Why CMMC Audit Readiness Matters More Than Ever
The Cybersecurity Maturity Model Certification program is now a contractual reality for defense contractors. With third-party assessments by Certified Third-Party Assessment Organizations (C3PAOs) now required for most Level 2 certifications, and Level 3 assessed by the DoD's own Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the stakes of showing up unprepared have never been higher. A failed assessment does not just delay a certification: it can cost you a contract, damage your reputation in the Defense Industrial Base, and trigger a remediation cycle that takes months to resolve.
I have worked with dozens of defense contractors preparing for their assessments, and I can tell you with certainty: the organizations that pass on the first attempt are the ones that treated preparation as a disciplined, systematic process. This checklist distills that experience into 32 concrete items you should verify before your assessment date arrives. If you want deeper context on the overall preparation process, our post on how to prepare for your CMMC audit is a strong companion to this checklist.
Documentation and Policy Readiness
Assessors will spend significant time reviewing your written documentation. Gaps here signal gaps everywhere else.
- System Security Plan (SSP) is current and complete. Your SSP must accurately describe your environment, all system components, boundaries, and how each NIST SP 800-171 control is implemented. An outdated or incomplete SSP is one of the most common reasons assessments stall. Review our guidance on SSP and POA&M as critical components of a strong security program.
- Plan of Action and Milestones (POA&M) reflects current status. Every open deficiency must be documented with realistic milestones. Assessors expect to see an active, managed POA&M — not a document that was created once and never touched.
- All required policies are written, approved, and dated. Access control, incident response, configuration management, media protection, personnel security, system and communications protection — every required policy domain must have a corresponding written policy.
- Procedures align with your policies. Policies state what you do; procedures explain how. Assessors will look for both. A policy without a supporting procedure is an incomplete implementation.
- Your CUI identification and handling policy is specific and enforced. Vague language about protecting sensitive data will not satisfy an assessor. Your policy must define what constitutes CUI in your environment, how it is labeled, and how it is handled at every stage of its lifecycle.
- Configuration baseline documents exist for all in-scope systems. Every system in your CMMC boundary needs a documented security baseline that reflects your hardening standards.
- Third-party and subcontractor flow-down documentation is in place. If you pass CUI to subcontractors, you must have written agreements demonstrating that CMMC and DFARS obligations flow down appropriately.
Access Control and Identity Management
Access control is consistently one of the most scrutinized domains in any CMMC assessment. These items must be airtight.
- Least privilege is enforced and verifiable. Every user account — including service accounts and administrator accounts — should have only the permissions required to perform its function. Document the process and be prepared to demonstrate it.
- Multi-factor authentication (MFA) is deployed for all CUI-accessible systems. MFA is not optional: NIST SP 800-171 requires it for network access to all accounts and for local access to privileged accounts. If any user can reach CUI with only a password, you have a finding waiting to happen.
- Privileged account management controls are documented and active. Separate privileged accounts from standard user accounts. Log and monitor privileged activity.
- Inactive accounts are disabled or removed on schedule. Pull a current account listing from your directory, compare it against HR separation and transfer records, and verify that accounts for terminated or transferred employees have been disabled and that accounts with no recent logon (including accounts that were created and never used) are disabled within the window your policy sets. This is a straightforward check that assessors will perform themselves.
- Remote access is controlled, logged, and encrypted. VPN configurations, remote desktop policies, and session logging must all be in place and verifiable.
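The cross-check described in the inactive-accounts item above, written out as an added example (not code from the original post). It joins a constructed directory export against a constructed HR roster and flags enabled accounts that HR lists as terminated, enabled accounts with no logon inside an assumed 90-day window (never-used accounts included), and enabled accounts unknown to HR that are not on an assumed list of owned service accounts. The column names, the 90-day threshold and the service-account list are assumptions; substitute your own directory export (for Active Directory, the output of Get-ADUser piped to Export-Csv) and the threshold from your access control policy.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample directory export (not real data). In practice you would
# export these columns from your directory and the roster from your HR system.
DIRECTORY_CSV = """\
sam_account,enabled,last_logon
alice,True,2025-05-20T14:02:00Z
bob,True,2025-01-03T09:15:00Z
carol,False,2024-11-30T17:45:00Z
dave,True,
svc_backup,True,2025-05-25T02:00:00Z
"""

# Constructed HR roster: a terminated person must not have an enabled account.
HR_CSV = """\
sam_account,status,separation_date
alice,active,
bob,terminated,2025-02-14
carol,terminated,2024-12-01
dave,active,
"""

# Assumptions: a 90-day inactivity threshold (NIST SP 800-171 does not fix a
# number; use the one in your access control policy) and a list of known
# service accounts that legitimately have no HR record but must have an owner.
STALE_DAYS = 90
SERVICE_ACCOUNTS = {"svc_backup"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means never logged on."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_account_findings(directory_csv, hr_csv, now, stale_days=STALE_DAYS,
                          service_accounts=SERVICE_ACCOUNTS):
    """Cross-check enabled directory accounts against the HR roster.

    Returns a sorted list of (account, finding) tuples for accounts an
    assessor would flag: still enabled after HR termination, unknown to HR
    and not a registered service account, or enabled but inactive past the
    threshold (a never-used enabled account counts as inactive).
    """
    hr = {r["sam_account"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        name = row["sam_account"]
        if row["enabled"] != "True":
            continue  # disabled accounts are what we want to see; not a finding
        hr_row = hr.get(name)
        if hr_row is not None and hr_row["status"] == "terminated":
            findings.append((name, "ENABLED_AFTER_TERMINATION"))
        elif hr_row is None and name not in service_accounts:
            findings.append((name, "NOT_IN_HR_ROSTER"))
        last = parse_ts(row["last_logon"])
        if last is None or last < cutoff:
            findings.append((name, "INACTIVE_PAST_THRESHOLD"))
    return sorted(findings)


def run_sample():
    """Run the check against the constructed data as of a fixed review date."""
    return find_account_findings(DIRECTORY_CSV, HR_CSV,
                                 datetime(2025, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for account, finding in run_sample():
        print(f"{account}: {finding}")
```

Keep the output of this run, dated, in your evidence repository alongside the termination tickets that closed each finding; the assessor wants to see both the check and the follow-through.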
CUI Identification and Protection
If you cannot clearly define where your CUI lives and how it is protected, your assessment will be difficult. These checks are foundational.
- Your CUI boundary is clearly defined and documented. You should be able to produce a network diagram and a written description of every location where CUI is stored, processed, or transmitted.
- CUI is properly labeled in all formats. This applies to digital files, email, printed documents, and portable media. Inconsistent labeling is a recurring deficiency.
- Data loss prevention (DLP) controls are configured and tested. Understand what data loss prevention tools are doing in your environment and verify they are actively protecting CUI from unauthorized exfiltration.
- Portable media and removable storage controls are enforced. USB drives and external storage devices are a significant CUI risk vector. Policies and technical controls must address them.
- CUI in cloud environments meets FedRAMP Moderate equivalency requirements. If you store or process CUI in a cloud service, DFARS 252.204-7012 requires the provider to meet the FedRAMP Moderate baseline or an equivalent. Verify the provider's authorization or documented equivalency, and verify separately that your own tenant configuration (encryption, access control, logging) meets the requirements; the provider's authorization does not cover how you configured it.
Incident Response and Audit Logging
Assessors want to see that you can detect, respond to, and document security events — not just that you have a plan on paper.
- Your incident response plan has been tested within the last 12 months. A tabletop exercise or simulation counts. An untested IR plan is an unproven IR plan.
- Audit logging is enabled on all in-scope systems. Authentication events, privilege escalations, file access to CUI, and system changes must all be logged. Verify retention periods meet requirements.
- Log review processes are active and documented. Someone must be responsible for reviewing logs. That responsibility must be assigned, scheduled, and recorded.
- Your DFARS cyber incident reporting obligations are understood. Under DFARS 252.204-7012, any contractor handling CUI must report a cyber incident to DoD through the DoD Cyber Crime Center (DC3) DIBNet portal within 72 hours of discovery, regardless of CMMC level. Know who in your organization submits that report and how the incident response plan hands off to them.
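The audit logging and log review items above list the event classes that must be captured and reviewed. The block below is an added example (not code from the original post) of what a scheduled review of those events can look like, run over a small set of constructed Windows Security events: a burst of failed logons (event 4625) from one source, a logon that was granted special privileges (event 4672) for an account outside the documented administrator list, and object access (event 4663) on a CUI share by a user who is not on the CUI access list. The event IDs are the standard Windows ones; the allowlists, the share path, the five-failures-in-five-minutes threshold and the event records themselves are assumptions and constructed data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not captured from a real host).
# 4625 = failed logon, 4624 = successful logon, 4672 = special privileges
# assigned at logon, 4663 = object access (requires file auditing on the share).
EVENTS = [
    {"time": "2025-06-01T08:00:05Z", "id": 4625, "user": "jsmith", "src": "10.0.0.50"},
    {"time": "2025-06-01T08:00:07Z", "id": 4625, "user": "jsmith", "src": "10.0.0.50"},
    {"time": "2025-06-01T08:00:09Z", "id": 4625, "user": "jsmith", "src": "10.0.0.50"},
    {"time": "2025-06-01T08:00:12Z", "id": 4625, "user": "jsmith", "src": "10.0.0.50"},
    {"time": "2025-06-01T08:00:15Z", "id": 4625, "user": "jsmith", "src": "10.0.0.50"},
    {"time": "2025-06-01T08:05:00Z", "id": 4624, "user": "alice", "src": "10.0.0.21"},
    {"time": "2025-06-01T08:05:01Z", "id": 4672, "user": "admin_alice", "src": "10.0.0.21"},
    {"time": "2025-06-01T08:30:00Z", "id": 4672, "user": "bob", "src": "10.0.0.33"},
    {"time": "2025-06-01T09:00:00Z", "id": 4663, "user": "alice", "object": r"\\fs01\CUI\contract-123.pdf"},
    {"time": "2025-06-01T09:10:00Z", "id": 4663, "user": "dave", "object": r"\\fs01\CUI\drawings\part.stp"},
    {"time": "2025-06-01T09:12:00Z", "id": 4663, "user": "dave", "object": r"\\fs01\Public\lunch-menu.docx"},
]

# Assumptions: these lists come from your SSP and access authorization records.
PRIVILEGED_ACCOUNTS = {"admin_alice"}
CUI_AUTHORIZED = {"alice", "bob"}
CUI_PATH_PREFIX = "\\\\fs01\\CUI\\"
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review_events(events, privileged=PRIVILEGED_ACCOUNTS, cui_users=CUI_AUTHORIZED,
                  cui_prefix=CUI_PATH_PREFIX, threshold=FAILED_LOGON_THRESHOLD,
                  window=FAILED_LOGON_WINDOW):
    """Return review findings as (finding, user, detail) tuples in time order.

    Failed-logon bursts are counted per (source, user) with a sliding window so
    a slow trickle below the threshold does not fire; each burst fires once.
    """
    findings = []
    recent_failures = defaultdict(deque)  # (src, user) -> recent 4625 timestamps
    flagged_bursts = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse_ts(ev["time"])
        if ev["id"] == 4625:
            key = (ev["src"], ev["user"])
            window_q = recent_failures[key]
            window_q.append(t)
            while window_q and t - window_q[0] > window:
                window_q.popleft()
            if len(window_q) >= threshold and key not in flagged_bursts:
                flagged_bursts.add(key)
                findings.append(("FAILED_LOGON_BURST", ev["user"], ev["src"]))
        elif ev["id"] == 4672 and ev["user"] not in privileged:
            findings.append(("UNEXPECTED_PRIVILEGED_LOGON", ev["user"], ev["src"]))
        elif ev["id"] == 4663:
            obj = ev.get("object", "")
            if obj.startswith(cui_prefix) and ev["user"] not in cui_users:
                findings.append(("UNAUTHORIZED_CUI_ACCESS", ev["user"], obj))
    return findings


if __name__ == "__main__":
    for finding, user, detail in review_events(EVENTS):
        print(f"{finding}: {user} ({detail})")
```

Whatever tool actually performs this review in your environment, the evidence an assessor wants is the same: the schedule, the reviewer's name, and a record of each run with the findings and what was done about them.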
Configuration Management and Vulnerability Management
Technical hygiene is highly visible during an assessment. These items address the controls assessors will verify directly.
- Patch management is current and documented. Assessors will look at patch levels on in-scope systems. Critical and high-severity vulnerabilities should have documented remediation timelines that are actively tracked.
- Vulnerability scans have been run recently and findings are addressed. Run authenticated vulnerability scans on all in-scope systems before your assessment. Document your findings and your remediation actions.
- Endpoint protection is deployed and current on all in-scope systems. Verify that anti-malware is installed, updated, and actively running. Understand the basics of endpoint security and confirm your tools meet current standards.
- Unauthorized software controls are in place. Application allowlisting (also called whitelisting) or an equivalent control should prevent unauthorized software from executing in your CUI environment, and you should be able to produce the allowlist and evidence that it is enforced rather than running in audit-only mode.
- Your SPRS score is submitted and reflects your actual posture. Your Supplier Performance Risk System score must be on file (a NIST SP 800-171 self-assessment no more than three years old, as DFARS 252.204-7019 requires) and must be consistent with what your SSP and POA&M document. Discrepancies between your submitted score and your actual control implementation are a serious assessment risk.
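The patch management and vulnerability scan items above call for remediation timelines that are tracked rather than merely written down. The block below is an added example (not code from the original post) of the aging report that backs such tracking: it reads a constructed authenticated-scan export and lists every open finding that has exceeded its remediation timeline. The column layout, the placeholder finding IDs and the 15/30/90-day timelines are assumptions; NIST SP 800-171 leaves the numbers to your policy, so use the ones from your own vulnerability management procedure.

```python
import csv
import io
from datetime import date

# Constructed authenticated-scan export (not output from a real scanner).
# finding_id values are placeholders, not real CVE or scanner plugin IDs.
SCAN_CSV = """\
host,finding_id,severity,first_seen,fixed
ws-017,F-1001,critical,2025-05-10,
srv-fs01,F-1002,high,2025-05-20,
srv-fs01,F-1003,high,2025-04-01,2025-04-20
ws-022,F-1004,medium,2025-01-15,
"""

# Assumed remediation timelines in days, taken from a hypothetical policy.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}


def overdue_findings(scan_csv, today, sla_days=SLA_DAYS):
    """Return open findings that are past their remediation timeline.

    Each entry is (host, finding_id, severity, days_open, days_overdue),
    most overdue first. Findings with a fixed date are skipped, as are
    severities with no timeline defined in the policy.
    """
    overdue = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["fixed"]:
            continue
        severity = row["severity"].lower()
        if severity not in sla_days:
            continue
        days_open = (today - date.fromisoformat(row["first_seen"])).days
        days_over = days_open - sla_days[severity]
        if days_over > 0:
            overdue.append((row["host"], row["finding_id"], severity, days_open, days_over))
    return sorted(overdue, key=lambda f: f[4], reverse=True)


def run_sample():
    """Age the constructed export as of a fixed review date."""
    return overdue_findings(SCAN_CSV, date(2025, 6, 1))


if __name__ == "__main__":
    for host, fid, severity, opened, over in run_sample():
        print(f"{host} {fid} ({severity}): open {opened} days, {over} days past timeline")
```

Every row this report produces should already correspond to a POA&M entry with a milestone; an overdue finding that appears here but not in the POA&M is exactly the kind of discrepancy an assessor will write up.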
Physical Security and Personnel Controls
CMMC is not purely a cybersecurity certification. Physical and personnel controls are assessed as well.
- Physical access to CUI processing areas is controlled and logged. Badge access records, visitor logs, and escort policies must be in place for any physical space where CUI is handled.
- Personnel security screening is documented. Background check requirements for personnel with access to CUI must be defined, conducted, and recorded.
- Security awareness training records are current for all personnel. Every employee with access to CUI must have completed security awareness training within the required period. Training records must be accessible to assessors.
- Workforce exit procedures revoke access promptly and verifiably. Termination checklists must document that accounts are disabled, credentials are revoked, and CUI access is removed when personnel leave.
Final Pre-Assessment Verification
In the final weeks before your assessment, these last items can mean the difference between a confident walkthrough and an emergency scramble.
- Your evidence repository is organized and assessor-ready. Every control should map to specific evidence: screenshots, configuration exports, policy documents, training records, logs. Assessors should be able to navigate your evidence without needing to ask you to find things. Learn more about organizing your CMMC documentation so assessors can navigate it easily.
- A mock assessment or pre-assessment review has been completed. Whether you conduct an internal walkthrough or engage a consulting firm, a structured pre-assessment review will surface findings you missed. Our CMMC, CUI & DFARS compliance services include pre-assessment readiness reviews designed specifically for this purpose.
Where Most Contractors Fall Short
In my experience, the items that most frequently trip up contractors are not the technically complex controls — they are the documentation gaps, the inconsistencies between written policies and actual practices, and the failure to verify that controls work as described. An assessor's job is to confirm that what you claim in your SSP is what actually exists in your environment. Every discrepancy is a potential finding.
If your team is working through NIST SP 800-171 for the first time, our overview of NIST SP 800-171 Revision 3 and its implications for CUI protection provides important context. Note that the CMMC Program rule (32 CFR Part 170) currently assesses Level 2 against Revision 2 of the standard, so treat the Revision 3 overview as a guide to where the requirements are heading rather than as the baseline your assessor will evaluate against.
Contractors in sectors like aerospace and defense face particular scrutiny given the sensitivity of the programs they support. Getting audit readiness right is not just about passing a certification — it is about demonstrating to your DoD customers that you are a trustworthy custodian of sensitive program information.
Take the Next Step Toward Assessment Confidence
Working through this checklist on your own is a valuable exercise, but nothing replaces a structured review by experienced compliance professionals who have seen what assessors actually look for. At Cleared Systems, we work with defense contractors at every stage of the CMMC journey — from initial gap assessments through pre-assessment readiness reviews and ongoing compliance support. If your assessment date is approaching and you want an expert set of eyes on your program before the C3PAO walks in the door, request a quote today or explore our engagement models to find the support structure that fits your organization.
