CMMC Level 2 Compliance Pack

Technical implementation guide for CMMC Level 2 compliance, covering NIST 800-171 Rev 2 controls, Azure Policy automation, endpoint baseline

We built the CMMC Level 2 Compliance Pack because we watched too many engineering teams drown in NIST SP 800-171 Rev 2 controls. The requirement is clear: you must protect Controlled Unclassified Information (CUI) resident in nonfederal systems [1]. But the reality on the ground is a chaotic mess of manual spreadsheets, hand-written Azure Policy definitions, and evidence that falls apart the moment an auditor asks for a raw log export.

Install this skill

npx quanta-skills install cmmc-level-2-compliance-pack

Requires a Pro subscription. See pricing.

When you're a defense contractor, compliance isn't a checkbox; it's a technical implementation problem. You need to map 110 security requirements across 14 families to actual Azure Policy enforcement modes, endpoint baselines, and continuous monitoring workflows. Most teams try to solve this by copying JSON snippets from old blog posts or, worse, writing policy definitions by hand in the Azure portal. This approach guarantees drift. By the time you finish the mapping, Azure has patched a dependency, a new control family has shifted, or your PowerShell baseline breaks on a Windows Server 2019 node. You end up with a policy set that looks good in the portal but fails the self-assessment because the evidence collection doesn't actually prove the control is enforced.

We created this skill to eliminate the guesswork. It gives you a production-grade, multi-file workflow that automates the mapping, hardens your endpoints, and validates your policy plans before they hit production. If you're already using the Compliance Framework Pack for SOC2 or GDPR, you know the pain of framework mapping. CMMC is stricter, the controls are more granular, and the consequences of failure are existential for your contract pipeline.

The Real Cost of Manual Evidence Collection

Ignoring the technical debt in your compliance workflow costs more than just hours. It costs you contract awards, auditor trust, and engineering velocity. When you rely on manual evidence collection, you're asking your security team to export CSVs from Azure, screenshot Defender for Cloud dashboards, and paste them into a Word doc. This process is brittle. A single change in the Azure portal invalidates weeks of evidence gathering.

The financial impact is concrete. A stalled DFARS clause 7012 audit can delay revenue recognition for months. Every hour your engineers spend debugging a broken EPAC policy definition is an hour they're not shipping code. We've seen teams burn 40+ hours on a single control family because they didn't have a canonical mapping between the NIST requirement and the Azure Policy definition ID. They wasted time on semantic failures—policy sets that looked correct but didn't actually enforce the control due to a mismatched scope or a missing desired state strategy.

The cost of failure extends to downstream incidents. If your endpoint baseline doesn't enforce SMB signing or audit logging correctly, you're not just failing CMMC; you're leaving your CUI exposed to lateral movement. A gap in Control 3.13.5 (System Monitoring) isn't just a compliance finding; it's a blind spot that could lead to a data breach. When you're operating in a regulated environment, the cost of a finding is the cost of remediation under pressure, often involving overtime, external consultants, and reputational damage. You need a workflow that catches these issues before deployment, not after the auditor calls.

A Hypothetical Defense Contractor's EPAC Nightmare

Imagine a mid-sized defense contractor with 200 Azure endpoints handling CUI workloads. They need to achieve CMMC Level 2 compliance by the end of the quarter. Their security team starts by reviewing NIST SP 800-171 Rev 2 [2]. They see 110 controls. They decide to tackle them one by one in the Azure portal.

The first week is spent on password policies and audit logging. They write a PowerShell script to enforce complexity requirements, but they forget to test it against domain controllers. The script works on workstations but breaks the login flow for service accounts. They patch it, but now the audit logging isn't capturing the right events. They move on to firewall rules, writing a JSON policy definition for each rule. By the time they reach Control 3.13.5 (System Monitoring), they realize they have 50 policy definitions scattered across three management groups, with no hierarchical assignment structure. The enforcement mode is set to "DoNotEnforce" on half of them because they were too afraid to break production.

The evidence collection phase is a disaster. They need to prove that Defender for Cloud is collecting File Integrity Monitoring (FIM) data and that SQL auditing policies are active. They export KQL queries manually, but the queries are outdated. They miss the continuous export workflow, so the data isn't persisting to the Log Analytics workspace. When the self-assessment comes, the auditor asks for a raw JSON export of the policy assignments. The team panics because they've been tracking progress in a shared Excel sheet that hasn't been updated in two weeks. They fail the assessment by a margin of three controls, forcing them to restart the entire process.

This scenario is common because the gap between the NIST publication and the technical implementation is vast. The NIST document provides the "what" [3], but it doesn't give you the "how" for Azure Policy, PowerShell, or Defender for Cloud. You need a bridge. That's what this pack provides.

Automated Mapping, Hardened Endpoints, and Validated Policies

Once you install the CMMC Level 2 Compliance Pack, the workflow changes. You no longer start from a blank JSON file or a spreadsheet. You start with a canonical mapping that links CMMC Level 2 practices to NIST 800-171 controls and Azure Policy definition IDs. The validators/cmmc-control-matrix.json file is your source of truth, ensuring that every control has a corresponding policy definition and evidence collection method.

The pack includes a production-grade EPAC Policy Set Definition (templates/cmmc-policy-set.json) that imports NIST SP 800-171 Rev 2 controls with the correct enforcement mode, desired state strategy, and hierarchical assignment structure. You don't have to guess about the policy set schema; it's already built and tested. The validator script (scripts/validate-policy-plan.sh) parses your policy plan JSON and checks for required fields like enforcementMode, importPolicyDefinitionGroups, and desiredState. If there's a structural or semantic failure, the script exits non-zero, stopping you from deploying a broken policy set.
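The kind of check the validator performs, written here as an added Python example rather than the pack's own scripts/validate-policy-plan.sh; the plan layout (a top-level desiredState plus a list of assignments carrying enforcementMode, importPolicyDefinitionGroups and scope) is an assumed simplification, and the sample plan is constructed. It separates structural failures (a field is missing or the JSON is malformed) from semantic ones (the field is present but the assignment still does not enforce the control, such as DoNotEnforce or an empty scope), and exits non-zero on any finding.

```python
import json
import sys
VALID_ENFORCEMENT = {"Default", "DoNotEnforce"}  # Azure Policy assignment modes
VALID_STRATEGY = {"full", "ownedOnly"}           # EPAC desired-state strategies

# Constructed sample plan in an assumed, simplified layout (not the pack's schema).
SAMPLE_PLAN = json.dumps({
    "desiredState": {"strategy": "ownedOnly"},
    "assignments": [
        {"name": "cmmc-l2-prod", "enforcementMode": "Default", "importPolicyDefinitionGroups": True,
         "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
        {"name": "cmmc-l2-dev", "enforcementMode": "DoNotEnforce", "scope": ""},
    ],
})

def validate_plan(text):
    """Return findings tagged structural (missing/invalid shape) or semantic (present but wrong)."""
    try:
        plan = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"structural: not valid JSON ({exc.msg})"]
    if not isinstance(plan, dict):
        return ["structural: top level must be a JSON object"]
    findings = []
    strategy = (plan.get("desiredState") or {}).get("strategy")
    if strategy is None:
        findings.append("structural: desiredState.strategy missing")
    elif strategy not in VALID_STRATEGY:
        findings.append(f"semantic: desiredState.strategy {strategy!r} unknown")
    assignments = plan.get("assignments")
    if not isinstance(assignments, list) or not assignments:
        return findings + ["structural: assignments must be a non-empty list"]
    for a in assignments:
        name = a.get("name", "<unnamed>")
        for field in ("enforcementMode", "importPolicyDefinitionGroups", "scope"):
            if field not in a:
                findings.append(f"structural: {name}: {field} missing")
        mode = a.get("enforcementMode")
        if mode is not None and mode not in VALID_ENFORCEMENT:
            findings.append(f"semantic: {name}: enforcementMode {mode!r} unknown")
        elif mode == "DoNotEnforce":  # audit-only: reports compliance, never enforces
            findings.append(f"semantic: {name}: DoNotEnforce does not enforce the control")
        if "scope" in a and not str(a["scope"]).startswith("/"):
            findings.append(f"semantic: {name}: scope {a['scope']!r} is not a resource path")
    return findings

if __name__ == "__main__":
    findings = validate_plan(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN)
    print("\n".join(findings) or "policy plan OK")
    sys.exit(1 if findings else 0)  # non-zero exit stops the deployment step
```

Run it with a plan path as the only argument, or with no argument to see the three findings raised against the constructed cmmc-l2-dev assignment.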

Endpoint hardening is automated via the templates/endpoint-baseline.ps1 script. This PowerShell script enforces CMMC controls for password policy, audit logging, firewall rules, and SMB signing using native cmdlets. It's designed to run on Windows endpoints and integrates with your existing configuration management tools. You don't have to write the script from scratch; you just run it and verify the output.

Evidence collection is streamlined with the references/azure-defender-evidence.md guide. This curated guide provides KQL queries for FIM, SQL auditing policies, continuous export workflows, and data collection rule management. You can copy the queries directly into Defender for Cloud and verify that your evidence is being collected correctly. The examples/worked-assessment.yaml file shows you how to link controls to Azure Policy assignments, Defender queries, and remediation runbooks in a single, auditable document.

This workflow reduces the time to compliance from months to weeks. It eliminates the guesswork, prevents drift, and ensures that your evidence is accurate and complete. If you're also managing FedRAMP or ISO 27001 requirements, this pack integrates seamlessly with your existing workflows. You can use the FedRAMP Authorization Process Pack for cloud service provider requirements and the ISO 27001 ISMS Implementation Pack for broader information security management. The principles are the same: automate the mapping, validate the policies, and collect the evidence.

What's in the CMMC Level 2 Compliance Pack

  • skill.md — Orchestrator skill guiding CMMC L2 compliance workflow, mapping NIST 800-171 controls to Azure Policy automation, endpoint baselines, and evidence collection. References templates/cmmc-policy-set.json, templates/endpoint-baseline.ps1, scripts/validate-policy-plan.sh, validators/cmmc-control-matrix.json, references/cmmc-nist800-171-controls.md, references/azure-defender-evidence.md, examples/worked-assessment.yaml, and tests/validate-policy-plan.test.sh.
  • templates/cmmc-policy-set.json — Production-grade EPAC Policy Set Definition importing NIST SP 800-171 Rev 2, with enforcement mode, desired state strategy, and hierarchical assignment structure for defense contractor environments.
  • templates/endpoint-baseline.ps1 — Hardened Windows endpoint configuration script enforcing CMMC controls for password policy, audit logging, firewall rules, and SMB signing using native PowerShell cmdlets.
  • scripts/validate-policy-plan.sh — Executable validator that parses EPAC policy plan JSON, checks required fields (enforcementMode, importPolicyDefinitionGroups, desiredState), and exits non-zero on structural or semantic failures.
  • validators/cmmc-control-matrix.json — Canonical mapping of CMMC Level 2 practices to NIST 800-171 controls and Azure Policy definition IDs for automated compliance tracking and gap analysis.
  • references/cmmc-nist800-171-controls.md — Authoritative reference of critical NIST SP 800-171 Rev 2 security requirements mapped to CMMC Level 2 assessment objectives, including implementation guidance and control families.
  • references/azure-defender-evidence.md — Curated guide on Defender for Cloud evidence collection, including KQL queries for FIM, SQL auditing policies, continuous export workflows, and data collection rule management.
  • examples/worked-assessment.yaml — Worked example of a self-assessment evidence collection plan linking controls to Azure Policy assignments, Defender queries, and remediation runbooks.
  • tests/validate-policy-plan.test.sh — Test harness that runs the validator against valid and invalid inputs to assert correct exit codes and verify policy plan integrity before deployment.

Ship Compliance, Not Spreadsheets

Stop wasting engineering hours on manual mapping and broken policy definitions. Upgrade to Pro to install the CMMC Level 2 Compliance Pack and ship a validated, automated compliance workflow. The tools are ready, the mappings are canonical, and the evidence collection is automated. Your next step is to install the skill and start enforcing controls, not guessing at them.

References

  1. SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations — csrc.nist.gov
  2. NIST SP 800-171r2 (PDF) — nvlpubs.nist.gov
  3. CSF to SP 800-171 Mapping — csrc.nist.gov
  4. Cybersecurity Framework | NIST — nist.gov
  5. Overview of the NIST Protecting CUI Series — csrc.nist.gov
  6. NIST SP 800-171 Rev. 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations — csrc.nist.gov
  7. Comments regarding CSF 2.0 – Concept Paper, Virtual Public Meeting — nist.gov
  8. CTIA - NIST Computer Security Resource Center — csrc.nist.gov

Frequently Asked Questions

How do I install CMMC Level 2 Compliance Pack?

Run `npx quanta-skills install cmmc-level-2-compliance-pack` in your terminal. The skill will be installed to ~/.claude/skills/cmmc-level-2-compliance-pack/ and automatically available in Claude Code, Cursor, Copilot, and other AI coding agents.

Is CMMC Level 2 Compliance Pack free?

CMMC Level 2 Compliance Pack is a Pro skill, included in the $29/mo Pro plan. You need a Pro subscription to access it. Browse 37,000+ free skills at quantaintelligence.ai/skills.

What AI coding agents work with CMMC Level 2 Compliance Pack?

CMMC Level 2 Compliance Pack works with Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, Warp, and any AI coding agent that reads skill files. Once installed, the agent automatically gains the expertise defined in the skill.