CMMC Compliance Audit
CMMC Compliance Audit Checklist
The U.S. Department of Defense’s (DoD’s) Cybersecurity Maturity Model Certification (CMMC) and its compliance challenges are best assessed with a CMMC compliance audit checklist. Using a CMMC compliance audit checklist to prepare for a CMMC compliance audit helps bring order to the process and streamlines remediation efforts.
Organizations are advised to use a CMMC compliance audit checklist before working with a CMMC Registered Provider Organization (RPO), which will perform a more comprehensive assessment to confirm that everything is in order for CMMC certification. Following are several key elements of a CMMC compliance audit checklist.
Understand What Is Involved in the CMMC Certification Process
A CMMC compliance audit checklist should include descriptions of exactly what is required for compliance at each of the three CMMC 2.0 maturity levels. This requires an in-depth review as there is more than just the number of practices at each level. For instance, at Level 2, there are 110 practices within NIST SP 800-171, but there are 320 total assessment objectives that must be met.
Identify, Assign, and Engage Internal Stakeholders
The number of stakeholders involved in the process will vary based on the size of an organization and the level of maturity certification it will pursue. At a minimum, an organization needs to have an executive sponsor, an information technology (IT) contact, an information security representative, a representative from the facilities management team, and a human resources representative to run an effective CMMC compliance audit. Internal teams can be augmented by a registered provider organization (RPO). An RPO can be found in the Cyber-AB Marketplace.
Determine the Maturity Level Required
The required maturity level is driven by the types of information that an organization stores and uses. Organizations that work with federal contract information (FCI) can meet compliance requirements by achieving a maturity Level 1 certification. The requirements for Level 1 include 17 controls from NIST SP 800-171. Level 1 requirements are aligned with the requirements in FAR 52.204-21.
Level 2 is for those primary contractors and subcontractors that handle controlled unclassified information (CUI)—either currently or plan to do so in the future. To secure contracts that contain the DFARS 252.204-7012 clause, organizations must achieve a Level 2 certification, which is also aligned with NIST SP 800-171. The most difficult maturity level certification is Level 3. This is a requirement only for large prime integrators. Level 3 certification requirements also include a subset of controls from NIST SP 800-172.
Document Where FCI and CUI Exist
To understand where FCI and CUI exist within the organization, it is necessary to completely document the people, technology, and facilities that store, process, and share sensitive data, as well as the systems that are used to protect it. Protection includes isolating systems with FCI and CUI with physical systems (e.g., gates, locks, guards, access badges) and logical separation (e.g., firewalls, VLANs). To accurately identify all instances of FCI and CUI, create a data flow diagram, a network diagram, a facility diagram, and an organizational chart.
Conduct Gap Analysis
A gap analysis should be used to assess areas of weakness. This can be conducted by an internal team or a third party. The gap assessment should include a review of all documentation to discover any deficiencies in policies, procedures, or reporting for people, processes, physical security, systems, and applications. Upon completion of the gap analysis, a report should summarize the findings and highlight areas that require remediation.
Measure Performance In Each Practice Area
Each practice area within the scope of the desired maturity level must be documented, with special care taken to evaluate areas with multiple assessment objectives. Because the assessment objective is what an assessor will review during the assessment, documentation of performance should be well-organized to make it easy to correlate performance documentation with assessment objectives.
Create a Plan Of Action and Milestones (POA&M) and a System Security Plan (SSP)
When deficiencies are identified through gap analysis or performance assessments, any practices not meeting the requirements should be addressed in a POA&M. This should be coupled with an SSP that describes the information system boundaries and documents how NIST SP 800-171 security requirements will be implemented.
According to CMMC 2.0, some practices may be incomplete at the time of the certification assessment if they will be addressed via POA&Ms. However, this is limited to those practices with a value of one point in the Department of Defense’s Supplier Performance Risk System or SPRS. As a frame of reference for this scoring, security controls that could lead to significant network exploitation are worth five points.
How Do You Perform a CMMC Compliance Audit?
For each practice, there are three potential assessment methods. To prepare for a CMMC compliance audit, all three methods should be considered. The CMMC compliance audit will evaluate each practice using at least two of the three assessment methods.
1. Examine the assessment objects to determine if the required information is available, then review it for errors, omissions, or inconsistencies. The assessment objects include:
- Document-based artifacts
- Mechanisms, such as hardware, software, or firmware protections
- Activities, such as protection-related actions that involve people
2. Interview individuals to help the assessor understand the environment, answer questions, or gather evidence
3. Test assessment objects under specific conditions to confirm that actual behavior aligns with expected behavior
A CMMC compliance audit is an effective way to accurately assess the current state of an organization to help identify the steps that need to be taken to become compliant. Following is an outline of an approach for a CMMC compliance audit.
1. Kickoff stage, where your organization should:
- Identify points of contact across departments, including IT, security, human resources, facilities, and operations
- Share an overview of the CMMC framework with key stakeholders and the extended team that will support the CMMC compliance audit
- Provide the assessment team with guidance for formulating questions they should be asking about how data is managed and protected
- Determine what information will need to be shared as part of the CMMC compliance audit, such as password enforcement policies or security training materials
- Define the process for making this information available to appropriate stakeholders
- Develop a schedule for assessments and interviews
2. Interviews with key personnel who can attest that specific controls have been met, which should include notes about relevant artifacts that validate the attestation
3. Interview analysis to enable initial scoring and verification of the artifacts to confirm that requirements are met
4. Report on the outcomes of the CMMC compliance audit should be released to the leadership team and any other stakeholders with a request for them to review and provide feedback prior to submission of the final report, which should include:
- Executive summary with an overall compliance breakdown according to maturity level
- DFARS Interim Scoring Rule with the score to be uploaded to the Supplier Performance Risk System (SPRS)
- Key observations and recommendations for remediating compliance gaps
- Detailed analysis of the organization’s performance in each practice
5. Presentation and discussion of the CMMC compliance audit results, key compliance findings, and next steps
A recommended timeline for a CMMC compliance audit is:
- Week one
- Hold a kickoff meeting
- Confirm scope and objectives
- Identify stakeholders and points of contact across the organization
- Start collecting and reviewing artifacts
- Weeks two and three
- Review the security framework
- Conduct interviews and follow-ups
- Analyze the data
- Gather outstanding artifacts
- Weeks four and five
- Write and distribute a draft report
- Engage leadership and stakeholders in a review of the findings and solicit their feedback
- Incorporate feedback into the next draft of the report
- Week six
- Issue the final draft report
- Conduct a review of high-level findings with leadership and stakeholders
- Obtain sign-off from leadership team
- Begin work to remediate compliance gaps
How Much Does a CMMC Compliance Audit Cost?
Experts agree that the CMMC certification costs for CMMC 2.0 should be significantly lower than those of CMMC 1.0. This is because CMMC 2.0 streamlines requirements for all levels. In addition, contractors at Level 1 and some Level 2 certifications only require self-assessments instead of third-party assessments by a CMMC Third-Party Assessor Organization, otherwise known as a C3PAO.
The cost of a CMMC compliance audit depends upon the size of an organization and the desired level of certification. The costs of a CMMC compliance audit include the following:
This includes the time required for CMMC compliance audit preparation, including planning, budgeting, training, and documentation. It also includes the time that personnel require to perform these tasks, which can be completed by internal staff or third-party consultants.
The process of identifying and closing gaps in CMMC compliance is necessary for obtaining certification. These remediation expenses can include the cost of upgrading infrastructure, facilities, and related technologies.
Remediation costs include upgrades for hardware like servers and individual computers, as well as upgrades for IT security software like firewalls and email applications.
A CMMC compliance audit requires a significant amount of time on the part of company executives, managers, IT support staff, business partners, and others.
For organizations that need to attain the higher Level 2 and Level 3 for CMMC 2.0 compliance, they require a formal assessment from a C3PAO.
CMMC also requires time and money to maintain technology and perform ongoing cybersecurity preparedness activities, after a contractor obtains its certification.
What Does the CMMC Compliance Audit Process Consist Of?
As noted, any organization that wants to bid on and service contracts for the Department of Defense must obtain CMMC certification at the appropriate level. To verify qualification, the organization must undergo a CMMC compliance audit that includes the following steps.
Step 1: Business Scope Determination
It is a common misunderstanding among organizations seeking certification (OSCs) that CMMC certification is an entity-level certification, not just a systems-level technical certification. In this first step of a CMMC compliance audit, it is necessary to identify the entity that’s applying for certification. This can involve unraveling a complex structure with multiple Commercial and Government Entity Program (CAGE) codes. To streamline the CMMC compliance audit process, business scope can be defined around a specific line of business or business unit that works on federal projects and has the requisite qualifications.
Step 2: Technical Scope Determination
Called Authorization Boundary in other certifications (e.g., FedRAMP), technical scope can include everything from laptops, desktops, and printers to a subset of the organization’s network and data backups. During the technical determination phase, the scope of these technical elements is established by creating an inventory that includes an explanation of each component’s connections to FCI and CUI.
Step 3: Assess cybersecurity programs
This part of the CMMC compliance audit requires an explanation of what cybersecurity systems and processes are in place to protect sensitive data. It can also include simplified regulations, such as the International Traffic in Arms Regulations (or ITAR) and more stringent ones, such as the Risk Management Framework or RMF variants that include classified facilities with program-specific Joint Special Access Program Implementation Guide or JSIG requirements.
Step 4: Review of cybersecurity controls
An in-depth review of controls should leverage approved test cases from the CMMC-AB and NIST SP 800-171 Assessment Guide. This review of cybersecurity controls should focus on the technical scope as this is where FCI and CUI are stored, managed, and shared.
Step 5: Verify cybersecurity controls
Following a review of cybersecurity controls that are in place, it is necessary to verify that they perform as expected. This requires an in-depth evaluation of each of the cybersecurity controls to confirm that they are implemented and deployed correctly.
Step 6: Review of POA&Ms
This step involves reviewing existing POA&Ms and, possibly, generating additional ones. This allows the organization to plan for non-critical deficiency remediation.
Step 7: Issuance of the certification
After POA&Ms are closed, the final step in the CMMC compliance audit is the report and certification.
Other items to consider with the CMMC compliance audit process are:
- Cyber resilience checks to identify any weaknesses across the IT ecosystem, including:
- Hardware and software inventories
- Staff awareness levels
- Industry threat landscape
- Data mapping
- Physical security
- Data checks
- Domain and capabilities assessment
- Process Integration evaluation
- Staff cybersecurity awareness assessments
Five Tips to Prepare for a CMMC Compliance Audit
1. Assess maturity and risk across business and technology processes, to assess how well cyber security systems are performing.
2. Develop policies and procedures to meet compliance requirements.
3. Maintain CUI environment documentation that includes information regarding various processes, technology, and people in a CUI environment.
4. Operationalize the security policies into step-by-step procedures.
5. Use control implementation and execution metrics to identify areas that need improvement.
Benefits of a CMMC Compliance Audit
As with any initiative that forces an organization to assess its cybersecurity posture, a CMMC compliance audit does have significant upside. The controls set forth in CMMC 2.0 reflect cybersecurity best practices that help an organization protect its data and systems from today’s steady stream of cyberthreats and risk.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 28th November, 2022