WatchUr6 tactical HUD interface displaying a dynamic CMMC living control library integrity check dashboard. A tabular list shows control IDs, statuses, owners (Admin, Tech-Lead), and validation dates, highlighting healthy (blue), stale (orange), and orphaned entries for GovCon compliance auditing.
SITREP // GOVCON // CMMC CONTROL LIBRARY

Building a Living Control Library: The GovCon Playbook for Surviving CMMC Phase 2 and the Annual Affirmation

The C3PAO does not ask what your control library was. The C3PAO asks what your control library is. With CMMC Phase 2 beginning November 10, 2026, every defense contractor handling Controlled Unclassified Information faces a single binary outcome — close the gap between a static System Security Plan and a living, validated control library, or sign an annual affirmation that becomes evidence in a False Claims Act case. This is the operational playbook.

The companion episode of Status: Secure — Episode 015, Inheriting Control Drift — covered the slow, silent erosion of operational reality that no SIEM, no EDR, and no SOC ticket will ever surface. Control drift is a paper problem with contractual consequences. A control library certified clean in 2021 can be a hollow document by 2026, and the only people who learn it the hard way are the senior official who signed the affirmation and the board members named on the corporate filing.

If the podcast was the briefing on the threat, this Sitrep is the briefing on the fix. What follows is the validation sprint we run with our GovCon clients — the five-step protocol that converts a static SSP into a living control library before the C3PAO walks the floor.

From Paper Library to Living Library — The Operational Distinction

A System Security Plan is a document. A control library is an operational reality. The two are routinely confused, and the confusion is what gets contractors in trouble.

An SSP describes the controls you said you operated on the day it was written. A living control library is the system of record that proves those controls are still operating today — with named owners, current validation dates, and traceable evidence. The Department of Defense does not require you to maintain an SSP for the sake of having an SSP. It requires you to maintain compliance — which means the SSP is only useful if the operational reality behind it still matches.

Every control in a living library carries four pieces of metadata, and the absence of any one of them is a red flag the assessor will find:

  1. The governing policy. Every technical control maps upward to a written policy. If no policy governs the control, the control has no organizational mandate behind it.
  2. The enforcement mechanism. A GPO, a SIEM rule, a configuration baseline, a documented manual procedure. Whatever actually makes the control happen in the environment.
  3. The named owner. A specific individual — not a team, not a role, an individual — accountable for the control’s continued operation.
  4. The last validation date. When the control was last tested against the system as it operates today, not as it was designed three years ago.

If any control in your library is missing one of these four data points, that control is in drift. If the validation date is older than twelve months, that control is presumed stale until proven otherwise.
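The four-field rule and the twelve-month staleness presumption are mechanical enough to script. The following is an added example, not code from the article or from WatchUr6; the record layout, field names, control identifiers, owners, dates and staff roster are all constructed for illustration, and treating an owner who has left the roster as a missing owner is this example's own assumption rather than a rule the article states.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Record layout and field names are assumptions made for this example;
# they are not a schema from the article or from any GRC platform.
@dataclass
class Control:
    control_id: str                  # CMMC-style practice identifier
    policy: Optional[str]            # governing policy the control maps to
    enforcement: Optional[str]       # GPO, SIEM rule, baseline, or manual procedure
    owner: Optional[str]             # a named individual accountable for the control
    last_validated: Optional[date]   # date the control was last tested as-operated

STALE_AFTER_DAYS = 365  # the playbook's "older than twelve months" rule

def classify(control: Control, as_of: date, staff: set[str]) -> tuple[str, list[str]]:
    """Return (status, reasons) for one control.

    'drift'   : one of the four metadata fields is missing, or the named owner
                is no longer on the current staff roster (treated here as a
                missing owner; that equivalence is this example's assumption)
    'stale'   : all four fields present, but validation is older than 12 months
    'healthy' : all four fields present and validated within 12 months
    """
    reasons = []
    for field_name, value in (
        ("policy", control.policy),
        ("enforcement", control.enforcement),
        ("owner", control.owner),
        ("last_validated", control.last_validated),
    ):
        if not value:
            reasons.append(f"missing {field_name}")
    if control.owner and control.owner not in staff:
        reasons.append(f"owner {control.owner!r} not on current roster")
    if reasons:
        return "drift", reasons
    age_days = (as_of - control.last_validated).days
    if age_days > STALE_AFTER_DAYS:
        return "stale", [f"last validated {age_days} days ago"]
    return "healthy", []

def audit(controls: list[Control], as_of: date, staff: set[str]) -> dict[str, str]:
    """Map each control_id to its status; reasons are printed for the reader."""
    results = {}
    for c in controls:
        status, reasons = classify(c, as_of, staff)
        results[c.control_id] = status
        print(f"{c.control_id:<16} {status:<8} {'; '.join(reasons)}")
    return results

# Constructed sample data: an "as of" date, a current staff roster, and four
# controls exercising each outcome. The identifiers follow the CMMC practice-ID
# format; the owners, policy references, mechanisms and dates are invented.
AS_OF = date(2026, 5, 12)
CURRENT_STAFF = {"A. Rivera", "M. Chen", "S. Patel"}
SAMPLE_CONTROLS = [
    Control("AC.L2-3.1.1", "POL-AC-01", "AD group policy + conditional access", "A. Rivera", date(2026, 3, 1)),
    Control("AU.L2-3.3.1", "POL-AU-01", "SIEM ingestion rule AU-3.3.1", "M. Chen", date(2024, 11, 15)),
    Control("SC.L2-3.13.16", None, "BitLocker baseline on CUI file server", "S. Patel", date(2026, 2, 10)),
    Control("IA.L2-3.5.3", "POL-IA-02", "MFA enforced via IdP policy", "J. Okafor", date(2026, 1, 20)),
]

def run_audit() -> dict[str, str]:
    return audit(SAMPLE_CONTROLS, AS_OF, CURRENT_STAFF)

if __name__ == "__main__":
    statuses = run_audit()
    counts = {s: list(statuses.values()).count(s) for s in ("healthy", "stale", "drift")}
    print("summary:", counts)
```

Run against an export of the real library, the per-control reasons are the worklist for Step 2 of the sprint, and the counts are the "operational, drifted, or unknown" numbers an incoming leader owes at day 30.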

The Hidden Failure Modes in Your Current Control Library

Before you can fix the library, you have to find the failures. The podcast walked through four decay patterns. Here is how to detect each one inside your own environment.

The Orphan Custom Control

Senior engineers solve problems. The good ones write custom scripts, build bespoke GPOs, and stand up automations that elegantly satisfy NIST 800-171 controls in ways no off-the-shelf tool does. Then they leave for a prime contractor, take a promotion, or retire — and the control becomes an orphan.

Detection method:

Pull the list of scheduled tasks, custom scripts, and non-standard GPOs across your environment. For each one, identify who designed it, who currently maintains it, and where the runbook lives. Anything without a documented runbook and a currently-employed owner is orphaned.

Tool Migration Drift

You migrate from Splunk to Sentinel. From Cisco AnyConnect to a SASE provider. From RSA tokens to Duo. The migration plan accounts for the obvious mappings, but the bespoke detection rules, custom alert tunings, and edge-case configurations rarely survive the move. The control entry in the SSP still references the old tool by name.

Detection method:

Pull your asset inventory and compare it against the tools named in your SSP. Any tool named in the SSP that is no longer in production is a drift flag. Any tool in production not named in the SSP is also a drift flag — and likely an unauthorized addition to your CUI handling boundary.

System Security Plan Rot

Most contractors treat the SSP as a deliverable, not as a living document. It gets written for the initial assessment, then it sits in SharePoint until the next contract requires an update. Meanwhile, the environment changes weekly.

Detection method:

Open your SSP and check the revision history. If the last meaningful update is more than six months old and your environment has materially changed — new SaaS tools, decommissioned servers, identity provider changes, MFA platform changes, file share consolidations — the SSP is rotting. The C3PAO will document the gap as one of their first findings.

POA&M Zombies

The Plan of Action and Milestones is supposed to be a controlled, time-bounded list of accepted gaps with documented remediation paths. In practice, it becomes a graveyard. Items get logged, target dates get missed, status fields get updated to “In Progress” and stay there.

Detection method:

Open your current POA&M. Filter for items older than 180 days with a status of anything other than “Closed.” Every line in that filter is a zombie. Under the CMMC Final Rule, unclosed POA&M items beyond 180 days create eligibility problems on their own — and they are exhibits a False Claims Act plaintiff’s counsel will assemble for free.
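The four detection methods above share one shape: compare an exported inventory against a roster, a document, or a date threshold. The following added example (not code from the article or from WatchUr6) implements all four over constructed inputs. The staff roster, automation inventory, tool names, SSP revision date, change log and POA&M entries are invented; the vendor names that do appear are the ones the article itself mentions, with placeholders for the rest, and the 182-day figure used for "six months" is this example's approximation.

```python
from datetime import date

# All inputs below are constructed for this example. The "as of" date and the
# staff roster stand in for a real HR export; the automation, tool and POA&M
# entries are invented, not taken from any real environment.
AS_OF = date(2026, 5, 12)
CURRENT_STAFF = {"A. Rivera", "M. Chen", "S. Patel"}

# 1. Orphan custom controls: an exported inventory of scheduled tasks, custom
#    scripts and non-standard GPOs, each with designer, maintainer and runbook.
CUSTOM_AUTOMATIONS = [
    {"name": "cui-share-acl-audit.ps1", "designer": "J. Okafor", "maintainer": "J. Okafor", "runbook": None},
    {"name": "GPO-CUI-USB-Block", "designer": "A. Rivera", "maintainer": "A. Rivera", "runbook": "wiki/runbooks/usb-block"},
    {"name": "siem-forwarder-healthcheck", "designer": "M. Chen", "maintainer": "", "runbook": "wiki/runbooks/siem-forwarder"},
]

def find_orphans(automations, staff):
    """Orphan = no documented runbook, or no currently employed maintainer."""
    orphans = {}
    for item in automations:
        reasons = []
        if not item["runbook"]:
            reasons.append("no runbook")
        if item["maintainer"] not in staff:
            reasons.append("no current maintainer")
        if reasons:
            orphans[item["name"]] = reasons
    return orphans

# 2. Tool migration drift: tools named in the SSP versus tools actually in production.
SSP_TOOLS = {"Splunk", "Cisco AnyConnect", "Duo", "Endpoint-EDR-Placeholder"}
PRODUCTION_TOOLS = {"Microsoft Sentinel", "SASE-Provider-Placeholder", "Duo",
                    "Endpoint-EDR-Placeholder", "Marketing-SaaS-Placeholder"}

def tool_drift(ssp_tools, production_tools):
    """Both directions are drift: retired tools still in the SSP, and live tools the SSP never named."""
    return {
        "in_ssp_not_in_production": sorted(ssp_tools - production_tools),
        "in_production_not_in_ssp": sorted(production_tools - ssp_tools),
    }

# 3. SSP rot: last meaningful revision plus a change log of material changes since.
SSP_LAST_REVISION = date(2025, 9, 30)
MATERIAL_CHANGES_SINCE_REVISION = ["MFA platform replaced", "file shares consolidated"]
SSP_MAX_AGE_DAYS = 182  # approximates the playbook's six-month threshold (assumption)

def ssp_is_rotting(last_revision, material_changes, as_of, max_age_days=SSP_MAX_AGE_DAYS):
    """Rot needs both conditions the playbook names: an old revision and a materially changed environment."""
    return (as_of - last_revision).days > max_age_days and len(material_changes) > 0

# 4. POA&M zombies: items older than 180 days with any status other than Closed.
POAM_ITEMS = [
    {"id": "POAM-001", "opened": date(2025, 8, 1),  "status": "In Progress"},
    {"id": "POAM-002", "opened": date(2026, 2, 15), "status": "In Progress"},
    {"id": "POAM-003", "opened": date(2025, 6, 10), "status": "Closed"},
]
POAM_MAX_OPEN_DAYS = 180

def poam_zombies(items, as_of, max_open_days=POAM_MAX_OPEN_DAYS):
    return [i["id"] for i in items
            if i["status"] != "Closed" and (as_of - i["opened"]).days > max_open_days]

def run_drift_checks(as_of=AS_OF):
    """Run all four detections and return their findings in one report."""
    return {
        "orphans": find_orphans(CUSTOM_AUTOMATIONS, CURRENT_STAFF),
        "tool_drift": tool_drift(SSP_TOOLS, PRODUCTION_TOOLS),
        "ssp_rotting": ssp_is_rotting(SSP_LAST_REVISION, MATERIAL_CHANGES_SINCE_REVISION, as_of),
        "poam_zombies": poam_zombies(POAM_ITEMS, as_of),
    }

if __name__ == "__main__":
    for check, finding in run_drift_checks().items():
        print(f"{check}: {finding}")
```

The inputs are the hard part in practice: the automation inventory comes from a scheduled-task and GPO export, the production tool list from the asset inventory, and the POA&M from whatever system of record holds it. Once those exports exist, the checks themselves are a few set operations and date comparisons that can run on every validation cycle.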

// INCOMING TRANSMISSION

Status: Secure Episode 015 — Inheriting Control Drift: A Briefing for New Leaders, CMMC Annual Affirmations, and the November Phase 2 Deadline covers why control libraries decay through attrition, vision-first leadership, and tool migrations — and what executives must do before the C3PAO walks the floor.


The Five-Step Control Library Validation Sprint

This is the operational sequence. It assumes you have a fully staffed compliance function and a CISO — if you do not, multiply each timeline by two and engage outside support, because Phase 2 begins November 10, 2026, regardless of your team’s bandwidth.

Step 1 — Establish the Source of Truth

Pick one location. One repository. One canonical list of every control your organization is required to operate, every control you have claimed to operate in SPRS, and every control you actually do operate. If you have a GRC platform, that is your source of truth. If you do not, a structured spreadsheet with version control is acceptable for the validation sprint — but plan to migrate to a platform before Phase 2.

The source of truth must include every control from NIST SP 800-171 mapped to its assessment objectives in NIST SP 800-171A. That is 110 controls and 320 assessment objectives. Anything less is incomplete.

Step 2 — Populate the Four Metadata Fields for Every Control

For each control, fill in the four fields described above: governing policy, enforcement mechanism, named owner, last validation date. Do not delegate this step to a single compliance lead working in isolation. The metadata must come from the operators who actually run the controls — system administrators, network engineers, identity administrators, security analysts. This requires a series of structured interviews, and those interviews are themselves a tribal knowledge capture exercise.

Expect 15 to 25 percent of controls to fail this step on the first pass. That is not a failure of the sprint — it is the data you needed to find.

Step 3 — Conduct Technical Validation, Not Just Document Review

A policy that says “all CUI is encrypted at rest” is a document. A screenshot from your file server showing AES-256 encryption enabled on the CUI repository is evidence. The C3PAO will ask for evidence, not for the policy that describes the evidence.

For every control in scope for your CMMC level, the validation sprint must produce:

  • Current-state evidence (a screenshot, configuration export, log sample, or scan output dated within the validation period)
  • A short narrative explaining what the evidence demonstrates
  • A test result showing the control was operating as designed at the time of validation

This is where most paper-compliant contractors discover they are not actually compliant. The encrypted file share that policy describes turns out to be encrypted at the volume level but not at the object level. The MFA policy turns out to exclude a service account that holds privileged access to the CUI enclave. The boundary diagram in the SSP turns out to omit two SaaS tools that the marketing team onboarded six months ago.

Step 4 — Capture Tribal Knowledge Before the Next Resignation

Every senior operator on your team is a single point of failure for the controls they run. The goal of this step is to convert their institutional memory into documented runbooks that survive their departure.

For each named control owner, produce a runbook that documents:

  • What the control does, in plain English
  • How it is enforced (the script, the GPO, the configuration, the manual procedure)
  • What it depends on (other systems, other controls, specific permissions)
  • What breaks if it fails — and how that failure is detected
  • Who the secondary owner is, trained and ready to take it over

The named secondary owner is not negotiable. If your CMMC Level 2 compliance depends on a single individual, your compliance posture has the same continuity profile as that individual’s resignation letter.

Step 5 — Build the Recurring Validation Cadence

The validation sprint is not a project. It is the first iteration of a permanent operational discipline. Schedule recurring validation reviews against each control on a cadence calibrated to risk:

  • High-risk controls (access control, audit logging, system and information integrity): quarterly
  • Medium-risk controls (configuration management, identification and authentication): semi-annual
  • Lower-risk controls (physical protection, personnel security): annually
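Turning the cadence into calendar entries means computing, for every control, the next due date from its last validation date and its risk tier, then flagging what is already overdue. The following is an added example, not code from the article or from WatchUr6. The family-to-tier mapping covers only the families the playbook lists as examples, the default tier for an unlisted family is this example's assumption, and the control identifiers and dates are constructed.

```python
from calendar import monthrange
from datetime import date

# Cadence from the playbook, expressed in months between validations.
CADENCE_MONTHS = {"high": 3, "medium": 6, "low": 12}

# Control-family-to-tier mapping built from the playbook's examples; extending
# it to the remaining NIST SP 800-171 families is the reader's risk decision.
FAMILY_TIER = {
    "AC": "high", "AU": "high", "SI": "high",   # access control, audit, system & information integrity
    "CM": "medium", "IA": "medium",             # configuration management, identification & authentication
    "PE": "low", "PS": "low",                   # physical protection, personnel security
}

def add_months(d: date, months: int) -> date:
    """Calendar-aware month arithmetic (clamps to the last day of a short month)."""
    year, month0 = divmod(d.month - 1 + months, 12)
    year += d.year
    month = month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def tier_for(control_id: str) -> str:
    """Derive the risk tier from the family prefix of a CMMC-style practice ID (e.g. 'AC.L2-3.1.1')."""
    family = control_id.split(".", 1)[0]
    return FAMILY_TIER.get(family, "medium")   # unknown family defaults to medium (assumption)

def next_due(control_id: str, last_validated: date) -> date:
    return add_months(last_validated, CADENCE_MONTHS[tier_for(control_id)])

def schedule(controls: dict[str, date], as_of: date) -> dict[str, dict]:
    """Return, per control, its tier, next due date and whether it is already overdue."""
    plan = {}
    for control_id, last_validated in controls.items():
        due = next_due(control_id, last_validated)
        plan[control_id] = {"tier": tier_for(control_id), "due": due.isoformat(), "overdue": due < as_of}
    return plan

# Constructed sample: last-validation dates per control, evaluated as of a fixed date.
AS_OF = date(2026, 5, 12)
LAST_VALIDATED = {
    "AC.L2-3.1.1": date(2026, 3, 1),
    "AU.L2-3.3.1": date(2025, 11, 15),
    "CM.L2-3.4.1": date(2025, 10, 1),
    "IA.L2-3.5.3": date(2026, 1, 20),
    "PE.L2-3.10.1": date(2025, 9, 1),
}

def run_schedule() -> dict[str, dict]:
    return schedule(LAST_VALIDATED, AS_OF)

if __name__ == "__main__":
    for cid, entry in sorted(run_schedule().items(), key=lambda kv: kv[1]["due"]):
        flag = "OVERDUE" if entry["overdue"] else ""
        print(f"{cid:<14} {entry['tier']:<7} due {entry['due']} {flag}")
```

Sorting the plan by due date gives the review calendar directly; anything flagged overdue on the first run is a control that the sprint should validate before the cadence is considered established.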

Build the cadence into the calendar before the validation sprint concludes. Without a recurring cadence, the library will drift again — and the next assessment will be the next surprise.

The Inherited Watch Protocol — A 30-Day Mandate for Incoming Leaders

Every incoming CISO, IT Director, and Compliance Officer arrives with a vision. The vision is usually good. The execution sequence is usually wrong.

The Inherited Watch Protocol codifies a simple rule: no incoming leader executes a modernization, simplification, or decommissioning initiative in their first 30 days. Those 30 days are reserved for a structured walkthrough of the control library they inherited.

The walkthrough has three deliverables, due to the CEO at the end of day 30:

  1. A status report on the current control library — every control marked operational, drifted, or unknown.
  2. A risk register identifying the controls in drift — ranked by impact on CMMC eligibility and on the Affirming Official’s personal exposure.
  3. A remediation plan — sequenced over the incoming leader’s first 90 days, prioritizing the controls whose decay most directly threatens the next affirmation cycle.

Building this protocol into the role’s offer letter signals two things to every incoming leader: that the organization takes the watch seriously, and that vision-first execution without inheritance discipline is not the culture they were hired into. The new commander does not change the watch order until they have walked the post with the person they relieved.

The Phase 2 Reckoning — Why This Matters in 180 Days

Phase 2 of the CMMC Final Rule takes effect November 10, 2026. Beginning that date, contracting officers will start including mandatory Level 2 certification requirements on solicitations that involve Controlled Unclassified Information. If your certification is current and your annual affirmation is honest, you remain eligible. If either condition fails, you are ineligible for award — and ineligible for option exercise on existing contracts.

The annual affirmation is the lever the Department of Justice will pull when a contractor’s controls have drifted. Under the Civil Cyber-Fraud Initiative, the DoJ has explicitly identified false certifications and inaccurate affirmations as triggers for False Claims Act enforcement. The 15 to 30 percent whistleblower share is real, and the most likely whistleblower is the new compliance lead who walked into a stale control library and recognized what they were looking at.

There is no version of this where waiting is the right move. The contractors who survive Phase 2 are the ones who built living control libraries in the spring and summer of 2026, validated them in the fall, and signed their affirmations honestly in the winter.

Execute the Standard

The control library does not maintain itself. The standard does not maintain itself. The watch does not stand itself.

If your team needs an outside perspective — an objective walkthrough of your current control library against the four metadata fields, an honest assessment of where the drift lives, and a remediation plan sequenced against the Phase 2 deadline — that is the work we do. Verify your security posture at watchur6.com/secure, or establish a secure line at watchur6.com/contact.

The November deadline is fixed. The work is what changes.
