Keep evidence current between assessments and affirmations
Managed CMMC evidence maintenance across owners, providers, changing systems, annual affirmations, and the next assessment cycle.
Full applicable-objective status coverage
Evidence-type-specific refresh cadences
Change-trigger review after people, vendor, system, or boundary changes
Monthly digest plus a client-owned chase record
Readiness decays because the organization changes
A policy may remain accurate for months while a configuration export, access review, training completion record, vendor attestation, or network diagram becomes outdated after one operational change. Evidence maintenance therefore cannot use a single universal age rule.
Gridex assigns a cadence based on what the evidence is intended to prove and the process the organization says it performs. A monthly activity needs recurring proof. A stable policy needs controlled versioning and event-driven review.
The operating loop
Each cycle starts with items due for refresh and changes reported since the last review, then moves through requests, returns, quality checks, filing, blocked-item escalation, and executive review.
- Refresh dates are tied to the underlying process, not a blanket marketing rule.
- Technical evidence is requested from the people or providers who operate the technology.
- Organization evidence is requested from HR, facilities, procurement, leadership, and other owners.
- The ledger records evidence state without claiming MET, pass, or certification.
Prepared for the annual signature and the next assessment
Annual affirmation does not itself require an annual evidence upload, but the affirming official attests to continuing compliance. A current evidence record gives that official a visible basis for questions, exceptions, and follow-up instead of an unsupported annual scramble.
Concrete, client-owned operating records
Facts, not verdicts
Gridex maintains evidence operations. Gridex does not implement controls, determine MET, calculate an authoritative assessment result, perform a C3PAO assessment, or sign an affirmation.
Frequently asked questions
Is every artifact required to be less than 90 days old?
No universal DoD rule makes every artifact expire at 90 days. Freshness should match the evidence type, process cadence, system changes, and assessor expectations.
Can this work with our existing GRC or SharePoint?
Yes. Gridex operates the evidence process around the client’s existing repository and tools rather than requiring a replacement platform.
Does this replace our MSP or vCISO?
No. Their technical operation and judgment remain in place. Gridex coordinates and maintains the evidence record across all responsible parties.
Source context
Bring the evidence state you actually have.
Gridex will map the operating work, the human judgment boundary, and the safest next step.