In 2019, the Department of Defense (DoD), together with Johns Hopkins University Applied Physics Laboratory (APL) and the Carnegie Mellon University Software Engineering Institute (SEI), began reviewing existing cybersecurity standards. Their goal was clear: to combine these practices into a single, unified cybersecurity framework to protect the DoD supply chain. This framework is now known as the Cybersecurity Maturity Model Certification (CMMC). Although the CMMC is still being fully developed, select DoD contractors are expected to undergo CMMC audits as early as this year. If you’re a government contractor, there’s no time to wait. Use this CMMC audit preparation checklist to get ready and ensure your organization meets all requirements.
What is a CMMC Audit?
It’s important to note that the CMMC framework is still under development, so some details may change by the time CMMC audits officially begin.
Here’s what we know so far:
The CMMC was created to streamline cybersecurity practices and help contractors along the DoD supply chain maintain compliance. It applies to organizations that handle:
- Federal Contract Information (FCI): Information provided by, or created for, the U.S. Government that is not publicly available.
- Controlled Unclassified Information (CUI): Information that requires safeguarding or dissemination controls under laws, regulations, and government-wide policies.
The framework consolidates the best practices from widely recognized security standards, including:
- NIST 800-171
- NIST 800-53
- RMF
- ISO 9000
- SANS
- CMMI
- DISA STIGs
- FIPS 140-2
- ISO 27001
- AIA NAS9933
- FICO
- FedRAMP
- Gartner
The CMMC Accreditation Body is currently developing processes for auditor training, certification, and organizational audits. At this time, no official CMMC auditors have been appointed, and certification is not yet available.
However, as new Requests for Proposals (RFPs) roll out next year, CMMC certification will become a requirement for eligible contractors. Currently, Level 1 CMMC requirements have been finalized, so organizations can start preparing for this level immediately.
The Five Levels of CMMC
The Department of Defense (DoD) structures contracts according to risk profiles. Each Request for Proposal (RFP) will specify a required CMMC level, and contractors must provide proof of certification to submit a bid.
Here’s a breakdown of the five levels:
- CMMC Level 1 – Performed: 17 controls must be applied based on 48 CFR 52.204-21. All DoD contractors are required to complete these tasks. There are no process maturity requirements at this level.
- CMMC Level 2 – Documented: 72 controls (including Level 1 controls) must be applied. This level requires proper documentation of processes, such as Standard Operating Procedures (SOPs), policies, and plans.
- CMMC Level 3 – Managed: 130 controls (including Level 2 controls) must be applied, covering all NIST SP 800-171 requirements. Contractors must follow a process maturity model and maintain existing policies and procedures.
- CMMC Level 4 – Reviewed: 156 controls (including Level 3 controls) must be applied. Companies at this level are expected to take a proactive approach to cybersecurity, including defenses against Advanced Persistent Threats (APTs).
- CMMC Level 5 – Optimized: 171 controls (including Level 4 controls) must be applied to achieve full process maturity and optimized cybersecurity. This level ensures comprehensive protection against APTs and secures the entire organization.
Who needs which level?
- Levels 1 and 2 typically apply to contractors who do not handle Controlled Unclassified Information (CUI). This includes most resellers and contractors who do not store government information on their networks, aside from HR data or purchase orders.
- Level 3 is for contractors handling CUI, especially technical data that could be reverse-engineered by foreign adversaries. Its requirements align closely with the NIST SP 800-171 controls.
- Levels 4 and 5 involve highly sensitive CUI, such as information on weapons testing or manufacturing schematics, and add the APT-focused practices above. Implementing these controls can be costly but provides the highest level of cybersecurity assurance.
By understanding these levels, your organization can prioritize CMMC audit preparation based on the sensitivity of the information you handle and the requirements of upcoming DoD contracts.

CMMC Audit Checklist
Regardless of the level you are targeting, there are seven steps you can follow to begin preparing for an audit of your own. They are:
Task #1 – Define CUI Specific to the Contract and Identify Its Location
The first step in preparing for a CMMC audit is to identify your Controlled Unclassified Information (CUI) environment. This means understanding where CUI is:
- Stored
- Processed
- Transmitted
Once you’ve mapped your CUI environment, you can define the systems, services, and processes that align with NIST SP 800-171 controls.
Before you can assess your compliance level or risk, the CUI involved in the contract has to be defined: the government contracting officer defines it for the prime contractor, and the prime must pass that definition down to its subcontractors. This ensures all parties understand what information requires protection and how it should be handled.
Task #2 – Identify Applicable NIST 800-171 Controls
After defining your CUI environment, the next step in preparing for a CMMC audit is to identify which systems, services, and processes fall within the scope of NIST SP 800-171 controls. This determination depends on whether a system stores, processes, or transmits CUI.
For organizations with simple network structures, these controls typically apply across the entire organization. In contrast, segmented CUI environments only require controls to be applied to specific sub-networks that handle sensitive information. By clearly mapping which controls apply to each part of your environment, you can streamline your CMMC audit preparation and reduce unnecessary effort.
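The scoping rule in the two paragraphs above (a system is in scope if it stores, processes or transmits CUI; on a flat network its neighbours come along, on a segmented network they do not) is easy to state and easy to get wrong once an inventory has a few dozen entries. The script below is an added illustration, not part of the original article or any CMMC publication, that applies that rule to a constructed inventory. The asset names, segment names, field names and the idea of marking a segment as "segmented" are assumptions for the example; real scoping also has to cover the systems that protect the CUI enclave, which this sketch leaves out.

```python
"""Scoping helper: which assets fall inside the CUI boundary (added example).

Rules applied, following the article's description:
  1. an asset that stores, processes or transmits CUI is in scope;
  2. any asset sharing a network segment with an in-scope asset is also in
     scope, unless that segment is marked as segmented (enforced boundary
     controls separate it from the rest of the network).
Inventory, segment names and field names are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    segment: str
    # subset of {"store", "process", "transmit"}; empty means the asset never touches CUI
    cui_roles: set = field(default_factory=set)


# Constructed inventory: a flat office LAN plus an engineering enclave that holds the CUI.
INVENTORY = [
    Asset("fileserver-eng", "eng-enclave", {"store"}),
    Asset("cad-ws-01", "eng-enclave", {"process"}),
    Asset("vpn-gw", "eng-enclave", {"transmit"}),
    Asset("hr-laptop", "office-lan"),
    Asset("printer-office", "office-lan"),
]

# Segments with boundary controls (firewall, ACLs) that separate them from other segments.
SEGMENTED = {"eng-enclave"}


def direct_cui_assets(inventory):
    """Assets that store, process or transmit CUI themselves."""
    return {a.name for a in inventory if a.cui_roles}


def in_scope(inventory, segmented):
    """Return the names of all assets inside the CUI assessment boundary."""
    scope = direct_cui_assets(inventory)
    touched_segments = {a.segment for a in inventory if a.name in scope}
    for a in inventory:
        # A flat (unsegmented) segment pulls every neighbour of a CUI asset into scope.
        if a.segment in touched_segments and a.segment not in segmented:
            scope.add(a.name)
    return scope


def scoping_report(inventory, segmented):
    """Per-asset verdict, the raw material for the inventory section of an SSP."""
    scope = in_scope(inventory, segmented)
    return {a.name: ("in scope" if a.name in scope else "out of scope") for a in inventory}


if __name__ == "__main__":
    for name, verdict in scoping_report(INVENTORY, SEGMENTED).items():
        print(f"{name:16} {verdict}")
```

Running it as-is keeps the boundary at the three enclave assets. Add one `Asset("sales-laptop", "office-lan", {"process"})` to the inventory (someone opened a CUI drawing on the office LAN) and every office device becomes in scope, which is exactly the cost the article warns about; marking `office-lan` as segmented pulls the boundary back to the four assets that actually touch CUI.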
Task #3 – Create Policies, Standards, and Procedures
Every contractor faces a unique compliance landscape, and policy requirements will vary depending on the level of risk. Effective CMMC audit preparation begins by identifying the various regulations and compliance frameworks that govern your organization, including:
- Domestic and international cybersecurity and privacy laws
- Industry-specific regulations
- Legally binding contracts
Documentation is critical to maintaining compliance. Your organization should develop a clear, hierarchical structure that outlines:
- Policies
- Standards
- Controls
- Procedures
All documents should be written clearly, follow a logical order, and explicitly delineate all compliance requirements. Well-structured documentation not only supports a CMMC audit but also informs decision-making and helps manage risks related to purchasing, staffing, and organizational management.
Task #4 – Operationalize Policies and Standards to Implement CMMC Controls
This stage is where planning turns into action.
By applying NIST SP 800-171 controls to your policies and standards, your organization can determine the steps needed to achieve and maintain CMMC compliance.
It is essential to clearly assign responsibility for each CUI control to specific individuals or teams. Clearly defined roles ensure that controls are properly implemented and reduce the risk of miscommunication or oversight during a CMMC audit.
Task #5 – Document the CUI Environment
At this stage, your goal is to record all controls and known deficiencies within your CUI environment. Proper documentation is a critical part of CMMC audit preparation.
You will need to create two primary documents:
- System Security Plan (SSP): The SSP provides detailed information on the who, what, when, why, and where of your CUI environment. It includes details about the people, technology solutions, and processes involved in managing CUI.
- Plan of Action & Milestones (POA&M): The POA&M identifies all control deficiencies under NIST SP 800-171. CMMC refers to this as a “risk register.”
To pass a CMMC audit, both documents must be complete and accurate. Auditors will request access to the SSP and POA&M early in the assessment. Incomplete or missing documentation can lead to noncompliance and may carry significant legal and contractual consequences.
Task #6 – Leverage Controls to Assess Risk and Maturity Across Technology and Business Processes
There is no one-size-fits-all methodology for risk assessment. Different approaches work better depending on your organization’s technology infrastructure and business processes. The key is selecting the methodology that best fits how your organization operates.
The CMMC framework recognizes several accepted methodologies, including:
- NIST SP 800-37
- ISO 31010
- OCTAVE
- FAIR
These methodologies help you evaluate how effectively your controls have been implemented and how much risk mitigation has been achieved. Organizations can mix and match controls as needed, as long as the goal is to reduce overall risk and demonstrate maturity during a CMMC audit.

Task #7 – Utilize Metrics from Control Execution to Identify Areas for Improvement
Once your CMMC controls are implemented, it’s essential to continuously monitor their performance. Tracking these metrics allows your organization to build a long-term dataset that can be used for analysis, optimization, and ongoing compliance.
Over time, this data helps identify areas of the business that need improvement. To make this process effective, establish Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that are relevant to your organization’s technology, processes, and CUI environment.
By using these metrics, you can proactively address gaps and demonstrate continuous improvement during a CMMC audit.
CMMC Level 1 Requirements
While the frameworks for higher CMMC levels are still being finalized, Level 1 requirements are based on the standards DoD contractors have followed since 2016. These requirements focus on basic cybersecurity hygiene and access controls, and they form the foundation for a successful CMMC audit.
The 17 Level 1 controls include:
- Authorized User Access: Only authorized users should access information and systems. Use strong passwords or PINs, protect devices, and disable accounts when employees leave.
- Least Privilege Access: Assign most accounts “user” status and limit “admin” rights to a few select individuals. Users should only access transactions and functions they are authorized to execute.
- Network Separation: Keep company networks and devices separate from external business or home networks. Only company-managed devices should be used to access contract information.
- Data Sharing Restrictions: Prevent sensitive data from being shared outside the contract. Ensure cloud storage and documents are restricted, and sensitive information is not publicly posted.
- Individual Accounts: Each employee should have a separate account to ensure access is limited to approved personnel.
- Device Authentication: All devices should have unique usernames and passwords, ideally with two-factor authentication enabled.
- Data Disposal: Destroy all data on devices before disposal—shred documents, overwrite drives, and securely dispose of mobile devices and thumb drives.
- Physical Security: Restrict devices, servers, and data storage to private areas. Ensure only authorized individuals can access high-level information.
- Visitor Monitoring: Track visitor activity through check-ins, badges, or security escorts, especially in larger organizations.
- Sign-In/Sign-Out Procedures: Maintain audit logs for all physical access. Cameras should monitor entrances and exits where feasible.
- Restricted Security Access: Limit the ability to unlock doors or disable security systems to a select group of individuals.
- Network Privacy: Keep company networks private, restrict external traffic via firewalls, and prevent unauthorized internet access.
- Internet Separation: Publicly accessible systems (such as a company web server) should sit on a subnetwork that is physically or logically separated from the internal network, or be hosted by a third party, so that internet-facing exposure never lands on the network that holds contract data.
- System Updates: Automatically download and install all system updates and patches on devices.
- Antivirus Protection: Use antivirus programs to prevent malicious code from accessing sensitive information.
- Firewall & Threat Protections: Enable subscription-based antivirus and firewall services that automatically update when new releases are available.
- Regular Antivirus Scans: Configure antivirus software to perform a full system scan at least weekly.
These Level 1 controls serve as the foundation for higher-level CMMC compliance. By implementing and documenting these controls, contractors can demonstrate a baseline level of cybersecurity during a CMMC audit.
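Several of the Level 1 items above (disable accounts when people leave, individual rather than shared accounts, a short list of admins, automatic patching, a full antivirus scan at least weekly) are things an assessor will ask you to evidence rather than assert, and Task #7 asks you to track them as metrics. The script below is an added example, not from the article or RSI Security, that runs those checks over a constructed account and endpoint inventory and tallies the findings by NIST SP 800-171 control family. The thresholds (30-day patch window, 7-day scan window), the approved-admin list, the family labels and the sample records are all assumptions for the example; in practice the inventory would come from the directory and endpoint management tooling.

```python
"""Level 1 hygiene checks over a constructed inventory (added example).

Produces findings an assessor would ask about and a per-family tally that
can serve as a KPI/KRI. Field names, thresholds, AS_OF date and sample data
are assumptions for illustration.
"""
from collections import Counter
from datetime import date

AS_OF = date(2020, 3, 2)          # assessment date for the constructed data
PATCH_WINDOW_DAYS = 30            # assumed maximum age of the last installed patch
SCAN_WINDOW_DAYS = 7              # "full system scan at least weekly"
APPROVED_ADMINS = {"it-admin"}    # the "few select individuals" with admin rights

# Constructed sample records.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "employed": True, "shared": False, "admin": False},
    {"user": "bob", "enabled": True, "employed": False, "shared": False, "admin": False},  # left, still enabled
    {"user": "frontdesk", "enabled": True, "employed": True, "shared": True, "admin": False},  # shared login
    {"user": "it-admin", "enabled": True, "employed": True, "shared": False, "admin": True},
    {"user": "carol", "enabled": True, "employed": True, "shared": False, "admin": True},  # unapproved admin
]
ENDPOINTS = [
    {"host": "ws-01", "last_patch": date(2020, 2, 25), "last_full_scan": date(2020, 2, 28)},
    {"host": "ws-02", "last_patch": date(2019, 12, 1), "last_full_scan": date(2020, 3, 1)},
    {"host": "ws-03", "last_patch": date(2020, 2, 20), "last_full_scan": date(2020, 2, 10)},
]


def account_findings(accounts, approved_admins):
    """Findings as (control family, subject, description); AC = access control, IA = identification/authentication."""
    findings = []
    for a in accounts:
        if a["enabled"] and not a["employed"]:
            findings.append(("AC", a["user"], "account still enabled after separation"))
        if a["shared"]:
            findings.append(("IA", a["user"], "shared account, no individual accountability"))
        if a["admin"] and a["user"] not in approved_admins:
            findings.append(("AC", a["user"], "admin rights outside the approved list"))
    return findings


def endpoint_findings(endpoints, as_of, patch_days, scan_days):
    """SI = system and information integrity: patching and malicious-code protection."""
    findings = []
    for e in endpoints:
        patch_age = (as_of - e["last_patch"]).days
        scan_age = (as_of - e["last_full_scan"]).days
        if patch_age > patch_days:
            findings.append(("SI", e["host"], f"no patch installed in {patch_age} days"))
        if scan_age > scan_days:
            findings.append(("SI", e["host"], f"last full antivirus scan {scan_age} days ago"))
    return findings


def run_checks(accounts=ACCOUNTS, endpoints=ENDPOINTS, as_of=AS_OF):
    return account_findings(accounts, APPROVED_ADMINS) + endpoint_findings(
        endpoints, as_of, PATCH_WINDOW_DAYS, SCAN_WINDOW_DAYS
    )


def summarize(findings):
    """Finding count per control family: a simple KRI to trend from one run to the next."""
    return dict(Counter(family for family, _, _ in findings))


if __name__ == "__main__":
    for family, subject, text in run_checks():
        print(f"[{family}] {subject}: {text}")
    print(summarize(run_checks()))
```

Each finding maps back to a specific Level 1 expectation and a specific record, which is the form of evidence (and the form of POA&M entry, for anything that cannot be fixed immediately) that Task #5 and Task #7 call for; re-running the same checks on a schedule turns the per-family counts into the trend data the article recommends keeping.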
Get Prepared with RSI Security
The Cybersecurity Maturity Model Certification (CMMC) was created to provide clear guidelines and an audit framework for contractors working with the Department of Defense (DoD). As more details about CMMC audits and frameworks become available, the best way to get started is by implementing Level 1 controls if you haven’t already.
It’s important to note that CMMC specifies what practices contractors must implement, but not how to implement them. That’s where RSI Security can help.
Our team has deep expertise in all controls that support CMMC compliance, and we can guide your organization through CMMC audit preparation, regardless of the certification level you are pursuing.
Ready to take the next step? Contact RSI Security today to secure your business and improve your chances of winning DoD contracts.