Jackie Ramsey, March 12, 2026

If your CMMC Level 2 plan lives in people’s heads, your audit will feel like a fire drill. I’ve watched small and mid-sized defense contractors spend weeks hunting for screenshots, exports, and tickets they swear exist.

A CMMC Level 2 evidence binder fixes that, but only if it’s built for real life. Evidence has to be findable, dated, owned, and reviewable, even when the usual IT person is out.

Below is the SharePoint evidence library blueprint I use, plus naming rules and a weekly habit that keeps evidence fresh without turning Fridays into panic.

What assessors actually check at CMMC Level 2 (and why “we have it” isn’t evidence)

CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Rev. 2. In plain terms, it’s not enough to say you do MFA, patching, logging, training, or access reviews. You need repeatable proof that matches each practice statement and its assessment objectives, within the scope you actually declared.

When I build an evidence binder, I anchor it to assessor language, not internal nicknames. The best way to keep that alignment is to keep a copy of the official references handy, including the DoD’s assessment methods and what counts as acceptable artifacts. I point teams to the DoD CMMC Level 2 Assessment Guide and the underlying NIST SP 800-171 Rev. 2 publication and then I map evidence to each practice ID.

As of February 2026, timing matters too. We’re in the rollout period where many Level 2 contracts still accept self-assessments, but third-party assessments ramp up as Phase 2 begins in November 2026 and a C3PAO assessment becomes a condition of award for the contracts that call for one. That reality changes how strict you need to be with evidence hygiene, because “close enough” evidence rarely survives a detailed C3PAO review.

This is where my Small Business IT mindset helps. Whether I’m doing Office 365 Migration planning, Cloud Infrastructure work, or Cybersecurity Services like Endpoint Security and Device Hardening, the pattern is the same: document the control, capture the proof, show the review.

SharePoint evidence library blueprint (folder tree + settings that hold up)

Diagram of the SharePoint evidence binder layout (folder tree by NIST 800-171 family, naming convention example, weekly checklist, and evidence workflow), created with AI.

I store evidence in one SharePoint document library per enclave (or per major boundary), not scattered across Teams chats and personal OneDrive. Then I use a consistent folder tree by NIST 800-171 family, because assessors think in families.

Here’s the ready-to-use folder tree:

  • 00_Admin
    • Assessment_Plan_Scope
    • Evidence_Index_Control_Map
    • RACI_Roles
    • Tooling_System_Inventory
    • Meeting_Minutes_Security
  • AC_AccessControl
  • AT_AwarenessTraining
  • AU_AuditAccountability
  • CA_SecurityAssessment
  • CM_ConfigurationManagement
  • IA_IdentificationAuthentication
  • IR_IncidentResponse
  • MA_Maintenance
  • MP_MediaProtection
  • PE_PhysicalProtection
  • PS_PersonnelSecurity
  • RA_RiskAssessment
  • SC_SystemCommunicationsProtection
  • SI_SystemInformationIntegrity

Those are the 14 families NIST SP 800-171 Rev. 2 actually uses, and the 14 domains a Level 2 assessor walks through. Resist adding folders for families the Level 2 model doesn’t assess (Contingency Planning and System and Services Acquisition are NIST SP 800-53 families, not 800-171 Rev. 2 ones); an assessor will ask which practice IDs live there, and the honest answer is none. File backup evidence under the practice it supports instead, for example MP for protecting CUI at backup locations.

Inside every family folder, I keep the same six subfolders (this reduces “where does this go?” debates):

  • Policies_Procedures
  • System_Settings_Screenshots
  • Tickets_Change_Records
  • Reports_Logs
  • Training_Attestations
  • Exceptions_POAM

Document library settings I recommend (Microsoft 365)

I keep the setup simple, then add structure where it pays off:

  • Versioning: Major versions ON, keep at least 50 versions. Version history is your tamper record; an assessor can see when a file changed and who changed it.
  • Content approval: ON, so evidence moves from Pending to Approved. Set draft item security so only authors and approvers see unapproved items; an assessor should only ever be shown Approved evidence.
  • Default retention: Align to your contract and legal needs (retention labels are applied from Purview, not from the library settings), but pick a rule and apply it consistently.
  • Permissions: Break inheritance at the library. Limit contributors to a named group, and keep broad read access away from any folder whose files might contain CUI.
  • Columns (metadata): Family, PracticeID, System, EvidenceType, Cadence, Owner, Approver, ReviewBy, CUI-Included (Yes/No).
  • Views: “By PracticeID”, “Due for Review (next 30 days)”, “Draft Evidence”.
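Clicking those settings through the UI works once; doing it identically for a second enclave is where drift starts. Here is an added PnP.PowerShell script (my example for this article, not something the original post ships) that provisions the library, versioning, content approval, permissions, the metadata columns, the 14-family folder tree, and the three views. It assumes the PnP.PowerShell module is installed, an Entra app registration for PnP sign-in, and Site Owner rights on the target site; the site URL, client ID, library name, and group names are placeholders for your tenant. Retention is not set here because retention labels live in Purview.

```powershell
# Added example (not the post's own script): provision a CMMC Level 2 evidence
# library with PnP.PowerShell. Assumes: Install-Module PnP.PowerShell, an Entra
# app registration for PnP ($ClientId placeholder), Site Owner rights, and that
# the SharePoint groups named below already exist (names are placeholders).
Import-Module PnP.PowerShell

$SiteUrl      = 'https://contoso.sharepoint.com/sites/CMMC-Enclave'   # placeholder
$ClientId     = '00000000-0000-0000-0000-000000000000'                # placeholder
$Library      = 'CMMC-L2-Evidence'
$Contributors = 'CMMC Evidence Contributors'        # placeholder group allowed to upload
$MembersGroup = 'CMMC-Enclave Members'              # placeholder default site members group

Connect-PnPOnline -Url $SiteUrl -ClientId $ClientId -Interactive

# 1. One library per enclave, with versioning and content approval from day one.
if (-not (Get-PnPList -Identity $Library -ErrorAction SilentlyContinue)) {
    $null = New-PnPList -Title $Library -Url $Library -Template DocumentLibrary -EnableVersioning
}
$listSettings = @{
    Identity             = $Library
    EnableVersioning     = $true
    MajorVersions        = 50      # keep at least 50 major versions
    EnableModeration     = $true   # content approval: new items sit Pending until approved
    BreakRoleInheritance = $true   # stop inheriting site-wide permissions
    CopyRoleAssignments  = $true   # copy first so you do not lock yourself out, then prune
}
Set-PnPList @listSettings
# Named contributors may add/edit; the broad members group loses Edit and keeps Read.
Set-PnPListPermission -Identity $Library -Group $Contributors -AddRole 'Contribute'
Set-PnPListPermission -Identity $Library -Group $MembersGroup -RemoveRole 'Edit'

# 2. Metadata columns. Internal names avoid hyphens so CAML queries stay simple.
$columns = @(
    @{ DisplayName = 'Family';       InternalName = 'Family';           Type = 'Text' }
    @{ DisplayName = 'PracticeID';   InternalName = 'PracticeID';       Type = 'Text' }
    @{ DisplayName = 'System';       InternalName = 'EvidenceSystem';   Type = 'Text' }
    @{ DisplayName = 'EvidenceType'; InternalName = 'EvidenceType';     Type = 'Choice'
       Choices = 'Policy','Screenshot','Export','Attestation','Report','POAM' }
    @{ DisplayName = 'Cadence';      InternalName = 'Cadence';          Type = 'Choice'
       Choices = 'Weekly','Monthly','Quarterly','Annual','OnChange' }
    @{ DisplayName = 'Owner';        InternalName = 'EvidenceOwner';    Type = 'User' }
    @{ DisplayName = 'Approver';     InternalName = 'EvidenceApprover'; Type = 'User' }
    @{ DisplayName = 'ReviewBy';     InternalName = 'ReviewBy';         Type = 'DateTime' }
    @{ DisplayName = 'CUI-Included'; InternalName = 'CUIIncluded';      Type = 'Boolean' }
)
foreach ($c in $columns) {
    if (-not (Get-PnPField -List $Library -Identity $c.InternalName -ErrorAction SilentlyContinue)) {
        $null = Add-PnPField -List $Library @c -AddToDefaultView
    }
}

# 3. Folder tree: 00_Admin plus the 14 NIST SP 800-171 Rev. 2 families, each with
#    the same six subfolders. Resolve-PnPFolder creates missing path segments.
$admin = 'Assessment_Plan_Scope','Evidence_Index_Control_Map','RACI_Roles',
         'Tooling_System_Inventory','Meeting_Minutes_Security' | ForEach-Object { "00_Admin/$_" }
$families = 'AC_AccessControl','AT_AwarenessTraining','AU_AuditAccountability','CA_SecurityAssessment',
            'CM_ConfigurationManagement','IA_IdentificationAuthentication','IR_IncidentResponse',
            'MA_Maintenance','MP_MediaProtection','PE_PhysicalProtection','PS_PersonnelSecurity',
            'RA_RiskAssessment','SC_SystemCommunicationsProtection','SI_SystemInformationIntegrity'
$subfolders = 'Policies_Procedures','System_Settings_Screenshots','Tickets_Change_Records',
              'Reports_Logs','Training_Attestations','Exceptions_POAM'
$paths = @($admin) + @(foreach ($f in $families) { foreach ($s in $subfolders) { "$f/$s" } })
foreach ($p in $paths) { $null = Resolve-PnPFolder -SiteRelativePath "$Library/$p" }

# 4. The three views the weekly routine runs from. _ModerationStatus 0 = Approved.
$viewFields = 'DocIcon','LinkFilename','PracticeID','Cadence','EvidenceOwner','ReviewBy','_ModerationStatus'
$views = @{
    'By PracticeID'                 = '<OrderBy><FieldRef Name="PracticeID"/><FieldRef Name="ReviewBy"/></OrderBy>'
    'Due for Review (next 30 days)' = '<Where><Leq><FieldRef Name="ReviewBy"/><Value Type="DateTime"><Today OffsetDays="30"/></Value></Leq></Where><OrderBy><FieldRef Name="ReviewBy"/></OrderBy>'
    'Draft Evidence'                = '<Where><Neq><FieldRef Name="_ModerationStatus"/><Value Type="ModStat">0</Value></Neq></Where>'
}
foreach ($v in $views.GetEnumerator()) {
    if (-not (Get-PnPView -List $Library -Identity $v.Key -ErrorAction SilentlyContinue)) {
        $null = Add-PnPView -List $Library -Title $v.Key -Fields $viewFields -Query $v.Value
    }
}
```

Run it once per enclave site with the placeholders filled in; it is idempotent, so re-running after someone deletes a view or column puts it back. Draft item security (who can see Pending items) is still a library setting under Versioning settings, so set that in the UI after the script finishes, and apply the retention label from Purview.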

If you need a starting point for identity-related evidence (MFA, conditional access, account management), Microsoft’s own mapping is helpful, including the Microsoft Learn guidance for CMMC Level 2 Access Control.

This is also where I tie in Cloud Management and Secure Cloud Architecture decisions. Evidence is easier when your tenant is consistent.

File naming rules: one syntax, ISO dates, and examples that don’t rot

Folders help humans browse, but naming is what makes evidence searchable, sortable, and defensible. My rule: no spaces, no guessing, no cute names.

Standard naming syntax

{Family}.{PracticeID}_{YYYY-MM-DD}_{Cadence}_{System}_{ShortDesc}_{ArtifactType}_v{X.Y}_OWNER-{Role}.{ext}

ShortDesc comes before ArtifactType so that files for one system sort by subject first, then by kind; the examples below follow that order.

Allowed characters: A–Z, a–z, 0–9, underscore _, hyphen -, dot .

Not allowed: spaces, commas, parentheses, ampersands, emojis, and “FINALfinal”.

Date format: ISO 8601 (YYYY-MM-DD). If you need time, use Thhmm (example: 2026-02-10T1430).

Examples (common artifact types)

  • Policy (PDF): AC.L2-3.1.1_2026-02-01_Annual_M365_AccessControlPolicy_Policy_v1.3_OWNER-COMP.pdf
  • Screenshot (PDF): IA.L2-3.5.3_2026-02-03_Weekly_Entra_AuthMethods_Screenshot_v1.0_OWNER-ITSEC.pdf
  • Log export (CSV): AU.L2-3.3.1_2026-02-05_Weekly_SIEM_AuditEvents_Export_v1.0_OWNER-ITSEC.csv
  • Ticket export (PDF/CSV): CM.L2-3.4.1_2026-02-06_Weekly_Jira_ChangeTickets_Export_v1.0_OWNER-ITOPS.pdf
  • Training record (PDF): AT.L2-3.2.1_2026-02-07_Monthly_LMS_SecurityTraining_Attestation_v1.0_OWNER-HR.pdf
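Naming rules are easy to state and easy to drift from, and the Cadence and ReviewBy metadata from the library settings section only help if the ReviewBy date actually gets set. Here is an added PowerShell check (my example for this article, not code from the original post) that parses a file name against the syntax above, rejects names with disallowed characters or impossible dates, and derives a ReviewBy date from the Cadence token so stale evidence surfaces before an assessor finds it. The review windows per cadence, the extra Quarterly and OnChange cadences, the artifact-type list, and the sample file names are my assumptions; the broken sample names are constructed to show the failure modes.

```powershell
# Added example (not the post's own code): validate evidence file names against
# the naming syntax and compute review status from the Cadence token.
# Assumptions: token sets and cadence windows below are mine, not from the post.
$Pattern = '^(?<Family>[A-Z]{2})\.(?<PracticeID>L2-3\.\d{1,2}\.\d{1,2})_' +
           '(?<Date>\d{4}-\d{2}-\d{2})(?:T\d{4})?_' +
           '(?<Cadence>Weekly|Monthly|Quarterly|Annual|OnChange)_' +
           '(?<System>[A-Za-z0-9-]+)_(?<ShortDesc>[A-Za-z0-9-]+)_' +
           '(?<ArtifactType>Policy|Screenshot|Export|Attestation|Report|POAM)_' +
           'v(?<Version>\d+\.\d+)_OWNER-(?<Role>[A-Z]+)\.(?<Ext>[a-z0-9]+)$'

# Days after the capture date at which the artifact must be refreshed (assumed windows).
$CadenceDays = @{ Weekly = 7; Monthly = 31; Quarterly = 92; Annual = 366; OnChange = 366 }

function Test-EvidenceName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [datetime]$AsOf = (Get-Date).Date,   # the "today" used for staleness
        [int]$DueWindowDays = 30              # matches the "Due for Review (next 30 days)" view
    )
    $m = [regex]::Match($Name, $Pattern)
    if (-not $m.Success) {
        return [pscustomobject]@{ Status = 'Invalid'; PracticeID = $null; ReviewBy = $null
                                  Reason = 'does not match naming syntax'; Name = $Name }
    }
    # Eight digits in the right shape is not a date: 2026-02-30 must fail here.
    $date = [datetime]::MinValue
    if (-not [datetime]::TryParseExact($m.Groups['Date'].Value, 'yyyy-MM-dd',
            [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$date)) {
        return [pscustomobject]@{ Status = 'Invalid'; PracticeID = $null; ReviewBy = $null
                                  Reason = 'invalid ISO 8601 date'; Name = $Name }
    }
    $reviewBy = $date.AddDays($CadenceDays[$m.Groups['Cadence'].Value])
    $status = if ($reviewBy -lt $AsOf) { 'Stale' }
              elseif ($reviewBy -le $AsOf.AddDays($DueWindowDays)) { 'DueSoon' }
              else { 'Current' }
    [pscustomobject]@{
        Status     = $status
        PracticeID = '{0}.{1}' -f $m.Groups['Family'].Value, $m.Groups['PracticeID'].Value
        ReviewBy   = $reviewBy.ToString('yyyy-MM-dd')
        Reason     = ''
        Name       = $Name
    }
}

function Get-EvidenceReport {
    param([Parameter(Mandatory)][string[]]$Names, [datetime]$AsOf = (Get-Date).Date)
    $Names | ForEach-Object { Test-EvidenceName -Name $_ -AsOf $AsOf }
}

# Constructed sample names (not real files): three good, one stale, two broken.
$Sample = @(
    'IA.L2-3.5.3_2026-02-03_Weekly_Entra_AuthMethods_Screenshot_v1.0_OWNER-ITSEC.pdf'
    'AC.L2-3.1.1_2026-02-01_Annual_M365_AccessControlPolicy_Policy_v1.3_OWNER-COMP.pdf'
    'CM.L2-3.4.1_2026-02-06_Weekly_Jira_ChangeTickets_Export_v1.0_OWNER-ITOPS.pdf'
    'AU.L2-3.3.1_2025-11-05_Weekly_SIEM_AuditEvents_Export_v1.0_OWNER-ITSEC.csv'        # stale
    'AC.L2-3.1.1_2026-02-30_Annual_M365_AccessControlPolicy_Policy_v1.3_OWNER-COMP.pdf' # Feb 30
    'AC 3.1.1 screenshot FINALfinal.png'                                                # spaces, no ID
)
Get-EvidenceReport -Names $Sample -AsOf ([datetime]'2026-02-10') |
    Format-Table Status, PracticeID, ReviewBy, Reason, Name -AutoSize

# Against a synced copy of the library, only the problems:
# Get-ChildItem -Path 'C:\Users\me\Contoso\CMMC-L2-Evidence' -Recurse -File |
#     ForEach-Object { Test-EvidenceName -Name $_.Name } |
#     Where-Object Status -ne 'Current'
```

With the sample names and an as-of date of 2026-02-10, the two weekly items from early February come back DueSoon, the annual policy is Current, the November log export is Stale, and the two malformed names are Invalid with a reason. The ReviewBy the function computes is the value to write into the ReviewBy column on upload (Thursday in the routine below), so the library’s own “Due for Review” view and this script agree.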

This approach supports Infrastructure Optimization because it forces clean system naming and ownership. It’s the same discipline I use when I’m doing Restaurant POS Support and Kitchen Technology Solutions: the system changes, but proof and ownership still matter.

A weekly evidence habit (30 to 60 minutes) that keeps you audit-ready

Illustration of the five-day weekly evidence habit mapped to the SharePoint library workflow (control family folders and RACI labels), created with AI.

I don’t ask teams to “do compliance.” I ask for a small weekly rhythm that produces evidence as a byproduct of normal ops.

RACI that works for SMBs

R = Responsible, A = Accountable, C = Consulted, I = Informed

  • Collect weekly artifacts: R IT/Sec Lead; A Compliance Owner; C System Owners; I Leadership
  • Name, upload, tag metadata: R Compliance Owner; A Compliance Owner; C IT/Sec Lead; I Program Managers
  • Approve evidence items: R Security Manager; A Exec Sponsor; C Compliance Owner; I IT
  • Monthly evidence health review: R Compliance Owner; A Exec Sponsor; C IT, HR, Facilities; I All owners
  • Quarterly scope check: R Compliance Owner; A Exec Sponsor; C Contracts, IT; I Leadership

The 30 to 60 minute routine

  • Mon (10 min): export logs or reports that rotate weekly (AU, SI).
  • Tue (10 min): capture 2 to 3 screenshots for key settings (IA, AC, CM), with the tenant name, date, and signed-in admin visible in the capture. Save as PDF so the capture carries its own context; a PDF is not tamper-proof, so the library’s version history and approval stamp are what actually prove when it was taken and reviewed.
  • Wed (10 min): export closed tickets and changes (CM, IR).
  • Thu (10 to 20 min): upload, apply metadata, set ReviewBy.
  • Fri (10 min): approver reviews, marks Approved, and adds a brief approval note.

Then I do two bigger check-ins:

  • Monthly (30 min): run the “Due for Review” view, replace stale screenshots, confirm owners still work here.
  • Quarterly (60 min): validate scope boundaries, confirm where CUI lives, and confirm evidence matches the current architecture (this is where Digital Transformation projects often break old evidence).

POA&Ms and exceptions without poisoning your binder

POA&Ms belong in the binder, but they can’t become a hiding place. I keep them in Exceptions_POAM with strict rules: every item needs an owner, a due date, compensating controls, and links to the affected practice IDs. I also store closure evidence right next to the POA&M record, not “somewhere in email.” Keep in mind that under the CMMC rule a conditional Level 2 status requires POA&M items to be closed within 180 days, and the higher-weighted practices can’t be put on a POA&M at all, so the due date is not negotiable and the list should be short.

If you’re unsure what the DoD considers a practice versus an assessment objective, the CMMC Model Overview helps keep language consistent.

Common audit pain I prevent early

I see the same failures repeat:

  • Stale screenshots: I date them and set ReviewBy, then replace on schedule.
  • Missing owner or approver: every file has OWNER-Role in the name and Owner metadata.
  • Inconsistent control IDs: I use one canonical PracticeID format everywhere.
  • Over-reliance on folders: folders are for families, metadata is for filtering and proof.
  • CUI in the wrong place: evidence about CUI can exist outside the enclave, CUI itself should not. Screenshots and log exports quietly pick up CUI (file names, user data, ticket text), which is what the CUI-Included column is for; anything marked Yes stays in the enclave library with the tighter permissions. I treat that as Business Continuity & Security, not a paperwork issue.

Conclusion

A CMMC Level 2 evidence binder shouldn’t be a one-time project. It should be a living SharePoint library that makes your controls easy to prove, week after week.

If you want help setting this up inside Microsoft 365, I can fold it into my Technology Consulting approach, along with Managed IT for Small Business, Tailored Technology Services, and the IT Strategy for SMBs that keeps audits from derailing operations. The goal is simple: auditor-ready evidence that matches how you actually work.

