Supporting Documentation and Procedures for Access Control Compliance
Chapter 1
Key Supporting Documents for Access Control
Eric Marquette
Welcome back to CMMC Unlocked. I’m Eric Marquette, and I’m joined as always by my co-host Paul Netopski. Today we’re digging into something that, honestly, trips up more contractors than just about anything else: the documentation side of Access Control. Paul, before we get too deep, I want to lay the groundwork a bit. When we’re talking about supporting documents for Access Control under CMMC, we mean some really core items—Access Control Policies, your Access Control Lists, and of course user access logs. These aren’t just paperwork; they’re absolutely central to how an assessor is going to know you’re not just saying you’re compliant, but actually living it, day-in and day-out. Would you agree?
Paul Netopski
Yeah, absolutely, Eric. And you know, it’s one thing to say, “We use role-based access,” but unless you’ve got that documented—like with actual user provisioning forms and, say, a role matrix showing who gets access to what—no assessor is going to take your word for it. In my experience, missing or messy documentation is the number one cause of delay or even failing an assessment, no exaggeration. If you don’t have periodic access review reports or records showing onboarding and offboarding decisions, you’re, well, let’s just say: you’re rolling the dice with your compliance status.
Eric Marquette
Right, and let’s not forget—access control isn’t just a one-off thing, it’s really ongoing. We had an example kind of like this—Ruby, from one of the firms we worked with, actually shared a story last month I thought was just spot-on. She talked about this small defense contractor, not a huge shop, who everyone thought would be swimming upstream trying to get through a CMMC Level 2 assessment. And what got them over the finish line? Not an expensive tech upgrade. It was that they had every single one of their access review reports sorted, labeled, and available. Their logs actually told a story: who was granted access, who was removed, even notes on review outcomes. Assessors walked in and, in Ruby’s words, “couldn’t poke a hole in a single record.” It made the whole process almost—dare I say it—pleasant.
Paul Netopski
That’s the dream, right? And honestly, it’s not just luck, it’s a result of making sure your supporting documents actually match your policies in practice. If you’ve got access control policies, you also gotta have matching documentation—ACLs, change logs, approval records—that prove you’re following through. And, for companies that want to sleep at night, those periodic access reviews are the ace in the hole come audit time. If you’re listening and haven’t seen your own role-based access matrix in the last six months, time to dig it up. Or create one. Now’s fine.
Chapter 2
General Procedures for Access Control Compliance
Paul Netopski
So let’s get practical, Eric. Procedures are where a lot of organizations trip up, not because they don’t have any, but because what they do have isn’t written down, or it’s just sort of tribal knowledge. When we talk “core access control procedures,” we’re talking onboarding and offboarding users. Who gets approved, who signs off on what, and how you’re actually tracking those approvals in real time. If your process is just, “We notify IT when someone leaves”—that’s not gonna cut it. You want detailed steps, documentation of every approval, and logs for both access grants and revocations. And you want it in writing. Preferably organized.
Eric Marquette
And let’s be honest, this isn’t just for big companies. Even smaller contractors, maybe a dozen people, still need these written procedures—because that’s what assessors expect, regardless of your size. One best practice we’re seeing, and Paul, maybe you’ve run across this even more than I have, is using automated tools to log every access change. So if Joe in accounting gets added to the CUI server, the system records it. If he leaves, the offboarding gets logged, too. These tools don’t just make life easier, they make it so much simpler to generate the evidence an assessor will want. What’s your experience been there?
Paul Netopski
Yeah, automation is huge, Eric. I mean, I might be showing my age, but I remember when people tracked this kind of stuff in—like—an actual physical logbook. Moving to an automated system, where every access grant or revocation is timestamped and archived, it’s almost like having a permanent memory. And if something gets missed, it stands out much more obviously. But here’s a quick warning to listeners: one of the biggest pitfalls I see is with undocumented privilege changes. Say IT gives someone elevated access for a temporary project, but forgets to formally log it or remove the rights afterward—that’s a jackpot for a negative assessment finding. You need change management, every change documented, and regular reviews to make sure nothing slipped through the cracks.
Eric Marquette
Absolutely, and that’s not even just a compliance box-ticking thing. If privilege changes aren’t tracked, it’s a security gap, right? Attackers love stale privileged accounts. A regular review process—maybe monthly or at least quarterly—means you can actually catch those before they become a real problem. And yes, you do have to document the review itself. Otherwise, as we talked about in Episode 4 with managed providers, these “invisible” changes can burn you during an assessment. So if your procedures aren’t up to date or you’re just assuming the tech is capturing everything for you… double-check.
Chapter 3
Linking Documentation to Regulatory Requirements and Assessments
Eric Marquette
Alright—so we’ve got our policies, our logs, our procedures… but it’s really about showing how all of that lines up with CMMC and NIST SP 800-171 requirements. Paul, I think this is where a lot of folks start to panic: the whole mapping thing, right? What’s your take on making that connection for assessors?
Paul Netopski
Yeah, mapping is everything here. I always recommend having a cross-reference matrix—something that literally connects each control in CMMC or NIST SP 800-171, say for Access Control, to the exact policy, procedure, or log that covers it. If your documentation says, “Periodic access reviews are performed quarterly,” show me the logs attached to that policy. The best assessments I’ve seen, Eric, are where this linkage is so clear that you answer assessor questions before they can even finish asking them. It streamlines not just the audit itself, but your team’s confidence too.
Eric Marquette
Yeah, and you know, I actually had a situation not too long ago—a company was prepping for their assessment and their access control logs looked okay, but when the assessor asked, “Which policy covers this quarterly review?” they instantly pulled up their cross-reference table and went, “Here’s our AC-2 procedure, here’s where the logs match, and that’s the revision date.” Assessors literally stopped looking for more gotchas after that, because it was just all right there, organized, cross-linked. I’m not saying you won’t get follow-up questions—assessors are nosy by nature—but when the mapping is tight, the process is so much smoother.
Paul Netopski
Right, and honestly, if folks don’t have that cross-reference matrix yet, it’s worth starting small. Begin with Access Control, tie every document you have—policy, procedure, log—to its control, and gradually build from there. It’s the best way to spot gaps before your assessor does. And it’s something we’ve discussed in a few previous episodes—documentation should tell the story of compliance, not be a pile of paperwork you hand over and hope for the best. Building those bridges between requirements and artifacts is how you pass with confidence, not just luck.
Eric Marquette
Couldn’t say it better myself, Paul. Well, that’s probably a good point for us to wrap up today’s episode. Next time we’ll be moving on to how to maintain that documentation over time—because compliance isn’t a “one and done” thing, as anyone who’s survived more than one audit can attest. Paul, always a pleasure. Thanks for your insight.
Paul Netopski
Thanks, Eric, looking forward to our next deep dive. Cheers everyone, and stay secure out there.
Eric Marquette
Take care everyone, see you next time on CMMC Unlocked.
