How to Prepare for CMMC Deadline? CMMC Audit Checklist

Preparing for CMMC Compliance

In spite of there being some speculation about DoD delaying the rulemaking, CMMC 2.0 compliance will be inevitable in the times to come. Since we are currently chasing the timeline of the compliance deadline of October 2025, companies need to strategically think about how they can get certified. If you are wondering how to prepare for CMMC and achieve compliance, we will walk you through the process and help you with a CMMC audit checklist.

By some estimates, it can take around 18 months for organizations to achieve compliance with CMMC. With this timeline in mind, it would help to start preparing for the CMMC audit now so that the deadline of October 2025 can be met. Since CMMC will be mandatory for all DoD contracts, organizations in the DoD supply chain or those wanting to bid on future DoD projects must start planning for CMMC audit and certification soon. 

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a framework designed for all contractors and subcontractors in the DoD supply chain so that they maintain the required level of cybersecurity maturity. The goal of CMMC is to help protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that might be exposed to organizations working on DoD contracts.  

CMMC was first introduced in January 2020, and the earliest version is known as CMMC 1.0. The latest version is CMMC 2.0 and is still in the rulemaking phase. However, it is expected to roll out in the coming months, and organizations must be prepared to comply with the new CMMC rules.

What CMMC Level Do I Need?

There are different CMMC levels, each defining how defence contractors should handle FCI and CUI while aligning with the required cybersecurity maturity to protect sensitive information. CMMC 1.0 had 5 maturity levels. CMMC 2.0 has been streamlined to have 3 maturity levels.

The maturity levels are progressive with each higher level having increasingly stringent cybersecurity requirements. While contractors handling low-sensitivity data will need lower CMMC levels, the highest levels apply to organizations that handle sensitive CUI of high priority. 

As mentioned earlier, CMMC 2.0 is in the rulemaking phase. Once CMMC 2.0 is officially rolled out, DoD will specify the required level in solicitation and in any RFIs. 

Below is a breakdown of the CMMC levels including how the levels apply to organizations. This will give you some insights into which CMMC level would apply to you based on the information you handle as part of DoD contracts.

CMMC 1.0 Certification Levels

CMMC 1.0 framework was deemed as complex. Also, the cost associated with implementing CMMC 1.0 was higher making it challenging for SMBs in the DIB. Thus, CMMC 2.0 is being introduced to streamline the framework and its levels. The cost of achieving compliance is also expected to be lower compared to CMMC 1.0. The table below shows a breakdown of CMMC 2.0 certification levels.

CMMC 2.0 Certification Levels

CMMC Training for Contractors 

The CMMC framework can be daunting for SMBs, even though CMMC 2.0 is being rolled out with the aim of streamlining the requirements and assessments. Even with the revised framework, planning the cybersecurity activities to achieve compliance can be a mammoth task. 

Hence, contractors who are looking to get certified need some guidance to get started. Contractors also need support at each step of implementing cybersecurity controls and demonstrating compliance to get CMMC certified. 

Below are some steps contractors can take to educate themselves about CMMC and seek appropriate guidance.

CMMC Audit Checklist

A CMMC audit evaluates the cybersecurity posture of an organization. It is performed by a C3PAO (Certified Third-Party Assessment Organization) accredited by the CMMC Accreditation Body (CMMC-AB). 

There are an estimated 300,000+ organizations that need to be certified. Since C3PAOs are still in the training phase, it might be some time before an organization has access to a C3PAO for an audit. However, it is recommended that organizations start preparing for an audit. This way, they can speed up the process of compliance and get certified before the CMMC 2.0 deadline. 

Below is an 8-step CMMC audit checklist to help you get started.

Step 1: Identify the type of information that needs to be protected.

Identify the FCI, CUI, and CDI that will need to be handled as part of the DoD contract. In addition to the information itself, you will also need to determine how the information would be processed, stored, and transmitted since the CMMC auditor will evaluate this information closely.

The information that needs to be protected will be defined in the contract information of the DoD project. If you are unsure whether the data you handled qualifies as CUI or CDI, you can get information from the contracting official for DoD (or the prime contractor if you are a subcontractor).

Step 2: Identify the controls to be implemented.

Since CMMC is related to controls specified in DFARS and NIST SP 800-171, you will need to identify the systems, processes, and services that are in the scope of these frameworks. 

For these systems, processes, and services, you will need to identify the controls that are applicable. The controls to be applied will also depend on the type of data being handled and the target CMMC level.

Step 3: Identify the regulatory requirements to address CMMC compliance.

You will need to identify the domestic and international laws and regulations applicable to your organization in the context of the DoD contract. This includes cybersecurity regulations, industry-specific regulations, data privacy and protection laws, etc. 

Step 4: Create relevant documentation.

Documentation is important from the perspective of a CMMC audit. The controls being implemented, policies, and procedures need to be adequately documented. Documentation will not only help in providing the necessary information to the CMMC auditor but will also be useful in making organizational decisions about managing risks. 

Step 5: Implement the cybersecurity controls.

Implementing cybersecurity controls applicable to the organization will require aligning people, processes, policies, etc. It will be a step to improve the cybersecurity maturity and be ready for the CMMC audit. 

To implement appropriate NIST SP 800-171 and CMMC controls effectively, identify the right people in charge of each environment in scope and define roles and responsibilities related to implementing controls and measuring their effectiveness. 

Step 6: Create POA&M and SSP.

Sometimes, it might not be possible to implement all applicable NIST SP 800-171 and CMMC controls. In this case, the control deficiencies need to be documented in a POA&M (Plan of Action and Milestones). The POA&M is a time-bound document and will have an action plan to address the control deficiencies within 180 days of the assessment.  

Similarly, you will also need to create a System Security Plan (SSP) which will detail how each control will be useful for improving the cybersecurity posture. Both POA&M and SSP are important documents that a CMMC auditor will check.

Step 7: Evaluate the effectiveness of the implemented controls.

You can choose an appropriate risk management methodology to get a better view of security risks and evaluate how the implemented controls would reduce or remove the identified risks. Any third-party risks also need to be taken into account and the effectiveness of the controls needs to be determined. 

Step 8: Monitor and improve controls.

Tracking key metrics is an effective way to monitor CMMC controls. Metrics can also help understand long-term trends that can help in identifying areas of improvement. You will need to identify Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) relevant to your organization and the controls being implemented. The KPIs and KRIs will also depend on the regulatory and contractual requirements. 

A reliable service provider such as I.S. Partners can help you conduct CMMC audits and assessments and prepare for certification. 

CMMC Audit Checklist

Scoping for CMMC Compliance

Properly scoping CMMC implementation is crucial to manage costs. Companies should only scope CMMC levels and controls to parts of their environment that actively handle CUI data for DoD contracts. One strategy is to establish a “CMMC enclave”—an environment segregated from the rest of the company’s systems that is specifically designated to store, process, and transmit controlled defense information.

“By narrowing the scope of CMMC to just an enclave, companies can drastically reduce expenses compared to applying controls company-wide. They avoid securing systems that don’t process CUI while still achieving necessary certifications. The segmented model contained to a CMMC enclave gives clear boundaries for targeting compliance resources only where absolutely necessary,”

– Joe Ciancimino, CISA, CRISC, and director at I.S. Partners.  

Companies preparing for CMMC audits should analyze their data flows to identify where CUI is handled and make strategic decisions to limit the scope. Over-scoping CMMC puts companies at risk of taking on excessive and redundant security controls, blowing budgets and timelines. Scoping matters, and getting it right pays dividends in cost savings and efficient certifications.

What Does The CMMC Auditor Check?  

CMMC audit can be performed by an authorized CMMC auditor. A CMMC auditor will conduct audits depending on the CMMC level applicable and the contractual requirements. 

A CMMC auditor will perform the audit but they are not authorized to issue CMMC certification. Below are some of the major responsibilities of a CMMC auditor. 

1. Performing data checks

CMMC auditors will perform data checks to identify the type of information (FCI, CUI, CDI) that the organization handles. This is a critical step in the audit since the CMMC level depends on the type of information being handled. It will eliminate any confusion regarding the level and save time and cost in implementing the appropriate controls. 

2. Evaluating cyber resilience 

A CMMC auditor will help evaluate the existing cyber resilience of the organization which would provide a baseline for implementing CMMC controls. Typically, auditors will check for weaknesses in physical security, hardware, software, data mapping, etc. in the context of the threat landscape. They will also advise on the best approach to implement CMMC controls. 

3. Assessing the security training of the staff

The security training and cybersecurity awareness of the staff has a huge impact on the cybersecurity posture. The staff’s security awareness is even more important for higher CMMC levels. An auditor will check the awareness levels as well as look at how training is provided to the staff. 

4. Assessing domains and capabilities

A CMMC auditor will check which domains are applicable for CMMC certification. They will also help identify the capabilities required for implementing controls in each domain. 

5. Auditing process integration

Process integration is an important consideration in CMMC audit since it is a reflection of the cybersecurity maturity. It is an important step in achieving CMMC certification and a C3PAO will also perform this assessment before granting the certification. 

How Much Does CMMC Cost?

The CMMC certification cost depends on several factors such as:

• The size and complexity of the organization
• CMMC level applicable 
• C3PAO charges
• The current level of cybersecurity maturity

Higher CMMC levels incur a higher cost. In addition to the certification charges, there is a cost involved in carrying out risk assessment and implementing controls. Implementing controls requires personnel engagement as well as investment in tools and technologies. 

CMMC 2.0 is expected to roll out and there is some indication from DoD that the cost of CMMC 2.0 would be significantly lower. The DoD plans to release a comprehensive cost analysis for each level of CMMC 2.0 as part of the rulemaking. This will bring more clarity to the estimated cost. 

Since several factors impact CMMC cost, cost estimations can vary. Typically, the cost of CMMC can be anywhere between $20,000 to $200,000. However, in some cases, the cost for Level 1 certifications could be as low as $3,000. It is best to contact a trusted service provider to get a cost estimation depending on your specific requirements.

However, do remember that CMMC is a recurring cost since organizations need to go for certification every three years. There is also the cost attached to annual assessments. Also, the C3PAO charges can vary. Hence, it’s a good idea to get quotes from multiple third-party assessors and choose based on the cost as well as the services offered.

CMMC audit cost can also be a significant investment. However, I.S. Partners provides comprehensive audit services which include gap assessments and compliance readiness to help you prepare for certification. 

In conclusion, preparing for the inevitable CMMC 2.0 compliance is a strategic endeavor that organizations must take seriously. Achieving compliance doesn’t happen overnight and will require an understanding of the CMMC levels, relevant legislation, and the ability to implement and document cybersecurity controls. The outlined CMMC audit checklist and understanding of the certification process can serve as a valuable guide in this journey. 

Looking towards service providers that can offer expert help, such as I.S. Partners, can be an efficacious approach in navigating these complex requirements. Remember, starting early, staying informed, and remaining proactive are the keys to a successful audit and achieving CMMC compliance before the October 2025 deadline.

FAQs About CMMC Audit

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.