Gridex Request a fit call →
CMMC Level 2 · Evidence Operations

Complete evidence, kept current.

Gridex operates the complete evidence record across all applicable CMMC Level 2 assessment objectives — owners, sources, dates, locations, what is on file, what is stale, and what is missing. We collect, chase, check, refresh, file, and package the record inside client-controlled systems. Your advisor judges adequacy. Your signing official signs. We do not determine compliance.

  • Monthly digest
  • Chase log
  • Evidence ledger
  • Signing package
Request a fit call →
In scope
All applicable
Rev. 2 assessment objectives tracked to sufficient evidence, its source, owner, and current status
Working status
3 facts
on file, stale, or missing — plus explicit decisions and inherited responsibilities
Sign-off
1 signature
a year — the affirmation, with a record behind it

Four things arrive. Nothing gets installed.

Delivered over email, in files your team already opens. No portal, no dashboard, no login.

Synthetic / illustrative preview: names, counts, statuses, dates, and sample files below are demonstration data, not a customer record.

The monthly digest

One email: what moved, what's stale, what's waiting on you. Minutes to read.

The chase log

Every ask, reminder, and escalation — timestamped. The record, not a promise.

The evidence ledger

Every applicable objective in scope — status, date, owner. A CSV; opens in Excel. Points into your own systems.

The executive one-pager

Distance from an assessment-ready package, what's blocking, what's next.

  • ON FILE
  • STALE
  • MISSING
  • — the only three words a status will ever use

Built around the boundaries, not in spite of them.

Three layers, never crossed

We organize the evidence. Your advisor or assessor judges adequacy. Your signing official signs. Gridex never determines compliance.

Your evidence never leaves your systems

Artifacts stay in your SharePoint, file server, and consoles. We hold metadata: names, dates, owners, statuses. No artifact — and no CUI — enters our systems.

Facts, not verdicts

No deliverable contains the words “compliant” or “pass.” An item is on file, stale, or missing — each with a date and an owner.

Evidence work has a calendar. We run it.

You nod twice a month. You sign once a year. Your staff answer short, specific asks — instead of owning a compliance project.

The spreadsheet was never the problem.

Across the defense industrial base, the tool of record for evidence is still a spreadsheet — and that's fine. A ledger is the right shape for this work. The failure is upstream: Gridex's current Rev. 2 operating model maps 110 requirements to 320 assessment objectives, and many depend on facts that can become outdated — training can lapse, an environment can change after a screenshot, or an export may need to be re-run after a configuration change.

Keeping documents current is a writing task. Keeping facts current is a chasing job — and in most contractors, it's nobody's actual job.

An operations firm, not a software vendor.

Gridex is a managed operations firm — we run the working layer of document-heavy, follow-up-heavy programs: client document intake for accounting firms, proposal and compliance-matrix operations for government contractors, evidence operations for CMMC. Automation is how the economics work; judgment is never delegated to it. Every status in the ledger traces to a named document, a date, and a person who confirmed it.

What buyers ask before starting.

Plain answers to the ones that come up most. Anything specific to your environment, we cover on the first call.

Does CUI enter Gridex systems?
The intended operating model keeps artifacts and CUI in your client-controlled environment while Gridex works from approved access and records metadata — names, dates, owners, locations, and statuses. We confirm the final workflow, access model, and responsibility boundary before onboarding.
Do you determine whether we're compliant?
No — and the service is built so we never have to. Statuses are facts: on file, stale, missing. Judgments of adequacy belong to your advisor or assessor; the affirmation belongs to your signing official. What we provide is the organized, current, traceable basis those two need.
We already have an MSP or a managed enclave. Is this redundant?
Different layer. Your MSP or enclave manages machines and produces technical evidence from its own stack. Someone still has to collect what it produces, chase what it doesn't cover, and keep the organization-side items current — training, policies, reviews, sign-offs. We run that layer alongside whoever runs your infrastructure, and your infrastructure vendors go on the chase list too.
What do we have to install or learn?
Nothing. Your team answers short, specific email asks. Deliverables are an email and attachments that open in Excel. If we ever send you something that requires training, that's a defect — tell us.
How does pricing work?
It's scoped on the shape of the work: how many assessment objectives are in play for your environment, how much of the evidence is inherited from providers versus produced by your own people, and how many people and vendors are being chased. We state it plainly on the first call. There are no seats, and nothing to license.
What do you actually commit to?
A recorded process — not a third party's behavior. Every ask, reminder, and escalation is logged with a timestamp in the chase log. We commit to running that process on schedule. We don't promise that a vendor answers or that an assessor is satisfied — no honest provider can. What you hold at the end of the year is the record of what your diligence looked like.

Tell us where the evidence record stands. We'll map the first operating cycle.

Request a CMMC fit call