Preparing for a CMMC Audit: What DoD Contractors Need to Know
Companies aiming for Department of Defense (DoD) contracts must demonstrate strong cybersecurity practices by achieving Cybersecurity Maturity Model Certification (CMMC). Successfully implementing CMMC leads to an official CMMC audit, which is a critical step toward earning preferred contractor status with the DoD. This guide will walk you through how to prepare effectively for a CMMC audit.
How to Prepare for a CMMC Audit in Five Straightforward Steps
Preparing for a CMMC audit can be complex due to the comprehensive requirements of CMMC Version 1.02 (March 2020). Following these five steps can help ensure a smooth and successful audit process:
- Identify the Required CMMC Maturity Level: Determine which level of CMMC compliance your DoD contract demands.
- Assess Your Current Cybersecurity Posture: Review all existing systems, architecture, and security controls to identify gaps.
- Implement Required CMMC Practices: Apply all necessary practices across the applicable CMMC security domains.
- Conduct a Preliminary Assessment: Perform an internal or third-party review to gauge readiness before the official audit.
- Engage a Certified Assessor: Work with a certified CMMC assessor to formalize your audit and achieve certification.
The sections below will explore each step in detail, highlighting potential challenges and best practices. RSI Security is equipped to guide your organization through every stage of the CMMC audit process, ensuring full preparedness and compliance.
Step #1: Determine Which CMMC Maturity Level You Must Reach
The first and most critical step in preparing for a CMMC audit is identifying which Maturity Level your organization must achieve. CMMC has five levels, with each successive level introducing more advanced cybersecurity requirements. Understanding your required level ensures your controls align with DoD expectations.
Types of Information Covered:
- Federal Contract Information (FCI): Information provided or generated by the federal government related to contracts with state and non-state agencies. This information is sensitive and not intended for public disclosure.
- Controlled Unclassified Information (CUI): Sensitive information related to governmental operations or assets, such as technical manuals or defense plans. While protected, CUI is not formally classified.
Typically, CMMC Levels 1 and 3 correspond to the protection of FCI and CUI, respectively. Higher maturity levels require expanding baseline protections for both information types and implementing additional controls to defend against Advanced Persistent Threats (APTs) across all data.
Breakdown of Practice and Process Maturity Thresholds at Each Level
One of the features that makes CMMC unique is its progressive approach to cybersecurity maturity. Unlike other frameworks that require all controls to be implemented at once, CMMC uses five Maturity Levels, making preparation for a CMMC audit more structured and manageable.
Each level represents thresholds for Practice implementation and Process institutionalization, measuring how well security practices are integrated across systems and personnel. Here’s a breakdown by level:
- Level 1: Basic Cyber Hygiene: 17 Practices. Processes must be “performed” but are not formally assessed. Focus: safeguarding Federal Contract Information (FCI).
- Level 2: Intermediate Cyber Hygiene: Adds 55 Practices. Processes must now be formally “documented,” which will be assessed during a CMMC audit. Focus: preparing for Level 3.
- Level 3: Good Cyber Hygiene: Adds 58 Practices. Processes are now “managed” and standardized across systems. Focus: fully protecting Controlled Unclassified Information (CUI).
- Level 4: Proactive Cyber Hygiene: Adds 26 Practices. Processes must be “reviewed” thoroughly, focusing on mitigating Advanced Persistent Threats (APTs).
- Level 5: Advanced/Progressive Cyber Hygiene: Adds 15 Practices. Processes require continuous “optimization” of all security controls. Focus: ongoing mitigation of APTs.
While Levels 4 and 5 share the same focus on APT mitigation, Level 5 emphasizes a forward-looking, continuous improvement process, going beyond review to active optimization. Understanding these thresholds is critical for ensuring your organization is fully prepared for a CMMC audit.
Step #2: Assess Your Existing, Mappable Cybersecurity Controls
The second critical step in preparing for a CMMC audit is assessing your organization’s current cybersecurity infrastructure. This helps identify which controls are already in place and which gaps must be addressed to meet CMMC requirements.
Most companies pursuing DoD contracts are part of, or entering, the Defense Industrial Base (DIB) sector. The DIB is one of 16 Critical Infrastructure Sectors deemed essential to national security by the Cybersecurity and Infrastructure Security Agency (CISA). Any organization that processes Covered Defense Information (CDI) under various regulations is considered part of the DIB.
For example, companies working with the DoD are typically bound by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS clause 252.204-7012 sets standards for protecting CDI and reporting breaches, which directly inform the CMMC framework. These DFARS requirements also guided the framework that preceded CMMC.
NIST SP 800-171
Before the rollout of CMMC, companies in the Defense Industrial Base (DIB) were required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Understanding NIST compliance is essential for a smooth CMMC audit, as CMMC incorporates NIST SP 800-171 controls in full, along with additional cybersecurity practices.
Key elements of NIST SP 800-171 include:
- Requirement Families: Categories of controls focused on protecting Covered Defense Information (CDI). There are 14 Families, covering all CMMC Domains except AM, RE, and SA.
- Basic Requirements: Primary requirements under each Family. There are 29 total, with each Family containing at least one requirement.
- Derived Requirements: Secondary, more advanced requirements under each Family. There are 29 total, with all but two Families containing at least one Derived Requirement.
Many companies that have previously worked with the DoD are already NIST-compliant, as NIST SP 800-171 allows self-assessment and self-reporting. These existing controls can be mapped directly to CMMC with some adjustments, making NIST compliance a foundational step toward passing a CMMC audit.
Step #3: Implement Practices Up to Your Required Maturity Level
The next and arguably most critical step in preparing for a CMMC audit is implementing all required controls for your target Maturity Level. Levels 2 and 3 are often the most challenging, requiring adoption of 55 and 58 new practices, respectively.
Complexity increases with each Level. For instance, the 15 practices integrated at Level 5 may be more technically challenging than the 58 at Level 3. In addition, each Level requires that all Processes meet their respective maturity thresholds, making no Level “easy” to achieve.
Success in this step comes from understanding the full scope of controls, which are organized across 17 Domains and 43 Capabilities, encompassing 171 Practices in total. Viewing an entire Domain—such as the 27 practices for SC—helps organizations plan and implement the specific controls required for each Maturity Level (e.g., 2 SC practices for Level 1, 15 for Level 3).
Breakdown of All CMMC Required Practices by Cybersecurity Domain
The foundation of the CMMC framework builds on NIST SP 800-171 while adding three additional Domains and 61 Practices to address broader regulatory controls. Understanding the breakdown of Practices by Domain is essential for preparing for a CMMC audit.
CMMC Practices by Domain (Version 1.02):
- Access Control (AC): 4 Capabilities, 26 Practices. Manage user access and protect sensitive information.
- Asset Management (AM): 2 Capabilities, 2 Practices. Inventory and manage physical and virtual assets.
- Audit and Accountability (AU): 4 Capabilities, 14 Practices. Conduct internal audits, secure logging, and process data.
- Awareness and Training (AT): 2 Capabilities, 5 Practices. Provide staff training regularly and after special events.
- Configuration Management (CM): 2 Capabilities, 11 Practices. Manage system settings, remove defaults, and maintain configurations.
- Identification and Authentication (IA): 1 Capability, 11 Practices. Control user accounts using measures like multi-factor authentication.
- Incident Response (IR): 5 Capabilities, 13 Practices. Respond to cyber incidents, including data leaks and attacks, coordinated with Recovery (RE).
- Maintenance (MA): 1 Capability, 6 Practices. Regular updates and post-incident attention for assets and systems.
- Media Protection (MP): 4 Capabilities, 8 Practices. Safeguard devices storing or processing media, including secure disposal.
- Personnel Security (PS): 2 Capabilities, 2 Practices. Secure onboarding, retention, and termination procedures.
- Physical Protection (PE): 1 Capability, 6 Practices. Implement physical safeguards for devices and protected areas.
- Recovery (RE): 2 Capabilities, 4 Practices. Ensure continuity and recovery protocols after cybersecurity events.
- Risk Management (RM): 3 Capabilities, 12 Practices. Monitor threats proactively and manage organizational risk.
- Security Assessment (CA): 3 Capabilities, 8 Practices. Conduct internal threat and vulnerability assessments.
- Situational Awareness (SA): 1 Capability, 3 Practices. Maintain awareness of the company’s cyber threat environment.
- Systems and Communications (SC): 2 Capabilities, 27 Practices. Secure internal and external network communications.
- System and Information Integrity (SI): 4 Capabilities, 13 Practices. Ensure security systems function correctly and are monitored regularly.
Implementing all 171 Practices to achieve Level 5 compliance is a significant undertaking. A clear understanding of each Domain’s Practices is critical for effective preparation and successful completion of a CMMC audit.
Step #4: Conduct an Internal or External CMMC Preliminary Audit
The next step in preparing for a CMMC audit is conducting a preliminary assessment of your systems. Performing a low-stakes, internal or external CMMC audit helps identify gaps that could hinder success during the official certification audit. Organizations can perform these assessments independently or engage a security advisory provider. Assessments may strictly follow CMMC requirements or take a broader approach, such as general vulnerability scans.
For instance, companies might conduct CMMC-focused penetration tests to evaluate staff readiness for Incident Response (IR) protocols, which also reinforces Awareness and Training (AT) and Recovery (RE) protections.
It is important to note that this preliminary step is not required by CMMC. The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) does not mandate pre-assessments before official certification. However, conducting a preliminary audit is considered a best practice that significantly improves preparedness for the final, high-stakes CMMC audit.
Step #5: Select a Certified Third-Party Assessor Organization
The final step in completing a CMMC audit is selecting a certified third-party assessor organization (C3PAO) to conduct the official examination and report on their findings. The assessor’s evaluation is essential for achieving formal CMMC certification.
As the CMMC rollout continues, the CMMC Accreditation Body (CMMC-AB) has started approving C3PAOs for official assessments. RSI Security is currently pursuing C3PAO certification and, as an experienced NIST SP 800-171 compliance advisor, can guide your organization through the CMMC audit and implementation process. Our advisory services are tailored to meet your specific compliance needs and ensure readiness for certification.
Rethink Your CMMC Audit Process, Certification, and Security
Achieving full CMMC integration and certification can be complex. To prepare effectively for a CMMC audit, companies should first determine the required Maturity Level and assess existing cybersecurity controls. Next, any gaps should be addressed by implementing or acquiring the remaining necessary controls. Finally, organizations must evaluate their implementation to ensure readiness for the official audit.
Starting with an internal audit is highly recommended, as it helps identify issues early. However, some organizations may choose to proceed directly to an official C3PAO assessment to accelerate certification while still ensuring compliance and security.
To get started, contact RSI Security today!