By: Eileen Smith on May 14, 2025

Understanding Your CMMC Audit: Here's What You Can Expect

Cybersecurity | Compliance

Whether you're still in the planning stages of your CMMC compliance journey, or you've already started preparing, you're probably wondering what you can expect during your CMMC assessment when the time comes.

If you're a Defense Industrial Base (DIB) contractor or subcontractor, you know the Cybersecurity Maturity Model Certification (CMMC 2.0) Final Rule mandates assessment and compliance requirements to achieve CMMC certification. 

Failing to get certified could jeopardize your existing Department of Defense (DoD) contracts or make you ineligible for new ones. 

In this article, we’ll explore the importance of the CMMC assessment within the regulation’s framework and what you can expect an independent auditor to ask during your on-site evaluation.

With this information, you’ll be able to gather the necessary documentation and train your team on what to prepare for so that you’re ready to green light your CMMC certification.

Why Do I Need To Get Audited For CMMC Certification?

CMMC 2.0 draws on several different existing federal cybersecurity regulations and guidelines, including National Institute of Standards & Technology (NIST), Defense Federal Acquisition Regulation Supplement (DFARS), and earlier versions of CMMC. 

Since these cybersecurity standards were already on the books, organizations within the Defense Industrial Base (DIB) were already supposed to be following those cybersecurity requirements.

The problem was that the regulations lacked teeth and the necessary oversight to ensure the proper security controls were in place to protect federal contract information (FCI) and controlled unclassified information (CUI). 

So, the government decided to change the way that it awards DoD contracts to DIB organizations in order to establish a verification system to strengthen the federal supply chain.

Under CMMC 2.0, which went into effect Dec. 16, 2024, DoD suppliers and subcontractors must now undergo an assessment as a way to prove compliance in order to maintain their contracts or to be considered for new ones.

Under the regulation, businesses are split into three assessment and compliance levels depending on the type of federal FCI or CUI data they handle, process, or share. Those levels determine the security requirements and the type of assessment each business must get.


Related Article: CMMC Rule Approved: Next Steps For Compliance


For instance, Level 1 businesses must satisfy 17 basic CMMC cyber hygiene practices that align with Federal Acquisition Regulation (FAR) and perform an annual self-assessment to obtain certification.

Level 2 businesses must implement more security controls aligned with NIST SP 800-171 in order to meet the compliance requirements. They also require tougher assessment standards.

Most Level 2 DIB primes and their subcontractors will need to be assessed every three years by a certified third-party assessor organization (C3PAO).

Level 3 businesses must meet the most stringent security requirements, which includes additional controls from NIST SP 800-172. In addition, these contractors must be assessed every three years by federal auditors through the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

What Does A CMMC Assessment Cover?

Your audit will depend on your specific CMMC assessment level. 

That being said, all of the assessments will generally cover the same broad categories to determine the effectiveness of your security controls intended to protect FCI and CUI. 


Related Article: 5 Questions To Pinpoint Your Required CMMC Level


Those categories include: 

Documented policies & procedures: 

What are the policies you have in place to ensure the security and integrity of the federal data you store, process, or transfer? For instance, do you have a comprehensive incident response plan in place?

What are your policies and procedures for backing up, transmitting, storing, or deleting files? Do you know which of your staff is authorized to handle CUI, and have you educated them on dissemination, access, and storage controls?

What employee training are you providing to ensure that your team is educated on new and emerging cybersecurity threats to protect your data, devices, and systems?

A key part of your audit will be a review of your system security plan (SSP). This comprehensive document, which details your security framework, controls, and compliance measures, is required for certification. 


Related Article: CMMC Step 4: SSP Documentation–What’s Your CMMC Compliance Evidence?


The thoroughness of your documentation will be critical to your ability to prove CMMC compliance during your audit. Along with interviews of your staff and demonstrations of security features, your documented policies and procedures will serve as proof of your compliance.

A managed IT service provider (MSP) can help you develop and implement the required documents if you don't already have these in place, or conduct a comprehensive review of your existing policies. 


Related Article: Do I Need A Managed IT Service Provider To Meet CMMC Requirements?


Technical controls:

What data encryption, network security, and system access measures have you implemented? 

Do you have the right access controls in place for authentication and identity verification to limit access to your data and systems to authorized users?

Do you have an endpoint detection and response system to identify devices connecting to your network and detect any unusual behavior from those devices?

Have you implemented robust data encryption tools, a security information and event management system (SIEM) for active threat detection and remediation, or next-generation firewalls? 

These and other security guardrails, along with your policies and procedures, will provide the backbone of your compliance efforts toward CMMC certification. 

Level 2 businesses must meet 110 NIST SP 800-171 security requirements for protecting CUI within their environments.

Most Level 2 organizations will be required to get audited every three years by a certified third-party assessor organization (C3PAO). Keep in mind that businesses can't use the same C3PAO to both prepare them for and conduct their CMMC audit. 

Level 3 businesses are required to meet the most stringent requirements, including security controls aligned with NIST SP 800-172. Level 3 contractors and subcontractors will need to have their CMMC cybersecurity measures assessed by the government every three years. 

What To Expect From Your CMMC C3PAO Audit

During your audit, representatives from the C3PAO will come to your location to interview key members of your organization and evaluate your policies, procedures, physical and virtual security controls, network access, and other parts of your organization that handle, store, or transfer FCI or CUI.

The purpose of the audit is to ensure that you’re doing everything possible to safeguard the sensitive government information you’re responsible for protecting.

C3PAO assessors won’t pore over your actual government contracts or rifle through your files hunting for CUI and FCI.

As a Level 2 business, it's important that you and your chosen assessor reach an agreement on the parts of your environment that will be included within your CUI scope before your official audit.

Auditors will look to see how well you’re able to show your CMMC readiness, as well as explain and demonstrate the security controls you’ve implemented to minimize security risks and meet compliance.


Related Article: CMMC Step 2: How A Gap Analysis Can Help You Find Your Security Risks


They’ll do this in several ways, including observing staff following the security measures; interviewing employees to gather information about specific controls; reviewing your documented policies, procedures, and training materials; and evaluating your in-scope network boundary and CUI data flow diagrams.

Your audit success will depend on the evidence you have to prove compliance.

Questions You Can Expect The Assessor Will Ask During Your CMMC Audit

Access controls:

What controls have you implemented to restrict access to your data and systems?

Systems configuration:

What guardrails have you implemented to ensure that your systems, hardware, software, and other parts of your infrastructure are running securely and functioning as they should?

Incident response:

What cybersecurity policies, tools, procedures, and other resources have you adopted in the event of a cyber incident?

Data security:

How are you protecting the FCI and CUI you store, process, or transmit?

Active network monitoring, threat detection, and endpoint detection and response are some of the cybersecurity tools that can help safeguard the sensitive federal data you handle. 

Authentication:

What safeguards do you have in place to verify user identity to prevent unauthorized access to your data, devices, and network?

Be aware that for your CMMC assessment, auditors won’t be allowed to accept documents that are incomplete or in draft form. So, make sure your documents are in order and finalized before your audit takes place.  

You should also know that certain documents will require a signature line. In this case, you’ll need to ensure that the person responsible for implementation signs off on the document and that any revisions are approved by the appropriate authority.

Awareness and training:

What employee security awareness training do you provide to educate staff not only on new and emerging cyber threats, but also on how to properly use or enforce the CMMC security controls you’ve adopted?

Documentation:

What evidence—including your written policies, procedures, and processes—do you have to show as proof that you’ve met the CMMC compliance requirements?

The Bottom Line With CMMC Audits For Level 2 Businesses

The best way to increase your chances of a successful audit is to make sure that your organization is fully prepared with not only the required security controls in place, but also the right documents that demonstrate CMMC compliance. 

If not, you could end up losing valuable time and money with a failed audit requiring further remediation and documentation. 

You should also be aware that a C3PAO audit won’t happen in a day. In fact, small and medium-sized businesses can expect such assessments to take at least one to two weeks to complete.

For large enterprises with complex systems, the CMMC assessment process can take months. Also, with a limited number of assessors, you should start preparing now.

If you’re nowhere near ready for your CMMC assessment, don’t panic—you’re not alone. 

If you're not sure if you have the right documentation in place, or you need help drafting an incident response plan, system security plan (SSP), or other required documents necessary for CMMC certification, we can help.

As an MSP, Kelser is experienced in getting businesses like yours compliant with various industry regulations, including NIST and CMMC. 

Our CMMC Certified Professional (CCP) can provide expert guidance to ensure you have the right policies, procedures, and documents ready to go for your audit. 

Click the button to reach out to us. We’ll respond quickly and set up a chat to discuss where you are in your CMMC journey and see how we can help guide you to a successful outcome.

About Eileen Smith

Eileen merges her extensive experience as an educator and professional journalist into her role as Kelser’s Content Manager. She brings a different perspective in translating complex technology ideas into easy-to-understand articles.
