From Point-in-Time Attestation to Always-On Control State
Author: Leonard Esere, Senior Cybersecurity Engineer, AeoliTech
Date: April 2026
Classification: Public
Abstract
The CMMC Level 2 assessment cycle is three years. But the DFARS 252.204-7012 obligation to protect Controlled Unclassified Information (CUI) is permanent — it does not pause between assessments. And the 2025 CMMC rule (32 CFR Part 170) adds annual affirmation: a senior company official must affirm each year that the 110 security requirements remain in place. These obligations, taken together, mean that compliance is not a state you achieve and maintain until the next assessment — it is a posture you demonstrate continuously.
This whitepaper examines why continuous monitoring is operationally superior to point-in-time attestation, how Azure Policy and Microsoft Defender for Cloud Secure Score provide the technical foundation, how Microsoft Sentinel analytics rules translate 800-171 control families into automated alerts, what Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) a mature CMMC program should track, and how to design dashboards that serve different audiences — CEO/board, CISO/security leadership, and program/project managers. It covers drift alerting, quarterly POA&M review cadence, and explains how AeoliTech's Evidence Vault tier within PolicyCortex operationalizes this always-on posture.
Table of Contents
1. Why Continuous Monitoring Beats Point-in-Time Attestation
2. The Regulatory Case for Always-On Compliance
3. Azure Policy and Defender for Cloud Secure Score
4. Microsoft Sentinel Analytics Rules Mapped to 800-171
5. KRIs and KPIs for a CMMC Program
6. Dashboard Design by Audience
7. Drift Alerts: Detection to Remediation
8. Quarterly POA&M Review Cadence
9. The Evidence Vault Tier: AeoliTech's Continuous Monitoring Model
10. Implementing Continuous Monitoring: A Practical Roadmap
11. Conclusion
12. About the Author
1. Why Continuous Monitoring Beats Point-in-Time Attestation
Point-in-time attestation — the practice of conducting a compliance assessment on a specific date and treating the results as valid until the next assessment cycle — is a useful baseline. It tells you where you stood at a moment in time. But it provides no information about what happened in the 1,095 days between assessments.
Consider what changes in three years at a typical mid-size DIB contractor:
- Engineers turn over; new staff provision resources without security review
- Microsoft and AWS release hundreds of platform updates, some of which alter default security configurations
- The organization onboards new SaaS tools, some of which touch CUI boundary systems
- New contracts bring new scoping requirements and additional CUI data flows
- Vendors and subcontractors are added to the supply chain, expanding the attack surface
The gap between assessment and reality:
A 2024 analysis of CMMC assessment outcomes found that organizations relying solely on periodic assessments typically experienced 15–25 significant configuration drift events per month — many of which would constitute findings if discovered during an assessment. By the time the next assessment cycle begins, the distance between the assessed state and the actual state can be enormous.
Point-in-time attestation also creates perverse incentives: organizations invest heavily in looking compliant for the assessment and then let controls decay until the next cycle approaches. This is not security — it is security theater.
What continuous monitoring provides:
| Capability | Point-in-Time | Continuous Monitoring |
|---|---|---|
| Control state visibility | At assessment date only | Real-time, always |
| Drift detection | Not possible | Within minutes to hours |
| Evidence quality | Stale by definition | Current, timestamped |
| Incident correlation | Not available | Integrated with SIEM |
| Annual affirmation support | Manual, stressful | Automated, routine |
| Cost of remediation | High (large gaps accumulate) | Low (small gaps addressed quickly) |
| Assessor confidence | Low (historical snapshot) | High (continuous data) |
2. The Regulatory Case for Always-On Compliance
Three regulatory obligations, taken together, make continuous monitoring not just best practice but necessary:
DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 in all information systems that process, store, or transmit CUI. The word "implement" is present-tense — the controls must be operational at all times, not just during assessment windows.
CMMC 2.0 Annual Affirmation (32 CFR § 170.22): A senior company official must affirm compliance annually. The affirmation must be accurate — submitting a false affirmation is a violation of the False Claims Act. Accurate affirmation is impossible without continuous visibility into control state. An official who signs an affirmation based on a three-year-old assessment has no basis for knowing whether the statement is true.
DFARS 252.204-7021 (CMMC Contract Requirement): Contractors must maintain the required CMMC level throughout contract performance. "Maintain" means continuously — certification status lapses not only if an assessment expires, but also if the organization fails to submit its annual affirmation.
The liability geometry:
```
False Claims Act liability ──→ Requires accurate affirmation
        ↓
Accurate affirmation requires knowledge of current control state
        ↓
Knowledge of current control state requires continuous monitoring
        ↓
Continuous monitoring is not optional; it is legally necessary
```
3. Azure Policy and Defender for Cloud Secure Score
Microsoft Defender for Cloud is the primary continuous monitoring platform for Azure-hosted CUI environments. Its two core mechanisms — Regulatory Compliance assessments and Secure Score — provide complementary views of control posture.
Regulatory Compliance in Defender for Cloud
When the NIST SP 800-171 Rev. 2 initiative is assigned in Azure Policy and Defender for Cloud's continuous export is configured to a Log Analytics workspace, the Regulatory Compliance blade shows a real-time compliance percentage per control family. This is updated on an 8-hour evaluation cycle.
Compliance states tracked:
| State | Meaning | Action |
|---|---|---|
| Passed | Resource meets the policy definition | No action; log as evidence |
| Failed | Resource violates the policy definition | Alert; trigger remediation |
| Not Applicable | Policy does not apply to this resource type | Document exclusion rationale |
| Exempt | Resource is explicitly exempted | Requires CISO approval; logged |
Secure Score as a Leading Indicator
While Regulatory Compliance maps to specific NIST controls, the Secure Score provides a broader posture metric. The score is calculated as a weighted average across security controls, with maximum scores assigned by risk weight:
| Security Control | Max Score | Maps to NIST 800-171 |
|---|---|---|
| Enable MFA | 10 | 3.5.3, 3.5.4 |
| Secure management ports | 8 | 3.1.3, 3.13.1 |
| Apply system updates | 6 | 3.14.1 |
| Remediate vulnerabilities | 6 | 3.14.1 |
| Remediate security configurations | 4 | 3.4.1, 3.4.2 |
| Manage access and permissions | 4 | 3.1.1, 3.1.5 |
| Enable encryption at rest | 4 | 3.13.8 |
| Encrypt data in transit | 4 | 3.13.8 |
| Restrict unauthorized network access | 4 | 3.13.1, 3.13.5 |
| Enable endpoint protection | 2 | 3.14.2 |
| Enable auditing and logging | 1 | 3.3.1 |
Continuous Secure Score monitoring KQL query:
```kql
// Track Secure Score trend over 90 days
AzureActivity
| where TimeGenerated > ago(90d)
| where OperationNameValue contains "Microsoft.Security/securescores"
| where ActivityStatusValue == "Success"
| extend ScoreDate = todatetime(TimeGenerated)
| project ScoreDate, Properties
// Keep the most recent record for each day
| summarize arg_max(ScoreDate, Properties) by Day = bin(ScoreDate, 1d)
| order by Day asc
```
A Secure Score above 70% is generally associated with adequate CMMC Level 2 hygiene; scores below 60% typically indicate multiple failing controls. However, Secure Score is a leading indicator — it should be used alongside per-control compliance percentages, not as a substitute.
Multi-Cloud Secure Score
For organizations with AWS or GCP workloads, Defender for Cloud's CSPM multi-cloud connector extends the Secure Score to AWS accounts and GCP projects. This provides a unified posture view across all cloud environments — essential for accurate scope determination and comprehensive monitoring.
4. Microsoft Sentinel Analytics Rules Mapped to 800-171
Microsoft publishes a CMMC 2.0 Solution in the Microsoft Sentinel Content Hub. This solution includes pre-built analytics rules that use Defender for Cloud regulatory compliance data as their signal source, alerting when policy compliance falls below defined thresholds.
How the analytics rules work:
The CMMC analytics rules query the SecurityRegulatoryCompliance table in Log Analytics. They evaluate compliance percentages per control family and generate incidents when the percentage drops below the configured threshold (default: 70% within a 7-day window).
```kql
// CMMC 2.0 Sentinel Analytics Rule: Access Control compliance drop
SecurityRegulatoryCompliance
| where TimeGenerated > ago(7d)
| where InitiativeName contains "NIST 800-171"
| where ControlName startswith "3.1"
| summarize
    PassedCount = countif(ComplianceState == "PASSED"),
    FailedCount = countif(ComplianceState == "FAILED")
    by ControlName, bin(TimeGenerated, 1d)
| extend CompliancePercent = (PassedCount * 100.0) / (PassedCount + FailedCount)
| where CompliancePercent < 70
| project TimeGenerated, ControlName, CompliancePercent, FailedCount
| order by CompliancePercent asc
```
Pre-built analytics rules in the CMMC 2.0 Solution:
| Rule Name | Control Domain | Alert Threshold |
|---|---|---|
| CMMC Access Control Compliance Drop | 3.1.x | < 70% in 7 days |
| CMMC Audit & Accountability Gap | 3.3.x | < 70% in 7 days |
| CMMC Configuration Management Drift | 3.4.x | < 70% in 7 days |
| CMMC ID & Authentication Failure | 3.5.x | < 70% in 7 days |
| CMMC System Integrity Degradation | 3.14.x | < 70% in 7 days |
| CMMC Privileged Access Anomaly | 3.1.6 | Any privileged role change |
| CMMC Audit Log Deletion Attempt | 3.3.1 | Any log deletion event |
Custom analytics rule for high-value control drift (3.5.3 — MFA):
```kql
// Alert on successful single-factor sign-ins to sensitive applications
SigninLogs
| where TimeGenerated > ago(1h)
| where AuthenticationRequirement == "singleFactorAuthentication"
| where AppDisplayName has_any ("VPN", "SSH", "Admin", "CUI")
| where ResultType == "0" // Successful sign-in without MFA (ResultType is a string column)
| project
    TimeGenerated,
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    ConditionalAccessStatus
| extend
    ControlViolation = "3.5.3 - MFA Not Enforced",
    Severity = "High"
```
Rule management best practices:
Analytics rules should themselves be version-controlled as YAML or JSON files in the same Git repository as policy-as-code definitions. Sentinel's `az sentinel alert-rule` CLI or ARM template deployment enables GitOps-style rule management, ensuring that every rule change is reviewed, approved, and auditable.
5. KRIs and KPIs for a CMMC Program
A mature CMMC continuous monitoring program distinguishes between Key Risk Indicators (KRIs) — leading indicators of control failure risk — and Key Performance Indicators (KPIs) — lagging measures of compliance program effectiveness.
Key Risk Indicators (KRIs)
KRIs provide early warning. When a KRI exceeds its threshold, it indicates that a control is at risk of failing before it actually fails.
| KRI | Threshold | Control Domain | Measurement |
|---|---|---|---|
| MFA enrollment rate (all CUI-boundary users) | < 98% → Risk | 3.5.3 | Graph API: credential registration report |
| Privileged account count (admin roles) | > 5 global admins → Risk | 3.1.1, 3.1.5 | Graph API: directory role members |
| Failed login attempts (per user per hour) | > 5 → Risk | 3.1.8 | Sentinel: SigninLogs |
| Unpatched critical vulnerabilities (CUI systems) | > 0 at 15+ days → Risk | 3.14.1 | Defender for Endpoint: exposure score |
| Non-compliant resources (by policy initiative) | > 5% of resources → Risk | Multiple | Azure Policy compliance API |
| CUI data exfiltration indicators | Any → Critical | 3.1.3, 3.13.x | Defender for Cloud: alerts |
| Days since last POA&M review | > 90 → Risk | 3.12.2 | Manual tracking / calendar |
| Stale evidence in vault (> 30 days old) | > 2 controls → Risk | 3.12.4 | Vault manifest automation |
Key Performance Indicators (KPIs)
KPIs measure how well the compliance program is functioning over time.
| KPI | Target | Measurement Cadence | Source |
|---|---|---|---|
| Overall CMMC control compliance percentage | > 95% | Weekly | Azure Policy / Defender for Cloud |
| Secure Score | > 75% | Daily | Defender for Cloud |
| Mean time to detect drift (MTTD) | < 4 hours | Monthly average | Sentinel incident timestamps |
| Mean time to remediate (MTTR) | < 48 hours | Monthly average | Sentinel incident closure timestamps |
| Open POA&M items | < 10 | Monthly | POA&M tracker |
| POA&M items closed on schedule | > 90% | Quarterly | POA&M tracker |
| Evidence collection coverage | 100% of auto-collectable controls | Weekly | Vault manifest |
| C3PAO assessment readiness score | > 85% | Quarterly | Internal mock assessment |
| Annual affirmation submitted on time | 100% | Annual | SPRS submission record |
6. Dashboard Design by Audience
Effective continuous monitoring requires dashboards calibrated to their audience. The same underlying data — Azure Policy compliance states, Sentinel incidents, POA&M status — should be presented very differently to a CEO, a CISO, and a project manager.
CEO / Board Dashboard
The executive audience needs strategic risk visibility without operational noise. Three metrics dominate:
```
┌─────────────────────────────────────────────────────┐
│ CMMC COMPLIANCE POSTURE — APRIL 2026                │
├─────────────────┬─────────────────┬─────────────────┤
│ OVERALL SCORE   │ OPEN RISK       │ NEXT MILESTONE  │
│ 94.2%           │ 3 HIGH ITEMS    │ Annual Affirm   │
│ ▲ 1.8% MoM      │ (↓ from 7)      │ Due: Oct 2026   │
├─────────────────┴─────────────────┴─────────────────┤
│ CONTRACT RISK: LOW — No open SPRS findings          │
│ REGULATORY CHANGE: NIST Rev.3 transition watch      │
└─────────────────────────────────────────────────────┘
```
CEO dashboard elements:
- Overall compliance percentage with month-over-month trend
- Count of High/Critical open risk items
- Next regulatory milestone (affirmation, assessment, contract)
- Single contract risk indicator (Green/Yellow/Red)
- Brief on any regulatory changes (e.g., NIST Rev. 3 transition)
CISO / Security Leadership Dashboard
The CISO needs operational control — visibility into where controls are failing, what the trend is, and what the team is doing about it.
| Domain | Compliance % | Trend | Open Items | MTTD | MTTR |
|---|---|---|---|---|---|
| Access Control (3.1) | 96.4% | ▲ | 2 | 1.2h | 18h |
| Audit & Accountability (3.3) | 100% | → | 0 | N/A | N/A |
| Config Management (3.4) | 89.1% | ▼ | 5 | 3.1h | 61h |
| ID & Authentication (3.5) | 98.7% | ▲ | 1 | 0.8h | 4h |
| System & Comms Protection (3.13) | 91.2% | → | 3 | 2.4h | 32h |
| System & Info Integrity (3.14) | 93.8% | ▲ | 2 | 1.9h | 29h |
CISO dashboard additional elements:
- Heatmap of controls by compliance percentage (red/yellow/green)
- Sentinel incident trend (7-day, 30-day)
- Top 5 non-compliant resources with assigned owners
- Evidence vault health (last collection dates, stale items)
- POA&M aging (items by age: < 30 days, 30-60 days, > 60 days)
Program Manager / Project Dashboard
The PM dashboard focuses on actionable tasks: what needs to be done, by whom, and by when.
| Action Item | Control | Assigned To | Due Date | Status |
|---|---|---|---|---|
| Enable diagnostic logging on 3 VMs | 3.3.1 | Cloud Engineering | Apr 30 | In Progress |
| Update Conditional Access to block legacy auth | 3.5.1 | Identity Team | May 5 | Pending |
| Patch CVE-2026-xxxx on prod DB | 3.14.1 | Platform Team | Apr 28 | Overdue |
| Conduct quarterly POA&M review | 3.12.2 | Compliance Officer | Jun 30 | Scheduled |
| Collect physical access evidence for 3.10.1 | 3.10.1 | Facilities | May 15 | Pending |
PM dashboard additional elements:
- Gantt view of POA&M milestones
- Evidence collection calendar (what is due this week)
- Assessment countdown (if an upcoming C3PAO assessment is scheduled)
- Weekly compliance percentage change per owner
7. Drift Alerts: Detection to Remediation
A drift alert is triggered when a resource that was previously compliant becomes non-compliant, or when a new resource is provisioned without meeting policy requirements. The detection-to-remediation workflow must be fast, documented, and traceable.
Drift alert lifecycle:
```
Control state evaluated (every 8 hours or triggered by resource change)
        ↓
Compliance state change detected: Compliant → NonCompliant
        ↓
Sentinel incident created with:
    ├── Resource ID
    ├── Policy definition violated
    ├── Control ID mapped
    ├── Compliance state before/after
    └── Timestamp
        ↓
Logic App playbook triggered:
    ├── Notify assigned control owner (Teams / email)
    ├── Log to evidence vault: "Drift Event — [Control ID] — [Resource]"
    ├── Open POA&M item if not auto-remediable
    └── Trigger Azure Policy remediation task (if applicable)
        ↓
Resolution:
    ├── Auto-remediation succeeds → Close incident; log remediation evidence
    └── Auto-remediation fails → Escalate; assign human remediation task
        ↓
Post-incident:
    ├── Root cause documented in incident record
    ├── Evidence of resolution stored in vault
    └── MTTR recorded for KPI tracking
```
Drift severity classification:
| Severity | Definition | Response Time | Example |
|---|---|---|---|
| Critical | CUI data exposure risk; MFA disabled; audit logging deleted | < 1 hour | Audit log deletion detected; public IP on CUI VM |
| High | Control required by DFARS 7012; directly impacts SPRS score | < 4 hours | Encryption disabled on storage with CUI; admin account without MFA |
| Medium | NIST 800-171 control degraded but not critical | < 24 hours | Stale privileged account; missing diagnostic logging on non-CUI VM |
| Low | Best practice deviation; no direct control impact | < 72 hours | Resource without required tags; deprecated TLS 1.1 on internal API |
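The detection and routing steps of the lifecycle above can be sketched as a comparison of two compliance snapshots. This is an added example, not AeoliTech's or Microsoft's code: the policy names, the policy-to-severity catalogue, the snapshot format and the resource IDs are assumptions constructed for illustration, while the response-time targets come from the severity table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Response-time targets taken from the drift severity table above.
RESPONSE_TIME = {
    "Critical": timedelta(hours=1),
    "High": timedelta(hours=4),
    "Medium": timedelta(hours=24),
    "Low": timedelta(hours=72),
}

# Hypothetical catalogue: policy name -> (control ID, severity, auto-remediable).
# Names, severities and flags are assumptions that mirror the table's examples.
POLICY_CATALOGUE = {
    "cui-vm-no-public-ip": ("3.13.1", "Critical", False),
    "storage-encryption-at-rest": ("3.13.8", "High", True),
    "diagnostic-logging-enabled": ("3.3.1", "Medium", True),
    "required-tags-present": ("n/a", "Low", True),
}


@dataclass(frozen=True)
class DriftIncident:
    resource_id: str
    policy: str
    control_id: str
    severity: str
    state_before: str  # "Compliant", or "Absent" for a newly provisioned resource
    state_after: str
    detected_at: datetime
    respond_by: datetime
    next_step: str  # "remediation_task" or "poam_item"


def detect_drift(before, after, evaluated_at):
    """Compare two snapshots {(resource_id, policy): state} and return incidents.

    Drift is a Compliant -> NonCompliant transition, or a resource that first
    appears in `after` already NonCompliant. A pair that was NonCompliant in
    both snapshots is an existing finding, not new drift.
    """
    incidents = []
    for (resource_id, policy), state in after.items():
        if state != "NonCompliant":
            continue
        previous = before.get((resource_id, policy), "Absent")
        if previous == "NonCompliant":
            continue
        # Unmapped policies fail closed: High severity, routed to a human.
        control_id, severity, auto = POLICY_CATALOGUE.get(
            policy, ("unmapped", "High", False))
        incidents.append(DriftIncident(
            resource_id=resource_id, policy=policy, control_id=control_id,
            severity=severity, state_before=previous, state_after=state,
            detected_at=evaluated_at,
            respond_by=evaluated_at + RESPONSE_TIME[severity],
            next_step="remediation_task" if auto else "poam_item",
        ))
    # Most urgent first, so the playbook notifies owners in deadline order.
    return sorted(incidents, key=lambda i: (i.respond_by, i.resource_id))


# Constructed snapshots from two consecutive evaluation cycles.
SAMPLE_BEFORE = {
    ("vm-cui-01", "cui-vm-no-public-ip"): "Compliant",
    ("stcui001", "storage-encryption-at-rest"): "Compliant",
    ("vm-dev-07", "diagnostic-logging-enabled"): "NonCompliant",
}
SAMPLE_AFTER = {
    ("vm-cui-01", "cui-vm-no-public-ip"): "NonCompliant",         # drifted
    ("stcui001", "storage-encryption-at-rest"): "Compliant",      # unchanged
    ("vm-dev-07", "diagnostic-logging-enabled"): "NonCompliant",  # existing finding
    ("vm-new-12", "diagnostic-logging-enabled"): "NonCompliant",  # new resource
    ("kv-cui-02", "custom-unmapped-policy"): "NonCompliant",      # not in catalogue
}

if __name__ == "__main__":
    now = datetime(2026, 4, 20, 8, 0, tzinfo=timezone.utc)
    for inc in detect_drift(SAMPLE_BEFORE, SAMPLE_AFTER, now):
        print(inc.severity, inc.resource_id, inc.control_id,
              inc.respond_by.isoformat(), inc.next_step)
```

Treating an unmapped policy as High with a human-owned POA&M item keeps a new or renamed policy definition from silently falling out of alerting.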
8. Quarterly POA&M Review Cadence
A Plan of Action & Milestones (POA&M) is required by NIST SP 800-171 (control 3.12.2) and the CMMC assessment process. It documents how the organization plans to address identified gaps. Under 32 CFR Part 170, CMMC Level 2 POA&M items must be closed within 180 days of the conditional CMMC status date.
Quarterly review structure:
Month 1 of Quarter (Q-Open):
- Pull all open POA&M items from tracker
- Verify current status with assigned owners
- Confirm or update milestone dates
- Identify any items at risk of missing the 180-day closure window
- Report status to CISO dashboard
Month 2 of Quarter (Q-Mid):
- Review progress on items scheduled to close this quarter
- Escalate stalled items to CISO/COO
- Trigger additional remediation resources for at-risk items
- Update continuous monitoring thresholds if new gaps have been identified
Month 3 of Quarter (Q-Close):
- Verify closure of all items scheduled to close this quarter
- Collect closure evidence for each closed item and store in vault
- Update SPRS if applicable (for L2 self-assessment organizations)
- Brief executive leadership on quarterly posture change
POA&M item lifecycle:
| Field | Description |
|---|---|
| Item ID | Unique identifier (e.g., POA&M-2026-001) |
| Control ID | NIST 800-171 requirement (e.g., 3.3.1) |
| Gap Description | What is currently deficient |
| Milestone 1 | Interim milestone with date |
| Milestone 2 | Interim milestone with date |
| Completion Date | Final closure target (must be ≤ 180 days from conditional status) |
| Responsible Owner | Named individual accountable |
| Evidence of Closure | Reference to vault artifact |
| Status | Open / In Progress / Closed |
The quarterly cadence maps to the KPI: 90%+ of POA&M items must close on schedule. Items that slip should trigger a root cause analysis — is the assigned owner adequately resourced? Is the gap more complex than initially scoped? Is vendor support needed?
9. The Evidence Vault Tier: AeoliTech's Continuous Monitoring Model
AeoliTech's Evidence Vault tier within PolicyCortex is the operational implementation of continuous compliance monitoring for CMMC organizations. It extends the basic policy-as-code enforcement layer with persistent, timestamped evidence collection and continuous control state monitoring.
Evidence Vault tier capabilities:
| Capability | Description | Value to Organization |
|---|---|---|
| Continuous collection | Azure Policy, Graph API, AWS Config, Defender pulls on scheduled cadence | Always-current evidence; no pre-assessment sprint |
| Control state heatmap | Real-time visual of all 110 controls by compliance percentage | CISO dashboard; instant visibility |
| Drift alert routing | Incidents routed to control owners with context and remediation steps | MTTD < 4 hours; MTTR < 48 hours |
| POA&M integration | Open items from Sentinel incidents auto-populate POA&M tracker | No manual gap-to-POA&M transcription |
| Evidence API | C3PAO-ready package generation: select controls, export artifacts | Assessment prep compressed by 60–80% |
| Annual affirmation support | Pre-populated affirmation data report for senior official review | Affirmation process takes hours, not days |
| Regulatory update monitoring | PolicyCortex team monitors NIST, DoD, and Azure/AWS policy changes | Policy library stays current automatically |
Readiness-to-Evidence Vault progression:
Organizations typically engage AeoliTech in one of three postures:
| Stage | State | PolicyCortex Service |
|---|---|---|
| Readiness | No formal CMMC program; gaps unknown | Gap assessment; scoping; initial policy deployment |
| Remediation | Gaps identified; POA&M in progress | Policy-as-code enforcement; automated remediation; POA&M management |
| Evidence Vault | Controls implemented; continuous monitoring active | Vault population; dashboard delivery; C3PAO package generation |
The Evidence Vault tier is the steady state: a continuously populated, always-current repository of compliance evidence, supported by real-time monitoring and automated drift response. Organizations in this tier arrive at CMMC assessments — and annual affirmation deadlines — already ready.
10. Implementing Continuous Monitoring: A Practical Roadmap
For organizations transitioning from point-in-time attestation to continuous monitoring, the journey is practical and sequential:
Phase 1: Foundation (Weeks 1–4)
- Assign NIST SP 800-171 Rev. 2 initiative to all CUI-boundary subscriptions
- Configure Defender for Cloud continuous export to Log Analytics workspace
- Deploy CMMC 2.0 Sentinel solution (workbook + analytics rules)
- Establish baseline: export initial compliance state for all 110 controls
Phase 2: Alert Coverage (Weeks 5–8)
- Customize Sentinel analytics rule thresholds based on current compliance percentages
- Configure alert routing to control owners via Logic App playbook
- Integrate with existing ticketing system (ServiceNow, Jira) for incident management
- Deploy Graph API evidence collection scripts
Phase 3: Evidence Vault (Weeks 9–12)
- Structure evidence vault in Azure Blob Storage (WORM + RBAC)
- Configure automated daily/weekly collection jobs
- Map collected artifacts to control objectives
- Build initial evidence manifest per control
Phase 4: Dashboard Delivery (Weeks 12–16)
- Deploy CEO/CISO/PM dashboards (Power BI or Sentinel workbooks)
- Configure KRI threshold alerts
- Establish POA&M quarterly review cadence
- Train stakeholders on dashboard interpretation
Phase 5: Continuous Operation (Ongoing)
- Weekly evidence quality checks (staleness, completeness)
- Monthly KPI review with CISO
- Quarterly POA&M review
- Annual affirmation preparation (< 1 week with Evidence Vault in place)
- Respond to platform policy changes (new Azure Policy definitions, AWS Config rules)
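The weekly evidence quality check in Phase 5 can be automated against the vault manifest built in Phase 3. The following is an added example, not PolicyCortex code: the manifest fields, artifact names and the SHA-256 integrity check are assumptions, while the 30-day staleness window and the "more than 2 stale controls" threshold come from the KRI table in Section 5.

```python
import hashlib
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)  # KRI table: evidence older than 30 days is stale
STALE_CONTROL_LIMIT = 2           # KRI table: more than 2 stale controls -> Risk


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vault_health(manifest, artifacts, expected_controls, now):
    """Report evidence freshness, coverage and integrity per control.

    manifest          list of {"control_id", "artifact", "sha256", "collected_at"}
    artifacts         {artifact name: bytes} as read back from the vault
    expected_controls control IDs the collectors are supposed to cover
    """
    newest = {}              # control -> latest collection time of intact evidence
    integrity_failures = []  # artifact missing, or digest differs from the manifest
    for entry in manifest:
        blob = artifacts.get(entry["artifact"])
        if blob is None or sha256_hex(blob) != entry["sha256"]:
            integrity_failures.append(entry["artifact"])
            continue  # evidence that cannot be verified does not count
        cid = entry["control_id"]
        if cid not in newest or entry["collected_at"] > newest[cid]:
            newest[cid] = entry["collected_at"]

    expected = set(expected_controls)
    stale = sorted(c for c in expected
                   if c in newest and now - newest[c] > STALE_AFTER)
    missing = sorted(expected - set(newest))
    coverage = (100.0 * (len(expected) - len(missing)) / len(expected)
                if expected else 0.0)
    return {
        "stale_controls": stale,
        "missing_controls": missing,
        "integrity_failures": sorted(integrity_failures),
        "coverage_percent": round(coverage, 1),
        "stale_evidence_kri": "Risk" if len(stale) > STALE_CONTROL_LIMIT else "OK",
    }


def build_sample():
    """Constructed vault contents and manifest, for illustration only."""
    now = datetime(2026, 4, 20, tzinfo=timezone.utc)
    artifacts = {
        "role-members.json": b'{"globalAdmins": 3}',
        "diag-settings.json": b'{"vmsWithLogging": 41}',
        "mfa-registration-old.json": b'{"enrolled": 0.97}',
        "mfa-registration.json": b'{"enrolled": 0.99}',
        "storage-encryption.json": b'{"encrypted": true}',
    }
    rows = [  # (control, artifact, age in days at `now`)
        ("3.1.1", "role-members.json", 2),
        ("3.3.1", "diag-settings.json", 50),         # stale
        ("3.5.3", "mfa-registration-old.json", 69),  # superseded by the next row
        ("3.5.3", "mfa-registration.json", 1),
        ("3.13.8", "storage-encryption.json", 5),
    ]
    manifest = [{"control_id": c, "artifact": a,
                 "sha256": sha256_hex(artifacts[a]),
                 "collected_at": now - timedelta(days=age)} for c, a, age in rows]
    # Simulate an artifact altered after collection; its digest no longer matches.
    artifacts["storage-encryption.json"] = b'{"encrypted": false}'
    # 3.14.1 is expected but has no manifest entry at all.
    return manifest, artifacts, ["3.1.1", "3.3.1", "3.5.3", "3.13.8", "3.14.1"], now


if __name__ == "__main__":
    print(vault_health(*build_sample()))
```

A control whose only artifact fails verification is reported as missing rather than fresh, so altered evidence lowers coverage instead of inflating it.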
11. Conclusion
The question of continuous monitoring versus point-in-time attestation is not an academic debate — it has direct legal and operational consequences. Annual affirmation under CMMC requires knowing that controls are in place right now, not that they were in place at the last assessment. False affirmation exposes senior officials and organizations to False Claims Act liability. Drift between assessments creates CUI exposure risk that can result in contract termination, notification obligations, and reputational damage.
Continuous compliance monitoring — powered by Azure Policy, Defender for Cloud, Microsoft Sentinel, and automated evidence collection — eliminates the gap between compliance posture and compliance knowledge. When every control is evaluated on an 8-hour cycle, when every drift event triggers a sub-4-hour alert, and when evidence is collected continuously into a structured vault, the entire character of the compliance program changes: from reactive to proactive, from stressful to routine, from opaque to transparent.
AeoliTech's Evidence Vault tier within PolicyCortex is the fastest path to this posture for DIB contractors who cannot afford to build this infrastructure from scratch. The organizations we have brought to Evidence Vault steady state report not just better assessment outcomes, but a qualitatively different relationship with their own compliance program: they know where they stand, at all times, without asking.
About the Author
Leonard Esere is a Senior Cybersecurity Engineer at AeoliTech with extensive experience designing and implementing security architectures for federal contractors and national laboratory environments. He holds a DoD Secret clearance and a DoE Q clearance, has contributed to security assessments at the MITRE Corporation, and led the Authorization to Operate (ATO) evidence vault architecture for a major LANL engagement. He also served as the security engineering lead for Frontier supercomputer PCI DSS compliance. Leonard specializes in translating complex regulatory requirements — NIST 800-171, CMMC, FedRAMP — into automated, scalable technical implementations.