The documentation workstream that takes most contractors weeks to months took one sub-50-person technology company 18 hours — with a human approving every evidence-to-control link.
CMMC Level 2 preparation has a workstream that consumes more calendar time than almost any other: documentation and evidence. Building the artifact package an assessor will actually examine — policies, procedures, and evidence mapped to all 110 NIST SP 800-171 requirements — routinely takes weeks to months of senior staff or consultant time. It's the line item that quietly extends every CMMC timeline and breaks most CMMC budgets.
This case study covers an engagement where that workstream took 18 hours.
The client is a federal-focused technology company with fewer than 50 employees — squarely in the profile of the roughly 70% of the defense industrial base that qualifies as a small business. Like most small contractors, it had real security practices and real existing documentation, but nothing organized the way a C3PAO examines it: evidence scattered across systems, policies written for operations rather than mapped to control requirements, and no staff to spare for a months-long documentation project.
The engagement ran entirely inside PRISM, Risk Aperture's compliance assessment platform, across three phases:
| Phase | What happened | Who did the work |
|---|---|---|
| 1. Evidence upload | The company's existing documentation — policies, procedures, architecture documents, operational records — was uploaded into PRISM. The platform's AI document analysis assessed each artifact against Level 2 requirements and classified status: compliant, partial, or policy-only. | Client uploads; Iris AI analyzes |
| 2. Template generation | For requirements with missing or insufficient documentation, PRISM generated the needed policies and procedures from its template library — customized to the organization by the AI engine. The client drafted nothing. | Iris AI generates and customizes |
| 3. Review & approval | Every evidence-to-control link was reviewed and approved by a human before being finalized. Nothing entered the assessment package on AI judgment alone. | Human in the loop, always |
An evidence package is a set of claims you'll defend in front of an assessor. AI that silently asserts compliance is a liability in that room — which is why PRISM is built conservative by design. The AI does the information processing: reading documents, mapping them to requirements, drafting what's missing, proposing the links. A person makes every final call. The output isn't "the AI says you're compliant"; it's "your team approved this mapping, with the analysis done for them instead of by them."
That division of labor is precisely why the timeline collapses. The weeks-to-months in a traditional documentation engagement aren't spent on judgment — they're spent on reading, cross-referencing, formatting, and drafting. Those are the hours the AI absorbs. The judgment, which was always the valuable part, is what the 18 hours mostly consisted of.
Precision matters in CMMC claims, so to be clear about scope: the 18 hours covered the documentation and evidence workstream — the package preparation that traditionally consumes weeks to months (stage 4 in our timeline guide). It did not include infrastructure remediation, which depends on an organization's starting posture, and it is not the C3PAO assessment itself, which only an authorized third party can perform.
That scoping is exactly why the result generalizes. Remediation time varies enormously between organizations; evidence-preparation time traditionally varies mainly with how much documentation exists and how many staff hours can be thrown at it. Making that workstream a function of AI processing plus human review — instead of staff availability — is what changes the planning math for any contractor, regardless of posture.
Two of the standard CMMC planning numbers change when the evidence workstream compresses:
There's a second-order effect, too: assessors price on friction, and a clean, consistently mapped evidence package is the opposite of friction. Arriving at the C3PAO engagement with every control linked to reviewed evidence shortens the assessment and the back-and-forth around it.
Bring your own documents to a PRISM demo and watch the AI analysis, template generation, and review workflow run on your actual evidence.