StealthTech365

Preparing for a CMMC audit without knowing what assessors actually verify is one of the most common and avoidable mistakes in the defense contractor compliance space. The methodology is published. The evidence standards are documented. The domains and practices that generate the most findings are well understood by anyone who has been through the process or supported organizations that have. What’s missing, for most contractors, is a practical reference that translates the framework into concrete audit preparation tasks.

This checklist does that. It’s organized to mirror how a C3PAO assessor approaches an engagement — starting with the documentation package, moving through the domain-by-domain control verification, and ending with the operational and cross-domain items that many organizations address last and should address first. Use it as an audit preparation tool, an internal audit framework, or a gap verification reference before the formal C3PAO engagement begins.

Pre-Audit Documentation Package

Before any interview or technical testing occurs, assessors review the documentation package. The quality and completeness of what arrives at this stage shapes how the rest of the assessment proceeds. A complete, well-organized package signals a mature program. Gaps in this package generate investigative questions that a thorough package would have pre-empted.

The System Security Plan is the first and most heavily referenced document. Confirm it accurately describes the current assessment boundary with a specific written narrative, not a high-level summary. Confirm the network diagram embedded or referenced in the SSP reflects current architecture including all boundary controls, vendor access paths, and cloud environment connections. Confirm every in-scope system appears in the system inventory with asset type, function, owner, and operating system documented.

Confirm every external connection is described including the specific systems connected, the nature of the connection, and the controls governing it. Confirm control implementation descriptions are specific enough that a reader unfamiliar with the environment could locate and verify what’s described — not general statements that the control exists, but descriptions of where it’s implemented, how it’s configured, and what evidence of its operation looks like.


The POA&M should reflect honest compliance status. Any known gaps are documented with specific owners, concrete interim mitigation measures, and realistic target dates. Items previously open and now remediated are closed with evidence references. The POA&M has a history that spans more than the last 30 days.

Policy documents are signed, dated, and version-controlled. They cover all 14 NIST SP 800-171 domains and describe how the organization actually operates rather than how it would ideally operate. Policies that describe requirements the organization doesn’t currently follow are a liability in interviews, where assessors will ask staff about the policies governing their work.

The evidence library is organized by control family, contains artifacts spanning a period of time rather than a single assessment preparation window, and is accessible for production during the assessment. Confirm it includes configuration exports, access review records, training completion logs, log review documentation, vulnerability scan histories with remediation records, change management logs, incident response exercise records, and vendor access authorization documentation.

Access Control Audit Checklist

Access control generates more assessment findings than any other domain. Verify each item with technical examination, not self-reporting.

Confirm that every account with access to in-scope systems is in the user directory and was provisioned through a documented authorization process. Spot-check accounts against the access authorization records — every account should have a corresponding authorization. Accounts without documented authorization are a finding regardless of whether the access holder is a legitimate employee.

Confirm MFA enforcement through the identity provider configuration, not through policy review. Query the directory service directly to identify accounts without MFA enrollment. Specifically check service accounts, vendor accounts, shared accounts, recently provisioned accounts, and break-glass accounts — the categories most likely to be missed by MFA policies that focus on standard named users.

Confirm privileged accounts are separate from standard user accounts. Administrators should not perform standard user activities from accounts with elevated privileges. Confirm privileged access management controls are in place and producing access logs showing privileged session activity.

Confirm remote access pathways are limited to documented, authorized methods. Every remote access connection that doesn’t appear in the SSP external connections section is a scope finding. Confirm session encryption is enforced on all remote access pathways without exception.

Confirm access reviews were conducted within the last review period specified in policy. Produce the dated records from those reviews showing who conducted them, which accounts were reviewed, what was found, and what action was taken on inappropriate access discovered. A policy that requires quarterly access reviews without records showing they occurred is an unmet control.

Confirm access revocation timeliness for recent terminations. Pull termination records from HR for the past 90 days and compare termination dates against account disable dates in the directory. Delays between termination and account revocation are findings proportional to the duration of the gap.
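The three technical checks above (accounts without an authorization record, MFA gaps by account category, and termination-to-disable delays) can be run against directory and HR exports rather than by eye. The script below is an added illustration, not code from the original article; the records, field names and dates are constructed samples.

```python
"""Access-control evidence cross-checks on exported records.

Constructed sample data, not from any real directory; the field names
(sam, category, mfa, disabled_on) are assumptions about the export format.
"""
from datetime import date

# Constructed directory export: one record per account on in-scope systems.
ACCOUNTS = [
    {"sam": "jdoe", "category": "user", "mfa": True, "disabled_on": None},
    {"sam": "svc-backup", "category": "service", "mfa": False, "disabled_on": None},
    {"sam": "vendor-acme", "category": "vendor", "mfa": False, "disabled_on": None},
    {"sam": "breakglass01", "category": "break-glass", "mfa": False, "disabled_on": None},
    {"sam": "asmith", "category": "user", "mfa": True, "disabled_on": date(2024, 3, 4)},
    {"sam": "bjones", "category": "user", "mfa": True, "disabled_on": None},
    {"sam": "tmp-contractor", "category": "user", "mfa": True, "disabled_on": None},
]

# Constructed access authorization register (accounts with a signed request).
AUTHORIZED = {"jdoe", "svc-backup", "vendor-acme", "breakglass01", "asmith", "bjones"}

# Constructed HR termination feed: account name -> termination date.
TERMINATIONS = {"asmith": date(2024, 3, 1), "bjones": date(2024, 3, 10),
                "cwhite": date(2024, 3, 5), "oldhire": date(2023, 11, 1)}
AS_OF = date(2024, 3, 20)  # assessment preparation date used for the lookback


def unauthorized_accounts(accounts, authorized):
    """Enabled accounts with no matching authorization record (a finding each)."""
    return sorted(a["sam"] for a in accounts
                  if a["disabled_on"] is None and a["sam"] not in authorized)


def mfa_gaps(accounts):
    """Enabled accounts without MFA enrollment, grouped by account category."""
    gaps = {}
    for a in accounts:
        if a["disabled_on"] is None and not a["mfa"]:
            gaps.setdefault(a["category"], []).append(a["sam"])
    return gaps


def revocation_delays(accounts, terminations, as_of, window_days=90):
    """Days between termination and account disable for terminations in the window.

    None means the account is still enabled; 'no account' means the directory
    has no record matching the terminated person (itself worth investigating).
    """
    by_name = {a["sam"]: a for a in accounts}
    delays = {}
    for sam, term_date in terminations.items():
        if (as_of - term_date).days > window_days:
            continue  # outside the 90-day lookback the checklist uses
        acct = by_name.get(sam)
        if acct is None:
            delays[sam] = "no account"
        elif acct["disabled_on"] is None:
            delays[sam] = None
        else:
            delays[sam] = (acct["disabled_on"] - term_date).days
    return delays
```

Feed the real exports in the same shape and keep the output with the evidence library; a delay value of None for a past termination is the gap the assessor will find.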

Confirm mobile device access policies are enforced technically through a mobile device management solution, not just stated in policy. Unenrolled devices accessing CUI systems through mobile platforms are a gap.

Identification and Authentication Audit Checklist

Confirm unique identification for every user, process, and device. Document the specific accounts or mechanisms through which this is implemented and the controls preventing anonymous or shared access to CUI systems.

Confirm password policy configuration at the system level — minimum length, complexity requirements, history enforcement, and account lockout thresholds — is consistent with CMMC requirements and documented in the SSP. Policy that isn’t enforced technically isn’t implemented.

Confirm authenticator management procedures cover initial authenticator issuance, regular rotation, immediate revocation when compromise is suspected, and protection of authenticators in storage and transit. Confirm there are no default vendor passwords remaining on any in-scope system — this is a technical verification, not a policy acknowledgment.

Audit and Accountability Audit Checklist

Audit logging is the domain where the gap between having infrastructure and having a program is most visible. Verify at the system level, not the documentation level.

Confirm audit log generation is configured on every in-scope system. Review logging configuration on representative systems from each system type in scope — servers, workstations, network devices, cloud instances. Default logging configurations frequently don’t capture the event categories CMMC requires. Verify the event types captured against the requirement: logon and logoff events, object access, policy changes, privileged function use, and system events at minimum.

Confirm log storage capacity is sufficient and monitored. Verify that alerts are configured to notify responsible staff before storage capacity is exhausted and before log retention periods expire.

Confirm log integrity protection — logs are written to storage that in-scope system administrators cannot modify or delete. Separate log storage or a SIEM with appropriate access controls satisfies this. In-scope system administrators who can also modify or delete logs represent an integrity protection gap.

Confirm log review is operational. Produce records of log reviews conducted within the last review period specified in policy — who reviewed, what was examined, what was found, and what actions were taken. Review records that exist only for the period immediately preceding the audit signal a process that was activated for assessment purposes rather than operating continuously. A managed cybersecurity program that provides documented log review on a defined schedule produces this evidence as a natural byproduct.

Configuration Management Audit Checklist

Confirm documented baseline configurations exist for each system type in scope. Baselines are specific to the system type — not generic security standards references — and reflect current configuration requirements.

Confirm deployed configurations match documented baselines through technical examination, not policy review. Run configuration compliance scans against a representative sample of in-scope systems from each type. Document the discrepancy rate and the remediation process for systems found out of compliance.

Confirm change management records exist for system changes made since the last assessment or baseline establishment. Every significant configuration change on in-scope systems should have a corresponding change record showing authorization, implementation, and post-implementation verification. Changes without records are either undocumented authorized changes or unauthorized changes — both are findings.

Confirm deny-listing or allow-listing controls for software execution are implemented or, where full implementation isn’t yet in place, compensating controls and a POA&M item document the current status. Unauthorized software found on in-scope systems without documented exception is a finding.

Confirm that in-scope systems have unnecessary services, ports, protocols, and functions disabled. Review network scans and system configuration reports for services running that aren’t documented as required for system function.

Incident Response Audit Checklist

Confirm the incident response plan covers CUI-specific scenarios including the 72-hour DoD reporting requirement under DFARS 252.204-7012. The plan should name specific personnel for each response function, not just reference roles that may not be clearly assigned.

Confirm the incident response capability has been tested. Produce records of a tabletop exercise or equivalent conducted within the last 12 months showing scenario, participants, findings, and follow-up actions taken. An untested incident response plan is an unimplemented control regardless of documentation quality.

Confirm incident records exist for any security incidents that occurred since the last assessment. Those records should show how incidents were detected, how they were classified, what containment and recovery actions were taken, and whether DoD reporting obligations were triggered and fulfilled.

Confirm personnel with incident response responsibilities know their role. In interviews, they should be able to describe the escalation path from initial detection through containment and notification without consulting the plan document.


Risk Assessment Audit Checklist

Confirm periodic risk assessments were conducted within the schedule specified in policy. Produce the risk assessment report or records from the most recent assessment showing scope, methodology, findings, and disposition of identified risks.

Confirm vulnerability scanning covers all in-scope systems. Produce scan results from the most recent scan cycle showing coverage of the full in-scope asset inventory. Gaps in scan coverage — systems in scope that don’t appear in scan results — are findings regardless of the reason for the gap.

Confirm vulnerability remediation is tracked against documented SLAs. Pull the findings from the last vulnerability scan and compare against current system patch levels to verify remediation has occurred within the committed timeframe. Open critical and high findings beyond their SLA window are findings in both the Risk Assessment and System and Information Integrity domains. Our guide on CMMC and NIST 800-171 critical controls covers vulnerability management requirements in depth.
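Scan coverage and SLA aging are both mechanical comparisons between the in-scope inventory and the scan export. The following is an added example, not the article's or any vendor's code; the hosts, findings, dates and SLA values are constructed and should be replaced with the organization's own inventory, scan export and policy figures.

```python
"""Vulnerability scan coverage and SLA aging from exported evidence.

Constructed sample inventory and scan data; the SLA values and the export
field layout are assumptions, not requirements quoted from the article.
"""
from datetime import date

# Constructed in-scope asset inventory (hostnames from the SSP system inventory).
INVENTORY = {"app01", "db01", "fw01", "ws-042", "ws-043"}

# Constructed set of hosts the last scan cycle actually touched.
SCANNED = {"app01", "db01", "ws-042", "ws-043", "lab-box"}

# Constructed scan export: (host, finding id, severity, first seen, remediated on or None).
FINDINGS = [
    ("app01", "F-1001", "critical", date(2024, 2, 1), date(2024, 2, 10)),
    ("app01", "F-1002", "high", date(2024, 2, 1), None),
    ("db01", "F-1003", "medium", date(2024, 1, 5), None),
    ("ws-042", "F-1004", "critical", date(2024, 3, 1), None),
    ("ws-043", "F-1005", "low", date(2023, 6, 1), None),
]

# Assumed remediation SLA in days per severity; take the real values from policy.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
AS_OF = date(2024, 3, 20)  # date the comparison is run


def coverage_gaps(inventory, scanned):
    """In-scope hosts absent from scan results, and scanned hosts not in the inventory.

    The second set is a scope question: either the inventory is incomplete or
    the scanner is reaching systems the SSP does not describe.
    """
    return {"unscanned": sorted(inventory - scanned),
            "not_in_inventory": sorted(scanned - inventory)}


def overdue_findings(findings, sla_days, as_of):
    """Open findings older than their severity SLA: (host, id, severity, days past SLA)."""
    overdue = []
    for host, fid, sev, first_seen, fixed in findings:
        if fixed is not None:
            continue  # remediated; closure evidence lives in the scan history
        age = (as_of - first_seen).days
        if age > sla_days[sev]:
            overdue.append((host, fid, sev, age - sla_days[sev]))
    return sorted(overdue, key=lambda f: -f[3])  # most overdue first


def summarize(overdue):
    """Count overdue findings per severity for the POA&M and assessor briefing."""
    counts = {}
    for _, _, sev, _ in overdue:
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```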

System and Communications Protection Audit Checklist

Confirm boundary protection controls are technically enforced between the CUI environment and external networks, and between the CUI environment and the general corporate network. Produce firewall rule documentation and network scan results confirming the boundary controls function as the SSP describes. A network diagram showing segmentation that doesn’t exist in the actual network configuration is a finding that technical testing will surface.

Confirm CUI encryption in transit through protocol inspection. Review network configurations, application settings, and cloud service configurations to verify that CUI-carrying communications use FIPS-validated encryption and that unencrypted protocols for CUI transmission are disabled or blocked.

Confirm cloud environments hosting CUI operate under FedRAMP Moderate authorization or equivalent. Document the specific service authorization, the services covered, and the configuration decisions that keep CUI within the authorized environment boundary. CUI that has spilled into commercial-tier cloud services not covered by a FedRAMP authorization is a scope and control finding simultaneously.

Confirm network access controls prevent unauthorized devices from connecting to the CUI environment. 802.1X, network access control solutions, or equivalent technical controls should be documented and verified through configuration review.

Awareness and Training Audit Checklist

Confirm training completion records cover all personnel with access to CUI systems within the last 12 months. The records should be specific — named individuals, training content, completion date — not aggregate counts. Pull the current user directory for in-scope systems and cross-reference against training completion records. Users with system access but no training completion record are a finding.

Confirm training content addresses CMMC-relevant topics including CUI identification and handling, phishing awareness, incident reporting procedures, and acceptable use of CUI systems. Generic security awareness training that doesn’t address CUI-specific requirements satisfies the general awareness requirement but may not satisfy the CUI handling requirement.

Confirm role-specific training for personnel with security-related responsibilities. System administrators, incident responders, and privileged users should have training documentation that goes beyond the general awareness program. Our guide on building a continuous compliance program covers how training programs operate in mature compliance environments.

Remaining Domain Checklist Items

Physical protection controls are in place and documented for facilities housing in-scope systems. Physical access is limited to authorized personnel through technical controls — badge access, biometrics, or equivalent — not just policy. Visitor access is controlled and logged with records showing who visited, when, and who escorted them.

Media protection covers CUI on removable media from creation through destruction. Confirm media handling procedures are followed in practice, that CUI media is marked appropriately, and that sanitization or destruction records exist for media that has been disposed of.

Personnel security requirements are met for personnel with CUI access — background screening appropriate to the sensitivity of the role has been completed and documented, and formal offboarding procedures ensure immediate access revocation and retrieval of CUI materials from departing personnel.

Maintenance activities on in-scope systems are performed by authorized personnel with records of maintenance activities. Remote maintenance sessions are controlled, monitored, and logged. Maintenance accounts used by vendors are disabled between use periods rather than remaining active persistently.

Security assessment activities — the internal review function that evaluates whether controls remain implemented and effective between formal C3PAO assessments — are occurring on a documented schedule and producing records that demonstrate the compliance program is actively maintained rather than dormant between assessment cycles.

Third-Party and Vendor Audit Checklist

Vendor relationships within the CUI environment receive specific assessor attention because third-party access is a primary attack vector against defense contractors. Confirm all vendors with access to in-scope systems are documented in the SSP. Confirm vendor access is governed by contracts that specify security requirements, incident notification obligations, and the right to audit. Confirm vendor accounts are subject to the same MFA and least-privilege requirements as internal accounts. Confirm vendor access is reviewed on a defined schedule and revoked when the vendor relationship or project ends. Our detailed guide on how third-party vendors affect your CMMC compliance covers the vendor audit scope comprehensively.

For organizations using managed IT services providers, specifically confirm that the provider’s activities within the CUI environment are documented in the SSP, that their access is governed by CMMC-aligned contract terms, and that the evidence of their control activities within scope is accessible for the compliance documentation package.

Interview Preparation Checklist

Personnel interviews are where documentation gaps become conversation gaps. Confirm that personnel with security responsibilities can describe how they execute those responsibilities without consulting reference materials. System administrators should be able to describe the MFA implementation and what accounts it covers. Incident responders should be able to walk through the response procedure from detection to notification. Help desk personnel should be able to describe the access provisioning and revocation process. Management should be able to describe the risk assessment process and how findings connect to compliance decisions.

Personnel who sound rehearsed rather than knowledgeable signal pre-assessment briefing rather than genuine role clarity. Genuine preparation involves making sure personnel understand their responsibilities throughout the compliance program, not briefing them in the week before the assessment. A compliance program built for continuous operation produces personnel who can answer assessor questions naturally because their responsibilities are part of how they work every day.


Conclusion: The Audit Checklist Is a Diagnostic, Not a Destination

A CMMC audit checklist tells you what to look for. What you find when you look — and what you do about it before the formal assessment arrives — is what determines certification outcomes. Organizations that work through this checklist six months before their C3PAO assessment and address every item they find unresolved arrive at the assessment with documented, verified, evidenced controls. Organizations that work through it the week before arrive with a list of things they didn’t have time to fix.

If your organization is planning its CMMC compliance journey, contact Stealth Technology Group today at (617) 903-5559 or visit the website to learn how modern cybersecurity infrastructure can accelerate your path toward certification readiness.
