I spent four years building identity verification pipelines with Onfido before joining Verifyfed. In that time, I have watched the same documentation failure play out across dozens of engagements: a contractor passes every technical control review, then gets a major finding during a CMMC Level 2 assessment because their onboarding records are incomplete, unsigned, or stored outside a FedRAMP-authorized boundary.
It is not negligence. It is a workflow gap. Nobody told the HR coordinator that a scanned passport in Google Drive is an audit finding waiting to happen.
This article walks through what CMMC Level 2 assessors actually examine when they pull an onboarding documentation package, where the 23-38% gap rate comes from in our tracking, and how a FedRAMP-authorized storage boundary solves the problem that policy memos alone never will.
What CMMC Level 2 Personnel Controls Actually Require
CMMC Level 2 maps to NIST SP 800-171, and the personnel security domain (PS) is where onboarding documentation lives. The relevant practices are PS.2.127 and PS.3.128. In plain terms: you must screen individuals before granting access to Controlled Unclassified Information (CUI), and you must protect CUI during and after personnel actions.
The practical implication for onboarding is that assessors want to see three things:
- Identity verification records showing that the individual's government-issued ID was validated before CUI access was granted
- Chain-of-custody documentation proving those records have not been altered since collection
- Boundary evidence confirming that identity data was stored in an authorized environment, not a personal Drive or a non-compliant SaaS tool
That third item is the one that trips up the most contractors. The identity verification itself may have been rigorous. The documentation gap is where it lived afterward.
What Assessors Look For: The Five-Document Checklist
Based on what we have seen across CMMC-AB assessments and DCSA audits, a complete onboarding identity package needs to contain five core elements. Not all of them are obvious.
1. Verified Identity Document Images With Extraction Metadata
The scanned image of the passport or driver license alone is not sufficient. Assessors want the extraction metadata confirming the document was machine-verified, not just visually reviewed by a coordinator. For Real ID-compliant licenses, that means NFC chip read data or OCR extraction with Machine Readable Zone validation. Confidence scores matter. A record showing a human glanced at a document is weaker than a record showing automated AAMVA cross-reference returning a match code. Significantly weaker.
2. AAMVA and SSA Verification Response Codes
AAMVA MVAConnect verification against the issuing state DMV confirms the document number and date of birth match an active record. SSA Consent-Based SSN Verification (CBSV) confirms the Social Security Number under 8 U.S.C. 1324a employment eligibility obligations. Both checks must produce a stored response code in the onboarding record, not just a verbal confirmation. In our tracking, missing SSA CBSV documentation accounts for roughly 40% of the individual finding categories we see across incomplete packages. Forty percent.
3. Liveness Check Result With Timestamp and Challenge Type
For contractors with remote or hybrid onboarding flows, the liveness check result needs to show the specific challenge type administered, the timestamp, and the outcome. Assessors are increasingly aware of injection attack vectors. A liveness record that shows only a pass or fail without challenge-type logging is a question mark, not an answer.
4. Chain-of-Custody Audit Log
Every access event on the verification record needs to be logged. Who opened it. When. What system. What action. A complete audit log makes reconstructing the chain of custody a 60-second task rather than a three-week one. That is the difference between a corrective action plan that delays a $2.4M task order by 38 days and a record that answers every assessor question on demand without manual reconstruction.
5. FedRAMP Boundary Attestation
Here is the one that surprises contractors. Assessors are starting to ask not just whether the record is complete, but where it lives. If the answer is your HR team's SharePoint or a coordinator's laptop backup, that is a finding. The identity verification record must be stored in a FedRAMP-authorized environment. Full stop.
Practical note: FedRAMP Moderate ATO is the floor for contractor identity data under CMMC Level 2 scope. Workday and Greenhouse are generally not authorized for this data category. If your onboarding files are living in your ATS, you have a boundary problem regardless of how good your verification process was.
Where the 23-38% Gap Rate Comes From
Our data shows 23-38% of onboarding files contain at least one documentation gap identified during DCSA or CMMC audit reviews. That is a wide range, and the spread reflects contractor size. Smaller shops operating on 50-100 onboarding events per year trend toward the high end. Larger operations with dedicated security officers and more formal processes trend lower.
The most common gaps, in order:
- Missing SSA CBSV response code (coordinator assumed I-9 plus E-Verify was sufficient)
- Identity documents stored outside FedRAMP boundary (Google Drive, SharePoint, local file share)
- No audit log showing who accessed the verification record and when
- Liveness check performed but not documented in the formal onboarding package
- AAMVA verification completed but response code not written to the system of record
Notice that none of these are gaps in the verification itself. The verification often happened. The documentation of it did not survive in a form assessors could accept.
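As an added example (not Verifyfed's code or its export format), the five-document checklist and the gap list above can be turned into a completeness check over a constructed package manifest, with the chain-of-custody log verified as a hash chain so that an edited or dropped access event is detected; the field names and the sample package are assumptions.

```python
import hashlib, json

def event_hash(event, prev_hash):
    # Hash of one who/when/what-system/what-action event, chained to the prior hash.
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256((prev_hash + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def build_audit_log(events):
    # Turn plain access events into a hash-chained, append-only log ("0"*64 anchors the chain).
    log, prev = [], "0" * 64
    for ev in events:
        log.append(dict(ev, hash=event_hash(ev, prev)))
        prev = log[-1]["hash"]
    return log

def audit_log_intact(log):
    # Recompute the chain; an edited, reordered or dropped event breaks it.
    prev = "0" * 64
    for entry in log:
        if entry.get("hash") != event_hash(entry, prev):
            return False
        prev = entry["hash"]
    return True

def find_gaps(m):
    # Return the gaps an assessor would flag, in the order the article lists them.
    gaps = []
    if not m.get("ssa_cbsv", {}).get("response_code"):
        gaps.append("missing SSA CBSV response code")
    b = m.get("storage_boundary", {})
    if not b.get("fedramp_authorized") or b.get("level") not in ("Moderate", "High"):
        gaps.append("identity record stored outside a FedRAMP Moderate boundary")
    if not m.get("audit_log") or not audit_log_intact(m["audit_log"]):
        gaps.append("audit log missing or chain of custody broken")
    live = m.get("liveness", {})
    if not all(live.get(k) for k in ("result", "challenge_type", "timestamp")):
        gaps.append("liveness check not documented with challenge type and timestamp")
    if not m.get("aamva", {}).get("response_code"):
        gaps.append("AAMVA response code not written to system of record")
    return gaps

# Constructed sample package for one hire: two of the listed gaps are present.
SAMPLE = {
    "aamva": {"response_code": None},  # verified in the vendor portal, never exported
    "ssa_cbsv": {"response_code": "Y"},
    "liveness": {"result": "pass", "challenge_type": "head_turn", "timestamp": "2024-03-01T14:05:00Z"},
    "storage_boundary": {"fedramp_authorized": False, "level": None},  # SharePoint copy
    "audit_log": build_audit_log([
        {"actor": "hr.coordinator", "system": "onboarding", "action": "create", "timestamp": "2024-03-01T14:06:00Z"},
        {"actor": "fso", "system": "onboarding", "action": "read", "timestamp": "2024-03-02T09:00:00Z"},
    ]),
}
```

Running `find_gaps(SAMPLE)` reports the boundary and AAMVA gaps only; dropping or editing any audit event makes `audit_log_intact` return False and adds the chain-of-custody gap.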
How FedRAMP-Authorized Storage Satisfies the Boundary Requirement
The boundary requirement is the one contractors cannot fix with a policy update. You can write a new SOP instructing staff to store identity records in authorized environments. That does not retroactively authorize the environment the records are already living in.
FedRAMP Moderate ATO means the cloud environment has been assessed against 325 security controls derived from NIST SP 800-53. For identity data specifically, it means the storage layer, the access controls, the encryption at rest and in transit, and the audit logging have all been reviewed by a Third-Party Assessment Organization and approved by the authorizing official.
When Verifyfed stores a completed identity verification record, it goes into AWS GovCloud regions covered by our FedRAMP Moderate ATO from day one. The package includes verified document images, extracted data fields, AAMVA and SSA response codes, liveness check results, face-comparison scores, and the full access-and-transform audit log. Every element is written once, cryptographically signed, and accessible for on-demand export to an assessor without any manual reconstruction.
Not a feature. The answer to the boundary finding.
The 8-14 Day Onboarding Window and Why Documentation Breaks There
Federal contractor identity onboarding averages 8-14 business days per cleared hire. That timeline is not just about verification speed. It is about coordination across multiple systems that do not communicate with each other: the ATS, the HRIS, the background check vendor, the adjudication queue.
In our experience, documentation gaps almost always originate at handoff points. The coordinator completes AAMVA verification in one system, the response code stays in that vendor portal, and nobody exports it to the onboarding record before the hire starts. Days later, the record is incomplete. Weeks later, it is an audit finding.
The fix is workflow integration, not more checklists. When the AAMVA response code and SSA CBSV result are automatically written to the same FedRAMP-authorized record as the document images and liveness check, the complete package exists without any coordinator manually assembling it.
What the CMMC-AB Portal Export Actually Needs
For Level 2 assessments conducted through CMMC-AB, assessors typically request documentation exports via the portal or through direct evidence submission. The accepted format is a structured package. Not a folder of scanned PDFs.
Verifyfed's audit-ready export generates a signed PDF with the complete verification record and a JSON manifest compatible with GRC platforms including Archer, ServiceNow GRC, and CMMC-AB assessment portals. The export runs in under 60 seconds for any hire in the system. No manual assembly. No coordinator spending a morning reconstructing what happened six months ago.
Contractors using Verifyfed typically go live in 8-14 days from contract signature to first verified record stored in the FedRAMP boundary. The documentation package that would have taken three weeks to reconstruct under a manual process exists from the moment the hire completes verification.
Getting to First-Pass Assessment
First-pass on CMMC Level 2 assessment is not just about having good security practices. It is about demonstrating those practices through documentation that an assessor can examine in the time allocated.
Real talk: assessors are not trying to fail contractors. They are working through a defined evidence checklist. If the evidence exists in the right format, in the right place, with the right audit trail, the assessment moves forward. If it does not, the finding goes into the POAM and the remediation clock starts.
The difference between first-pass and a major finding is almost always documentation completeness, not technical control failure. Contractors we have onboarded onto Verifyfed report that their last DCSA or CMMC assessor review of identity verification records took under 30 minutes, compared to a multi-day evidence-gathering exercise under their prior process.
Auditor-ready means the package exists, it is complete, and producing it takes seconds, not days.
Preparing for a CMMC Level 2 assessment? Talk to us about closing your onboarding documentation gaps before assessors find them.