Automating CMMC Level 2 Evidence Collection: What APIs Can't Capture
CMMC Level 2 assessments require objective evidence that goes beyond API-based configuration checks. This article explains why C3PAO assessors demand screenshots for application-level controls and how to automate CMMC Level 2 evidence collection for hybrid environments.

If you are preparing for a CMMC Level 2 assessment, you already know the difference between having a policy and proving a practice. Unlike Level 1 self-assessments, CMMC Level 2 requires a Certified Third-Party Assessor Organization (C3PAO) to validate that your security controls are "habitual."
For most defense contractors, this creates a massive documentation burden. While GRC platforms can automate cloud infrastructure checks via API, they often fail to capture the CMMC Level 2 evidence required for on-premise systems, legacy applications, and user-facing workflows.
Automating CMMC evidence collection requires more than just connecting to AWS or Azure. It requires tools that can capture screenshots, validate system clocks, and document the actual implementation of controls across hybrid IT environments.
Why APIs Are Not Enough for CMMC Level 2
Most modern compliance automation tools rely exclusively on APIs. They connect to your cloud provider (AWS, Azure, Google Cloud) or your identity provider (Okta, Entra ID) and query configuration settings.
This approach works well for cloud-native startups pursuing SOC 2. It does not work well for defense contractors pursuing CMMC Level 2.
The gap exists for three reasons:
- Hybrid Environments: Many contractors operate air-gapped labs, on-premise servers, or manufacturing environments that do not have public APIs.
- Legacy Software: The specialized engineering and design software used in the DIB (Defense Industrial Base) often lacks the modern API endpoints required by GRC tools.
- "Practice" vs. "Configuration": CMMC assesses whether a practice is performed habitually. An API can tell you a setting is enabled now. It cannot easily prove that a human administrator reviewed audit logs weekly for the past six months.
For these scenarios, C3PAO assessors expect visual evidence: screenshots of configuration panels, exports of log reviews, and recordings of workflow execution.
Which CMMC Controls Require Screenshots?
While APIs handle many controls, the following CMMC Level 2 practices frequently require manual evidence collection—usually in the form of screenshots—because APIs cannot reach the necessary systems or validate the human workflow.
1. Account Management (AC.L2-3.1.1)
The Requirement: Limit information system access to authorized users.
The Evidence Gap: If you use legacy on-premise systems that are not connected to your central SSO (Single Sign-On), an API cannot verify user lists.
Required Evidence: Screenshots of the local user management screen on specific servers or applications, showing the list of active accounts and the disabled status of former employees.
2. Configuration Management (CM.L2-3.4.1)
The Requirement: Establish and maintain baseline configurations and inventories of organizational systems.
The Evidence Gap: MDM (Mobile Device Management) tools might track OS versions, but they rarely track the versioning of specific installed proprietary software.
Required Evidence: Screenshots of the "About" or "Version" panel in specific engineering applications to prove they match the authorized baseline configuration.
3. Audit Logging (AU.L2-3.3.1)
The Requirement: Review audit logs.
The Evidence Gap: Having logs is not the same as reviewing them. An API can prove logs are being generated; it cannot prove a human looked at them.
Required Evidence: A screenshot of the SIEM dashboard or log viewer, typically showing the reviewer's account logged in, the query used to filter logs, and the system clock to prove the review happened on schedule.
4. System and Communications Protection (SC.L2-3.13.11)
The Requirement: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
The Evidence Gap: An API might tell you encryption is "on," but it rarely confirms if the specific module is operating in FIPS mode.
Required Evidence: Screenshots of the configuration UI specifically showing the "FIPS Mode: Enabled" setting or the specific cryptographic module version.
5. Media Sanitization (MP.L2-3.8.3)
The Requirement: Sanitize or destroy information system media containing CUI before disposal or release for reuse.
The Evidence Gap: You cannot API-query a hard drive that has been wiped or destroyed.
Required Evidence: Photos of physical destruction or screenshots of the sanitization software's "Job Complete" report, linked to the asset serial number.
What Do C3PAO Assessors Actually Look For?
When you present CMMC Level 2 evidence to an assessor, they are not just looking for a "pass." They are validating the integrity of the artifact itself.
We consistently see assessors reject evidence that lacks the following metadata:
- Context: The screenshot must show the full context, often including the URL bar or window title, to prove it is the production system and not a test environment.
- Timeliness: The system clock (date and time) must be visible in the screenshot to prove the evidence was gathered during the observation period.
- Completeness: Cropped screenshots are red flags. Assessors want to see the entire window to ensure nothing relevant (like an error message or a "Not Secure" warning) was hidden.
- Chain of Custody: Who took the screenshot? When was it taken? Can you prove it hasn't been altered?
Manual screenshots often fail these checks. Engineers forget to capture the system clock, crop images too aggressively, or save files with ambiguous names like evidence_final_v2.png.
Where Traditional CMMC Automation Stops
Most organizations attempt to solve this problem by buying a GRC platform, only to discover that 30-40% of their CMMC audit preparation work remains manual.
| Feature | API-Based Tools (Drata, Vanta, etc.) | Automated Evidence Agents (Screenata) |
|---|---|---|
| Cloud Config (AWS/Azure) | Automated via API | Automated |
| SaaS Settings (Okta/Google) | Automated via API | Automated |
| On-Premise / Legacy Apps | Manual Upload Required | Automated via Agent |
| UI-Based Configurations | Manual Upload Required | Automated via Agent |
| Visual Verification (Screenshots) | Not Supported | Native Capability |
| System Clock Validation | Not Supported | Automated |
Traditional GRC tools are excellent repositories for evidence, but they rely on humans to go fetch the visual proof for anything that doesn't have a modern API.
How to Automate the "Manual" Evidence
To close the gap between API capabilities and C3PAO expectations, organizations are deploying evidence automation agents. These tools work like a robotic user:
- They log in to the target system (e.g., a legacy firewall admin panel or an on-premise application).
- They navigate to the required settings page (e.g., the user list or encryption config).
- They capture a full-context screenshot, ensuring the system clock and URL are visible.
- They timestamp and hash the image to establish a chain of custody.
- They upload the evidence directly to your evidence repository or GRC platform.
This approach transforms CMMC audit preparation from a frantic, manual scramble into a consistent background process. Instead of asking engineers to stop working and take screenshots, the evidence is collected automatically on a schedule.
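As an added illustration (not code from the article or from any product it names) of the timestamp-and-hash step above and of the metadata checks assessors apply, this Python sketch hashes a captured image, seals its context metadata, names the file unambiguously, and verifies an artifact against the observation window and the clock visible on screen. The PNG bytes, URL, window title, dates and the use of AC.L2-3.1.1 as the control are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
# Constructed sample inputs (not real evidence): stand-in PNG bytes, observation period, capture time.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed screenshot bytes"
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 31, tzinfo=timezone.utc)
CAPTURED_AT = datetime(2024, 3, 14, 15, 9, tzinfo=timezone.utc)

def _seal(metadata):
    # Hash of the metadata with sorted keys, so the record itself is tamper-evident.
    return hashlib.sha256(json.dumps(metadata, sort_keys=True).encode()).hexdigest()

def build_evidence_record(image_bytes, control_id, target, window_title,
                          collector, captured_at, system_clock_shown):
    """Hash the capture and keep the context an assessor expects: URL/hostname and
    full window title, who took it and when, the clock visible on screen, and an
    unambiguous filename instead of evidence_final_v2.png."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    record = {"control_id": control_id, "target": target, "window_title": window_title,
              "collector": collector, "captured_at": captured_at.isoformat(),
              "system_clock_shown": system_clock_shown.isoformat(), "sha256": digest,
              "filename": f"{control_id}_{captured_at:%Y%m%dT%H%M%SZ}_{digest[:12]}.png"}
    record["record_sha256"] = _seal(record)
    return record

def verify_evidence(record, image_bytes, window_start, window_end,
                    max_clock_skew=timedelta(minutes=5)):
    """Return the problems an assessor would flag; an empty list means it passes."""
    findings = []
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    if _seal(body) != record.get("record_sha256"):
        findings.append("record metadata altered")
    if hashlib.sha256(image_bytes).hexdigest() != record["sha256"]:
        findings.append("image bytes do not match recorded hash")
    captured = datetime.fromisoformat(record["captured_at"])
    if not window_start <= captured <= window_end:
        findings.append("captured outside observation period")
    clock = datetime.fromisoformat(record["system_clock_shown"])
    if abs(clock - captured) > max_clock_skew:
        findings.append("visible system clock disagrees with capture time")
    if not record.get("target") or not record.get("window_title"):
        findings.append("missing context (target or window title)")
    return findings

# Worked instance: a local user-list capture for AC.L2-3.1.1 on a legacy host (constructed).
SAMPLE_RECORD = build_evidence_record(
    SAMPLE_PNG, "AC.L2-3.1.1", "https://legacy-app.example.internal/admin/users",
    "User Management - legacy-app", "evidence-agent", CAPTURED_AT, CAPTURED_AT - timedelta(seconds=30))
```

In a real pipeline the sealed record would be written beside the image and pushed to the evidence repository together, so an assessor can re-run the same checks.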
Conclusion
CMMC Level 2 is rigorous. The "examine" assessment method used by C3PAOs requires objective, verifiable evidence that your practices are habitual. While APIs can cover your modern cloud infrastructure, they cannot see what a user sees on a screen.
Relying on manual screenshots for the remaining controls introduces risk—risk of human error, risk of missed evidence, and risk of assessor rejection. By automating the collection of visual evidence, you ensure that your documentation is as robust as your security.
Learn More About SOC 2 Evidence Automation
For a complete guide to automating compliance evidence (including how these principles apply to frameworks like SOC 2), see our guide on automating SOC 2 evidence collection, which details the mechanics of automated screenshot capture.