Know which evidence needs review next and who must refresh it
A synthetic CMMC evidence calendar that schedules review and refresh according to evidence type, process cadence, system changes, and assessment needs.
Evidence-specific cadence instead of a blanket age rule
Event-driven triggers alongside fixed dates
Owner and provider workload visible by month
Assessment and annual-affirmation milestones included
Freshness follows the claim
An annual policy approval, a quarterly access review, a monthly log review, a training completion event, and a current configuration export prove different things. Their useful review periods therefore differ. The calendar starts from the process the organization says it performs.
Track changes that make the date irrelevant
A newly captured network diagram can become wrong tomorrow if the CUI boundary changes. The calendar must therefore include event triggers such as staff turnover, system migrations, new CUI flows, provider changes, policy changes, acquisitions, and new contract requirements.
- Next scheduled review date
- Change event that forces earlier review
- Owner or provider responsible for refresh
- Lead time needed to produce the evidence
- Assessment, POA&M, and affirmation milestones
Use the calendar to level the workload
Evidence programs fail when every item is rediscovered immediately before assessment. A planned calendar distributes work, exposes impossible concentrations, and gives providers enough lead time to produce reports and attestations.
What the working artifact can contain
| Evidence set | Owner | Normal review | Early trigger | Lead time |
|---|---|---|---|---|
| Access review record | IT lead | Quarterly | Role or identity-system change | 10 days |
| Training completion | HR lead | Annual + new hire | Training content or role change | 15 days |
| Network diagram | Security owner | Quarterly review | Boundary or architecture change | 20 days |
| ESP responsibility evidence | Vendor owner | Contract/report period | Provider or service change | 30 days |
Synthetic cadence example — not a universal CMMC schedule.
Concrete, client-owned operating records
Facts, not verdicts
Review dates are operational policy, not legal advice or assessor guarantees. Qualified reviewers should approve cadences for the organization and evidence types involved.
Frequently asked questions
Does CMMC require all evidence to be under 90 days old?
The DoD Level 2 guide does not establish one universal 90-day age limit for every evidence type. Recency should match the process, current environment, and assessment need.
What causes an early refresh?
Changes to people, systems, providers, policies, CUI flows, assessment scope, or the process represented by the evidence can trigger review before a scheduled date.
Source context
Bring the evidence state you actually have.
Gridex will map the operating work, the human judgment boundary, and the safest next step.