CMMC Cybersecurity Audit for Defense Contractors

The Cybersecurity Maturity Model Certification (CMMC) program establishes mandatory assessment requirements for defense contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under contracts with the U.S. Department of Defense (DoD). A CMMC cybersecurity audit is not merely a self-assessment: for most Level 2 contracts it requires evaluation by a certified third-party assessment organization (C3PAO) accredited through the Cyber AB (formerly the CMMC Accreditation Body), and at Level 3 it requires a government-led assessment. This page maps the structure of CMMC audit requirements, the mechanics of the assessment process, the distinctions between certification levels, and the operational tensions defense contractors encounter navigating the framework.



Definition and scope

CMMC is a DoD-mandated framework codified at 32 CFR Part 170, finalized through the CMMC 2.0 rulemaking published in the Federal Register in October 2024 and effective December 16, 2024. The program governs the cybersecurity posture of the Defense Industrial Base (DIB), a sector commonly estimated at more than 300,000 companies that directly or indirectly support DoD acquisition programs.

A CMMC audit assesses whether a contractor's information systems meet the security requirements of NIST Special Publication 800-171 (Level 2) or NIST SP 800-171 plus a selected subset of NIST SP 800-172 (Level 3). The scope of any given audit is bounded by the contractor's assessment scope: the systems, facilities, and personnel that process, store, or transmit CUI or FCI subject to the applicable Defense Federal Acquisition Regulation Supplement (DFARS) clauses, principally DFARS 252.204-7012.

The audit's output is a scored assessment against the 110 security requirements drawn from NIST SP 800-171's 14 control families. Each requirement carries a weight of 1, 3 or 5 points under the DoD NIST SP 800-171 Assessment Methodology; the score starts at 110 and each unmet requirement deducts its weight, so the maximum achievable score is 110. A contractor that scores below 110 may still be awarded contracts if a Plan of Action and Milestones (POA&M) is accepted, subject to level-specific thresholds established in the rule: at Level 2, a score of at least 88 (80 percent) with no higher-weighted requirements left open, save a narrow exception for partially implemented FIPS-validated cryptography.


Core mechanics or structure

CMMC assessments operate through a structured three-phase cycle: pre-assessment preparation, on-site or remote assessment execution, and results submission to the DoD's Supplier Performance Risk System (SPRS).

Pre-assessment. The contractor defines its assessment boundary using a System Security Plan (SSP). The SSP must document each of the 110 NIST SP 800-171 practices, describe implementation status, and identify any practices addressed through a POA&M. C3PAOs use the SSP as the primary evidence artifact prior to fieldwork.

Assessment execution. A C3PAO team, composed of Certified CMMC Assessors (CCAs) credentialed through the Cyber AB, evaluates each requirement using three evidence methods: examination (document and artifact review), interviews (personnel verification), and testing (technical validation). This examine/interview/test methodology is the one defined in NIST SP 800-171A, which in turn mirrors the assessment methods of NIST SP 800-53A.

Scoring and submission. Each requirement is scored as Met or Not Met (or, where the contractor justifies it, Not Applicable). The final score is calculated using the DoD's weighted scoring methodology: the 110 requirements do not carry equal weight, so an unmet high-impact requirement such as multifactor authentication deducts five points while an unmet low-impact requirement deducts one. The final score is entered into SPRS, which is visible to contracting officers reviewing contractor eligibility.
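The following Python script is an added illustration of the scoring arithmetic and the Level 2 POA&M eligibility test described above; it is not DoD, Cyber AB or C3PAO code. The WEIGHTS table is a constructed subset of the DoD Assessment Methodology point table (the real table covers all 110 requirements; anything missing here defaults to 1 point), the findings sets are constructed, and the partial-credit values and POA&M conditions reflect the author's reading of the methodology and 32 CFR 170.21, which should be checked against the current rule text.

```python
"""Worked example of CMMC Level 2 scoring and POA&M eligibility.

Added illustration for this page; not DoD, Cyber AB or C3PAO code.

Assumptions, stated here and in the lead-in above:
  * WEIGHTS is a constructed subset of the DoD NIST SP 800-171 Assessment
    Methodology point table. The real table assigns 1, 3 or 5 points to each
    of the 110 requirements; anything missing from WEIGHTS defaults to 1 here.
  * The partial-credit values and the POA&M eligibility conditions reflect
    the author's reading of the methodology and 32 CFR 170.21; verify them
    against the current rule text before relying on them.
"""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110              # Level 2 covers all of NIST SP 800-171 Rev 2
MAX_SCORE = TOTAL_REQUIREMENTS
# Conditional certification needs at least 80% of the total score.
MIN_POAM_SCORE = (8 * MAX_SCORE + 9) // 10   # ceil(0.8 * 110) == 88

# Constructed subset of the point table (see module docstring).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
    "3.1.5": 3, "3.8.1": 3, "3.8.2": 3, "3.11.1": 3,
}
# Two requirements earn partial credit when partly implemented:
#   3.5.3   MFA deployed for remote/privileged access but not all users -> 3
#   3.13.11 encryption in use but not FIPS-validated                    -> 3
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# 1-point requirements that the rule nevertheless bars from a POA&M.
POAM_BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """One requirement the assessor did not score as Met."""
    requirement: str          # NIST SP 800-171 identifier, e.g. "3.5.3"
    status: str = "not_met"   # "not_met" or "partial"


def deduction(finding: Finding) -> int:
    """Points subtracted for a single finding."""
    if finding.status == "partial":
        if finding.requirement not in PARTIAL_DEDUCTION:
            raise ValueError(f"{finding.requirement} has no partial-credit rule")
        return PARTIAL_DEDUCTION[finding.requirement]
    if finding.status != "not_met":
        raise ValueError(f"unknown status {finding.status!r}")
    return WEIGHTS.get(finding.requirement, 1)


def sprs_score(findings) -> int:
    """Weighted score: start at 110 and subtract each finding's deduction."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligibility(findings):
    """Return (eligible, reasons). Empty reasons means a conditional
    certification with a POA&M is permitted under the stated assumptions."""
    reasons = []
    score = sprs_score(findings)
    if score < MIN_POAM_SCORE:
        reasons.append(f"score {score} is below the {MIN_POAM_SCORE} minimum")
    for f in findings:
        fips_partial = f.requirement == "3.13.11" and f.status == "partial"
        if f.requirement in POAM_BARRED:
            reasons.append(f"{f.requirement} may not be placed on a POA&M")
        elif deduction(f) > 1 and not fips_partial:
            reasons.append(f"{f.requirement} is worth {deduction(f)} points and must be Met")
    return (not reasons, reasons)


# Constructed findings sets for illustration.
CONDITIONAL_PASS = [
    Finding("3.13.11", "partial"),          # non-FIPS encryption: 3 points, POA&M allowed
    Finding("3.1.8"), Finding("3.1.9"), Finding("3.1.10"),
    Finding("3.1.11"), Finding("3.1.21"),   # scored as 1-point items here
]
FAILS = CONDITIONAL_PASS + [
    Finding("3.5.3"),    # MFA missing entirely: 5 points, blocks a POA&M
    Finding("3.1.22"),   # 1 point, but explicitly barred from a POA&M
]

if __name__ == "__main__":
    for label, findings in (("conditional", CONDITIONAL_PASS), ("fail", FAILS)):
        ok, why = poam_eligibility(findings)
        print(label, sprs_score(findings), "eligible" if ok else "; ".join(why))
```

The point the second findings set makes is the one contractors most often miss: a score comfortably above 88 does not by itself permit a POA&M, because a single open 3- or 5-point requirement, or one of the barred 1-point physical-access and public-information requirements, disqualifies the conditional certification regardless of the total.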

Certification validity. A CMMC Level 2 certification issued by a C3PAO is valid for 3 years, with an annual affirmation requirement in which a senior company official attests to continued compliance. The affirmation requirement is set out in 32 CFR § 170.22; POA&M handling is in § 170.21.



Causal relationships or drivers

The CMMC program emerged directly from documented failures in the DIB supply chain to protect CUI. The Defense Science Board's 2013 report on cyber resilience identified systemic inadequacies in contractor-side information security. Subsequent DoD Inspector General audits revealed that contractors were self-attesting compliance with DFARS 252.204-7012 while maintaining SPRS scores as low as -203 — a score that indicates the majority of required practices were unimplemented.

The shift from self-attestation to mandatory third-party assessment at Level 2 is a direct regulatory response to this enforcement gap. The CMMC 2.0 restructuring (announced in November 2021) consolidated the original five-level model into three levels and eliminated third-party requirements at Level 1, but preserved and strengthened them at Level 2 for prioritized acquisitions involving CUI.

Presidential Policy Directive 21 (2013) designated the DIB as one of the 16 critical infrastructure sectors, with DoD as its sector-specific agency, which increased political pressure to close the self-attestation gap. The CMMC rulemaking also cross-references Executive Order 14028 on Improving the Nation's Cybersecurity (2021), which accelerated federal adoption of zero-trust principles and software supply chain security requirements.


Classification boundaries

CMMC 2.0 defines three distinct levels, each with a different audit modality:

Level 1 — Foundational. Covers the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in the original CMMC model). Assessment is an annual self-assessment with affirmation by a senior company official. No C3PAO is required. Applies to contractors handling FCI but not CUI.

Level 2 — Advanced. Covers all 110 practices from NIST SP 800-171. Assessment is a triennial third-party audit by a C3PAO for contracts involving prioritized CUI. A subset of Level 2 contracts may permit annual self-assessment when DoD determines the CUI involved is not high-value. The distinction between C3PAO-required and self-assessment-permissible Level 2 contracts is determined by the program office, not the contractor.

Level 3 — Expert. Covers the 110 NIST SP 800-171 requirements plus 24 selected requirements from NIST SP 800-172. Assessment is conducted by the Defense Contract Management Agency (DCMA)'s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and a final Level 2 C3PAO certification for the same scope is a prerequisite. Level 3 is reserved for contractors on programs associated with the highest-priority DoD systems.

The classification boundary between Level 2 and Level 3 turns on whether the contract involves Advanced Persistent Threat (APT) risk — a determination made at the program acquisition level. Contractors cannot self-select into Level 3; the requirement flows from the contract itself.



Tradeoffs and tensions

Cost versus compliance depth. A CMMC Level 2 third-party assessment by a C3PAO involves assessor fees, preparation costs, and potential remediation expenditures. The DoD's own regulatory impact analysis estimated average third-party assessment costs at approximately $105,000 per assessment for medium-sized contractors (32 CFR Part 170, Regulatory Impact Analysis, 2024). Smaller DIB companies — those with under 50 employees — face disproportionate burden, raising concerns about consolidation in the defense supply chain.

POA&M flexibility versus security assurance. The allowance for POA&Ms at Level 2 permits contractors to win and execute contracts while some practices remain unimplemented. Critics argue this preserves risk in the supply chain; proponents argue it lets the DIB maintain continuity while remediating findings. The tension is structural: requiring full compliance at the point of award would exclude a significant portion of the DIB.

Cloud environments and boundary definition. Contractors using cloud service providers must ensure those providers meet the FedRAMP Moderate baseline (or an equivalent, as DFARS 252.204-7012 permits) if the cloud service processes, stores, or transmits CUI. Defining the boundary between contractor-controlled and CSP-controlled infrastructure, and documenting which inherited controls the CSP actually covers, is a persistent source of assessment disputes, particularly for Software-as-a-Service deployments.

Assessment standardization. The Cyber AB accredits C3PAOs but does not enforce a single standardized assessment procedure manual beyond the CMMC Assessment Process (CAP) document. Variation in assessor interpretation of practice requirements introduces inconsistency in scoring outcomes across different C3PAOs.


Common misconceptions

Misconception: CMMC certification belongs to the company.
Correction: CMMC certification is scoped to a specific assessment boundary — the systems and environments documented in the SSP. A company with multiple facilities or multiple enclaves may require separate assessments for each boundary. The certification does not automatically extend to newly acquired systems or subsidiaries.

Misconception: Passing a NIST SP 800-171 self-assessment guarantees Level 2 C3PAO certification.
Correction: Self-assessment and C3PAO assessment use different evidence standards. A contractor that scores 110 on a self-assessment may receive a lower score from a C3PAO that applies technical testing rather than accepting documentation alone. The Cyber AB's CAP document specifies that assessors must validate implementation, not merely document existence.

Misconception: CMMC applies only to prime contractors.
Correction: DFARS 252.204-7012 and the CMMC rule flow down to subcontractors at all tiers that handle FCI or CUI. A subcontractor providing a single software component that processes CUI is subject to a CMMC requirement of its own; the level that applies depends on the information the subcontractor actually receives, so a subcontractor that handles only FCI under a Level 2 prime contract needs Level 1, while one that handles CUI needs Level 2.

Misconception: A System Security Plan alone satisfies the assessment.
Correction: The SSP is a required artifact, but assessment also requires personnel interviews and technical testing. An SSP that describes compliant controls that do not exist in practice will result in Not Met findings and score deductions.



Checklist or steps (non-advisory)

The following sequence reflects the documented phases of a CMMC Level 2 third-party assessment as described in the CMMC Assessment Process (CAP) and 32 CFR Part 170:

  1. Define the assessment boundary — Identify all systems, components, and personnel that process, store, or transmit CUI. Document the boundary in the System Security Plan (SSP).
  2. Complete the SSP — Document implementation status for all 110 NIST SP 800-171 practices. Identify any practices addressed through a POA&M and set milestone dates.
  3. Select a C3PAO — Confirm the organization is listed on the Cyber AB Marketplace as an active, authorized C3PAO. Verify the credentials of the assessment team (Certified CMMC Assessors, CCAs, and Certified CMMC Professionals, CCPs).
  4. Conduct pre-assessment gap analysis — The contractor reviews its SSP against C3PAO readiness criteria. Some C3PAOs offer scoping calls prior to formal engagement; these are distinct from the billable assessment itself.
  5. Submit assessment request through Cyber AB — The C3PAO initiates the assessment record in the CMMC Enterprise Mission Assurance Support Service (eMASS) or equivalent DoD portal.
  6. Assessment execution — C3PAO team conducts examination, interview, and testing phases on-site or through secure remote means. Duration varies by organizational complexity; assessments for mid-size contractors typically span 3 to 5 business days of active review.
  7. Findings review and adjudication — The C3PAO delivers preliminary findings. The contractor may provide clarifying evidence during a defined processing period before scores are finalized.
  8. Score finalization and SPRS submission — The final score is recorded in SPRS. The contractor's score and certification status become visible to DoD contracting officers.
  9. POA&M tracking (if applicable) — Practices scored Not Met are tracked in the POA&M with 180-day closure deadlines for eligible items, per 32 CFR § 170.21(c).
  10. Annual affirmation — A senior company official submits an annual affirmation attesting to continued compliance with the certification requirements throughout the 3-year certification period.

Reference table or matrix

CMMC 2.0 Level Comparison Matrix

Attribute                    | Level 1 — Foundational        | Level 2 — Advanced                                     | Level 3 — Expert
-----------------------------|-------------------------------|--------------------------------------------------------|------------------------------------------
Requirement count            | 15                            | 110                                                    | 110 + 24 from SP 800-172
Source standard              | FAR 52.204-21                 | NIST SP 800-171 Rev 2                                  | NIST SP 800-171 Rev 2 + SP 800-172 subset
Assessment type              | Annual self-assessment        | Triennial C3PAO (self-assessment for non-priority CUI) | Triennial DIBCAC, government-led
Assessing body               | Senior company official       | Cyber AB-accredited C3PAO                              | DCMA DIBCAC
Data type protected          | FCI                           | CUI                                                    | High-value / APT-risk CUI
POA&M permitted?             | No                            | Yes, with thresholds                                   | Yes, with thresholds (Level 3 items only)
Certification validity       | 1 year (affirmation cycle)    | 3 years + annual affirmation                           | 3 years + annual affirmation
Regulatory citation          | 32 CFR § 170.15               | 32 CFR § 170.16 (self) / § 170.17 (C3PAO)              | 32 CFR § 170.18
SPRS entry required?         | Yes                           | Yes                                                    | Yes
Estimated avg. assessment cost | Minimal (internal)          | ~$105,000 (DoD RIA, 2024)                              | Government-conducted; Level 2 C3PAO prerequisite still paid by contractor
