Hill Tech Solutions has passed the CMMC Level 2 C3PAO assessment! We're proud to play our part in creating a more secure Defense Industrial Base community.

Need IT Support?
WE CAN HELP!

CMMC Compliance Workshop Wednesday: Deep Dive – The Annual Cadence That Proves You’re Still Accountable

Share This Post

After the initial assessment, quarterly testing, and established routines, a quieter but heavier pressure begins to set in: the realization that passing an assessment was not the finish line, but only a point in time.

The real question becomes what happens in the years between.

The Story

Right after our assessment, we felt a real sense of accomplishment. The environment had been tested, the controls validated, and the evidence reviewed. Our cadence was in place, with weekly, monthly, and quarterly activities helping keep everything running, aligned, and tested.

On paper, everything was exactly where it needed to be. But the longer we operated in that steady state, the more a different question began to surface. It did not come from an assessor or an external source. It came during one of our internal leadership discussions.

“If someone asked us today to prove we are still compliant, could we do it?”

That question changed how we thought about our cadence. Until then, we had focused on keeping controls running, testing them quarterly, and maintaining monthly alignment. But those activities did not fully answer the question of accountability over time or force us to view the entire environment the way an external assessor would.

That is where annual cadence became important. We started with the attestation requirement because, in CMMC, the years between third-party assessments are not empty space. Organizations must affirm that they remain compliant with the controls they were assessed against. That affirmation is not a simple checkbox. It is a statement of responsibility that your environment still operates as expected, your controls remain effective, and your evidence can still stand up to scrutiny.

At first, attestation seemed like it might be a formality. We had built the environment correctly, established our cadence, and continued doing the work. But the more we examined it, the clearer the standard became: attestation is not based on what you believe is true. It is based on what you can still prove.

So, we changed our approach. Instead of treating attestation as an annual administrative task, we treated it as an internal re-assessment. Not a full recreation of the original assessment, but a deliberate exercise to confirm that everything we had built was still in place, still functioning, and still producing evidence.

We began by revisiting our policies to ensure they still reflected how the organization actually operated. Processes evolve, teams change, and tools get updated. Without intentional review, even strong documentation can drift from reality.

For each policy, we asked one question: if an assessor compared this document to our environment today, would it match?

Sometimes the answer was yes. Other times, we found small gaps: an improved process that was never documented, or a responsibility that had shifted but was never reassigned. None created immediate failure, but each showed slow drift from alignment.

Next, we turned to evidence. During the initial assessment, collection was structured and time-bound, with artifacts for every control and requirement. Over time, though, evidence can become fragmented if it is not consistently maintained.

So, we approached it like an assessor by selecting controls and asking the team to produce evidence on demand, without curation or advance preparation.

The exercise revealed more than expected. The evidence existed, but it was often harder to retrieve than it should have been. It lived across systems, owners, and patterns. The control was working, but the proof was not as accessible or consistent as needed.

In CMMC, functioning controls are not enough. You must demonstrate them. That realization helped us refine how we collect, store, and organize evidence throughout the year, so attestation confirms proof already in place instead of triggering a scramble to rebuild it.

From there, we moved into control validation. Quarterly cadence had taught us to test individual controls under pressure, while annual cadence pushed us to step back and evaluate the system as a whole: how controls connect, whether dependencies still hold, and whether inherited responsibilities remain clear.

We reviewed our Customer Responsibility Matrix and shared controls, especially where external providers were involved, to confirm whether anything had changed and whether our assumptions were still valid.

That review reinforced an important point: compliance is not static, particularly in environments that rely on third-party platforms. Services change and features evolve, so assumptions from the assessment cannot simply carry forward unchanged. Annual cadence forces you to verify that.

Finally, we returned to the attestation itself. By then, it no longer felt like a standalone requirement, but the result of the work we had just completed: policies aligned, evidence accessible, controls confirmed, and dependencies re-evaluated. The attestation became a reflection of reality, not merely a statement of intent, and that distinction matters.

Where Annual Cadence Changes Everything

Annual cadence answers the question no other cadence fully can: after a year of change, are you still the compliant organization you were on assessment day?

Continuous, weekly, monthly, and quarterly activities all help keep the environment running, aligned, and tested. Annual cadence is where you step back and validate the full picture. It is where you apply the same standard an external assessor would.

In the years between third-party assessments, that discipline matters. Attestation is not optional. It is a formal statement that you remain compliant, reflecting your organization’s integrity and commitment to protecting the data you are responsible for.

What To Change

Do not treat annual cadence as a once-a-year event. Build toward it throughout the year. Use it to confirm that policies still match reality, evidence is organized and accessible, controls work together as a system, and dependencies or inherited responsibilities remain clear. Above all, treat attestation as a statement of what you can prove, not what you assume to be true.

When you sign it, you should be able to support it immediately, without rebuilding evidence, adding explanations, or making exceptions.

The Question That Matters

At the end of our first true annual cycle, we came back to a familiar question, but with a different perspective.

If we were assessed again tomorrow, without preparation, would we still pass?

That is the question that annual cadence is meant to answer. Compliance is not something you prove once; it is something you continue to earn through consistency, validation, and accountability. Between assessments, that proof lives in the attestation you are prepared to stand behind.

Questions about CMMC certification? Contact Hill Tech Solutions.

More To Explore