<h2>The Scenario: The 3:00 AM Incident</h2> <p>It is 03:00 hours on a Tuesday. A contractor’s workstation exhibits anomalous outbound traffic to an unknown IP address. The Service Desk receives the alert. The ticket is created, triaged, and escalated to Tier 2. The incident is contained within 45 minutes. The system is restored. The contractor goes back to work.</p> <p>On paper, this is a successful incident response. It demonstrates operational maturity. It shows that your team can detect and mitigate threats.</p> <p>However, during a CMMC 2.0 Level 2 assessment, the third-party assessor will not ask if the incident was resolved. They will ask for the immutable log of that incident. They will demand to see the timestamp of ticket creation, the identity of the agent who opened it, the sequence of status changes, the notes documenting the investigation, and the final closure justification. If these records are stored in a personal email inbox, a shared spreadsheet, or a disconnected local file, the finding is non-compliant.</p> <p>The assessor’s mandate under CMMC 2.0 is to verify that your System Security Plan (SSP) is not just a document, but an operational reality. For federal contractors, the service desk is the primary interface between operations and security. It is the source of truth for Incident Response (IR), Change Management, and System Monitoring. If your ticketing system cannot produce a forensic-grade audit trail, you cannot pass the assessment.</p> <h2>The Core Requirement: Immutable Audit Trails</h2> <p>CMMC 2.0 incorporates the security requirements from NIST SP 800-171. Specifically, controls such as AC-2 (Account Management), AU-2 (Audit Events), AU-3 (Content of Audit Records), and IR-4 (Incident Handling) rely heavily on the integrity of your logging mechanisms.</p> <p>The assessor will look for evidence that your ticketing system prevents unauthorized modification of records. 
This means:</p> <ul> <li><strong>Creation Timestamps:</strong> The system must record the exact date and time a ticket is created, including the timezone.</li> <li><strong>User Attribution:</strong> Every action taken on a ticket must be linked to a unique user account. Shared login credentials are a critical finding.</li> <li><strong>Status Change Logs:</strong> The system must log every transition from Open to In Progress to Resolved. It must capture who made the change and when.</li> <li><strong>Content Integrity:</strong> Comments, attachments, and internal notes must be stored in a way that prevents retroactive alteration without detection.</li> </ul> <p>If your service desk uses a tool that allows agents to delete comments or change historical timestamps, you are in violation of AU-12 (Audit Generation) and AU-9 (Protection of Audit Information). The assessor will flag this as a major finding.</p> <h2>Specific Evidence Chains for Key Controls</h2> <p>To prepare for the assessment, you must map your ticketing workflows to specific CMMC 2.0 controls. Here is the evidence chain the assessor will request for the most common service desk operations.</p> <h3>1. Incident Handling (IR-4, IR-5, IR-6)</h3> <p>The assessor will select a sample of incidents from the past 12 months. For each sample, they will request:</p> <ul> <li>The initial ticket creation record.</li> <li>The timeline of escalation steps.</li> <li>The root cause analysis documented in the ticket.</li> <li>The evidence of containment and eradication.</li> <li>The post-incident review notes.</li> </ul> <p>If the ticket lacks detailed notes, or if the notes were added after the fact without a timestamp, the finding stands. The assessor needs to see that the incident was handled according to your documented procedures, not ad hoc.</p> <h3>2. Change Management (CM-3, CM-7)</h3> <p>Service desks often handle change requests for user access, software installation, and configuration updates. 
The assessor will examine change tickets to verify:</p> <ul> <li><strong>Approval Workflow:</strong> The ticket must show evidence of approval from the appropriate authority (e.g., System Administrator, Security Officer).</li> <li><strong>Risk Assessment:</strong> The ticket must document the risk assessment performed before the change was implemented.</li> <li><strong>Rollback Plan:</strong> The ticket must include a documented rollback plan, even if it was not executed.</li> <li><strong>Verification:</strong> The ticket must show evidence that the change was verified as successful after implementation.</li> </ul> <p>A change ticket that simply states "Updated user permissions" without supporting documentation is insufficient. The assessor needs to see the reasoning and the authorization.</p> <h3>3. System Monitoring (SI-4, SI-12)</h3> <p>Service desk tickets often originate from monitoring alerts. The assessor will trace these tickets back to the monitoring system. They will verify that:</p> <ul> <li>The ticket references the specific alert ID from the monitoring tool.</li> <li>The investigation steps taken by the service desk are documented.</li> <li>The resolution confirms that the monitoring alert was a false positive, or that the underlying issue was remediated.</li> </ul> <p>If the ticketing system is disconnected from the monitoring system, the assessor will question the timeliness and accuracy of your incident detection.</p> <h2>Operational Gaps That Cause Failures</h2> <p>Most CMMC 2.0 failures related to ticketing are not due to a lack of technology, but due to poor operational discipline. The following gaps are common:</p> <ul> <li><strong>Use of Personal Email:</strong> Agents receive incident reports via personal email and manually create tickets later. This breaks the chain of custody and creates gaps in the audit trail.</li> <li><strong>Lack of Standardization:</strong> Different agents using different fields, notes, and workflows. 
This makes it difficult for the assessor to verify consistency.</li> <li><strong>Retention Policies:</strong> The ticketing system automatically deletes tickets after 90 days. CMMC 2.0 requires retention of records for the life of the contract plus three years, or as specified by your contract's records-retention requirements.</li> <li><strong>Access Control:</strong> Allowing agents to delete tickets or modify historical records. This violates the integrity requirement.</li> </ul> <h2>How to Prepare Your Service Desk</h2> <p>Preparation for a CMMC 2.0 assessment is not a last-minute activity. It requires ongoing operational alignment. Here is a practical checklist for service desk managers:</p> <ol> <li><strong>Audit Your Current System:</strong> Does your current ticketing tool provide immutable logs? Can it export forensic-grade reports? If not, evaluate solutions like OpsTicket, which is designed for federal CLINs and SLA-backed delivery.</li> <li><strong>Enforce Unique User Accounts:</strong> Ensure every agent has a unique login. Disable shared accounts immediately.</li> <li><strong>Standardize Workflows:</strong> Create mandatory fields for incident classification, severity, and resolution notes. Make it impossible to close a ticket without completing these fields.</li> <li><strong>Configure Retention Policies:</strong> Set your ticketing system to retain records for the required duration. Do not rely on manual backups.</li> <li><strong>Conduct Internal Mock Assessments:</strong> Select a sample of tickets from the past year and review them as if you were the assessor. Look for gaps in the audit trail.</li> </ol> <p>The goal is to make compliance a byproduct of your daily operations, not a separate activity. When your service desk operates with strict adherence to audit trails, CMMC 2.0 evidence collection becomes far more reliable.</p> <h2>The Bottom Line</h2> <p>CMMC 2.0 assessors are looking for evidence, not promises. 
Your service desk is the frontline of your information security posture. The tickets you create, the notes you write, and the logs you maintain are the primary evidence of your compliance. Ensure your ticketing system supports immutable, detailed, and accessible audit trails. If it does, you will have the audit trail an assessor expects. If it does not, you will face findings that could impact your contract performance and future eligibility.</p> <p>For federal contractors, the path to compliance is operational precision. Start with your service desk today.</p>
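<p>The integrity properties the article lists (creation timestamps with timezone, per-user attribution, logged status changes, notes that cannot be altered without detection, and mandatory fields before closure) as a worked example. This is an added illustration in Python, not OpsTicket's code or any ticketing product's API; the hash-chaining scheme, the ticket ID, the account names and the mandatory field names are assumptions for the demo.</p>

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields an agent must fill before a ticket may be closed (assumed names).
MANDATORY_CLOSE_FIELDS = ("classification", "severity", "resolution_notes")


def _digest(body):
    # Canonical JSON (sorted keys) so the hash does not depend on dict ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class TicketAuditLog:
    """Append-only event log for one ticket; every event commits to its predecessor."""

    def __init__(self, ticket_id, opened_by, clock=None):
        self.ticket_id = ticket_id
        self.events = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.append(opened_by, "created", {"status": "Open"})

    def append(self, actor, action, details):
        # UTC ISO-8601 timestamp with explicit offset; actor is a unique named account.
        prev_hash = self.events[-1]["hash"] if self.events else "0" * 64
        event = {"seq": len(self.events), "timestamp": self._clock().isoformat(),
                 "actor": actor, "action": action, "details": details,
                 "prev_hash": prev_hash}
        event["hash"] = _digest(event)  # covers every field but itself
        self.events.append(event)
        return event

    def close(self, actor, fields):
        # Refuse closure unless every mandatory field is present and non-empty.
        missing = [f for f in MANDATORY_CLOSE_FIELDS if not fields.get(f)]
        if missing:
            raise ValueError("cannot close ticket, missing: " + ", ".join(missing))
        return self.append(actor, "status_change", {"status": "Resolved", **fields})

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev_hash = "0" * 64
        for i, event in enumerate(self.events):
            body = {k: v for k, v in event.items() if k != "hash"}
            if event["seq"] != i or body["prev_hash"] != prev_hash or _digest(body) != event["hash"]:
                return False, i
            prev_hash = event["hash"]
        return True, None
```

<p>Retroactively editing an earlier note or status entry changes its digest and breaks every later link, so <code>verify()</code> reports the first altered sequence number instead of silently accepting the modified history.</p>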
CMMC 2.0 Ticketing: What Evidence the Assessor Will Want from Your Service Desk
OpsTicket Team
Federal assessors do not trust verbal assurances. They require immutable logs from your service desk to validate CMMC 2.0 compliance. Here is the exact evidence chain required.