Why Excel fails for CMMC Level 2

Excel is the default place small defense contractors start their CMMC Level 2 work. Six months in, it is also the biggest reason their C3PAO assessment slips. We break down the four failure modes that show up every time, and the cases where Excel actually still makes sense.

May 27, 2026 · 6 min read

Most small defense contractors start their CMMC Level 2 journey in Excel. It is free, every team already has it, and the first 30 controls look manageable in a spreadsheet. Six months later the same spreadsheet is the single biggest reason their C3PAO assessment is going to slip.

This is not a sales pitch against Excel. Excel is a fantastic tool for the work it was designed for. CMMC Level 2 is not that work, and the cost of finding out the hard way is measured in months of remediation and a delayed contract award.

The shape of the problem

NIST 800-171 Revision 2 defines 110 security controls across 14 control families. A defensible CMMC Level 2 assessment needs the following on every one of those controls:

Per-control artifact                          Why an assessor wants it
Implementation narrative                      Establishes the control is actually in place, not aspirational.
Evidence (policy, screenshot, config, log)    Independent proof the narrative reflects reality.
Responsible party                             Names a human accountable for the control.
Last review date                              Demonstrates the control is maintained, not point-in-time.
POA&M reference if "Other than satisfied"     Tracks remediation timeline + scoring impact.

If you store this in a single workbook, that workbook is 110 rows by at least 5 high-cardinality columns. The moment the second person edits it, two well-documented failure modes start eating your assessment readiness.

Failure mode 1: history disappears

Excel does not track row-level history. SharePoint version history is file-level. When the assessor asks "what did you have in place for AC.L2-3.1.5 on the date of this audit log entry from last March?", a spreadsheet cannot answer that question.

The workaround most teams reach for is dated backups. By month three of preparation, the SharePoint folder has 40 copies of CMMC_Tracker_v17_FINAL_juan_edits_final2.xlsx and nobody is sure which one matches the SSP narrative they submitted last week.

A real assessor will not accept "we think it was this one". They will accept a system that shows them the exact value of the field on the exact date, with the user who last touched it.

Failure mode 2: scoring is computed by humans

SPRS scoring is mechanical: each unsatisfied control deducts a known number of points from the 110 baseline. Some controls are 1 point, some 3, some 5. The math is in the DoD assessment methodology document. It is easy for a computer and tedious for a human.

In Excel, the score is whatever the person who updated the workbook last said it was. We have audited eight prospect spreadsheets in the last year. Five had scoring errors of more than 10 points in either direction. One showed a 110 (perfect) with three controls marked "Not Implemented" in the same row. That is not an Excel limitation, it is a human-in-the-loop limitation. A purpose-built GRC platform makes the math an invariant: the score is a function of the control statuses, recomputed on every save.
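The two points above, row-level history and scoring as an invariant, in one added example (not Readyline's code): an append-only change log of control statuses, a point-in-time lookup over it, and an SPRS score recomputed from those statuses. Control weights and log rows are constructed sample values; the real per-control weights are in the DoD assessment methodology.

```python
"""Added example, not Readyline's code: an append-only change log for control
statuses, point-in-time lookups over it, and an SPRS score that is a function
of those statuses rather than a number somebody typed into a cell."""
from dataclasses import dataclass
from datetime import date

BASELINE = 110
# Constructed sample weights. Real per-control values come from the DoD
# NIST SP 800-171 Assessment Methodology and are not reproduced here.
SAMPLE_WEIGHTS = {"AC.L2-3.1.1": 5, "AC.L2-3.1.5": 3,
                  "AC.L2-3.1.20": 1, "IA.L2-3.5.3": 5}

@dataclass(frozen=True)
class Change:
    control: str
    status: str   # "Implemented" or "Not Implemented"
    when: date
    user: str

# Constructed log: rows are only ever appended, never edited in place.
SAMPLE_LOG = [
    Change("AC.L2-3.1.1", "Implemented", date(2026, 1, 10), "juan"),
    Change("AC.L2-3.1.5", "Not Implemented", date(2026, 1, 10), "juan"),
    Change("AC.L2-3.1.20", "Implemented", date(2026, 1, 10), "juan"),
    Change("IA.L2-3.5.3", "Not Implemented", date(2026, 1, 10), "juan"),
    Change("AC.L2-3.1.5", "Implemented", date(2026, 3, 15), "maria"),
]

def status_as_of(log, control, when):
    """Latest change to `control` recorded on or before `when` (None if none)."""
    current = None
    for change in log:                 # log is in commit order
        if change.control == control and change.when <= when:
            current = change
    return current

def score_as_of(log, weights, when):
    """110 minus the weight of every control not Implemented on `when`.
    A control with no recorded status counts as unimplemented (conservative)."""
    deductions = 0
    for control, weight in weights.items():
        change = status_as_of(log, control, when)
        if change is None or change.status != "Implemented":
            deductions += weight
    return BASELINE - deductions

def scoring_invariant_holds(stored_score, log, weights, when):
    """The check a spreadsheet cannot enforce: a typed-in score must equal the
    score recomputed from the statuses in force on that date."""
    return stored_score == score_as_of(log, weights, when)
```

Asking "what was AC.L2-3.1.5 on 1 February?" is a lookup over the log, and a workbook cell claiming 110 while statuses still deduct points fails the invariant check.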

Failure mode 3: POA&M is a sticky note

Plan of Action and Milestones is the most expensive failure mode because the DoD treats it as a contract artifact, not a tracking spreadsheet. Each open POA&M has a milestone date, a responsible party, a resource requirement, and a remediation status. When the milestone slips, the POA&M needs to be updated, and the change needs to be visible to the DoD CIO via SPRS.

Excel cannot enforce that a POA&M row has a milestone, a date, and a status. Excel cannot prevent a milestone from sliding without an audit trail. Excel cannot push the updated POA&M shape to SPRS. By the time a C3PAO sees an Excel-managed POA&M list, half the entries are stale and the assessor is in a remediation conversation instead of a validation one.
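What "enforcing the POA&M shape" looks like in code, as an added example that is not Readyline's implementation: required fields are checked, status changes are restricted to an assumed open / in progress / remediated / closed lifecycle, and a milestone can move only with a reason appended to the row's own audit trail. Field names, transitions and sample values are assumptions.

```python
"""Added example, not Readyline's code: a POA&M row that cannot be saved
half-filled, cannot jump states, and cannot slip a milestone silently."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed lifecycle: which status may follow which.
ALLOWED_TRANSITIONS = {
    "open": {"in progress"},
    "in progress": {"remediated", "open"},
    "remediated": {"closed", "in progress"},
    "closed": set(),
}
# The fields the DoD expects on every open item (attribute names assumed).
REQUIRED = ("control", "milestone", "milestone_date", "owner", "resources", "status")

@dataclass
class PoamItem:
    control: str
    milestone: str
    milestone_date: Optional[date]
    owner: str            # responsible party
    resources: str        # resource requirement
    status: str
    history: list = field(default_factory=list)   # (when, user, what)

def validate(item):
    """Return the list of problems; an empty list means the row is assessable."""
    problems = [f"missing {name}" for name in REQUIRED if not getattr(item, name)]
    if item.status not in ALLOWED_TRANSITIONS:
        problems.append(f"unknown status {item.status!r}")
    return problems

def can_transition(item, new_status):
    return new_status in ALLOWED_TRANSITIONS.get(item.status, set())

def transition(item, new_status, user, when):
    if not can_transition(item, new_status):
        raise ValueError(f"{item.status} -> {new_status} is not allowed")
    item.history.append((when, user, f"status {item.status} -> {new_status}"))
    item.status = new_status

def slip_milestone(item, new_date, user, when, reason):
    """A milestone may move, but the old date, new date and reason are recorded."""
    if not reason:
        raise ValueError("milestone change requires a reason")
    item.history.append((when, user, f"milestone {item.milestone_date} -> {new_date}: {reason}"))
    item.milestone_date = new_date
```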

Failure mode 4: the assessor-friendly export does not exist

CMMC assessors do not want your spreadsheet. They want the SSP narrative, the POA&M shape, the evidence per control, and a way to navigate it without learning your tab structure. Building this export by hand at the end of the preparation cycle takes a week of founder time. Building it from a system that already enforces the shape takes a click.

This is the single biggest reason teams that picked Excel in month one re-platform in month five: the export problem is not solvable without reshaping the underlying data, and reshaping the data means losing the history you just spent five months building.

When Excel is actually fine

We are not saying nobody should ever touch Excel for CMMC.

  • A subcontractor pursuing CMMC Level 1 (17 practices, self-assessment) can absolutely manage it in a workbook. The artifact volume is low and you are your own assessor.
  • A consultant doing initial gap analysis can use Excel as a scratchpad before formalizing the data shape.
  • An organization that has already completed Level 2 and is in maintenance mode can keep some auxiliary tracking in Excel as long as the system of record is elsewhere.

The pattern that does not work: Excel as the system of record for a Level 2 assessment, with the SSP and POA&M living downstream of the workbook.

What we built instead

Readyline GRC was built specifically because every prospect we talked to was doing some version of the failure modes above. The system enforces:

  • Row-level history on every control, every POA&M, every evidence link.
  • Automatic SPRS scoring from control statuses, recomputed on save.
  • POA&M lifecycle (open, in progress, remediated, closed) with milestone tracking.
  • SSP generation from the control narratives, so the SSP and the tracker are the same data viewed two ways.
  • One-click assessor binder export (PDF) in the shape C3PAOs expect.

If you want to test the math against your own SPRS state, our SPRS calculator is free and runs in the browser. No login.
