If you support CUI with a small staff, change control can feel like a tax on your day. Patches pile up, users want “just one quick tweak”, and your team still has to keep contracts moving.
For CMMC change management, the goal isn’t paperwork. It’s control. I want every change on CUI systems to be planned, approved, tested (when possible), and easy to prove later. When an assessor asks “show me”, I can point to clean tickets, clear approvals, and simple evidence.
Below is the practical process I use for small IT teams, whether you run Jira, Git, Intune, and a patch tool, or you’re working from a shared mailbox and a spreadsheet.
What CMMC Level 2 expects from change control (and what assessors ask for)
At Level 2, change management lives mostly inside configuration management. In plain terms, you need to manage changes to hardware, software, firmware, and configurations that touch CUI. That means you control the change before it controls you.
When I build a CMMC change management process, I anchor it to what an assessor will test: consistent execution and evidence over time. The DoD’s CMMC Level 2 Assessment Guide (PDF) is useful here because it shows the “Objective Evidence” mindset. They don’t want a perfect story, they want repeatable proof.
Two timing realities matter in February 2026:
- Many orgs still operate in the phased rollout period, but the bar is rising.
- Third-party assessments for Level 2 contracts are expected to be a bigger factor starting in late 2026, so I plan to keep 3 to 6 months of change evidence ready at all times.
I also keep documentation lean. In most small environments, I can stay audit-ready with:
- A short change management policy (1 to 2 pages)
- A change log (tickets or spreadsheet)
- A maintenance window calendar
- A rollback template
- A monthly change review note (even a saved agenda email works)
If I can’t show who approved a change, when it happened, and what I did if it failed, it’s not controlled. It’s just hope with a timestamp.
My lightweight CMMC change management workflow (tools or low-cost)
I like tools that create evidence without extra effort. For a “normal” stack, I use Jira or “ServiceNow-lite” ticketing, Git for config and scripts, and Intune or another MDM for Endpoint Security and Device Hardening. Patch tools (Windows Update for Business, Autopatch, RMM, or third-party patching) fill in the rest.
For a low-cost option, I’ve seen this work well:
- Shared mailbox (changes@company.com)
- One spreadsheet change log
- Any basic ticketing tool you already have (even a lightweight helpdesk)
Either way, I keep the workflow simple and repeatable:
- Request: Capture the change and business reason.
- Assess risk: Note CUI impact, downtime, and security risk.
- Plan + rollback: Decide how to undo it fast.
- Approve: Right approver based on risk.
- Implement: During a defined window.
- Validate: Confirm success and collect evidence.
- Close + learn: Record results and any follow-up.
Sample change ticket fields (small team, audit-friendly)
This table shows the fields I require to make tickets useful in an assessment.
| Change ticket field | Why it matters for CMMC Level 2 | Example |
|---|---|---|
| Change title | Quick traceability | “Intune BitLocker policy update for CUI laptops” |
| System(s) in scope | Defines boundary | “CUI enclave, M365 tenant, 12 endpoints” |
| Business reason | Shows intent, reduces “random” change | “Meet Device Hardening baseline” |
| Risk level | Drives approvals and testing | “Medium, user impact possible” |
| Security impact | Ties to controls | “Affects Endpoint Security settings” |
| Implementation steps | Proves planning | “Pilot 3 devices, then deploy” |
| Test plan | Evidence of validation | “Pilot success screenshots, event logs” |
| Rollback plan | Limits downtime | “Revert policy, restore snapshot” |
| Maintenance window | Predictable operations | “Sat 10 pm to 12 am” |
| Approver + date | Clear authorization | “IT lead approved 2/12/26” |
| Evidence links | Audit-ready | “Intune report, Git commit, ticket notes” |
| Post-change result | Success or lessons | “Success, no incidents” |
This structure works for Cloud Infrastructure changes, Office 365 Migration tasks, and even Data Center Technology updates like switch firmware, storage patches, or backup config changes.
Standard, normal, and emergency changes (with risk-based approvals)
Small teams need three paths, otherwise everything becomes “urgent” and your logs look chaotic.
1) Standard changes (pre-approved, low risk)
These are repeatable, proven, and documented once. I only classify a change as “standard” after I’ve run it successfully several times.
Examples: monthly Windows patching on a stable ring, routine certificate renewals, adding a user to a known group using an approved request form.
2) Normal changes (planned, reviewed)
This is the default. Most changes that affect CUI systems should land here, including Cloud Management adjustments, firewall rules, new SaaS integrations, conditional access updates, and infrastructure optimization work.
3) Emergency changes (fix-now, document fast)
Emergencies happen, especially with active exploitation, failed updates, or broken Restaurant POS Support during dinner rush. I still document them, just on a tighter timeline: approve quickly, implement, then complete the ticket within 24 hours with evidence and a post-change note.
Approval thresholds based on risk (practical for SMBs)
Here’s the model I use so approvals don’t stall your week.
| Risk level | Typical impact | Minimum approval | Extra requirements |
|---|---|---|---|
| Low | No downtime, no CUI boundary change | Change owner + peer review | Validate and record evidence |
| Medium | User impact or limited downtime | IT lead or designated approver | Pilot test when possible |
| High | Affects CUI boundary, auth, logging, encryption | IT lead + business owner | Written rollback, comms plan |
| Emergency | Active outage or security threat | On-call approver (fast) | Close-out review next business day |
When segregation of duties is hard (because your team is two people), I add compensating controls:
- Peer review in Git for scripts and config files (even if you’re the only admin, get a second set of eyes from another IT staffer or manager).
- Recorded approval in the ticket before implementation, or in an approval email saved to the ticket.
- Post-implementation review within 48 hours for medium/high risk changes.
- Admin activity logs (Intune, M365 audit logs, firewall logs) attached as evidence.
I treat this as part of being a Business Technology Partner, not “extra compliance work.” It protects the business when something goes sideways.
Rollback planning, maintenance windows, and the evidence you’ll be glad you kept
Rollback planning shouldn’t be a novel. I keep it to three parts: restore point, backout steps, and decision trigger.
- Restore point: snapshot, backup, export config, or Git tag.
- Backout steps: the minimum steps to return to the last known good state.
- Decision trigger: “If sign-in failures exceed X” or “If POS terminals can’t sync within 15 minutes”.
Maintenance windows matter even more for small teams because interruptions steal days. I prefer:
- A weekly window for standard patching and minor updates.
- A monthly window for bigger Cloud Infrastructure, Office 365, or firewall changes.
- For restaurants, I schedule Kitchen Technology Solutions changes after close, then I test at open with a short checklist.
For evidence collection, I avoid screenshots unless they help. Instead, I attach exports and logs:
- Ticket history and approvals
- Git commit or PR link
- Intune policy change record and compliance report
- Patch report showing deployment and success
- Backup job result and, when high risk, a restore test result
If you want a plain-English view of how Level 2 maps to real steps, I often point teams to CMMC 2.0 Level 2 requirements explained. For business owners who need the “why now” framing, how CMMC impacts small businesses helps set expectations.
Common pitfalls I see in CMMC Level 2 assessments
- Untracked changes made “directly in prod” with no ticket.
- Emergency changes that never get a next-day write-up.
- No rollback evidence, even for high-risk items.
- Approvals that aren’t traceable, like verbal ok’s with no record.
- Docs that don’t match reality, like an SSP that says one thing while Intune does another.
30/60/90-day implementation plan (small team pace)
| Timeframe | What I implement | Evidence I expect by the end |
|---|---|---|
| 30 days | Scope CUI systems, define change types, start ticketing | Policy draft, first 10 changes logged |
| 60 days | Risk approvals, rollback template, maintenance calendar | Pilot evidence, approval trails, sample rollbacks |
| 90 days | Metrics, monthly review, tighten SoD controls | 3 months of reports, trend lines, clean closures |
Conclusion: change control that supports security and speed
When I run CMMC change management the right way, my team moves faster because we stop re-learning the same lessons. The process stays light, but the evidence stays strong. That combination supports Cybersecurity Services, Secure Cloud Architecture, and Business Continuity & Security without turning my day into paperwork.
If you’re building IT Strategy for SMBs while handling CUI, start with the ticket fields and the risk approvals. Then keep three months of proof ready. Your future assessment, and your future self, will thank you.
Discover more from Guide to Technology
Subscribe to get the latest posts sent to your email.