
CMMC Continuous Monitoring: How to Maintain Compliance After Certification

Certification is the starting line, not the finish. Here's how to build a continuous monitoring program that keeps your CMMC posture strong between assessments.

What Is Continuous Monitoring in CMMC?

Continuous monitoring (ConMon) is the ongoing process of reviewing, maintaining, and verifying your cybersecurity controls after achieving CMMC certification. It's not optional — it's a specific NIST 800-171 requirement (CA.L2-3.12.3) that mandates organizations "monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls."

CMMC Level 2 certification is valid for 3 years, but that doesn't mean you can implement controls once and forget about them. You're required to submit an annual affirmation confirming your controls are still effective, and your reassessment will verify that they've been maintained throughout the certification period.

Why Continuous Monitoring Matters

Without active monitoring, controls degrade over time. This is called compliance drift — and it's the most common reason organizations struggle during reassessment. Controls that were fully implemented two years ago may no longer be effective due to:

  • Personnel changes — new hires may not follow established procedures, key security personnel leave
  • Infrastructure changes — new systems, cloud migrations, network changes that alter your CUI boundary
  • Vendor changes — ESPs losing FedRAMP authorization, changing service providers, new SaaS tools in scope
  • Threat landscape evolution — new vulnerabilities, attack vectors, or compliance updates

Without ConMon, organizations routinely discover during reassessment that controls they implemented 2 years ago are no longer effective. By then, remediation is urgent and expensive. A ConMon program catches drift early, when it's easy to fix.

Building a Continuous Monitoring Program

1. Define review frequencies per control family

Not all controls need the same review cadence. Technical controls like Audit & Accountability need monthly attention, while Personnel Security may only need annual review. Set frequencies based on how quickly each control type can drift.

2. Assign control owners

Each control family needs a responsible person who reviews evidence, confirms controls are still effective, and escalates issues. Without clear ownership, reviews don't happen.

3. Establish evidence review cycles

Define what "current" evidence looks like for each control. A vulnerability scan from 12 months ago is stale. Training records from the last quarter are current. Set expectations and track when evidence was last reviewed.

4. Track review status across all controls

Every control should have a clear status: Current (reviewed within its frequency window), Due Soon (approaching review deadline), or Overdue (past its review date). This gives you an at-a-glance health score.

5. Monitor compliance health continuously

Aggregate your review statuses into an overall compliance health score. This tells you at any moment whether your organization is on track or drifting. A dropping health score is an early warning system.

How Bedrock CMMC Automates ConMon

Bedrock CMMC's ConMon dashboard handles all of this automatically. Set review frequencies per requirement family, and the system tracks which controls are current, due, or overdue. Your compliance health score updates in real time as reviews are completed or evidence expires.


Recommended Review Frequencies by Domain

These are recommended starting points — adjust based on your organization's risk profile and how quickly each control type can change in your environment.

Monthly

  • Audit & Accountability (AU): log review and audit monitoring are continuous activities
  • System & Information Integrity (SI): patching, AV updates, and vulnerability scanning are ongoing
  • Configuration Management (CM): change tracking and baseline monitoring are continuous

Quarterly

  • Access Control (AC): access reviews, privilege audits, and account management
  • Identification & Authentication (IA): MFA effectiveness, password policy compliance
  • Risk Assessment (RA): vulnerability scanning results and risk posture updates
  • System & Communications Protection (SC): network segmentation, encryption, and boundary monitoring

Semi-Annual

  • Incident Response (IR): test IR plan annually, review incidents quarterly
  • Security Assessment (CA): periodic control effectiveness assessments

Annually

  • Awareness & Training (AT): training completion tracking and content updates
  • Physical Protection (PE): physical access reviews and facility changes
  • Personnel Security (PS): screening policies and termination procedures
  • Maintenance (MA): maintenance procedures and tool controls
  • Media Protection (MP): media handling and sanitization procedures

Evidence That Stays Current

Not all evidence has the same shelf life. Some artifacts need regular refresh, while others remain valid for longer periods. Common evidence types that need ongoing attention:

Refresh Monthly

  • Vulnerability scan results
  • Audit log review records
  • Patch management reports
  • AV/malware scan logs

Refresh Quarterly

  • Access review results
  • Configuration baseline checks
  • Account privilege audits
  • Network diagram updates

Refresh Annually

  • Security awareness training records
  • Incident response test results
  • Risk assessment reports
  • Policy and procedure reviews

Update When Changed

  • System Security Plan (SSP)
  • Network architecture diagrams
  • Asset inventory
  • ESP documentation

Bedrock CMMC's evidence library stores artifacts per control and tracks when each was last reviewed. When evidence passes its review window, the ConMon dashboard flags it as due or overdue — so you always know which evidence needs refreshing.
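The status tracking from steps 4 and 5 of the program above and the evidence refresh windows in this section follow the same rule: compare the last review date against the domain's cadence. As an added example (not Bedrock CMMC's code), here is that rule in Python using the page's recommended cadences; the 14-day "Due Soon" lead time, the health-score weighting, and the sample inventory are assumptions.

```python
from datetime import date, timedelta

# Review windows in days for the cadences used in the frequency table above.
FREQUENCY_DAYS = {"monthly": 30, "quarterly": 90, "semi-annual": 182, "annually": 365}

# Recommended starting cadence per domain, copied from the page's table.
DOMAIN_FREQUENCY = {
    "AU": "monthly", "SI": "monthly", "CM": "monthly",
    "AC": "quarterly", "IA": "quarterly", "RA": "quarterly", "SC": "quarterly",
    "IR": "semi-annual", "CA": "semi-annual",
    "AT": "annually", "PE": "annually", "PS": "annually", "MA": "annually", "MP": "annually",
}

# Assumption: "Due Soon" means within 14 days of the deadline (the page sets no lead time).
DUE_SOON_LEAD = timedelta(days=14)


def review_status(last_reviewed: date, domain: str, today: date) -> str:
    """Classify a control or evidence artifact as Current, Due Soon or Overdue."""
    due = last_reviewed + timedelta(days=FREQUENCY_DAYS[DOMAIN_FREQUENCY[domain]])
    if today > due:
        return "Overdue"
    if today >= due - DUE_SOON_LEAD:
        return "Due Soon"
    return "Current"


def status_report(items: list, today: date) -> dict:
    """Map each tracked item's id to its review status."""
    return {i["id"]: review_status(i["last_reviewed"], i["domain"], today) for i in items}


def health_score(items: list, today: date) -> float:
    """Aggregate statuses into a 0-100 score (assumed weights: Current 1, Due Soon 0.5, Overdue 0)."""
    weights = {"Current": 1.0, "Due Soon": 0.5, "Overdue": 0.0}
    if not items:
        return 0.0
    earned = sum(weights[s] for s in status_report(items, today).values())
    return round(100 * earned / len(items), 1)


# Constructed sample inventory mixing control reviews and evidence artifacts (not real data).
TODAY = date(2025, 6, 1)
SAMPLE_ITEMS = [
    {"id": "AU.L2-3.3.1 audit log review", "domain": "AU", "last_reviewed": date(2025, 5, 20)},
    {"id": "SI.L2-3.14.1 patch report", "domain": "SI", "last_reviewed": date(2025, 5, 5)},
    {"id": "AC.L2-3.1.1 access review", "domain": "AC", "last_reviewed": date(2025, 1, 15)},
    {"id": "PS.L2-3.9.1 screening policy", "domain": "PS", "last_reviewed": date(2024, 9, 1)},
]
```

Calling status_report(SAMPLE_ITEMS, TODAY) flags the quarterly access review as Overdue and the monthly patch report as Due Soon, and health_score returns 62.5 for the sample.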

Common ConMon Pitfalls

Treating it as a checkbox exercise

ConMon isn't about checking boxes — it's about verifying controls are actually working. Rubber-stamping reviews without examining evidence defeats the purpose.

Not updating the SSP when controls change

Your SSP must reflect current reality. Infrastructure changes, new tools, or process updates all require SSP revisions. Assessors compare your SSP to what they observe.

Ignoring POA&M items between assessments

Open POA&M items don't go away. They need active remediation and progress tracking. Stale POA&Ms signal to assessors that your ConMon program isn't working.

Not monitoring ESP compliance changes

Your External Service Providers' compliance status can change. If an ESP loses its FedRAMP authorization, your controls that depend on it are immediately affected.

No single source of truth

Spreadsheets, shared drives, and email threads fragment your compliance data. When assessment time comes, you can't quickly demonstrate that controls have been maintained.

Frequently Asked Questions

What is continuous monitoring in CMMC?

Continuous monitoring (ConMon) is the ongoing process of reviewing and maintaining your cybersecurity controls after achieving CMMC certification. Required by CA.L2-3.12.3, it ensures controls remain effective between your triennial assessments. ConMon includes evidence reviews, vulnerability scanning, configuration auditing, and policy updates on a scheduled basis.

How often do CMMC controls need to be reviewed?

There is no single frequency — it depends on the control family and your organization's risk profile. Technical controls like Audit & Accountability (AU) and System & Information Integrity (SI) typically need monthly review. Access Control (AC) and Configuration Management (CM) are often quarterly. Less dynamic families like Personnel Security (PS) may be reviewed annually. The key is defining and following a consistent schedule.

What is a CMMC annual affirmation?

A CMMC annual affirmation is a formal statement by a senior official in your organization confirming that your cybersecurity controls remain in place and effective. This must be submitted annually to the SPRS (Supplier Performance Risk System) between triennial assessments. Failure to affirm can result in loss of your CMMC certification.

What happens if my controls drift out of compliance between assessments?

Compliance drift puts your certification at risk. If controls are no longer effective, you should document the gaps in a POA&M and remediate them promptly. Significant drift discovered during your annual affirmation or reassessment could result in loss of certification and inability to perform on DoD contracts.

Do I need software for CMMC continuous monitoring?

It is not strictly required, but manually tracking review schedules, evidence freshness, and compliance health across 110 controls and 14 domains is extremely error-prone. ConMon software like Bedrock CMMC automates review scheduling, tracks evidence expiration, and calculates compliance health scores so nothing falls through the cracks.

Continue Learning

POA&M Management Guide

How to create and manage Plans of Action & Milestones — the 180-day remediation window and what assessors expect.


ESP Management Guide

Managing External Service Providers in your CMMC scope — CUI handling, FedRAMP, and control inheritance.


Keep Your CMMC Certification Strong

Bedrock CMMC's continuous monitoring dashboard tracks review schedules, evidence freshness, and compliance health across all 14 domains — so you're always assessment-ready.