Compliance Status
Compliance Status and Certification Roadmap
Confluence page header
Page title: Compliance Status and Certification Roadmap
Parent: ISMS Home
SCM variant: isms-management (primary)
isms-security (full access — CISO maintains)
isms-all-staff: NOT visible
isms-it-staff: NOT visible
Page owner: CISO
Last reviewed: [DATE]
Next review: Quarterly update — full refresh at annual management review
Purpose of this page
This page answers the question that management, the board, commercial directors, and contracting authorities most frequently ask: where does the organisation stand, right now, against each of its compliance obligations, and what needs to happen to maintain that standing?
It is structured so that a director preparing for a bid submission, a customer security questionnaire, a contracting authority meeting, or a board update can find a current and authoritative answer within five minutes without navigating the technical evidence filing structure.
The CISO updates the certification status table and the CISO quarterly commentary every quarter. The roadmap and investment sections are updated when new information changes the timeline — a new contract award, a certification body notification, a CMMC programme update, or a budget decision. The page is formally reviewed and confirmed at the annual management review (EV-A01).
Three things to understand before reading:
Currency and lapse are not the same thing. A certification can lapse before its nominal expiry date if evidence maintenance has slipped — for example, a Cyber Essentials certificate is valid for 12 months from the assessment date, but if the underlying controls have drifted from the assessed state, the certification is technically still current but would not survive a CE Plus technical verification. The CISO's quarterly commentary will flag any case where currency is at risk regardless of the nominal expiry date.
Compliance posture is a spectrum, not a binary. "CMMC Level 2 compliant" means something precise only when qualified by a current assessment date, a current SPRS score, and a current POA&M status. Management presenting the organisation as CMMC Level 2 compliant to a contracting officer will be tested against the SPRS database. This page gives the current SPRS score alongside the certification status so both can be accurately represented.
The roadmap has commercial consequences. Certification lapses affect bid eligibility — typically within 30 days of lapse for government contracts. Investment decisions deferred from one quarter to the next have a compounding effect on readiness for assessments. The investment decisions section of this page is not a CISO wish list; it is a risk-quantified set of choices with consequences attached.
Section 1 — Current certification posture
Status as of [DATE]. Updated quarterly.
Overall compliance posture indicator
OVERALL POSTURE: [Fully Current / One Certification Approaching Renewal / Action Required / Management Decision Overdue]
Last updated: [DATE] by [CISO name]
Certification status table
CERTIFICATION AND OBLIGATION STATUS TABLE
Status key:
✅ Current — certification valid; evidence maintained; no action required
⚠️ Action needed — certification valid but renewal preparation required,
or evidence gap identified that requires attention
🔴 Decision needed — management decision required; action affects status
❌ Lapsed — certification has lapsed or will lapse without immediate action
─────────────────────────────────────────────────────────────────────────────────────────────
FRAMEWORK / OBLIGATION | STATUS | VALID UNTIL | LAST ASSESSMENT | NEXT EVENT | DETAIL
─────────────────────────────────────────────────────────────────────────────────────────────
ISO 27001:2022 | ✅ Current | [DATE] | Stage 2: [DATE]; Surv. 1: [DATE] | Surv. audit 1: [DATE] | §1.1
Cyber Essentials | ✅ Current | [DATE] | Self-assessment: [DATE] | Renewal due: [DATE] | §1.2
Cyber Essentials Plus | ⚠️ Action needed | [DATE] | CE+ technical: [DATE] | CE+ technical: [DATE — 6 weeks] | §1.3
CMMC Level 2 (Self-assessment) | ⚠️ Action needed | Annual affirmation | Self-assessment: [DATE] | Annual affirmation due: [DATE] | §1.4
CMMC Level 2 (C3PAO certification) | 🔴 Decision needed | N/A | Not yet assessed | C3PAO assessment: [DATE — planned] | §1.5
NIST SP 800-171 SSP | ✅ Current | Living doc | Last full review: [DATE] | Annual review: [DATE] | §1.6
DEFSTAN 05-138 — [Contract ref 1] | ✅ Current | Contract end [DATE] | Evidence pack: [DATE] | Contracting authority review: [DATE] | §1.7
DEFSTAN 05-138 — [Contract ref 2] | ⚠️ Action needed | Contract end [DATE] | Evidence pack: [DATE — 14 months ago] | Profile 1 gap: [Supplier assessment outstanding] | §1.8
DFARS §252.204-7012 (Annual affirmation) | ✅ Current | Annual affirmation | Affirmed: [DATE] | Annual affirmation due: [DATE] | §1.9
UK GDPR / DPA 2018 (DPO registration) | ✅ Current | Ongoing | ROPA reviewed: [DATE] | Annual review: [DATE] | §1.10
─────────────────────────────────────────────────────────────────────────────────────────────
Section 1.1 — ISO 27001:2022
CERTIFICATION DETAILS
Certification body: [Name — e.g. BSI / LRQA / DNV / Bureau Veritas / specify]
Certificate number: [Number — as it appears on the certificate and on the
certification body's public lookup]
Scope of certification: [The scope statement as it appears on the certificate —
must match the scope in the ISMS scope statement]
Certificate issued: [DATE — Stage 2 certification date]
Certificate valid to: [DATE — 3 years from certification date]
CERTIFICATION CYCLE EVENTS
Stage 2 initial certification: [DATE] — [passed / [N] nonconformities resolved]
Surveillance audit 1: [DATE] — [passed / [N] nonconformities / scheduled]
Surveillance audit 2: [DATE] — [scheduled / not yet scheduled]
Recertification audit: [DATE] — [scheduled / not yet scheduled]
CURRENT STATUS
Certificate valid: Yes
All prior nonconformities closed: Yes / No — [N] outstanding [describe]
Evidence maintained on schedule: Yes / No — [describe any gap]
Scope change since certification: Yes [describe] / No
NEXT EVENT: Surveillance Audit [1 or 2] — [DATE]
Preparation begins: [DATE — 8 weeks before audit]
Evidence pack to be compiled by: CISO by [DATE — 4 weeks before]
Management pre-audit briefing: [DATE — 2 weeks before]
Estimated audit duration: [N] days on-site
MANAGEMENT PREPARATION OBLIGATIONS:
Directors who may be interviewed: [names]
Topics certification body typically raises with management:
• What is your role in the ISMS? (ISO 27001 clause 5.1)
• When did you last review the information security policy?
• What decisions did you make at the last management review?
• How do you know whether the ISMS is effective?
Briefing from CISO: [DATE — 1 week before audit]
Duration: 30 minutes
COMMERCIAL RELEVANCE:
Contracts requiring ISO 27001 certification: [list or "none formally required
but cited in [N] bid submissions in [YEAR]"]
Customer questionnaires citing ISO 27001: [N] in past 12 months
Certificate verification link: [certification body public lookup URL]
Section 1.2 — Cyber Essentials
CERTIFICATION DETAILS
Certification body: [IASME / CREST / Alcumus ISOQAR / specify]
Certificate number: [Number — verify at ncsc.gov.uk/cyberessentials/search]
Certificate issued: [DATE]
Certificate valid to: [DATE — 12 months from assessment date]
SCOPE
The CE certificate covers: [scope as stated on the certificate]
This matches the ISMS scope: Yes / No — [if No: describe discrepancy and plan]
CURRENT STATUS
Certificate valid: Yes / No — [if No: see Action Required section]
Days to expiry: [N] days — [Green if >90 / Amber if 30–90 / Red if <30]
Underlying controls confirmed current: Yes / No
RENEWAL PROCESS
Self-assessment questionnaire opens: [DATE]
Questionnaire submission deadline: [DATE — allow 2 weeks before expiry]
CISO prepares questionnaire: [DATE — 4 weeks before submission]
Management sign-off on submission: [required: Yes / No]
If Yes: [describe — in most organisations the CISO signs the CE questionnaire]
Expected assessment outcome: [Straightforward renewal / potential referral
for [specify issue — e.g. Windows 10 EOL, MFA gap]]
COMMERCIAL RELEVANCE:
Government contracts requiring CE: [N — list if known]
"Cyber Essentials required" appears in bids: [frequently / occasionally / rarely]
CE lapse impact on live contracts: [describe — e.g. "Contract [ref] requires
CE as a standing obligation — lapse would trigger a breach notification
to the contracting authority within [N] days"]
EVIDENCE THAT THE UNDERLYING CONTROLS ARE MAINTAINED:
Firewalls: EV-F03 (rule review) — last review [DATE] — [passed / findings]
Secure configuration: EV-D20 (quarterly audit) — last review [DATE]
User access control: EV-D05 (MFA report) — last report [DATE]
Malware protection: EV-D32 (coverage) — current coverage [%]
Patch management: EV-D07 (patch register) — Critical compliance [%]
Section 1.3 — Cyber Essentials Plus
CERTIFICATION DETAILS
Certificate number: [Number]
Certificate valid to: [DATE]
CE Plus assessor: [CREST-certified body name]
CE Plus covers the same scope as CE basic but includes an on-site or
remote technical verification conducted by the certification body's
assessor. The assessor connects to sample devices, runs configuration
checks, tests AV detection, and verifies patch levels in real time.
CURRENT STATUS
Certificate valid: Yes / ⚠️ Approaching expiry — [N] days
Technical assessment scheduled: [DATE]
Assessment type: On-site / Remote — [specify]
WHAT THE TECHNICAL ASSESSOR WILL VERIFY:
The following items are tested directly by the assessor — not self-declared:
1. External port scan of our internet-facing IP addresses
(any open management ports will be found — see FC-01 / EV-F03)
2. Internal scan of a random sample of CUI-scope devices (5–10 devices)
checking: AV active; signatures current; OS patched; firewall active
3. EICAR test on sample devices (confirms real-time AV detection)
4. Browser security on sample devices (MFA prompt confirmed)
5. Account checks on sample devices (no default accounts; complexity met)
PRE-ASSESSMENT PREPARATION (CISO manages — management awareness only):
External port scan conducted by IT Operations: [DATE scheduled]
All Tier 1 Critical patches within SLA: [current status — %]
AV coverage 100%: [Yes / No — if No: see Amber items in EV-D32]
MFA coverage 100%: [Yes / No — if No: see EV-D05]
MANAGEMENT QUESTION AT CE PLUS:
The assessor occasionally asks a management representative to confirm the
scope of the certification and to affirm that the questionnaire answers are
accurate. Preparation: review the scope statement and confirm it covers
the systems used for the relevant contracts.
Section 1.4 — CMMC Level 2 self-assessment (annual)
WHAT THE ANNUAL SELF-ASSESSMENT IS
CMMC Level 2 requires every organisation handling Controlled Unclassified
Information (CUI) under DoD contracts to annually assess their cybersecurity
posture against all 110 NIST SP 800-171 Rev 2 controls, submit a score to
the DoD's Supplier Performance Risk System (SPRS), and have a senior company
official affirm the accuracy of the assessment.
This is not optional and not delegable. The senior official affirmation creates
personal liability under the False Claims Act for the signatory if the score
is knowingly inaccurate.
CURRENT SELF-ASSESSMENT STATUS
Assessment date: [DATE]
SPRS score submitted: [N] / 110
SPRS submission date: [DATE]
Senior official: [Director name, role]
Affirmation signed: [DATE]
Next annual assessment: [DATE — within 12 months of prior assessment date]
Next affirmation due: [DATE — must be submitted before this date]
SPRS SCORE EXPLAINED
A score of 110 means all 110 controls are fully implemented.
Every unimplemented control reduces the score by its weighted point value.
Our current score of [N] reflects:
Controls fully implemented: [N]
Controls with open POA&M items: [N]
Controls not applicable (with justification): [N]
What this score means commercially:
DoD contracting officers check the SPRS database before contract award.
A score below 110 does not automatically disqualify us from contracts,
but contracting officers may ask about the gaps.
A score of [N] is [competitive / slightly below the typical threshold
contracting officers look for / requires explanation].
OPEN POA&M ITEMS AFFECTING THE SCORE
Control | Gap description (plain English) | Target close | Risk level
─────────────────────────────────────────────────────────────────────────────────
[3.13.3] | [VoIP not fully integrated into management VLAN documentation] | [DATE] | Low
[3.14.7] | [Behavioural detection — current EDR platform partially addresses this; upgrade required for full compliance] | [DATE] | Moderate
[Add rows] | | |
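The scoring rule described above and the POA&M table, worked through as an added example that is not part of the ISMS page: a small Python calculator that derives the SPRS score, the "with this control closed" figure and the implemented / open POA&M / not-applicable counts from a POA&M list. The control point values and the partial-credit rule are assumptions labelled in the code; the authoritative values are in the DoD NIST SP 800-171 Assessment Methodology.

```python
"""SPRS score calculator for a NIST SP 800-171 Rev 2 self-assessment.

Added example (not the ISMS page's own tooling). It applies the rule the page
states: start at 110 and subtract each unimplemented control's weighted value.
Controls not listed in the POA&M and not marked N/A are treated as implemented.
"""
from dataclasses import dataclass

TOTAL_CONTROLS = 110  # NIST SP 800-171 Rev 2 security requirements
MAX_SCORE = 110       # score when every control is fully implemented

# ASSUMED point values for the controls this example touches. The DoD
# methodology assigns every requirement 1, 3 or 5 points; verify these
# against the published methodology before relying on them.
ASSUMED_WEIGHTS = {
    "3.13.3": 1,   # separate user functionality from system management
    "3.14.7": 3,   # identify unauthorised use of organisational systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}

# ASSUMED partial-credit rule: under the methodology, partially implemented
# MFA (3.5.3) or non-FIPS-validated cryptography (3.13.11) deducts 3 points
# rather than the full 5. No other control earns partial credit.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class PoamItem:
    """One open POA&M row, mirroring the page's table columns."""
    control_id: str
    description: str
    target_close: str          # [DATE] placeholder on the page
    risk_level: str = "Low"
    partial: bool = False      # True = partially implemented, False = not implemented


def deduction_for(item: PoamItem) -> int:
    """Points lost for one open POA&M item."""
    if item.control_id not in ASSUMED_WEIGHTS:
        raise ValueError(f"no point value known for control {item.control_id}")
    weight = ASSUMED_WEIGHTS[item.control_id]
    if item.partial:
        # Only the two special-case controls earn partial credit; any other
        # partially implemented control scores as not implemented.
        return PARTIAL_DEDUCTION.get(item.control_id, weight)
    return weight


def sprs_score(poam: list[PoamItem]) -> int:
    """Score to submit to SPRS: 110 minus the weighted deductions."""
    ids = [i.control_id for i in poam]
    if len(ids) != len(set(ids)):
        raise ValueError("each control may appear in the POA&M at most once")
    return MAX_SCORE - sum(deduction_for(i) for i in poam)


def score_if_closed(poam: list[PoamItem], control_id: str) -> int:
    """The page's 'with this control closed: [N+N]' figure."""
    return sprs_score([i for i in poam if i.control_id != control_id])


def posture_summary(poam: list[PoamItem], not_applicable: dict[str, str]) -> dict:
    """Counts for the page's 'Our current score of [N] reflects' lines.

    not_applicable maps control id -> written justification; an N/A control
    with no justification is rejected rather than silently counted.
    """
    unjustified = [cid for cid, why in not_applicable.items() if not why.strip()]
    if unjustified:
        raise ValueError(f"N/A without justification: {unjustified}")
    open_ids = {i.control_id for i in poam}
    clash = open_ids & set(not_applicable)
    if clash:
        raise ValueError(f"control cannot be both open and N/A: {sorted(clash)}")
    return {
        "score": sprs_score(poam),
        "implemented": TOTAL_CONTROLS - len(open_ids) - len(not_applicable),
        "open_poam": len(open_ids),
        "not_applicable": len(not_applicable),
    }


# Constructed POA&M using the two rows shown in the page's table.
EXAMPLE_POAM = [
    PoamItem("3.13.3", "VoIP not fully integrated into management VLAN documentation",
             "[DATE]", "Low", partial=True),
    PoamItem("3.14.7", "Behavioural detection; current EDR partially addresses this",
             "[DATE]", "Moderate", partial=True),
]

if __name__ == "__main__":
    summary = posture_summary(EXAMPLE_POAM, {})
    print(f"SPRS score: {summary['score']} / {MAX_SCORE}")
    print(f"If 3.14.7 is closed: {score_if_closed(EXAMPLE_POAM, '3.14.7')}")
    print(summary)
```

Under the assumed weights, the two open items deduct 1 + 3 points (3.13.3 gets no partial credit), giving 106; closing the 3.14.7 gap alone returns the score to 109.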
MANAGEMENT OBLIGATIONS THIS YEAR
Action 1 — Internal self-assessment (CISO leads, management participates):
Scheduled: [DATE]
Management involvement: [N] hours — interview by CISO on management
governance controls; review of CISO briefing paper on assessment results
Action 2 — Senior official affirmation sign-off:
Briefing from CISO: [DATE — 1 week before signature]
Signature required by: [DATE]
Signatory: [Director name]
Note: This date is non-negotiable — SPRS must be updated before the
contractual deadline. If the signatory is unavailable, the CISO must
be informed at least 3 weeks in advance to arrange an alternative.
Action 3 — SPRS update:
CISO submits after affirmation is signed
Confirmation of submission filed at: EV-E → CMMC → SPRS Submissions → [YYYY]
Section 1.5 — CMMC Level 2 C3PAO certification (triennial)
WHAT C3PAO CERTIFICATION IS
For organisations under contracts that require CMMC Level 2 certification
(as opposed to self-assessment), a CMMC Third-Party Assessment Organisation
(C3PAO) listed on the Cyber AB marketplace must conduct an independent
assessment every three years. A score of 110 at the time of assessment
results in a CMMC Level 2 certificate. If there are open POA&M items, a
conditional certificate may be issued with conditions that must be closed
within an approved timeframe.
CURRENT STATUS
C3PAO certification: [Not yet obtained — planned / Obtained [DATE] / Conditional]
C3PAO organisation: [Name — must be listed on cybermarketplace.net]
Certificate issued: [DATE — if obtained]
Certificate valid: [DATE — 3 years from assessment date]
Current contract requirement: [Contracts [ref] require C3PAO certification
by [DATE] / No current contract explicitly requires C3PAO — self-assessment
sufficient / Assessment required at next contract renewal in [DATE]]
🔴 MANAGEMENT DECISION REQUIRED
The C3PAO assessment is scheduled for [DATE]. This is [N] months away.
At the current POA&M close rate, [N] controls will still have open items
at the assessment date. This means the assessment will produce a conditional
certificate rather than a full certificate, unless the following actions
are completed:
Action required: [Plain English — e.g. "complete the EDR upgrade
to close the 3.14.7 gap"]
Cost if not yet approved: [£X — see Investment Decisions section below]
Deadline for action: [DATE — must be complete before C3PAO assessment]
Decision needed from: [Director name / management collectively]
Decision deadline: [DATE — [N] weeks before assessment]
If this action is not completed by [DATE]:
The assessment will proceed with the open POA&M item.
Outcome: conditional certificate with a condition requiring 3.14.7 closure
by [DATE — typically 90 days post-assessment for low-risk items].
Commercial consequence: [contracts requiring full Level 2 certificate will
be affected / contracting officer will see the conditional status in the
Cyber AB portal].
CISO recommendation: [Approve the EDR upgrade investment (see Section 3)
before the assessment date. The cost of the upgrade (£[X]) is lower than
the commercial risk of a conditional certificate in a competitive bid
environment.]
C3PAO ASSESSMENT PREPARATION TIMELINE
[DATE — T minus 16 weeks]: Confirm C3PAO engagement and assessment dates
[DATE — T minus 12 weeks]: Evidence pack compilation begins (CISO)
[DATE — T minus 8 weeks]: Evidence pack complete; CISO internal review
[DATE — T minus 6 weeks]: Management pre-assessment briefing
[DATE — T minus 4 weeks]: Pre-assessment evidence submitted to C3PAO
[DATE — T minus 2 weeks]: POA&M confirmed current and accurate
[DATE — T minus 1 week]: Final evidence quality check; IT access prepared
[DATE]: C3PAO assessment begins
[DATE — T plus 2 weeks]: Assessment report expected
[DATE — T plus 3 weeks]: CISO presents results to management
WHAT THE C3PAO WILL DO
Day 1–2: Document review (Examine method)
The assessors will review the SSP, SoA, POA&M, and key evidence items.
They will check that the SSP accurately describes what the system does
and how controls are implemented. Discrepancies between the SSP and the
actual implementation are the most common finding.
Day 2–3: Interviews (Interview method)
Assessors will interview: CISO, IT Manager, at least one Director
(for management governance controls — clauses 3.12.1 through 3.12.4),
and operational staff.
Director interview topics (30–45 minutes):
• Your role in the ISMS and information security governance
• How you receive information about the organisation's security posture
• The management review process and what decisions you make
• Your understanding of the CMMC affirmation you signed
• How you ensure the POA&M is being actively managed
Day 3–4: Technical testing (Test method)
Assessors will test controls directly on sample systems:
Access control, MFA, AV, patch levels, network segmentation,
logging configuration, backup restoration, encryption verification
Day 4–5: Findings consolidation and preliminary results
MANAGEMENT INTERVIEW PREPARATION:
CISO will brief Directors attending the C3PAO interview [DATE — 1 week before].
Directors should be able to speak to: what the ISMS is; their role in it;
the management review; how they make security decisions; and what they
affirmed when they signed the CMMC affirmation. Specific technical
knowledge of controls is not required — governance knowledge is.
Section 1.6 — NIST SP 800-171 System Security Plan
SSP STATUS
The NIST SP 800-171 SSP is the Confluence ISMS space itself — not a
separate document. The SSP is a living document updated continuously.
A PDF export is generated for external audiences (C3PAO, contracting officers).
Current SSP version: [Version — or "Confluence page history [DATE]"]
Last full review: [DATE]
Last significant update: [DATE — describe what changed]
Significant change since last C3PAO assessment: Yes / No
[If Yes: describe — e.g. "Cloud hosting migration in Q[N] changed the
system environment description; SSP updated [DATE]"]
SSP update SLA: within 30 days of any change to the system boundary,
control implementation, or architecture. Overdue updates: [N] — [describe]
EXTERNAL SSP EXPORT
Last PDF export: [DATE]
Filed at: EV-E → NIST 800-171 → SSP Exports → [DATE]
Reason for export: [C3PAO pre-assessment / contracting officer request / annual]
Next export due: [Before C3PAO assessment — [DATE]]
Section 1.7 — DEFSTAN 05-138 — [Contract Reference 1]
CONTRACT DETAILS
Contract reference: [MOD contract number]
Project / programme: [Name]
Contracting authority: [DE&S / DIO / Prime contractor / specify]
Contract start: [DATE]
Contract end: [DATE — note any extension options]
DEFSTAN profile: Profile [0 / 1 / 2] — as specified in contract schedule
Named security contact at contracting authority: [Name, email, phone]
COMPLIANCE STATUS
Evidence pack currency: Current — last compiled [DATE]
Profile [N] gaps: [None / N open items — describe]
Contracting authority notified of any incidents: [None in past 12 months / [N] notifications — describe]
Last contracting authority security review: [DATE — or "None requested to date"]
Next review scheduled: [DATE — see DEFSTAN Assessment Calendar below]
NOTIFICATION OBLIGATIONS — LIVE OBLIGATIONS UNDER THIS CONTRACT:
24-hour notification clock (DEFSTAN):
Triggers: any security incident affecting OFFICIAL information;
any named personnel change for individuals with OFFICIAL access;
any significant change to security architecture
Current CISO notification contact: [name and 24/7 number]
Contracting authority notification contact: [name and 24/7 if available]
Clock management:
The 24-hour clock runs from the moment of discovery — not when the
incident is confirmed. If you become aware of anything that might be a
security incident on this contract before the CISO is aware: call the
CISO immediately. The CISO manages the notification process.
CONTRACT SECURITY SCHEDULE STATUS:
Security schedule in current contract: Yes / No — [if No: see Action Required]
Security schedule version: [version / date]
Scheduled for update at renewal: [Yes — renewal [DATE] / No]
Section 1.8 — DEFSTAN 05-138 — [Contract Reference 2]
CONTRACT DETAILS
Contract reference: [MOD contract number]
Project / programme: [Name]
Contracting authority: [Specify]
Profile required: Profile 1
⚠️ ACTION REQUIRED
The evidence pack for this contract was last compiled [DATE — 14 months ago].
A DEFSTAN Profile 1 evidence pack should be refreshed annually, and this
one is now significantly out of date.
Specific issue: [Supplier name], which handles OFFICIAL data under this contract,
has not been assessed in [N] months. The DEFSTAN Profile 2 §Supplier Security
requirement (if Profile 2 applies) or the general supply chain obligation (if
Profile 1 applies) requires that sub-contractors with OFFICIAL access are assessed.
This does not affect our compliance status today — the contracting authority
has not requested an assessment in the past [N] months. However, if the
contracting authority requests an audit or a tender renewal arises, an
outdated evidence pack is a material compliance gap.
ACTION: CISO to refresh the evidence pack by [DATE — 6 weeks from now].
Supplier assessment for [supplier name]: CISO to schedule by [DATE].
Management action required: None — awareness only / [describe if decision needed].
Section 1.9 — DFARS §252.204-7012 annual affirmation
DFARS STATUS
DFARS §252.204-7012 (Safeguarding Covered Defense Information) applies to
all contracts involving covered defence information (CDI) including CUI.
Contractors must maintain the security requirements of NIST SP 800-171 and
must report cyber incidents to DoD via the DIBNet portal within 72 hours.
Contracts in scope: [List contract references / "All DoD-related contracts"]
Annual affirmation: [DATE — last affirmed]
Next affirmation due: [DATE]
Affirmed by: [Director name, role]
DIBNet account holder: [CISO name — portal account maintained]
72-HOUR REPORTING REQUIREMENT:
If a cyber incident occurs affecting CDI or CUI on any DFARS-scoped contract:
The CISO has 72 hours from discovery to submit a report via DIBNet.
This clock runs 24/7 including weekends.
Management's role in this process:
1. CISO calls the Director immediately on discovery
2. Director confirms awareness and confirms notification should proceed
3. CISO submits the DIBNet report (Director does not need to submit)
4. Director receives a copy of the submission for their records
DIBNet portal access: CISO maintains the credentials. Out-of-band access
(via personal mobile) is confirmed tested as of [DATE].
MALICIOUS SOFTWARE REPORTING:
If malicious software is discovered on systems processing CDI, it must
be preserved (not simply removed) and reported. The CISO manages this.
Do not direct IT staff to "clean up" an infected system without CISO
involvement — evidence preservation is a DFARS requirement.
Section 1.10 — UK GDPR and DPA 2018
DATA PROTECTION STATUS
ICO registration: ZA[NNNNNN] — [organisation name]
Registration renewed: [DATE]
Next renewal: [DATE — annual]
DPO appointed: [Yes — [DPO name] / No — DPO not required: [brief reason]]
ROPA (Record of Processing Activities) last reviewed: [DATE]
DATA BREACH OBLIGATIONS:
72-hour notification to ICO if a personal data breach meets the reporting
threshold (likely to result in risk to individuals' rights and freedoms).
Relevant to compliance posture: any cyber incident affecting our systems
may also involve personal data (employee records, customer contact data,
supplier data). The CISO assesses the personal data dimension of every
incident. A DFARS-reportable CUI incident is often also an ICO-reportable
personal data breach — both clocks may run simultaneously.
ICO notification account: CISO holds credentials; accessible from personal
mobile without dependency on internal infrastructure. Tested: [DATE].
GDPR-RELEVANT SUPPLIER CONTRACTS:
Data Processing Agreements (DPAs) in place: [N of N required — [%]]
Outstanding DPAs: [N suppliers — [supplier names] — status: [negotiation / pending]]
If a DPA is not in place and the supplier processes personal data: this is
a UK GDPR Article 28 compliance gap and a potential ICO enforcement risk.
CISO is managing outstanding DPAs — management notification if any supplier
refuses to sign within 60 days.
Section 2 — CISO quarterly commentary — compliance posture
[DATE] — Q[N] [YYYY]
Replace this section each quarter. The example below illustrates the expected depth.
The organisation's overall compliance posture is [stable / improved / requires attention] this quarter. All active certifications remain current. The most significant compliance event this quarter was [describe — e.g. "the successful renewal of our Cyber Essentials certificate following the assessor's confirmation that our patch compliance had returned to target after the Q[N] regression"].
Three items require management attention this quarter:
The C3PAO assessment is now [N] months away. The CISO's assessment of readiness is that we will achieve a full certificate if the EDR platform upgrade is completed before the assessment date. If the upgrade is not approved at the next management review, the assessment will proceed but the certificate is likely to be conditional. The investment decision is described in Section 3.
The DEFSTAN evidence pack for [Contract ref 2] is overdue for refresh. This does not affect current compliance status, but it creates a risk at the next contract renewal or contracting authority review. The CISO will complete the refresh within 6 weeks without management involvement, but the outstanding supplier assessment for [Supplier name] requires management awareness because it identifies a supply chain gap that may become a formal finding at the contracting authority review.
The CMMC senior official affirmation is due on [DATE]. The CISO will provide a pre-signature briefing at least 2 weeks before the deadline. The SPRS score is expected to be [N] at submission — this represents [an improvement / a reduction / no change] from the prior year's submission of [N].
No certifications are at risk of lapse within the next 90 days without known cause. The next scheduled assessment event is [certification / assessment type] on [DATE].
Section 3 — Investment decisions required
Compliance investments are presented here when a gap, an upcoming assessment, or a certification requirement creates a cost decision that management must make. Each investment is linked to a specific compliance obligation and a specific risk consequence of deferral.
How to read this section
Each investment entry answers four questions: what is the compliance obligation driving this investment; what is the cost and scope; what happens if management approves it; and what happens if management does not. The CISO's recommendation is stated plainly. Management makes the decision.
Investments in this section are sequenced by urgency — the most time-constrained decisions appear first.
Investment 1 — EDR platform upgrade to close CMMC 3.14.7 gap
COMPLIANCE OBLIGATION
NIST SP 800-171 control 3.14.7: identify unauthorised use of organisational
information systems.
Current status in SoA: Partially Implemented
POA&M entry: PM-[YYYY]-[NNN]
SPRS impact: this control's partial implementation reduces our score by [N]
points from the maximum 110. Current score: [N]. With this control closed: [N+N].
THE GAP IN PLAIN TERMS
Our current security platform logs all events on our systems and sends them
to our monitoring service (SIEM). What it cannot currently do reliably is
detect an attacker who has gained access using legitimate credentials and is
using normal Windows tools to move through our network. This type of attack —
where the attacker looks like a real user — is the dominant technique used
against defence contractors today. We detect it through our monthly log
review, but that means detection could be up to 30 days after the event.
The upgrade would reduce that detection window to under 2 hours.
WHAT THE INVESTMENT INVOLVES
Replace [current platform] with [proposed platform — or "next-generation
behavioural detection capability"] which uses machine learning to detect
anomalous behaviour patterns rather than known malware signatures alone.
Cost: £[X] one-time implementation
£[Y] per year (replaces existing £[Z] per year)
Net additional annual cost: £[Y-Z]
Implementation: [N] weeks — IT Operations [N] engineer-days
Data migration: [describe — existing alerts, exclusions]
Timeline: Must be complete by [DATE — [N] weeks before C3PAO assessment]
WHAT APPROVAL ACHIEVES
Compliance: 3.14.7 moves from Partially Implemented to Implemented
SPRS score increases from [N] to [N+N] at next annual assessment
POA&M item PM-[YYYY]-[NNN] is closed
C3PAO assessment proceeds with 110 controls implemented —
full certificate expected rather than conditional
Security: Attacker-in-progress detection time: 30 days → under 2 hours
Provides the behavioural detection that is now standard
expectation in defence supply chain security assessments
WHAT DEFERRAL MEANS
If not approved before [DATE — 8 weeks from now]:
The C3PAO assessment proceeds with the POA&M item open.
Expected outcome: conditional CMMC Level 2 certificate.
Condition: close 3.14.7 within 90 days of assessment.
Commercial consequence: [contracts that require a full (not conditional)
CMMC certificate will see the conditional status in the Cyber AB portal.
In competitive bids, a conditional certificate may disadvantage us against
competitors holding full certificates.]
The upgrade would still need to happen — just post-assessment under
condition rather than pre-assessment. The cost is the same. The commercial
risk is higher.
OPTIONS FOR MANAGEMENT
Option A: Approve now at full cost — full certificate expected at C3PAO
Option B: Approve in principle for [next budget cycle] — conditional
certificate at C3PAO; close within 90-day condition window
Option C: Decline — open POA&M item accepted; conditional certificate accepted;
requires formal risk acceptance (CISO to prepare)
CISO RECOMMENDATION: Option A
The cost difference between Options A and B is zero. The commercial risk
difference is material. Option A is the recommended course.
DECISION NEEDED BY: [DATE — [N] weeks to allow implementation before assessment]
DECISION FROM: [Director / management collectively]
BUDGET LINE: [IT Security / ISMS / specify]
Investment 2 — DEFSTAN Profile 2 gap assessment — [Contract ref 2]
COMPLIANCE OBLIGATION
DEFSTAN 05-138 Profile 2 §Supplier Security
Contracting authority: [Name]
Contract reference: [Ref]
THE GAP IN PLAIN TERMS
Our DEFSTAN evidence pack for [Contract ref 2] lists [Supplier name] as a
sub-contractor with access to OFFICIAL data. Profile 2 requires that we
have assessed that supplier against Profile 1 minimum requirements. We have
not done this — the prior assessment is [N] months old and did not cover
all Profile 1 requirements.
This is not currently a formal finding — the contracting authority has not
requested an audit. However, the contract renewal is scheduled for [DATE]
and the contracting authority has indicated they will conduct a security
review as part of the renewal process.
WHAT THE INVESTMENT INVOLVES
Commission a DEFSTAN Profile 1 security assessment of [Supplier name]
using [internal CISO resource / external specialist — specify].
If internal: [N] CISO days — estimated [DATE] completion
If external: [£X] — [preferred supplier / to be procured] — [N] weeks
WHAT APPROVAL ACHIEVES
Profile 2 §Supplier Security gap closed before contract renewal review
DEFSTAN evidence pack refreshed and accurate
No finding at contracting authority review
WHAT DEFERRAL MEANS
If not completed before contract renewal review [DATE]:
Risk of a contracting authority finding at the renewal review
Potential requirement to remediate within a contracting authority
specified timeframe (which may be shorter than our preferred timeline)
Possible contract condition imposed on the renewal
OPTIONS FOR MANAGEMENT
Option A: Approve CISO internal resource allocation — [N] days in [MONTH]
Option B: Commission external specialist — £[X] — faster completion
Option C: Defer — accept risk of finding at renewal review
CISO RECOMMENDATION: Option A
The assessment is within CISO capability and the timeline is sufficient.
An external specialist is needed only if the CISO resource is unavailable.
DECISION NEEDED BY: [DATE]
DECISION FROM: CISO resource authorisation — [IT Manager / CISO / Director]
Investment 3 — ISO 27001 surveillance audit preparation — external specialist review
[Use this template for any investment required ahead of a planned external audit.
Populate with the specific gap, cost, and timeline relevant to your situation.
Delete this section if no pre-audit investment is currently required.]
COMPLIANCE OBLIGATION
ISO 27001:2022 Surveillance Audit [1/2] — [DATE]
Certification body: [Name]
THE GAP
[Describe the specific gap the investment would address — e.g. "The prior
surveillance audit identified a minor nonconformity relating to the supplier
security assessment process. The certification body indicated they will
follow up at Surveillance Audit 2. The CISO has assessed that a one-day
external specialist review of the supplier assessment process and the
remedial actions taken would provide independent confirmation that the
nonconformity has been adequately addressed."]
[Complete remaining fields using the same format as Investments 1 and 2]
Section 4 — CMMC contract obligations register
Every active contract with a CMMC-related security obligation is recorded here. This register is the management reference for understanding which contracts carry which obligations, so that commercial decisions are made with compliance implications understood.
CMMC CONTRACT OBLIGATIONS REGISTER — as of [DATE]
─────────────────────────────────────────────────────────────────────────────────────────────────────
CONTRACT | PRIME / DIRECT | CUI INVOLVED | CMMC LEVEL | SELF-ASSESS | C3PAO | DFARS
REF | WITH DoD? | TYPE | REQUIRED | SUFFICIENT? | REQUIRED?| CLAUSE?
─────────────────────────────────────────────────────────────────────────────────────────────────────
[Ref 1] | Direct with DoD | Technical CUI | L2 | Yes (annual) | By [DATE]| Yes
[Ref 2] | Prime contractor| ITAR / EAR | L2 | Yes (annual) | No | Yes (flow-down)
[Ref 3]  | Prime contractor| No CUI        | L1 only  | Yes (annual) | No       | No
[Ref 4] | Direct with DoD | UCNI | L2 | Yes (annual) | By [DATE]| Yes
─────────────────────────────────────────────────────────────────────────────────────────────────────
NOTES ON SPECIFIC CONTRACTS:
[Contract Ref 1]:
The contract award document specifies CMMC Level 2 certification (C3PAO
assessment) as a condition of performance. The contracting officer has
indicated the C3PAO certificate must be obtained by [DATE]. The C3PAO
assessment is scheduled for [DATE] — see Section 1.5 for status and
preparation timeline.
[Contract Ref 2]:
This is a prime contractor relationship. DFARS flows down from the prime
to us as a sub-contractor. The prime requires annual evidence of our CMMC
self-assessment results. We provide: our current SPRS score, our assessment
date, and confirmation that a POA&M is in place for any open items. The
prime does not have direct access to our SPRS entry but may request a
copy of our self-assessment summary. Next submission due to prime: [DATE].
UPCOMING CONTRACT RENEWALS WITH CMMC IMPLICATIONS:
Contract | Renewal date | Current CMMC req | Expected CMMC req at renewal | Action needed
────────────────────────────────────────────────────────────────────────────────────────────
[Ref 3] | [DATE] | L1 self-assess | L2 self-assess likely | Gap analysis by [DATE]
[Ref 4] | [DATE] | L2 self-assess | L2 C3PAO possible | Monitor CMMC rule changes
NEW BID PIPELINE — CMMC IMPLICATIONS:
The commercial team should notify the CISO before submitting any bid that
involves CUI, defence systems, or DoD prime contracts. The CISO will confirm
whether the bid's CMMC obligations are within our current certification posture.
A bid that requires C3PAO certification before contract commencement, and
where our C3PAO assessment has not yet been completed, is a bid that carries
compliance delivery risk. The CISO must be consulted before the compliance
section of the bid response is submitted.
WHAT TO TELL A CONTRACTING OFFICER WHO ASKS ABOUT OUR CMMC STATUS:
"We have completed our annual CMMC Level 2 self-assessment. Our current
SPRS score is [N]. The assessment was conducted on [DATE]. We have a Plan
of Action and Milestones for [N] open items. Our C3PAO assessment is
[scheduled for [DATE] / has been completed — certificate number [N]]."
Do not: volunteer information about specific control gaps before the CISO
has confirmed what can be disclosed. The CISO can prepare a briefing note
for any specific contracting officer conversation.
Section 5 — DEFSTAN assessment calendar
The DEFSTAN assessment calendar maintains the schedule of contracting authority reviews, evidence pack refresh obligations, and personnel security events across all active DEFSTAN contracts. It is updated when new contracts are awarded, when a contracting authority announces a review, or when a contract ends.
How DEFSTAN assessments work
Unlike ISO 27001 (where a certification body conducts scheduled audits) and Cyber Essentials (where the annual questionnaire is the primary assessment), DEFSTAN compliance is assessed by or on behalf of the contracting authority on their schedule. This means:
Some contracts will never have a formal site assessment — the contracting authority relies on the evidence pack, the security schedule in the contract, and the notification obligations. Other contracts, particularly those at Profile 2 or involving OFFICIAL-SENSITIVE information, may involve a site visit from a contracting authority security officer or a delegated assurance body.
You will typically receive at least two weeks' notice of a contracting authority security assessment. When notice is received, the CISO should be informed within 24 hours. The CISO manages the preparation and the assessment itself; management involvement is typically limited to a brief meeting with the contracting authority representative to confirm governance arrangements.
DEFSTAN events calendar — [YEAR]
DEFSTAN EVENTS CALENDAR — [YEAR]
Colour guide:
🟢 Scheduled and prepared — no action required
🟡 Scheduled — preparation in progress
🔴 Overdue or at risk — action required
📋 Administrative — no assessment risk; routine obligation
QUARTER 1 — [MONTH TO MONTH]
[DATE] 📋 [Contract ref 1] — Annual evidence pack refresh
Action: CISO refreshes evidence pack; no management involvement required
Status: 🟢 Complete / 🟡 In progress / 🔴 Overdue
Evidence filed at: EV-E → DEFSTAN → [Contract ref] → Evidence Pack [YYYY]
[DATE] 🟡 [Contract ref 2] — Contracting authority security review (notified [DATE])
Format: Document review and [site visit / video call] — [N] hours
Attendees: CISO + [IT Manager] + [Director if requested]
Topics expected:
• DEFSTAN Profile [N] compliance evidence
• Supplier sub-contractor assessment status
• Incident notification record review
• Personnel security — any clearance changes
Preparation: CISO leads — evidence pack compiled by [DATE]
Management briefing: [DATE — 3 days before]
Status: 🟡 Preparation in progress
QUARTER 2 — [MONTH TO MONTH]
[DATE] 📋 [Contract ref 1] — Personnel security annual check
Action: CISO cross-references Zone 3 access list against clearance register
Confirm: no individual has OFFICIAL access with a lapsed or unrenewed clearance
Status: 🟢 Scheduled
[DATE] 📋 [Contract ref 3] — Contract renewal — security schedule update required
Action: CISO prepares updated security schedule for commercial team
Management action: Commercial director to ensure security schedule is included
in renewal documentation — do not execute the renewal without the schedule
CISO deadline to provide updated schedule to commercial team: [DATE — 4 weeks before renewal]
Status: 🟡 CISO to prepare
QUARTER 3 — [MONTH TO MONTH]
[DATE] 🔴 [Contract ref 2] — Supplier assessment overdue
[Supplier name] — last assessed [DATE — 14 months ago]
Action: CISO to schedule assessment; see Investment 2 in Section 3 (investment decisions)
Impact on contracting authority review: material gap if review occurs before completion
Status: 🔴 Overdue — see investment decision
[DATE] 📋 [Contract ref 1] — Named personnel notification
[Staff member name] is on secondment returning [DATE]
Confirm: their OFFICIAL access is still appropriate; no notification required
Action: CISO confirms with Facilities / IT Operations; no management action
Status: 🟢 Routine
QUARTER 4 — [MONTH TO MONTH]
[DATE] 📋 [All contracts] — Annual DEFSTAN evidence review
Action: CISO reviews all active DEFSTAN evidence packs
Confirms: all packs are current; all profile requirements met
Reports to: management review (input to EV-A01)
Status: 🟢 Scheduled
[DATE] 🟡 [Contract ref 4] — New contract — evidence pack creation required
This contract was awarded [DATE]. An initial evidence pack must be compiled
within [N] weeks of award as a contractual obligation.
Action: CISO to compile; IT Manager to confirm technical controls current
Status: 🟡 In progress — target completion [DATE]
DEFSTAN personnel security events
Personnel events that trigger DEFSTAN notification obligations are tracked here separately from the assessment calendar, because they arise unpredictably and have a fixed 24-hour notification window.
DEFSTAN PERSONNEL SECURITY EVENT LOG — [YEAR]
[DATE] — [Staff name] — [Event: departure / clearance renewal / role change]
Action taken: CISO notified contracting authority [DATE] at [TIME]
Notification reference: [ref from contracting authority if provided]
Status: Complete
[DATE] — [Contractor name] — SC clearance renewed
Action: No notification required (renewal does not trigger obligation)
CISO confirmed with contracting authority: [if done] / Not required
Status: Complete — no action
[UPCOMING DATE] — [Staff name] — SC clearance due for renewal
CISO tracking: reminder in calendar [DATE — 3 months before expiry]
Action if not renewed: remove from Zone 3 access before expiry;
notify contracting authority within 24 hours of any access change
Status: 🟡 Monitoring — no action required yet
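The Q2 personnel security check (cross-referencing the Zone 3 access list against the clearance register) and the clearance-renewal tracking above are the same check run at different times: every person holding OFFICIAL access must have a current clearance, anyone inside the 3-month reminder window must be chased, and anyone whose clearance has lapsed or was never recorded must lose access immediately and be notified within the 24-hour window. The following is an added worked example, not code from the page or from the organisation's own tooling. The access list, register entries, names and dates are constructed for illustration; the CISO would export the real lists from the Zone 3 access control and the clearance register.

```python
from datetime import date, timedelta

# Constructed sample data, not from the page. Names, dates and clearance levels
# are hypothetical; in practice the CISO exports these from the Zone 3 access
# control list and the clearance register.
REVIEW_DATE = date(2026, 2, 1)
REMINDER_WINDOW = timedelta(days=90)   # page: reminder 3 months before expiry
NOTIFY_WINDOW_HOURS = 24               # page: notify within 24 hours of an access change

ZONE3_ACCESS = [
    {"name": "A. Smith", "access": "OFFICIAL"},
    {"name": "B. Jones", "access": "OFFICIAL"},
    {"name": "C. Patel", "access": "OFFICIAL"},
    {"name": "D. Lee", "access": "OFFICIAL"},
]

CLEARANCE_REGISTER = {
    "A. Smith": {"level": "SC", "expires": date(2026, 11, 30)},  # comfortably current
    "B. Jones": {"level": "SC", "expires": date(2026, 4, 15)},   # 73 days out: inside reminder window
    "C. Patel": {"level": "DV", "expires": date(2025, 12, 31)},  # expired without renewal
    # "D. Lee" has OFFICIAL access but no register entry at all
}


def classify(name, register, today):
    """Return (status, expiry) for one Zone 3 access holder.

    status is one of: 'ok', 'expiring', 'lapsed', 'no_clearance'.
    """
    rec = register.get(name)
    if rec is None:
        return "no_clearance", None
    if rec["expires"] < today:
        return "lapsed", rec["expires"]
    if rec["expires"] - today <= REMINDER_WINDOW:
        return "expiring", rec["expires"]
    return "ok", rec["expires"]


def review_zone3_access(access_list, register, today):
    """Cross-reference every Zone 3 holder against the clearance register and
    attach the action the calendar prescribes for each status."""
    remove_and_notify = (
        "remove Zone 3 access now; notify contracting authority within %dh"
        % NOTIFY_WINDOW_HOURS
    )
    actions = {
        # Access held without a current clearance: 24-hour notification item.
        "lapsed": remove_and_notify,
        "no_clearance": remove_and_notify,
        # Still cleared but inside the reminder window: chase renewal so access
        # can be removed before expiry if the renewal does not complete.
        "expiring": "renewal reminder open; remove access before expiry if not renewed",
        "ok": "none",
    }
    findings = []
    for entry in access_list:
        status, expires = classify(entry["name"], register, today)
        findings.append({
            "name": entry["name"],
            "access": entry["access"],
            "status": status,
            "expires": expires.isoformat() if expires else None,
            "action": actions[status],
        })
    # Lapsed and missing clearances first so the 24-hour items sit at the top;
    # sort is stable, so ties keep access-list order.
    order = {"lapsed": 0, "no_clearance": 0, "expiring": 1, "ok": 2}
    findings.sort(key=lambda f: order[f["status"]])
    return findings


def run_review():
    """Run the check over the constructed sample as of REVIEW_DATE."""
    return review_zone3_access(ZONE3_ACCESS, CLEARANCE_REGISTER, REVIEW_DATE)


def notify_within_24h(findings):
    """Names whose access must be removed and notified today."""
    return sorted(f["name"] for f in findings if f["status"] in ("lapsed", "no_clearance"))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['name']:<10} {f['status']:<13} expires={f['expires']}  action: {f['action']}")
```

The check deliberately treats a missing register entry the same as a lapsed clearance: an access list entry with no clearance behind it is the case the Q2 cross-reference exists to catch, and it should surface at the top of the output alongside lapsed clearances rather than being silently skipped.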
WHAT TRIGGERS A DEFSTAN NOTIFICATION:
Yes — notify within 24 hours:
Any named individual with OFFICIAL access departing the organisation
Any SC- or DV-cleared individual whose clearance expires without renewal
while they retain OFFICIAL access
Any security incident affecting OFFICIAL data
Any significant change to security architecture affecting OFFICIAL systems
Any sub-contractor change affecting a sub-contractor with OFFICIAL access
No — notification not required:
SC/DV clearance renewal (no change to access or personnel)
Internal role change where OFFICIAL access level is unchanged
Staff on approved leave (access suspended; not terminated)
If uncertain: call the CISO. The cost of an unnecessary notification is
a brief email. The cost of a missed notification is a contract compliance
breach.
Section 6 — 18-month compliance roadmap
The roadmap provides management with a forward view of compliance obligations across all active frameworks, so that resource and budget decisions can be sequenced correctly. Events within the next 90 days are covered in the current CISO quarterly commentary (Section 2). This roadmap covers the 3–18 month horizon.
18-MONTH COMPLIANCE ROADMAP — from [DATE]
MONTH 1–3 (immediate horizon — see quarterly commentary for detail):
[Already covered in Section 2 — cross-reference only]
Key events: [list — e.g. CE renewal, CMMC affirmation due]
MONTH 3–6:
[DATE] ISO 27001 Surveillance Audit [1/2]
Preparation: evidence pack due [DATE]; management briefing [DATE]
Investment: [none required / Investment 3 — see Section 3]
Management time: [N] hours (briefing + potential interview)
Risk: [low — no outstanding nonconformities / moderate — [describe]]
[DATE] CMMC Annual Self-Assessment and SPRS Update
CISO leads; Director affirmation required by [DATE]
Expected SPRS score: [N] (if Investment 1 is approved by [DATE])
[N] (if Investment 1 is not yet complete)
MONTH 6–9:
[DATE] Cyber Essentials Plus Technical Assessment
Pre-work by CISO: external port scan, patch compliance check, AV coverage
Management involvement: [minimal — scope confirmation if requested]
Risk: [low — all CE controls confirmed / describe any amber items]
[DATE] DEFSTAN [Contract ref 2] Contracting Authority Review
Evidence pack required: current
Supplier assessment gap ([Supplier name]) must be resolved before this date
Management involvement: brief attendance at review meeting if requested
MONTH 9–12:
[DATE] C3PAO Assessment — CMMC Level 2
This is the most significant compliance event in the 18-month horizon
Full preparation timeline: see Section 1.5
Investment 1 (EDR upgrade) must be approved and implemented by [DATE]
Management interview: [Director name] — preparation briefing [DATE]
Expected outcome: full certificate (if Investment 1 approved) /
conditional certificate (if Investment 1 deferred)
[DATE] Annual Management Review
Inputs required: all EV-A inputs; DEFSTAN evidence review; CMMC results;
certification status for all active frameworks
Outputs required: objectives for [YEAR+1]; risk acceptances; investment
decisions; policy re-approvals; CMMC affirmation
Duration: 120 minutes minimum
MONTH 12–15:
[DATE] ISO 27001 Surveillance Audit 2 [if applicable — surveillance audits are annual, so if SA1 fell in months 3–6 this entry belongs in months 15–18; remove it from here]
[Describe if applicable]
[DATE] [Contract ref 3] Renewal — CMMC Level 2 self-assessment now expected
The prime contractor has indicated that contract renewals from [YEAR]
will require Level 2 self-assessment evidence rather than Level 1.
Gap analysis required by: [DATE]
CISO to assess whether this changes our SPRS reporting obligations: [DATE]
MONTH 15–18:
[DATE] CMMC Annual Self-Assessment ([YEAR+1] cycle)
[Routine annual obligation — no special preparation anticipated unless
architecture changes have occurred]
[DATE] Cyber Essentials Annual Renewal ([YEAR+1])
Questionnaire preparation and submission — no significant risk anticipated
[DATE] ISO 27001 Recertification Audit [if applicable — 3-year cycle]
This is a full re-assessment, equivalent in scope to the Stage 2 initial
certification. Preparation begins 6 months in advance.
Investment requirements: to be assessed at [YEAR+1] management review.
Note this in the management review agenda for [YEAR] to ensure preparation
is resourced before the 6-month preparation window opens.
PLANNING ASSUMPTION FOR BUDGET AND RESOURCE:
Security assessment events in the next 18 months: [N]
Events requiring Director time: [N events — estimated [N] hours total]
Events requiring budget decision: [N — Investment 1: £[X]; Investment 2: £[X]]
Events where current posture is at risk: [N — describe]
Events where current posture is robust: [N]
Section 7 — What to say when asked about compliance
A practical reference for Directors, commercial leads, and bid managers who are asked about compliance status by customers, contracting authorities, auditors, or potential partners. These are the accurate answers — not marketing language and not evasive non-answers.
WHEN ASKED: "Are you ISO 27001 certified?"
Accurate answer:
"Yes. We hold ISO 27001:2022 certification issued by [certification body].
Certificate number [N]. The certificate is valid until [DATE]. The scope
covers [brief scope description]. You can verify the certificate at
[certification body public lookup URL]."
Do not say: "We are working towards ISO 27001" (unless that is actually the
case). Do not say "We have ISO 27001 equivalent controls" — this is not
the same as certification.
─────────────────────────────────────────────────────────────────────────────
WHEN ASKED: "What is your CMMC Level?"
Accurate answer:
"We have completed our CMMC Level 2 annual self-assessment. Our SPRS score
is [N]. The assessment was dated [DATE]. Our C3PAO assessment [has been
completed — certificate number [N] / is scheduled for [DATE]]."
Do not say: "We are CMMC Level 2 certified" unless you hold a C3PAO
certificate. Self-assessment is not certification. The distinction matters
to DoD contracting officers.
─────────────────────────────────────────────────────────────────────────────
WHEN ASKED: "Have you had any security incidents?"
Accurate answer (standard):
"We have not had any incidents requiring regulatory notification in the past
[N] months / We had [N] incidents in [period] which were reported to [DoD
/ ICO / contracting authority] within the required timeframe. The root cause
has been addressed."
Do not disclose incident details beyond what was in the formal notifications
without CISO review of what can be shared.
─────────────────────────────────────────────────────────────────────────────
WHEN ASKED: "Are you DEFSTAN 05-138 compliant?"
Accurate answer:
"We comply with DEFSTAN 05-138 Profile [N] for our current MOD contracts.
Our evidence pack was last reviewed on [DATE]. The applicable profile
for [specific contract context] is Profile [N]."
Note: DEFSTAN compliance is contract-specific. Do not claim Profile 2
compliance for bids where only Profile 0 or 1 has been assessed.
─────────────────────────────────────────────────────────────────────────────
WHEN ASKED IN A BID: "Do you hold Cyber Essentials?"
Accurate answer for the bid response:
"Yes. Cyber Essentials certificate number [N], valid until [DATE]. Scope:
[as stated on the certificate]. Issued by [certification body]."
Note: confirm the scope on the certificate covers the systems relevant to
the bid before including this in a response. The CISO can confirm.
─────────────────────────────────────────────────────────────────────────────
WHEN A CONTRACTING AUTHORITY ASKS UNANNOUNCED ABOUT OUR SECURITY POSTURE:
First response: "Thank you for raising this. Our CISO is the best person
to provide you with accurate and complete information. May I have our CISO
contact you directly? They can arrange a briefing that covers exactly
what you need."
Do not: attempt to answer detailed questions about controls, gaps, or
incidents from memory. The CISO maintains the accurate and current position
and can provide documentation to support any statement made.
Why this matters: a verbal statement that contradicts our documented
compliance position — even if made in good faith with imperfect recollection
— creates a credibility problem when the documentation is later reviewed.
Directing the contracting authority to the CISO is not evasion; it is
accurate and appropriate.
Version and review
| Version | Date | Prepared by | Approved by | Key changes |
|---|---|---|---|---|
| 1.0 | [DATE] | CISO | [Director name] | Initial publication |
Page owner: CISO · Review cycle: Quarterly update; annual full review at management review · SCM: isms-management · Questions: [ciso@organisation.com]