CMMC Audit
Organizations that store, process, or transmit Controlled Unclassified Information (CUI) for the U.S. Department of Defense (DoD) are currently required to conduct a NIST SP 800-171 self-assessment and report the resulting score to be eligible for DoD contracts.
Once the Cybersecurity Maturity Model Certification (CMMC) is fully implemented, many contractors will be required to undergo a cybersecurity audit by either a certified third-party assessor or the government itself in order to receive DoD contracts. Cybersecurity audits in general can be complex and challenging, but with preparation and a strategic approach, organizations can achieve success and avoid unnecessary setbacks.
What is a CMMC Audit?
Cybersecurity and the protection of sensitive data are paramount concerns for organizations of all sizes and industries. The DoD recognizes the need to ensure CUI is secured within the Defense Industrial Base (DIB) and created the Cybersecurity Maturity Model Certification (CMMC) framework.
The CMMC framework enforces data security standards for the safeguarding of sensitive information and national security interests. It is a unified standard designed to evaluate and enhance the cybersecurity posture of DIB companies.
Once CMMC is fully implemented, certain DoD contractors that handle sensitive unclassified DoD information will be required to achieve a particular CMMC level as a condition of contract award. Once finalized, the CMMC audit will be a thorough assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) to evaluate adherence to the NIST cybersecurity controls that the CMMC framework references.
CMMC Maturity Levels
After difficulties in rolling out its originally proposed CMMC model, the DoD has announced the CMMC 2.0 program as the next iteration of the CMMC model. It streamlines requirements to three levels of cybersecurity maturity and aligns those requirements at each level with NIST cybersecurity standards.
Maturity Level 1
Organizations need to demonstrate basic cyber hygiene across 17 practices that represent the basic safeguarding requirements under FAR 52.204-21. Level 1 allows suppliers to self-attest to their compliance through annual self-assessments.
Maturity Level 2
Organizations need to demonstrate they have implemented the requirements of NIST SP 800-171, the same controls that have been required under the preexisting DFARS 252.204-7012 clause since 2017. This means 110 practices, which include the CMMC Maturity Level 1 requirements.
The DoD anticipates two different paths to compliance at this level, depending on the type of data processed, stored, or handled. Organizations that handle information critical to national security will likely be required to undergo a C3PAO assessment every three years. In contrast, contractors who handle a subset of CUI that is not critical to national security may still perform an annual self-assessment.
Maturity Level 3
Organizations will need to demonstrate compliance with a subset of NIST SP 800-172, which provides the foundation and controls for a defense-in-depth protection approach against advanced persistent threats. These additional practices must be implemented along with the CMMC Maturity Level 1 and Level 2 requirements. Organizations will be required to undergo a government-led assessment every three years.
Who Needs CMMC Certification?
While the final regulations have not yet been published, it is likely that the following types of organizations will be required to seek a CMMC certification:
- Defense Contractors: Any organization that seeks to bid on DoD contracts, including prime contractors and subcontractors, will most likely need a CMMC certification with the maturity level specified in the contract.
- Suppliers and Service Providers: Organizations that provide goods or services to DoD contractors and handle CUI may also be subject to CMMC assessments or audits. This includes various tiers of suppliers and service providers in the defense supply chain.
- Subcontractors: Subcontractors working on projects for prime contractors that involve DoD CUI, or whose subcontracts carry a CMMC flow-down clause, will need to meet the level specified for the work they perform.
It's important to note that CMMC assessments are specific to organizations that are part of the defense industrial base and interact with the DoD. The level of CMMC compliance required depends on the nature of the organization's work, the type of information it handles, and its role in the defense supply chain.
The CMMC Audit Process: A Closer Look
When finalized, the CMMC audit process will be a thorough assessment conducted by a C3PAO to evaluate adherence to the NIST cybersecurity controls that the CMMC framework references. The expected process involves the following key stages:
- Preparation: Organizations Seeking Certification (OSCs) must undertake thorough preparations, including identifying the specific CMMC level required for their contracts and conducting a self-assessment against the relevant practices and processes.
- Selection of C3PAO: Organizations must engage a Certified Third-Party Assessment Organization (C3PAO) to perform the audit. The C3PAO is responsible for conducting an in-depth evaluation of the company's cybersecurity practices.
- Document review: During the audit, the C3PAO reviews the organization's documentation, policies, and procedures related to cybersecurity. This step is crucial in assessing the maturity of the company's cybersecurity controls.
- On-site assessment: Depending on the CMMC level being pursued, the on-site assessment may involve interviews with personnel, examination of technical systems, and a review of physical security measures. This step aims to verify the implementation and effectiveness of the cybersecurity practices.
- Assessment report: Following the assessment, the C3PAO prepares a comprehensive report detailing the organization's adherence to the CMMC requirements, identifying strengths, weaknesses, and areas for improvement.
- Certification: Based on the assessment report, the C3PAO awards the organization a CMMC certification at the appropriate maturity level if it meets the required criteria. This certification is essential for bidding on DoD contracts that stipulate a specific CMMC level.
Are There CMMC Auditors?
Yes, there will be CMMC auditors once the program is official. The CMMC program involves a comprehensive audit process to assess and certify the cybersecurity maturity levels of organizations that are seeking CMMC certification. The audits will be conducted by certified third-party assessment organizations (C3PAOs) and certified individual assessors.
The involvement of certified auditors and assessment organizations in the CMMC process is essential to maintain the integrity and credibility of the certification program. Their role ensures that organizations within the DoD supply chain meet the required cybersecurity standards and are adequately prepared to handle cyber threats.
Who Conducts the CMMC Audit?
- CMMC Certified Assessors: CMMC assessors are individuals certified through the Cyber AB (formerly the CMMC-AB) to evaluate organizations against the CMMC framework. They conduct on-site or remote assessments on behalf of a C3PAO to determine whether an organization meets the required cybersecurity practices and processes for certification.
- Certified Third-Party Assessment Organizations: C3PAOs are organizations authorized by the Cybersecurity Maturity Model Certification Accreditation Body (the Cyber AB) to perform official CMMC assessments. They employ CMMC assessors and are responsible for conducting the assessments and issuing CMMC certifications to organizations that meet the requirements.
Who trains and manages the CMMC Auditors?
The Cyber AB is the official accreditation body for the CMMC program and the sole authorized non-governmental partner of the DoD for overseeing the training and certification of CMMC assessors and the accreditation of the organizations that perform CMMC assessments. It plays a central role in establishing and maintaining the integrity of the CMMC ecosystem. Note that the Cyber AB accredits assessors and C3PAOs; it does not itself certify organizations seeking certification.
The primary mission of the Cyber AB is to authorize and accredit the C3PAOs that conduct CMMC assessments.
Currently, the Cyber AB also manages the professional certification and training aspects of CMMC. This responsibility, however, is being separated from the Cyber AB into its own entity, the Cybersecurity Assessor and Instructor Certification Organization (CAICO).
The Cyber AB's support to CMMC is through a direct contract with the CMMC Program Management Office (PMO) within the DoD.
What is the difference between CMMC and NIST 800-171?
CMMC is the assessment and certification program for DoD contractual cybersecurity requirements. When finalized and rolled out into contracts, CMMC will appear as DFARS clause 252.204-7021.
NIST SP 800-171 is the set of cybersecurity controls that DoD contractors are required to implement through the DFARS 252.204-7012 clause, which has been in effect since 2017.
Defense contractors do not "implement CMMC." They are required to implement the NIST SP 800-171 controls; the CMMC program is the assessment mechanism that verifies whether those controls have actually been implemented.
Tips to Prepare for a CMMC Audit
Preparing for a CMMC audit is crucial to ensure your organization's compliance with the required security standards. The CMMC framework is designed to enhance the cybersecurity posture of the entire defense supply chain. Here are some tips and best practices to help you prepare for a CMMC audit:
- Understand CMMC requirements: You are responsible for your own compliance and for staying aware of program details. Determine which CMMC level your contracts require, define the boundary of the systems that store, process, or transmit CUI, and map each applicable NIST SP 800-171 requirement to the control that satisfies it.
- Documentation and policies: Ensure you have comprehensive documentation of your cybersecurity policies, procedures, and practices. This includes security plans, incident response plans, risk assessments, and other relevant documentation. Make sure all documentation is well-organized and easily accessible for auditors. Develop and test an effective incident response plan that outlines how your organization will handle and mitigate cybersecurity incidents.
- Employee training: Train your employees on cybersecurity best practices and their roles in maintaining a secure environment. Human error is a common cause of security breaches.
- Network security & access control: Implement network security measures such as firewalls, intrusion detection and prevention systems (IDS/IPS), and monitoring. Implement strong access controls to ensure that only authorized individuals have access to sensitive systems and data. This includes user authentication, authorization, and the principle of least privilege.
- Data encryption: Implement encryption for sensitive data both at rest and in transit. This helps protect data from unauthorized access. Note that NIST SP 800-171 (3.13.11) requires FIPS-validated cryptography when encryption is used to protect the confidentiality of CUI, so check that the cryptographic modules in use carry a FIPS 140 validation rather than merely using FIPS-approved algorithms.
- Vendor management: If you work with third-party vendors or contractors that handle your CUI, ensure they also adhere to the requirements of CMMC and that the requirements flow down to them in your subcontracts. Their compliance will impact yours.
- Engage external experts: Consider hiring external cybersecurity experts to perform pre-audit assessments and provide guidance on achieving and maintaining compliance.
- Conduct readiness assessments: Conduct assessments to simulate an actual audit process. This can help you identify and address any gaps or issues before your official audit.
CMMC compliance is an ongoing process, and maintaining a strong cybersecurity posture between assessments is necessary to ensure the security of your organization's data and systems.