CMMC Compliance Audit Guide

This article is written based on CMMC version 1.02, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.

Cybersecurity Maturity Model Certification (CMMC) is the verification method being used to increase the security of the Department of Defense’s supply chain, as an extension of the Defense Federal Acquisition Regulations System (DFARS) to protect DoD information.

One of the major differences between these two systems is that DFARS allows contractors to assess their own security posture, while CMMC requires independent audits from authorized third parties.

A contractor's failure to achieve the required CMMC 2.0 level will eventually prevent that contractor from working on DoD contracts, and most likely across other Government agencies in the future.

In this guide, you'll learn the role of a CMMC auditor, how your organization can prepare for and audit, and best practices for CMMC compliance.

If you have more questions about the CMMC audit process? Want to learn how we help DoD contractors can meet all NIST 800-171 requirements and comply with DFARS 252.204-7012, 7019 and 7020 in as little as 14 days? Our CMMC advisors are here to help.

Call 612-428-3008 or contact us online to discuss your compliance needs with one of our security experts.

What is a CMMC audit?

A CMMC audit assesses an organization’s cybersecurity posture, performed by third-party assessment organizations (C3PAOs) belonging to the CMMC Accreditation Body (CMMC AB).

Many C3PAOs are still in training, and the number of organizations within the Defense Industrial Base (DIB) is in the hundreds of thousands, so it may be some time before an organization receives an audit by a C3PAO, but that doesn’t mean preparing today should be ignored.

Organizations currently subject to DFARS, Prime contractors, the Defense Contract Management Agency (DMCA), and legal teams can ask for proof of NIST 800-171 compliance today.

It’s expected that CMMC 2.0 compliance will go into effect in May 2023 and be in DoD contracts by July 2023. Auditors will be in high demand once they become available, so contractors need to start this process as soon as possible. (Learn more: Who needs to be CMMC compliant?)

What does a CMMC auditor do?

An authorized CMMC auditor may conduct several types of audits, depending on the CMMC maturity level and cybersecurity standards the contractor is attempting to achieve.

The complexity of this process and the contractor’s involvement can vary greatly, especially when the auditor performs multiple audits.

Assessors can help contractors on their journey toward CMMC 2.0, although they won’t be allowed to grant certification to those Organizations Seeking Certification (OSCs). Here are some areas to focus on, before your CMMC compliance audit.

  • Data Checks: A CMMC auditor uses the data check to identify the types of information that an organization processes. This audit can determine the correct level of CMMC maturity for the organization.
  • Cyber Health Checks: A cyber health, or cyber resilience, check assesses the organization's overall security posture. This check facilitates the implementation of the CMMC practices and processes..
  • Staff Awareness Checks: A staff awareness check is part of the cyber health check, but auditors usually assess the security training of an organization's staff with particular care. This type of audit becomes more common with higher maturity levels.
  • Domain and Capabilities Audit: The CMMC model includes a series of controls for each maturity level. As their name implies, CMMC Auditors will audit the domain and capabilities appropriate for the organization's CMMC 2.0 level.
  • Process Integration Audit. This audit determines how well an organization has integrated security capabilities into its culture. This audit ultimately determines if the organization has reached the required CMMC maturity level and is the only audit type allowing a C3PAO to award certification.

How do I prepare for a CMMC audit?

The CMMC-AB authorizes Registered Provider Organizations (RPOs) to provide the consulting and support that contractors need to meet their new obligations under CMMC.

RPOs are trusted by the CMMC-AB, as they have been trained in CMMC methodologies. Contractors can thus simplify the auditing process by partnering with an RPO.

The basic steps of preparing for a CMMC audit include determining the maturity level your organization requires, assessing its current security posture, and establishing a security roadmap for achieving the required maturity level.

Determine your organization’s CMMC required certification level

The process of preparing for a CMMC audit is highly dependent on the specific maturity level your organization requires.

For example, a DoD contractor that won't be working with Controlled Unclassified Information (CUI) may need to do very little to prepare for an audit, besides basic safeguarding practices. On the other hand, contractors who handle highly sensitive information may need to implement many additional security controls to achieve their required CMMC certification.

The latest release, CMMC 2.0, includes three maturity levels with progressively greater requirements.

Assess your organization’s current state of security

Understanding your organization's current security state is the next step in preparing for a CMMC audit.

If you’ve been diligent in complying with DFARS 252.204-7012 by fully implementing NIST SP 800-171, because your organization handles CUI, you likely have less work to do to achieve CMMC Level 2 compliance.

Otherwise, you'll typically need to complete a thorough assessment of your organization's current security posture to determine the specific steps needed to achieve and maintain the required CMMC maturity level.

It's still a good idea to assess your current procedures to ensure your organization isn't missing any security controls, even if you only need a low-level CMMC.

Something can slip through the cracks since contractors were previously responsible for assessing themselves under NIST SP 800-171.

Establish a security roadmap and strategic plan.

The final step in preparing for a successful CMMC assessment is to create a roadmap of the process for becoming CMMC compliant before the audit.

This roadmap should include the procedures for implementing the required security measures and protocols.

Start with the scheduled date for the audit and work backward to determine the deadlines for each step. Ensure you allow additional time to resolve unexpected complications, which is common for CMMC.

The wait times for audits will be long until the necessary number of C3PAOs becomes trained and comfortable in their roles.

You don't want to add to the delay in obtaining certification by leaving essential tasks incomplete.

8 Recommended Best Practices

The following eight practices can help your organization prepare for a CMMC audit.

1. Identify CUI specific to the contract

In addition to identifying CUI, you also need to determine its storage location, how it's processed and where it's transmitted.

You also need to identify the processes, services, and systems within the scope of DFARS 252.204-7012/NIST SP 800-171. This information describes your CUI environment, which auditors will closely scrutinize during the audit.

The contracting official for the DoD will define CUI in the contract for the prime contractor, who is then required to provide that definition in its contracts to subcontractors.

Your contracting official or prime contractor should be able to provide further guidance on whether a particular data set qualifies as CUI.

2. Identify the NIST 800-171 controls that apply to your CUI environment

Once you've defined your CUI environment, you can identify the processes, systems, and services in that environment that are within the scope of NIST SP 800-171.

This identification process will be based on CUI's storage, processing, and transmittal. NIST SP 800-171 defines 110 CUI controls across 14 domains.

You must then identify the controls that apply to your environment. In the case of simple, flat networks, all of these controls will probably apply to your entire organization.

For a segmented CUI environment like cuick trac™, most controls should apply only to specific sub-networks rather than every system in your organization's IT infrastructure.

3. Develop policies, procedures, and standards to address CMMC compliance requirements

This process involves identifying all the laws and regulations that apply to your organization's contract.

Applicable laws can include domestic and international cybersecurity and data privacy laws, industry-specific regulations, and contract requirements from both partners and clients.

This practice requires significant due diligence to find the requirements for your company's specific situation.

4. Document controls, policies, procedures, and standards

Your system for documenting these requirements should build on supporting components, resulting in a hierarchical structure that provides strong governance.

This system should also manage requirements with an approach that integrates documentation into implementing these tasks. This strategy will help provide an understanding of the documentation that helps an organization make well-informed decisions regarding security risks, including management involvement, staffing resources, and technology purchases.

Contractors often view data governance as an obstacle rather than an asset, failing to properly scope documentation. However, such documentation must be concise and written, while showing a CMMC compliance requirement is adequately met.

Avoid writing a single policy document that attempts to meet all documentation requirements, including high-level security concepts, configuration, and work assignments.

This approach will only serve to create confusion across all operations.

5. Implement the appropriate NIST 800-171 and CMMC controls

Implementing these standards involves operationalizing your organization's cybersecurity and data privacy programs by combining people, processes and technology correctly.

Addressing the applicable NIST 800-171 and CMMC requirements by implementing the necessary actions allows an organization to bring its policies and procedures to life.

This step also includes identifying the parties responsible for each CUI control, along with the roles and responsibilities of each team member.

This approach ensures that requirements don't fall through the cracks or are implemented improperly due to a misunderstanding on the part of the individuals responsible for those controls.

6. Document the CUI environment, including its controls and known deficiencies

This step populates the Plan of Action and Milestones (POAM) and System Security Plan (SSP) with details specific to your organization.

The POAM is essentially a list of NIST SP 800-171 control deficiencies that currently exist for the organization. The SSP documents the people, processes, and technologies comprising the CUI environment and the location for this information.

These are living documents central to documenting a NIST SP 800-171 compliance program, so they must be regularly updated to reflect changes in the CUI environment.

They're also key documents for the CMMC audit, so an auditor will ask for them early in this process.

Failure to provide these documents is considered non-compliant with CMMC, resulting in negative consequences such as a False Claims Act (FCA) violation.

7. Use the controls to assess the maturity and risk of business and technology processes.

Many methodologies currently exist for helping an organization manage risk, including FAIR, ISO 31010, OCTAVE, and NIST 800-37. These methodologies share common traits such as the requirement to assess the implemented controls' effectiveness and the extent to which those controls reduce risk and demonstrate maturity level.

No system for assessing business and technology processes can ever be perfect, so it's important to select the one that best matches how an organization functions.

As a result, the CMMC auditors may accept a separate risk methodology for making operational, strategic, and tactical decisions, since each methodology has its pros and cons for a particular application.

The end goal of defining and achieving the desired level of risk-taking is the most important thing to remember with this practice.

All phases of the Secure Development Lifecycle (SDLC) must manage risk, whether the solution you’re developing is an application, service, or system.

The scope of this process must include the SDLC’s direct assets in addition to those of its supporting components. In some cases, this can include the assets of third-party providers that relate to the availability, confidentiality, integrity, and safety aspects of data protection.

8. Use metrics to identify areas of improvement for the controls.

Gathering metrics is a key task in monitoring CMMC controls.

Metrics provide a snapshot of a control’s performance for a particular instant in time, but they also provide broader benefits such as analyzing long-term trends. Your organization can use this trend analysis to identify ways of improving its security posture.

This process requires you to define the Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) with critical importance to your organization, which can provide valuable insight into its security controls.

The KPIs and KRIs of each organization primarily depend on the priority of each control, which is affected by factors such as contractual and regulatory obligations.

Pass your CMMC audit with cuick trac™ — your compliance solution

Not sure where to start regarding CMMC audit preparation and risk management? Do you lack the time, money, and resources to build and manage your company’s CMMC compliance strategy?

Our team of certified cybersecurity professionals and engineers has your back.

Our team of NIST security experts spent years engineering cuick trac™ — the most affordable, practical, and secure compliance solution that helps contractors, manufacturers, engineers, and any service providers who works with the Department of Defense (DoD) and the Federal Government protect their Controlled Unclassified Information (CUI), improve their cyber hygiene, and meet CMMC audit cybersecurity requirements.

Cuick trac™ is a secure virtual environment for handling, storing, and processing CUI that also includes the documentation needed to comply with NIST SP 800-171 requirements.

In addition to our pre-configured, CUI enclave our team can also provide a cybersecurity risk assessment of your company’s people, processes, and technology to identify your CMMC risks.

Interested in learning why so many small to medium size defense contractors choose cuick trac™ as their DFARS 252.204-7012 & NIST SP 800-171 compliance solution?

Contact us online or schedule a cuick trac™ demo today.

Part of the most relevant industry groups and committees

Get a 30-minute demo from a cuick trac™ product expert

You've made it this far, now let us show you why cuick trac™ will be the smartest decision you'll make this year.

Schedule a quick product tour
See how we can secure your CUI in less time, with less effort, and more features than any other DFARS compliance products in the market.
Cuick trac™ is a privately hosted, managed, & secure CUI enclave for organizations who need to comply with NIST 800-171 & CMMC 2.0, Level 2.
© 2022 cuick trac™. All rights reserved.