
CMMC Compliance Workshop Wednesday: Deep Dive – The Weekly Cadence That Keeps CMMC Real


Here’s another fable written to show the full impact of this deep dive into CMMC compliance.

The Story

I remember when we first blocked time for it: a simple recurring meeting. There was no elaborate process, just intentional time set aside to validate what we believed was working.

At first, it felt unnecessary. Then it didn’t.

In the first week, we focused on alerts. We pulled a recent security alert from our SIEM and walked it through end to end. We were using tools like Microsoft Sentinel and Defender, and on the surface everything looked right. The alert triggered as expected, and the ticket was created in our PSA.

But when we followed the process all the way through, the weak spots became obvious. Ownership was not completely clear. Context was missing. The response was slower and less precise than we had assumed. Nothing failed, but it was not as solid as it needed to be.

That became the pattern.

The next week, we shifted to endpoints. Using Microsoft Intune and Defender for Endpoint, we checked a handful of devices for their actual state—not reports, not dashboards, but real-time status. One device had not checked in. Another had drifted slightly out of compliance. Again, nothing catastrophic, but the drift was there. Once you see drift, you cannot unsee it.

That was the moment the weekly cadence stopped feeling optional. It became the way we kept the environment honest.

What we were doing each week was straightforward:

  • Review logs, alerts, endpoints, and access.
  • Identify issues and correct them.
  • Validate whether controls were performing the way we believed they were.

The real problem was not the work itself. The problem was proving consistency. If someone had asked, “Show me that you have been doing this consistently for the last six weeks,” we would have struggled.

We were doing the work, but we were not capturing it in a way that told a clear story. That realization changed our approach: a weekly cadence without tracking creates confidence in the moment, but a tracked cadence creates evidence over time. Those are not the same thing. The fix was not adding heavy process but making progress visible.

What We Track Each Week (Without Turning It into Bureaucracy)

We kept things simple, but intentional. Every weekly validation gets captured in a way that answers three questions.

  • What was checked?
  • What was found?
  • What was done about it?

When we trace a log source, we document which system we validated and whether the data flow was intact. If something was broken, we note it. If it was fixed, we capture that too.

When we review an alert, we record which alert we walked through, how it was handled, and whether anything needed to be improved in the response process.

When we check endpoints, we list the devices we spot-checked and note any drift, even if it was minor.

Over time, that builds a simple but powerful record. Not a checkbox exercise but a narrative of control performance.

Where We Actually Track It

Some use their ticketing or PSA system, like ConnectWise or Autotask. Each weekly validation becomes a ticket or a structured activity tied to a recurring cadence. The benefit here is accountability. Work gets assigned. Work gets closed. Work gets tracked.

More mature teams often use GRC or compliance platforms: a control register, for example, where weekly tasks are tied directly back to specific CMMC or NIST controls. This gives you traceability from activity to requirement.

We use both our PSA system and our GRC platform to get the best of both worlds.

Others may use lighter-weight tools like Planner, Lists, or even SharePoint.

There isn’t a single “right” answer, but there is a wrong one. If your tracking lives in scattered notes, personal notebooks, or meeting conversations that disappear… you don’t really have tracking, you just have memory.

What “Good” Tracking Actually Looks Like

The biggest shift we made was moving away from treating "completed" as the goal. A completed task tells you very little on its own: not what was checked, what was discovered, or what changed as a result. We started tracking outcomes instead, which gave us a record of the work itself, the analysis behind it, and the improvement that followed.

We moved from “Reviewed alerts” to “Reviewed alert ID X in Defender. Response time was 45 minutes. Ownership was unclear at first, so we updated the assignment rules to route future alerts directly to security operations.”

That is meaningful evidence. It shows the activity, the analysis, and the corrective action. Assessors do not simply want to know that you looked; they want to know that you understood what you found and acted on it.

Consistent weekly tracking creates visibility. It helps you spot patterns, prove progress, and see where drift is happening.

That is when tracking stops being administrative and starts becoming useful. The question shifts from “Are we compliant?” to “Are we improving?”

A simple rolling four-week view is usually enough to show how many issues were found, resolved, or carried forward.
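To make the tracking model concrete, here is an added example (not Hill Tech Solutions' own tooling, and not tied to any particular PSA or GRC product): each weekly validation item answers the three questions, carries a single named owner and its control references, and a rolling four-week view counts what was found, resolved, and carried forward, and flags any week in the window that was never documented. All owners, device names, alert IDs and control IDs in the sample data are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Finding:
    """One issue surfaced by a weekly check: what was found and what was done."""
    description: str      # what was found
    action: str           # what was done about it
    resolved: bool        # True if closed this week, False if carried forward


@dataclass
class WeeklyCheck:
    """One validation item for one week, owned by one named person."""
    week_of: date         # Monday of the validation week
    area: str             # "alerts", "endpoints", "logs" or "access"
    owner: str            # a named person, never a shared team queue
    checked: str          # what was checked
    controls: List[str]   # control references (placeholders in the sample data)
    findings: List[Finding] = field(default_factory=list)


def validate_entry(entry: WeeklyCheck) -> List[str]:
    """List the ways an entry fails to answer checked / found / done with an owner."""
    problems = []
    if not entry.owner.strip():
        problems.append("no named owner")
    if not entry.checked.strip():
        problems.append("'what was checked' is empty")
    for f in entry.findings:
        if not f.description.strip():
            problems.append("finding without a description")
        if not f.action.strip():
            problems.append("finding without a recorded action")
    if not entry.controls:
        problems.append("not tied to any control")
    return problems


def window_weeks(as_of: date, weeks: int = 4) -> List[date]:
    """Mondays of the last `weeks` validation weeks, ending with the week containing as_of."""
    monday = as_of - timedelta(days=as_of.weekday())
    return [monday - timedelta(weeks=k) for k in range(weeks - 1, -1, -1)]


def missing_weeks(entries: List[WeeklyCheck], as_of: date, weeks: int = 4) -> List[date]:
    """Weeks in the window with no documented check at all: the gaps an assessor will notice."""
    documented = {e.week_of for e in entries}
    return [w for w in window_weeks(as_of, weeks) if w not in documented]


def rolling_summary(entries: List[WeeklyCheck], as_of: date, weeks: int = 4) -> Dict[str, int]:
    """Rolling view: issues found, resolved, or carried forward across the window."""
    window = set(window_weeks(as_of, weeks))
    in_window = [e for e in entries if e.week_of in window]
    found = sum(len(e.findings) for e in in_window)
    resolved = sum(f.resolved for e in in_window for f in e.findings)
    return {
        "weeks_documented": len({e.week_of for e in in_window}),
        "weeks_missing": len(missing_weeks(entries, as_of, weeks)),
        "found": found,
        "resolved": resolved,
        "carried_forward": found - resolved,
    }


def evidence_line(entry: WeeklyCheck) -> str:
    """Render one entry as an outcome sentence rather than a bare 'Reviewed alerts'."""
    outcome = " ".join(f"{f.description} {f.action}" for f in entry.findings) or "No issues found."
    return f"{entry.week_of.isoformat()} [{entry.area}] {entry.owner}: Checked {entry.checked}. {outcome}"


# Constructed sample data; every owner, device, alert ID and control ID is a placeholder.
AS_OF = date(2025, 3, 10)  # a Monday
SAMPLE_ENTRIES = [
    WeeklyCheck(date(2025, 2, 3), "alerts", "Owner A", "alert <ALERT-ID-PLACEHOLDER-1> in Defender",
                ["CTRL-PLACEHOLDER-IR"],
                [Finding("Ticket created in the PSA with no context attached.",
                         "Added enrichment fields to the alert rule.", True)]),
    WeeklyCheck(date(2025, 2, 17), "alerts", "Owner A", "alert <ALERT-ID-PLACEHOLDER-2> in Defender",
                ["CTRL-PLACEHOLDER-IR"],
                [Finding("Response time was 45 minutes; ownership was unclear at first.",
                         "Updated assignment rules to route future alerts to security operations.", True)]),
    WeeklyCheck(date(2025, 2, 24), "endpoints", "Owner B", "5 devices in Intune / Defender for Endpoint",
                ["CTRL-PLACEHOLDER-CM"],
                [Finding("Device <DEVICE-PLACEHOLDER-1> had not checked in.", "Ticket opened; carried forward.", False),
                 Finding("Device <DEVICE-PLACEHOLDER-2> drifted out of compliance.", "Re-applied baseline.", True)]),
    # 2025-03-03 has no entry: a week that may have been worked but was never documented.
    WeeklyCheck(date(2025, 3, 10), "logs", "Owner C", "Sentinel ingestion from the domain controllers",
                ["CTRL-PLACEHOLDER-AU"], []),
]

# An entry that fails validation: no named owner and no control linkage.
BAD_ENTRY = WeeklyCheck(date(2025, 3, 10), "access", "", "leaver list against active accounts", [])

if __name__ == "__main__":
    print(rolling_summary(SAMPLE_ENTRIES, AS_OF))
    print("undocumented weeks:", [d.isoformat() for d in missing_weeks(SAMPLE_ENTRIES, AS_OF)])
    for e in SAMPLE_ENTRIES:
        print(evidence_line(e))
```

The point of `missing_weeks` is the "show me six weeks" question from earlier in the post: the rolling view does not only count issues, it shows which weeks have no record at all, which is exactly where "we did the work but did not capture it" becomes visible.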

Tying Tracking Back to Ownership

Tracking breaks down quickly when ownership is unclear. We learned that early, when the weekly record was treated as a shared artifact that everyone touched but no one truly owned.

The result was predictable: some weeks were documented well, others were not, and follow-up actions too often faded without clear accountability.

So, we changed the model. Every weekly validation item now has a named owner… not only for completing the check, but for documenting what was found and making sure follow-up actions are created and tracked. That level of accountability changes the question from “Did we check it?” to “Can we prove what we saw and what we did about it?”

The Real Purpose of Tracking

At first, tracking feels like just another task to stay organized. Over time, you realize it serves a much larger purpose… it becomes your evidence story.

When an assessor asks how you maintain controls week to week, you do not point to a policy alone. You show the cadence: week after week of validation, issues identified, and corrective actions taken. That is what demonstrates that the environment is not static, but actively managed.

That is the difference. CMMC is not asking whether you can pass an assessment once. It is asking whether you can sustain a standard, and weekly tracking is how you prove that you can.

Next week, we’ll shift from the weekly cadence to the monthly tasks that help keep CMMC evidence, reviews, and accountability on track over time.

Questions about CMMC certification? Contact Hill Tech Solutions.
