contractors with limited CUI scope, because it keeps the 110 practices applied to a defined boundary instead of trying to apply them to your whole company. We'll go deeper on what an enclave actually looks like later in this series. For now, the takeaway is that the artifact list is built for that environment, not for an enterprise IT shop.

Want to see if your current compliance posture would survive an audit?

A free 30-minute consultation. We'll walk through where you are today and what real compliance would look like for your business.

Book a Free 30-Minute Consultation

Why This Matters Now

L1: DoD can audit at any time

The L1 self-assessment isn't a one-time submission you forget about. The contractor's affirmation in SPRS is an ongoing claim. DoD has the authority to review L1 self-assessments — the supporting artifacts, the evidence, the SPRS score and what backs it — at any time. A request for documentation goes to a contractor whose folder structure looks like the "checklist" column above, and the conversation with the contracting officer gets uncomfortable fast.

"We have a spreadsheet" doesn't survive that conversation. "We have 142 mapped artifacts, an evidence locker, and a quarterly review log" does.

L2: the self-assessment window has a clock on it

For L2 programs eligible for self-assessment, the rule structure currently allows a defined self-assessment window before C3PAO assessment becomes required for those programs. Contractors who treat that window as a chance to do a paper self-assessment with no operational substance are setting themselves up to fail when the C3PAO arrives — because a C3PAO assessment is the "real compliance" column on steroids. They don't accept yes/no answers. They want the policy, the procedure, the configuration, the evidence, the review log, and they want it correlated.

An L2 self-assessment built on 182 mapped artifacts isn't just defensible today. It's the bridge to whatever comes next — including, if your program scope changes, a C3PAO assessment. A self-assessment built on a spreadsheet isn't.

Operational Framework, Not a Checklist

The practical difference between checklist compliance and real compliance comes down to one question: can you produce the evidence on demand, today, six months from now, and three years from now?

That's an operational question, not a documentation question. It requires:

  • An evidence locker — a defined place where artifacts live, organized by practice, date-stamped, with version history. Both Overwatch Tools packages include this structure.
  • Documented procedures — when does account review happen? Who runs it? Where's the output saved? In writing, not in someone's head.
  • A review cadence — quarterly maintenance, annual self-assessment refresh, evidence collection on a schedule. Not "when we get around to it."
  • Role clarity — for L2 in particular, the package defines roles for the Owner/Manager (signs policies, approves decisions, runs quarterly reviews), the IT Point Person (implements technical controls, maintains evidence), and the CUI User (follows procedures, reports incidents).

This is the framework difference. The packages aren't a stack of templates. They're operational frameworks that tell you what to do, when, and where the proof goes when you've done it. That's the part that survives an audit.
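One way to make the "can you produce the evidence on demand" question checkable, as an added example that is not Overwatch Tools code: a small audit over an evidence-locker manifest that applies the post's three tests per practice (policy, procedure, evidence) and flags evidence older than the quarterly cadence. The practice IDs, file paths and dates below are a constructed sample, not a full practice list.

```python
from datetime import date

# Added example, not Overwatch Tools code: audit an evidence locker as the post
# describes it, checking that every practice has a policy, a procedure and
# date-stamped evidence, and that the newest evidence is inside the review cadence.
REQUIRED_KINDS = ("policy", "procedure", "evidence")
REVIEW_CADENCE_DAYS = 90  # quarterly review cadence from the post

# Constructed sample of three L1 practice IDs (not the full list of practices).
SAMPLE_PRACTICES = ["AC.L1-3.1.1", "IA.L1-3.5.2", "MP.L1-3.8.3"]

# Constructed locker manifest: (practice_id, artifact kind, path, date collected).
SAMPLE_LOCKER = [
    ("AC.L1-3.1.1", "policy", "AC/access-control-policy-v3.pdf", date(2025, 1, 10)),
    ("AC.L1-3.1.1", "procedure", "AC/account-provisioning-procedure.md", date(2025, 1, 10)),
    ("AC.L1-3.1.1", "evidence", "AC/evidence/2025-03-31-user-access-review.xlsx", date(2025, 3, 31)),
    ("IA.L1-3.5.2", "policy", "IA/authentication-standard.pdf", date(2025, 1, 10)),
    ("IA.L1-3.5.2", "procedure", "IA/mfa-enrollment-procedure.md", date(2025, 1, 10)),
    ("IA.L1-3.5.2", "evidence", "IA/evidence/2024-11-05-mfa-settings.zip", date(2024, 11, 5)),
    ("MP.L1-3.8.3", "policy", "MP/media-protection-policy.pdf", date(2025, 1, 10)),
    # MP.L1-3.8.3 has a policy only: no disposal procedure and no disposal records yet.
]

def audit_locker(manifest, practices, today):
    """Return {practice_id: [finding, ...]}; an empty list means nothing to fix."""
    artifacts = {p: {kind: [] for kind in REQUIRED_KINDS} for p in practices}
    for practice, kind, path, collected in manifest:
        if practice in artifacts and kind in REQUIRED_KINDS:
            artifacts[practice][kind].append((collected, path))
    findings = {}
    for practice in practices:
        issues = [f"missing {k}" for k in REQUIRED_KINDS if not artifacts[practice][k]]
        if artifacts[practice]["evidence"]:
            newest, path = max(artifacts[practice]["evidence"])  # latest collection date wins
            age_days = (today - newest).days
            if age_days > REVIEW_CADENCE_DAYS:
                issues.append(f"stale evidence ({age_days} days old): {path}")
        findings[practice] = issues
    return findings

def defensible(findings):
    """True only when every practice has a complete and current artifact set."""
    return all(not issues for issues in findings.values())

def sample_findings(today=date(2025, 4, 15)):
    """Run the audit over the constructed sample as of a fixed review date."""
    return audit_locker(SAMPLE_LOCKER, SAMPLE_PRACTICES, today)
```

Running `sample_findings()` shows the three outcomes the post contrasts: a practice with a complete, current artifact set, one whose evidence has aged past the quarterly cadence, and one with a policy but nothing behind it.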

How the L1 Turnkey Delivers Real L1 Compliance

The L1 Turnkey Package is built specifically for small defense contractors handling FCI under DoD contracts who need a defensible self-assessment, not a checklist. What's in the package:

  • 15 practices broken into 142 required artifacts — every policy, procedure, configuration guide, evidence template, and self-assessment document mapped explicitly to the practices they support
  • Platform-specific templates for Microsoft 365 or Google Workspace — your choice, no translating enterprise documents
  • All 8 device and network configuration guides — Windows, Mac, iOS, Android, home office network, small office network, and more
  • 8 bi-weekly expert consultation sessions (1 hour each) — the structured arc that walks you from kickoff to SPRS submission
  • Evidence locker structure and SPRS report package — date-stamped self-assessment documentation, ready for review
  • Free 30-minute kickoff consultation

Most clients complete their Level 1 self-assessment in 2–4 weeks. Your timeline depends on your existing infrastructure and how quickly you can implement between sessions — but the artifacts and consulting cadence are designed to keep you moving.

How the L2 CUI Enclave Delivers Real L2 Compliance

The L2 CUI Enclave Package is built for small contractors who handle CUI under contracts eligible for annual self-assessment, who need a right-sized L2 environment without enterprise IT overhead. What's in the package:

  • 110 practices broken into 182 defined artifacts — covering all 14 NIST SP 800-171 domains
  • Pre-filled SSP, POAM framework, Risk Register, and evidence checklist — the named L2 deliverables, scoped to a small-business enclave
  • Dedicated CUI enclave configuration guides for M365 GCC High or Google Workspace for Government — your choice of platform variant
  • 12 bi-weekly expert consulting sessions — the L2 arc walks through scope, domain coverage, enclave implementation, SSP/POAM/Risk Register, and SPRS submission
  • No enterprise IT required — no Active Directory, no SIEM, no full-time security staff. Designed for dedicated CUI-only Windows laptops or Chromebooks (we provide the templates and config guides; you provide the hardware).
  • Time estimates on every task — implementable part-time over the engagement
  • Free 30-minute kickoff consultation

The L2 package is a partner engagement: we provide the artifacts, the configuration guides, and the consulting. You implement, with our support. That's the only model that produces real compliance — because compliance lives in your environment, not in a template package on a vendor's server.

For Contractors Handling Both FCI and CUI: The Combined Stack

  • L1 Turnkey: $2,495/yr, 15 practices → 142 artifacts, FCI scope
  • L2 CUI Enclave: $3,495/yr, 110 practices → 182 artifacts, CUI enclave scope
  • Combined Stack: $5,990/yr, full FCI + CUI coverage, one predictable cost

For a contractor handling both FCI (your main business operations) and CUI (a defined CUI enclave), the two packages stack. L2 doesn't replace L1 — your main business still operates under L1's 15 practices, and your CUI enclave operates under L2's 110. The combined annual investment is $5,990 for fully mapped, defensible compliance across both scopes.

That's a reference point, not a prescription. Many contractors only need L1 — and they still need real L1, not a checklist. The free consultation is where we figure out which scope applies to you.

The Bottom Line

The CMMC standard hasn't changed since the program was finalized. What's changed — and what's still changing — is the level of scrutiny applied to self-assessments, both at L1 (where DoD audit authority is real and exercised) and at L2 (where the path to C3PAO assessment is built into the rule structure for many programs). The contractors who do well in this environment aren't the ones with the cleverest spreadsheets. They're the ones whose self-assessments are backed by operational frameworks — policies that match procedures that match configurations that match evidence.

That's what 142 mapped L1 artifacts and 182 mapped L2 artifacts produce. Not paperwork for paperwork's sake. A defensible position.

Ready to See What Real Compliance Looks Like for Your Business?

A free 30-minute consultation. We'll walk through your current scope, your current posture, and what real L1 or L2 (or both) would look like in your environment. No obligation — just clarity.

Schedule Your Free 30 Minutes

The difference between a checklist and real compliance is the difference between hoping you don't get audited and knowing you'll pass when you do.

This is Part 1 of 6 in the "CMMC Compliance with Overwatch Tools" series. Coming up: how the L1 and L2 consulting session arcs actually work, what a CUI enclave looks like in practice, why platform-specific templates beat generic ones, how to do CMMC without enterprise IT, and how the combined L1 + L2 stack covers contractors handling both FCI and CUI.

Copyright © 2025 Overwatch Tools, Inc.