Evidence That Survives Scrutiny: What's in Your L1 and L2 Artifact Locker
Your self-assessment is only as good as your evidence. Here's what the L1 and L2 packages deliver beyond the policies, and why the proof is the part that actually survives an audit.
When DoD audits a CMMC self-assessment, they don't ask whether you have an Access Control Policy. They ask to see the four most recent quarterly access reviews. If you don't have them, your policy is a piece of paper.
This is the single most misunderstood thing about CMMC compliance, and it's the reason a surprising number of self-assessments that look complete fall apart the moment someone with authority starts asking questions.
Most small contractors approach CMMC as a documentation exercise. Write the policies. Check the boxes. File the SPRS score. And to be fair, the policies are required: you can't pass without them. But the policies are the easy part. They're the part you can buy, download, or generate in an afternoon.
The hard part, the part that separates defensible compliance from a checklist on paper, is proving the policies are actually running. That proof is called evidence. And evidence is a distinct deliverable, not an afterthought you scramble to assemble the week before an assessment.
The "Policies Without Evidence" Problem
Here's where most weak self-assessments break: not at the policy step, at the evidence step.
A contractor writes an Access Control Policy that says privileged accounts are reviewed quarterly. Good. That's a real requirement, and the policy satisfies it on paper. But when an auditor reads that sentence, the very next thing they want to see is the records of those reviews. Who did them? When? What did they find? What changed as a result?
If those records don't exist (if the policy describes a process that was never actually performed and documented), then the policy isn't compliance. It's a statement of intent. And a statement of intent is not what an assessment is measuring.
Policy without evidence
What the auditor sees: "Our policy says we review access quarterly." No logs. No dates. No reviewer. No record of what was found or changed. The control may or may not be running; there's no way to tell. Indefensible.
Policy with evidence
What the auditor sees: "Here's the policy, and here are the last four quarterly access reviews, dated, signed, showing two accounts removed in Q2 and one privilege downgraded in Q3." The control is demonstrably operational. Defensible.
That's the whole game. An assessor is not grading your writing. They're checking whether the controls described in your documentation are things your organization actually does: repeatedly, on schedule, with a paper trail. Evidence is how you prove it.
This is exactly why the structure Overwatch Tools delivers is built around evidence from day one, not bolted on at the end. Both packages give you the policies. What makes them defensible is everything that proves the policies are real.
What the L1 Evidence Locker Contains
The Turnkey CMMC Level 1 Compliance Package maps all 15 CMMC Level 1 practices into 142 required artifacts. A large share of those artifacts aren't documents you write once; they're operational records you generate and refresh as you run your business. That's the Evidence Locker: the organized, current, audit-ready home for the proof behind every practice.
Access Review Logs
Templates and completed records showing who has access to what, reviewed on a schedule: the single most-requested L1 evidence item.
Training Completion Records
Proof that every user completed security awareness training, with names and dates, not just a policy saying training is required.
Vulnerability Scan Logs
Scan results plus the remediation records that show findings were actually tracked and resolved, not just discovered.
Media Disposal Logs
Records of how and when media containing FCI was sanitized or destroyed, a control that's invisible without documentation.
Visitor & Physical Access Records
Visitor logs and physical access records demonstrating that the places where FCI lives are actually controlled.
Configuration Change Records
Documentation of baseline configurations and the changes made to them over time: proof your systems are managed, not drifting.
SPRS Scoring Documentation
The self-assessment scoring and submission documentation, packaged and date-stamped so your SPRS score is fully backed by artifacts.
The Locker organizes all of this automatically by domain, practice, and artifact (no manual folder management), tracks how complete your evidence is, and exports a date-stamped ZIP with the proper structure when you're ready to submit or respond to a request. The point isn't just storage. It's that when someone asks "show me," the answer is one click away instead of a frantic week of searching shared drives.
Want to see if your current evidence would hold up? We'll walk through what an assessor would actually ask for against your real environment, with no pitch.
What the L2 CUI Enclave Package Delivers
Level 2 raises the stakes considerably. You're now protecting Controlled Unclassified Information across 110 practices mapped to 182 defined artifacts. At this level, "evidence" graduates from a folder of logs into a full operational framework: a set of named, structured deliverables that an assessor (and a future C3PAO) recognizes immediately.
These are not optional extras. They're the backbone of a defensible L2 self-assessment, and the L2 package delivers each one as a working artifact, not a blank template you have to invent from scratch.
System Security Plan (SSP): Pre-Filled Template
The SSP is the document an assessor reads first. It describes your enclave, your boundary, and how every one of the 110 practices is implemented. Ours arrives pre-filled and structured around your platform, not as a 100-page blank that contractors routinely stall on for months.
POAM: Plan of Action & Milestones
A framework for tracking the gaps you haven't closed yet, with owners and target dates. A clean POAM doesn't signal weakness; it signals a mature program that knows exactly where it stands and is actively managing remediation. Auditors expect to see one.
Risk Register
A documented, ongoing record of identified risks, their severity, and how you're treating them. Risk management isn't a one-time event; the Register is the living artifact that proves you're doing it continuously rather than reacting after the fact.
Evidence Checklist
The map of what evidence to collect, when to collect it, and how to keep it current across all 14 CMMC domains. This is what turns "we should probably document that" into a repeatable, scheduled operational habit your team can actually follow part-time.
SPRS Scoring & Self-Assessment Documentation
The scoring and self-assessment package that backs your SPRS submission, assembled, organized, and date-stamped so the number you report is fully supported by the artifacts behind it.
Together with the dedicated CUI enclave configuration guides for Google Workspace for Government and Microsoft 365 GCC High, these deliverables form the complete operational picture an L2 self-assessment is supposed to produce. They prove the controls run, not just that the policies exist.
Pre-Filled vs. Blank: Why It Matters (Especially for the SSP)
This deserves its own section because it's where most contractors quietly give up.
A blank SSP template is technically a "deliverable." It's also a trap. Faced with a hundred pages of empty structure asking them to describe, in assessor-grade language, how each of 110 practices is implemented in their specific environment, most small contractors freeze. The document sits at 12% complete for six months. Momentum dies. The whole L2 effort stalls on the one artifact that's supposed to anchor it.
A pre-filled SSP, structured around your actual platform and CUI enclave, flips that. Instead of starting from nothing, you're reviewing, confirming, and tailoring language that's already in place and already mapped to the practices. The difference between those two starting points is frequently the difference between an L2 program that finishes and one that doesn't.
The Records That Have to Stay Alive
Here's the part that catches people off guard: the static documents are only half the job. The other half is the ongoing operational records, and those are what an audit actually scrutinizes hardest.
A policy is a snapshot. Evidence is a stream. An assessor doesn't just want to see that you reviewed access once when you set everything up; they want to see the last four quarters of reviews. They want the monthly maintenance records. They want the training records that show this year's completions, not just the originals from launch day.
- Quarterly reviews: access reviews, policy reviews, and the owner/manager sign-offs that show leadership is engaged on a schedule.
- Monthly maintenance: the IT point person's record of patching, scanning, account management, and the small recurring tasks that keep controls operational.
- Ongoing logs: incident records, configuration changes, training completions, and visitor/access records that accumulate over time as proof the program is alive.
This is why both packages include defined roles and time estimates. The Owner/Manager signs policies and runs quarterly reviews. The IT Point Person handles monthly maintenance and evidence collection. The CUI User(s) follow procedures and report incidents. The framework tells each of them what to do and when, so the evidence stays current instead of going stale the moment the initial implementation is done.
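As an added illustration of the cadence described above (example code, not Overwatch Tools' own), here is a small freshness check over a constructed locker inventory: each group of records is judged against an assumed cadence and an assumed look-back depth, so stale evidence, thin history and checklist items with no record at all surface before an assessor asks for them. The cadence values, the placeholder practice ids and the sample records are all assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
# Assumed cadence per artifact type, in days (the quarterly / monthly / yearly rhythm above).
CADENCE_DAYS = {"access_review": 92, "maintenance_record": 31, "training_record": 366}
# Assumed depth of history an assessor may ask for ("the last four quarters").
REQUIRED_PERIODS = {"access_review": 4, "maintenance_record": 12, "training_record": 1}
# Constructed sample locker rows: (domain, practice id, artifact type, record date).
# Practice ids are placeholders, not real CMMC practice identifiers.
SAMPLE_LOCKER = [
    ("AC", "AC-PLACEHOLDER-1", "access_review", date(2024, 3, 29)),
    ("AC", "AC-PLACEHOLDER-1", "access_review", date(2024, 6, 28)),
    ("AC", "AC-PLACEHOLDER-1", "access_review", date(2024, 9, 27)),
    ("AC", "AC-PLACEHOLDER-1", "access_review", date(2024, 12, 20)),
    ("IA", "IA-PLACEHOLDER-1", "access_review", date(2024, 9, 27)),   # only two quarters kept
    ("IA", "IA-PLACEHOLDER-1", "access_review", date(2024, 12, 20)),
    ("MA", "MA-PLACEHOLDER-1", "maintenance_record", date(2024, 10, 3)),  # Nov and Dec skipped
    ("AT", "AT-PLACEHOLDER-1", "training_record", date(2024, 1, 15)),    # days from lapsing
]
# Constructed evidence checklist: everything the locker is expected to hold.
EXPECTED_EVIDENCE = [row[:3] for row in SAMPLE_LOCKER] + [("PE", "PE-PLACEHOLDER-1", "visitor_log")]
AS_OF = date(2025, 1, 10)  # constructed "today" for the sample run

def evidence_status(locker, today):
    # Group records by (domain, practice, artifact type) and judge each group:
    # 'current' needs a record within one cadence of today AND enough records in
    # the look-back window; otherwise the verdict is 'stale' or 'incomplete history'.
    groups = defaultdict(list)
    for domain, practice, kind, when in locker:
        groups[(domain, practice, kind)].append(when)
    report = {}
    for key, dates in groups.items():
        cadence = timedelta(days=CADENCE_DAYS[key[2]])
        needed = REQUIRED_PERIODS[key[2]]
        newest = max(dates)
        in_window = sum(1 for d in dates if d >= today - cadence * needed)
        if today - newest > cadence:
            verdict = "stale"
        elif in_window < needed:
            verdict = "incomplete history"
        else:
            verdict = "current"
        report[key] = {"newest": newest, "records_in_window": in_window, "verdict": verdict}
    return report

def missing_evidence(report, expected):
    # Checklist entries with no record at all; a freshness check alone never surfaces these.
    return sorted(set(expected) - set(report))

def sample_report():
    return evidence_status(SAMPLE_LOCKER, AS_OF)
```

Run against the constructed rows, the AC reviews come back current, the IA reviews are flagged for incomplete history, the maintenance record is stale, the training record is current but five days from lapsing, and the visitor log is reported missing.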
Why This Approach Holds Up Under Scrutiny
For Level 1: DoD can audit any self-assessment, any time
A CMMC L1 self-assessment isn't a sealed envelope. The DoD reserves the right to audit any self-assessment, and a contracting officer or investigator can ask you to substantiate your SPRS score. When that happens, your defense isn't your policy binder; it's your Evidence Locker. The contractor who can produce dated access reviews, current training records, and remediation logs on request is in a completely different position than the one who can only point to a policy that says those things should happen.
For Level 2: self-assessments have to survive future C3PAO scrutiny
L2 self-assessment eligibility comes with a finite window. When that window closes, programs move toward third-party assessment, and the evidence you generated during your self-assessment years is exactly what a C3PAO will examine. Building a real SSP, a maintained POAM, a living Risk Register, and a disciplined evidence trail now means you're not reconstructing two years of "proof" from scratch later. You're handing over records that were defensible the day they were created.
In both cases the principle is identical: the documents establish what you intend to do, and the evidence proves you did it. Compliance that can't be proven isn't compliance; it's hope with a cover page.
The Packages at a Glance
Both packages are self-assessment based, with no $50K+ C3PAO fees for eligible programs. They're a stack, not an either/or: L1 covers your FCI evidence framework, L2 covers your CUI evidence framework, and together they give you both.
L1 Turnkey Package
Evidence Locker: access reviews, training records, scan logs, media disposal, visitor logs, config records, SPRS docs.
L2 CUI Enclave Package
SSP (pre-filled), POAM framework, Risk Register, evidence checklist, SPRS docs. Self-assessment programs only.
Combined L1 + L2
Complete evidence frameworks for both levels: the full stack of artifacts and operational records.
Would Your Evidence Survive an Audit?
Bring your current setup. We'll walk through what an assessor would actually ask to see, where your evidence is solid, and where the gaps are, in under 30 minutes. No pitch, no obligation.
If your evidence is already in good shape, we'll tell you that too.
The artifact set is the package. The evidence locker is the proof. Together, they're what an audit actually wants to see.
