Recurring Managed Service

Keep evidence current between assessments and affirmations

Managed CMMC evidence maintenance across owners, providers, changing systems, annual affirmations, and the next assessment cycle.

01

Full applicable-objective status coverage

02

Evidence-type-specific refresh cadences

03

Change-trigger review after people, vendor, system, or boundary changes

04

Monthly digest plus a client-owned chase record

Readiness decays because the organization changes

A policy may remain accurate for months while a configuration export, access review, training completion record, vendor attestation, or network diagram becomes outdated after one operational change. Evidence maintenance therefore cannot use a single universal age rule.

Gridex assigns a cadence based on what the evidence is intended to prove and the process the organization says it performs. A monthly activity needs recurring proof. A stable policy needs controlled versioning and event-driven review.

The operating loop

Each cycle starts with items due for refresh and changes reported since the last review, then moves through requests, returns, quality checks, filing, blocked-item escalation, and executive review.

  • Refresh dates are tied to the underlying process, not a blanket marketing rule.
  • Technical evidence is requested from the people or providers who operate the technology.
  • Organization evidence is requested from HR, facilities, procurement, leadership, and other owners.
  • The ledger records evidence state without claiming MET, pass, or certification.

Prepared for the annual signature and the next assessment

Annual affirmation does not itself require an annual evidence upload, but the affirming official attests to continuing compliance. A current evidence record gives that official a visible basis for questions, exceptions, and follow-up instead of an unsupported annual scramble.

What the work produces

Concrete, client-owned operating records

Maintained evidence ledger
Refresh and expiration calendar
Documented chase and escalation log
Change-trigger register
Monthly executive digest
Assessment or affirmation preparation export
Responsibility boundary

Facts, not verdicts

Gridex maintains evidence operations. Gridex does not implement controls, determine MET, calculate an authoritative assessment result, perform a C3PAO assessment, or sign an affirmation.

Questions buyers ask

Frequently asked questions

Is every artifact required to be less than 90 days old?

No universal DoD rule makes every artifact expire at 90 days. Freshness should match the evidence type, process cadence, system changes, and assessor expectations.

Can this work with our existing GRC or SharePoint?

Yes. Gridex operates the evidence process around the client’s existing repository and tools rather than requiring a replacement platform.

Does this replace our MSP or vCISO?

No. Their technical operation and judgment remain in place. Gridex coordinates and maintains the evidence record across all responsible parties.

Primary references

Source context

Start with one bounded scope

Bring the evidence state you actually have.

Gridex will map the operating work, the human judgment boundary, and the safest next step.

Review monthly deliverables →