What is a CMMC audit and how to prepare for one


The Cybersecurity Maturity Model Certification (CMMC) is replacing the previous cybersecurity self-assessment process known as DFARS (Defense Federal Acquisition Regulations System), which made businesses contracted to work with the Department of Defense (DoD) responsible for their own compliance. CMMC certification is achieved through external auditing, and failing will result in your business being unable to work with the DoD as a contractor, or even bid on contracts.

Read this CMMC audit guide to learn more about CMMC compliance, levels, and how to prepare for your CMMC audit.

What is CMMC compliance?

CMMC, now on version 2.0, is a new certification program for all DoD contractors who work with Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It comprises three different levels that gauge a business’s cybersecurity hygiene from Basic to Advanced.

Unfortunately, the DoD found too many of its contractors to be DFARS noncompliant, resulting in several data leaks and compromises in recent years. The new program will involve a mandatory third-party certification in the form of the CMMC audit.

Who needs CMMC certification?

Any company contracted to work with the DoD that handles CUI or FCI in any capacity is required to comply with the National Institute of Standards and Technology (NIST) 800-171 regulations outlined in DFARS. If your business has worked with CUI or FCI in the past, the groundwork for complying with the lower levels of CMMC may already be there.

CMMC consists of three certification levels. If you’re a small business that handles FCI or a minimal amount of CUI, the new compliance requirements outlined in CMMC should largely match your previous DFARS obligations, which means you’re already well on your way to complying with CMMC.

If you’re a large business that regularly deals with CUI, you will need to upgrade your security. The DoD will assign you a CMMC level based on the amount of government information your organization handles. It will then be up to you to meet the CMMC requirements outlined by that level and seek out an audit to officially achieve your certificate.

💻 To learn more about the three CMMC levels and who needs to be CMMC compliant, read our article Cybersecurity Maturity Model Certification (CMMC 2.0).

What is a CMMC audit?

A CMMC audit is an assessment of your business’s cybersecurity by an accredited CMMC third-party assessment organization (C3PAO). Since CMMC is still in development, the CMMC Accreditation Body (CMMC AB), composed of volunteers working independently of the DoD, is also still developing as an organization. This means it will be some time before third-party assessments are available, as assessors are still in training. While dates seem to change constantly, it’s estimated that all companies that contract with the DoD will need to reach CMMC compliance by 2025.

But don’t breathe a sigh of relief just yet — preparing for a CMMC audit will take a lot of time, and the number of organizations within the Defense Industrial Base (DIB) is in the hundreds of thousands. When audits become available, they’ll be in seriously high demand, so it’s important to get the process started right away.

Preparing for a CMMC audit

To help contractors meet the new CMMC obligations, the DoD authorizes Registered Provider Organizations (RPOs) to provide CMMC consulting and support. RPOs are trained in CMMC methodologies and trusted by the DoD to provide CMMC audit preparation. Partnering with an RPO will simplify and accelerate the auditing process and get you ready for an audit by a C3PAO.

Here are the steps to preparing for a CMMC audit:

1. Determine your CMMC certification level

How you prepare for your audit depends entirely on the level of CMMC certification you require. Small businesses that don’t work with CUI may need to do very little, whereas larger entities will have to implement a long list of additional security requirements in order to achieve CMMC compliance.

Level 1 is the lowest level and is required for contractors who handle Federal Contract Information (FCI), which is information not intended for public release but is not considered sensitive. This level includes basic safeguarding requirements and is intended for contractors who do not generally deal with Controlled Unclassified Information (CUI).

Level 2 is required for contractors who handle FCI and also involves intermediate safeguarding requirements. This level may apply to contractors who are further along in their cybersecurity maturity journey and who have more complex needs than those at Level 1.

Level 3 is required for contractors who handle CUI and involves more advanced safeguarding requirements. This level includes all of the practices in Levels 1 and 2, as well as additional security controls to protect CUI.

Also note that if a company needs to comply with CMMC requirements, it will typically be informed by its contracting officer or by the prime contractor it is working with on a DoD contract. The contracting officer is responsible for ensuring that all contractors working on a particular contract meet the necessary cybersecurity requirements, including CMMC compliance.

2. Assess your current state of security

The next step is understanding your current state of security by doing a CMMC security gap assessment. If you are already following all of the previous NIST 800-171 requirements, and you only need a certification of Level 1–2, you may have very little to do to become compliant.

Complete a thorough assessment of your current state of cybersecurity to determine what steps you need to take to achieve and maintain CMMC compliance. Even if you only need low-level certification, it’s still important to assess your current procedures to ensure nothing has slipped through the cracks. Since you were previously responsible for assessing yourself, there could be requirements you didn’t know you were missing or protocols that need updating.

3. Establish a security roadmap

Based on your results, what do you need to do to achieve a successful audit? Create a roadmap of the steps you need to take to become compliant in time for your CMMC audit.

This may require that you develop a System Security Plan (SSP), a key document that outlines an organization’s security practices and procedures. Contractors should develop an SSP that documents how they are meeting each CMMC requirement.

Ensure you are able to get protocols and security measures in place in time for your CMMC audit by working backward from the date you need to be assessed. Give yourself extra time in case you experience complications along the way. There could be long wait times for audit appointments, and you don’t want work to be delayed by a certification failure.

4. Implement the required security practices

Once you have your roadmap or System Security Plan and have identified the security gaps that stand between you and compliance, the next step is to implement the required security practices for your targeted CMMC level.

For example, for CMMC Level 1 you must implement the 17 basic cybersecurity hygiene practices defined in the CMMC model, and for Level 2 you need to implement all 110 controls of NIST SP 800-171.

5. Conduct periodic assessments

Once you’ve implemented the required security practices, and if there is some time before your official CMMC audit, it is a good idea to conduct periodic assessments to ensure that your security practices continue to meet your CMMC level requirements. This helps you identify issues or gaps that emerge over time and address them before the formal audit is conducted.

6. Select an authorized C3PAO

Now that you’re ready for an official CMMC audit, it’s time to select an authorized CMMC Third-Party Assessment Organization (C3PAO) to conduct your formal assessment. It is important to choose a qualified and experienced C3PAO to ensure an accurate and fair assessment. You can find certified C3PAOs on the Cyber AB website.

Get prepared with a COUPLE of GURUS

As we have Registered Practitioners (RPs) on staff, we can ensure your organization is ready to pass the CMMC audit, whether you are applying for Level 1 or Level 3.

Contact a COUPLE of GURUS and we can get started on preparing you for your CMMC audit.