
CMMC Audits: A Comprehensive Guide

EXECUTIVE BRIEF

On December 16th, defense contractors can start exploring the CMMC marketplace and scheduling 3rd-Party Assessment Organizations (C3PAOs) to conduct their triennial CMMC audit. This article details:

  • The three different assessment methods (examine, interview, and test)
  • The two types of certification you can achieve (conditional and final)
  • Expectations of an MSP leading up to and during your audit

While the audit process can appear daunting, with proper planning, organization, and additional support (either in-house or with an MSP), you'll be on track to ace your CMMC audit and bid on new defense contracts with confidence! 

Dig deeper and learn more about the CMMC audit process below!

Scoping the Assessment

Before a Level 2 (C3PAO) assessment, the Organization Seeking Assessment (OSA) must specify the CMMC Assessment scope. Assets that fall into the following four categories have to be included in your assessment scope: 

  • Controlled Unclassified Information (CUI) Assets: Assets that process, store, or transmit CUI.
  • Security Protection Assets: Assets that provide security functions or capabilities to the OSA’s CMMC Assessment Scope.
  • Contractor Risk Managed Assets: Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place. Assets are not required to be physically or logically separated from CUI assets.
  • Specialized Assets: Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment.

What Does a CMMC Assessment Team Do?

The primary deliverable for your assessment team is a report that highlights your organization’s adherence, or lack thereof, to the practices required for Level 2 (C3PAO) certification. Your assessment team consists of at least two CMMC Certified Assessors (CCAs):

  • Lead Assessor: Your Lead Assessor is tasked with determining which assessment methods (examine, interview, and test methods) will best evaluate your environment to determine satisfaction of controls.
  • Secondary Assessor: The Secondary Assessor supports the lead in the assessment of your environment.

Additionally, there will be an individual performing a Quality Assurance function. Rather than evaluating your environment, the team member tasked with Quality Assurance conducts a quality review of the assessment team’s work and its report.

Your assessment team will review what you have identified as “in scope” for your assessment. They verify that all controls of NIST SP 800-171A Rev2 are met and ensure that the expected behavior detailed in your policies or procedures matches the actual behavior of your activities and mechanisms when applied.

The assessors have three main assessment methods: 

  • Examine
  • Interview
  • Test

The assessors determine the level of effort needed to support the determination that a CUI requirement has been satisfied. Learn more about each assessment method below. 

Documentation Review

Examining documents and safeguards helps provide the assessment team with evidence of intent. Make sure all paperwork being examined is in its final form, as working drafts will not be accepted. Documentation review can include, but is not limited to:

  • Policies and procedures
  • Training materials
  • System-level and network diagrams

Personnel Interviews

Interviews with individuals or groups help the assessors identify what the contractor believes to be true about their systems or activities. This method helps determine if the contractor has implemented adequate resources, training, and planning for the team to perform the required CMMC practices. 

Testing and Validation

The testing method is used to determine what has and has not been implemented within the organization. While not all practices require testing, the assessment team will determine which practices or objectives need demonstration.

Reporting Their Findings

Once the assessment is done, the assessment team will draft an assessment report to be filed into e-MASS. The report will highlight the in-scope assets, the testing methodology, and the assessment finding for each CMMC practice. The three possible findings are: 

  • Met
  • Unmet
  • Not applicable

Once the report is finished, an individual performing Quality Assurance will review the report, verify its accuracy, and affirm the way in which the assessment was administered. This report will be the basis of whether the assessment team grants certification (conditional or final) or not.

Issuing CMMC Certification

The CMMC Assessment team can issue two different types of certification: Conditional and Final. Here is how the two break down:

Conditional Level 2 (C3PAO)

Given when: Contractor has MET the six identified key cybersecurity controls and earned at least 80% of the total cybersecurity score possible. The contractor has placed the NOT MET controls into a Plan of Action and Milestones (POA&M) document. 

Next Steps: The contractor has 180 days to remediate the NOT MET controls listed in their POA&M document AND pass a POA&M Closeout Assessment. If the contractor passes the close-out assessment, they will achieve Final Level 2 (C3PAO) certification. If they fail, they will lose their conditional certification status.

Final Level 2 (C3PAO)

Given when: The contractor has MET and demonstrated compliance with all 110 security controls and 320 objectives listed in NIST SP 800-171a Rev2.

Next Steps: The contractor’s CMMC status is valid for three years. However, annual statements of affirmation are required from a designated Affirming Official within the organization. 

Performing Follow-Ups (If Required)

Two types of follow-ups can occur after achieving conditional or final certification status. These include: 

  • POA&M Closeout Assessment
    • Applicable to conditional certification only
    • Must be completed within 180 days of your conditional certification status being posted. This assessment must be administered by an authorized or accredited C3PAO.

  • DCMA DIBCAC Investigation
    • Applicable to final and conditional certification
    • The DoD has the right to conduct an additional assessment of your organization under 48 CFR 252.204-7020. If their findings show you are not meeting or sustaining your compliance stature, their assessment takes precedence over your CMMC certification status.

How to Prepare for a CMMC Audit

Once you've identified what maturity level your organization is targeting, it’s time to begin preparing for your audit. This is the most critical stage of your compliance journey. Take your time and bring in external support if you feel your organization needs it. 

Most organizations need at least six months to prepare for their CMMC audit, though we tell our customers to allot 9-12 months to be safe. Three key components to your preparation plan should be:

  • Assess/review your current IT infrastructure and documentation against NIST SP 800-171a Rev2 standards
  • Develop your remediation plan
  • Conduct a mock audit ahead of your official audit

Collecting Documentation

One aspect of the CMMC audits that can catch contractors by surprise is the amount of documentation needed to pass your assessment. Each control/objective should have a corresponding policy or procedure tied to it. 

The most important piece of documentation needed for your CMMC audit is your System Security Plan (SSP). This is your organization’s comprehensive guide to how you secure sensitive information. How important is it? It's mentioned 145 times in the NIST SP 800-171a Rev2 requirements and is not allowed to be listed on your POA&M document. Your SSP needs to detail how your organization implements and uses the controls listed in NIST SP 800-171a Rev2 and be routinely updated as tools, policies, and procedures are modified. 

Conducting a Pre-Assessment / Mock Audit

Going through the audit process can be nerve-wracking and intimidating. One way to settle nerves before your official audit is to conduct a pre-assessment evaluation or “mock audit.” This is where you have someone, internal or external, who knows what the CMMC audit will look like come in and do a run-through of an official audit.

C3PAOs (more on them below) can help conduct these pre-assessment evaluations ahead of your official assessment. The caveat is, the C3PAO who works with your organization before your official assessment cannot be the same one who conducts your official assessment. Additionally, your Managed Service Provider (MSP) may be able to provide a pre-assessment evaluation as well. 

Selecting a C3PAO

Once you feel comfortable with your IT infrastructure and positioning against NIST SP 800-171a Rev2 controls, it’s time to select your CMMC 3rd Party Assessment Organization (C3PAO). 

You're going to be spending a lot of time with your assessors, so it’s important to choose a C3PAO you can build a rapport with. We highly recommend our customers take the time to interview at least three C3PAOs. 

The Cyber AB is the accrediting body for C3PAOs; it maintains a list of certified and candidate C3PAOs on its website.

What Happens During a CMMC Audit

While the audit process can feel daunting, it is fairly straightforward. The auditor will review what you have identified as in-scope and will come up with a plan to evaluate and verify your policies, mechanisms, and actions. As for interviews, most C3PAOs will work with you and your team’s schedules (within reason). 

There are few surprises your C3PAO can throw at you, since your organization has reported what's in scope. But the more organized your organization is, the smoother the audit process will be.

What Are Common Findings in a CMMC Audit?

If you don't have an extensive background working on the compliance side of IT, you may be surprised by the sheer level of documentation required for your audit. So make sure to really evaluate the scoping and assessment guides to ensure you have all the documentation needed (e.g., your System Security Plan). 

What’s the Role of a Consultant in a CMMC Audit?

If your Managed Service Provider (MSP) processes, stores, or transmits CUI or Security Protection Data (SPD), the services provided by your MSP must be included in your assessment scope and will be assessed during your audit. 

At ISI, we make sure to have members of our team available during your audit to explain or demonstrate the implementation of any tools or activities our team provides. 

How To Interpret the Results of a CMMC Audit

Once your audit is complete, your assessment team will upload the results of your audit into eMASS. The good news is you will probably know where your organization stands before the assessment team leaves the building. That said, there are three possible outcomes from your C3PAO audit: 

  • Final Certification
  • Conditional Certification
  • Fail

Certification is the goal, but if you fail your audit, that doesn't mean you can't go through the process again. At that point, we’d highly recommend working with an MSP to ensure you re-embark on your compliance journey with the expert support your organization requires. 

Next Steps after a CMMC Audit

If you achieve Final Level 2 (C3PAO) certification status, congratulations! Go out there and start bidding on new contracts with confidence!

If you achieve Conditional Level 2 (C3PAO) certification status—which is no small feat—there is an extra step. You will need to remediate any unmet controls or objectives listed in your POA&M document AND pass a POA&M Closeout Assessment within 180 days. In the meantime, you can be awarded contracts with a conditional status. But it's critically important to work on your remediation plan during this time.

How Often Are CMMC Audits Required?

Level 2 and Level 3 assessments occur every three years. In between audits, an Affirming Official from your organization has to submit a yearly statement of affirmation confirming your business is still implementing the necessary CMMC practices and sustaining its compliance posture. Level 1 Self-Assessments are required annually.

Prepare for Your CMMC Audit with ISI

Partner with ISI for your CMMC compliance and audit journey! With over 300 years of combined industrial security experience and three Registered Practitioners on our team, ISI offers unmatched expertise in managing complex federal regulations. Contact us today to learn more about how we can assist you in achieving and maintaining CMMC compliance. 


FAQs about CMMC Audits

When is an audit mandatory?

A CMMC audit is mandatory in three instances:

  • Your organization works on DoD contracts and generates, stores, or processes Controlled Unclassified Information (CUI).  
  • The Request for Proposal requires Level 2 (C3PAO) certification for award.
  • You are currently Level 2 (C3PAO) certified but there has been a change to your CAGE code.

Who audits CMMC?

Audits are conducted by CMMC 3rd-Party Assessment Organizations (C3PAOs), which are accredited by an independent organization called the Cyber AB. 

Additionally, each Organization Seeking Assessment (OSA) will be audited by an assessment team. The assessment team is composed of at least two people: a lead CMMC Certified Assessor (CCA) and a secondary CCA. 

The assessment team will also be joined by a CCA for quality assurance. The individual fulfilling the quality assurance role is not part of the assessment team and is there to manage the C3PAO's quality assurance reviews “for each assessment, including observations of the Assessment Team's conduct and management of CMMC assessment processes.”

How long does a CMMC assessment take?

The assessment timeline varies depending on the level of preparedness, internal organization, and staff availability of the Organization Seeking Assessment (OSA). As a baseline, you should expect the assessment to take about one full work week (5 days, 40 hours).

What is the cost of an audit?

Prices for an audit will vary depending on the C3PAO. However, it appears $30,000 has been a good baseline for organizations to budget for their audits. 

Can you refuse an audit?

NO! You cannot refuse an audit. The audit is a requirement for achieving Level 2 (C3PAO) certification. If you're a defense contractor that currently handles Controlled Unclassified Information or plans on bidding on RFPs that have a Level 2 (C3PAO) certification requirement, you will need to undergo a CMMC audit to be awarded future contracts. 

The DoD has the right to waive CMMC requirements on contracts—but the waiver applies to the contract in its entirety, not to individual contractors. 

At what point do you need an audit?

There are a couple of different ways to answer this question. In terms of your business, you will need to go through an audit ahead of being awarded a contract that has a Level 2 (C3PAO) certification requirement. When will that be? That’s where it gets tricky. 

Technically, Level 2 (C3PAO) certification requirements will be rolled out in Phase 2, which will be sometime in Q2 2026. That said, the DoD has the right to accelerate this timeline during Phase 1 (Q2 2025) for contracts handling particularly sensitive information. While this shouldn’t affect most contracts, it is something to look for in 2025 contract proposals, which is why businesses should start their compliance journey sooner rather than later. 

What happens if you fail a CMMC audit?

Failing your CMMC audit means you won't get Level 2 (C3PAO) certification, which soon will be required to receive new defense contracts. On top of that, it could damage your business’ reputation within the DIB. Primes want to ensure their defense supply chain is secure—failing your audit may have a negative, tangible impact on building trust and relationships with primes. So while it may feel like there is a shot clock counting down, it’s important to take your time and be intentional during the readiness stage of your compliance journey.
