Chloe Bernard

What's an Evidence Locker, and why do I need one?

Well, the short answer is: because you have to, because they make you. Wait, "evidence locker" appears nowhere in the rule. You are making things up! We coined the term, true, but call it a derived requirement. There are a couple of places that drive Organizations Seeking Assessment (OSAs) to have a place where they gather evidence and keep it. This has been the case all along under CMMC 2.0, but the new rule has made it even more important. The Department of Defense (on behalf of the Department of Justice) now requires OSAs to retain evidence for 6 years for both certification and self-assessments, in §170.17(4). So what is an Evidence Locker? How do we use it, and what does the rule mean by artifacts, assessments, and retention?


Evidence Locker

The term "evidence locker" was coined by DCG staff to describe the collection of evidence (or artifacts) needed to complete a third-party CMMC assessment. In order to get a C3PAO to conduct your assessment, your organization must have a body of evidence (or evidence locker!) to submit. Every assessment objective needs at least one piece of evidence. These 320 (or more) artifacts must be consolidated and labeled in accordance with the standard naming convention provided by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).


Previously, the CMMC community thought that evidence lockers were required only for these third-party assessments. However, the new 32 CFR Part 170 states that contractors will need evidence lockers (or a consolidated collection of artifacts) for every assessment, including self-assessments. Self-assessments? Self-assessments are not required, but they are best practice in accompanying the annual self-affirmation. Because of the potential consequences of false self-affirmations, some organizations hire C3PAOs to help with the self-assessment, which increases confidence and security in the affirmation.



Artifacts

You should be able to show a screenshot, document, or other artifact to accompany every assessment objective. (Assessment objectives are the requirements tied to each control in NIST SP 800-171A; if you are not looking at 171A you are not doing this right.) At every level, it is important to keep artifacts, or evidence, because they are immediate proof that you are taking action the way you say you are. Rather than writing "check if vulnerability scanner is up to date", take a screenshot showing the last time it was updated and place it in your evidence locker. By doing so, you protect yourself from any claim that you are not doing what you say you are, because you have evidence showing how you are doing it. When reviewing controls, always ask: "How can I prove this?"

So now that we have our artifacts and we understand the consequences of insufficient evidence, what should we do with them? Put them in an evidence locker! Every assessment, regardless of what kind, should have its own evidence locker. Save evidence as-is for the assessment and archive the evidence locker every time you do an assessment. Even if it is the same assessment you do every year to accompany the self-affirmation, you need a 2024 version, a 2025 version, and so on.


Assessment

While the rule does say that an annual self-assessment is only required at Level 1, at Level 2 you must complete an annual self-affirmation. You should never formally swear (or affirm) to continuing compliance without having something to back that up. An assessment is not required by the rule at Level 2, but no one should accept the enormous risk of making a formal affirmation subject to federal criminal fraud penalties without one. You may even decide that having an external entity conduct that self-assessment makes sense. "CMMC Level 2 self-assessment procedures as described in § 170.16(c)(1) require assessment in accordance with NIST SP 800-171A Jun2018, which if conducted properly will generate evidence." This assessment (fortunately) generates a lot of evidence for our evidence locker. While it may be tempting to make a statement about checking evidence rather than actually checking it, if we check it now (and save it to our evidence locker!) it can save us a lot of pain in the future. Instead of writing "check Active Directory", take a screenshot of Active Directory at the time it needs to be examined.


Retention

We know we need the evidence, how to get it, and where to put it, but one of the most important pieces of this process is retaining it. Saving the evidence to the locker, and keeping the locker for six years, is key. As stated previously, every assessment should have its own locker that is not touched for six years once the assessment is done. Every time there is a new assessment, there is a new locker. And we keep those lockers for six years.
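A locker that must sit untouched for six years is only useful if you can later show it really was untouched. The script below is an added example, not part of this post or of any DCG or DIBCAC tooling: it "seals" a per-assessment locker folder by writing a manifest of SHA-256 hashes for every artifact, and later re-hashes the folder to report anything modified, missing, or added. The folder and file names (a 2024 Level 2 locker, objective folders named after 800-171A objective identifiers) and the placeholder screenshot bytes are constructed for the demonstration and do not reproduce the DIBCAC naming convention mentioned above.

```python
"""Seal a per-assessment evidence locker with a SHA-256 manifest and verify it later.

Added example for the evidence-locker retention discussion; the locker layout
and sample artifacts are constructed for illustration only.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large screenshots or exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _artifacts_in(locker: Path) -> dict:
    """Map each artifact's locker-relative POSIX path to its Path, skipping the manifest."""
    return {
        p.relative_to(locker).as_posix(): p
        for p in sorted(locker.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def seal_locker(locker: Path, assessment_label: str) -> dict:
    """Write MANIFEST.json listing every artifact with its SHA-256 and a seal timestamp."""
    artifacts = {name: sha256_file(p) for name, p in _artifacts_in(locker).items()}
    manifest = {
        "assessment": assessment_label,
        "sealed_at": datetime.now(timezone.utc).isoformat(),
        "artifact_count": len(artifacts),
        "artifacts": artifacts,
    }
    (locker / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_locker(locker: Path) -> dict:
    """Re-hash the locker and report modified, missing and unexpected files against the manifest."""
    expected = json.loads((locker / MANIFEST_NAME).read_text())["artifacts"]
    present = _artifacts_in(locker)
    modified = [n for n, h in expected.items() if n in present and sha256_file(present[n]) != h]
    missing = [n for n in expected if n not in present]
    unexpected = [n for n in present if n not in expected]
    return {
        "intact": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed walkthrough: seal a sample locker, verify it, alter one artifact, verify again."""
    root = Path(tempfile.mkdtemp())
    locker = root / "evidence-locker-2024-L2-self-assessment"  # hypothetical folder name
    (locker / "3.1.1[a]").mkdir(parents=True)
    (locker / "3.1.1[a]" / "ad-users-screenshot.png").write_bytes(b"constructed placeholder image bytes")
    (locker / "3.11.2[a]").mkdir()
    (locker / "3.11.2[a]" / "scanner-last-update.png").write_bytes(b"constructed placeholder image bytes 2")

    seal_locker(locker, "2024 Level 2 self-assessment (constructed example)")
    before = verify_locker(locker)

    # Someone "refreshes" a screenshot after the locker should have been frozen.
    (locker / "3.11.2[a]" / "scanner-last-update.png").write_bytes(b"newer screenshot")
    after = verify_locker(locker)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("freshly sealed locker intact:", before["intact"])
    print("after edit intact:", after["intact"], "modified:", after["modified"])
```

Run it once right after the assessment closes and keep the manifest's own hash (or a copy of the manifest) somewhere outside the locker, such as in the assessment report or a ticket; a manifest stored only beside the artifacts can be regenerated along with them, so the out-of-band copy is what lets you demonstrate six years later that the 2024 locker is exactly what was assessed in 2024.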


Is this a lot of work? Undoubtedly. Is it doable? Yes, especially with an iterative process. This evidence collection and retention is crucial at every level of CMMC, regardless of contractor size. By taking self-assessments seriously, making a habit of doing the research, and keeping our evidence, it is possible to build a robust evidence locker. As long as these lockers are kept for the six years, they can substantially protect contractors from accusations of false claims.


