Comprehensive Guide to Preparing for CMMC Audit Readiness Assessment
A detailed guide on gathering information for the AI assessment and general CMMC preparation.
This guide provides detailed instructions and considerations for gathering the necessary information to effectively use the AI-Powered Audit Readiness Assessment tool within the CMMC Dashboard and, more broadly, to prepare for your CMMC journey. The more thorough and accurate the information you provide to the AI, the more insightful and actionable its assessment will be.
You can find official CMMC information on the Cyber AB website (the accreditation body formerly known as the CMMC-AB) and the DoD CMMC Program page.
I. System Description
This section requires a detailed overview of the systems that are in scope for CMMC. The goal is to paint a clear picture of your IT environment that handles, stores, or transmits Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).
Key Information to Gather:
- Network Infrastructure:
- Topology Overview: Briefly describe your network layout (e.g., segmented LAN, WAN connections, DMZ).
- Devices: List key network devices (routers, switches, firewalls – include make/model if known). Consider tools like Nmap for network discovery.
- Wireless Networks: Detail any Wi-Fi networks, their security protocols (WPA2/3, EAP type), and whether they handle CUI.
- Remote Access: How is remote access facilitated (VPN type, portals)?
- Servers:
- Types: Physical servers, virtual machines (VMs). Specify hypervisor if applicable (e.g., VMware vSphere, Microsoft Hyper-V).
- Operating Systems: List OS versions (e.g., Windows Server 2019, Ubuntu 20.04 LTS).
- Roles: Describe the function of key servers (e.g., Domain Controllers, File Servers, Database Servers, Application Servers, Web Servers).
- Cloud Servers: If using IaaS (e.g., AWS EC2, Azure VMs), detail these as well. Refer to AWS Security Best Practices or Azure Security Center.
- Endpoints:
- Types: Workstations (desktops), laptops, mobile devices (smartphones, tablets if they access CUI).
- Operating Systems: List OS versions (e.g., Windows 10/11, macOS Monterey, iOS 15, Android 12).
- Company-owned vs. BYOD: Specify policy for device ownership.
- Cloud Services (PaaS, SaaS):
- Providers: Name specific cloud providers (e.g., Microsoft 365 GCC High, AWS GovCloud, Salesforce Government Cloud).
- Services Used: List key services used that process or store CUI (e.g., SharePoint Online, Exchange Online, Azure SQL Database, specific SaaS applications).
- FedRAMP Authorization: Note if services are FedRAMP authorized (and at what level). DFARS 252.204-7012 requires a cloud service that stores, processes, or transmits CUI to meet the FedRAMP Moderate baseline or equivalent, so record the level, not just "yes". See the FedRAMP Marketplace.
- Security Tools & Technologies:
- Perimeter Security: Firewalls, Intrusion Detection/Prevention Systems (IDS/IPS).
- Endpoint Security: Antivirus/Anti-malware, Endpoint Detection and Response (EDR), Host-based Intrusion Prevention (HIPS).
- Data Loss Prevention (DLP): Any DLP solutions in place.
- Security Information and Event Management (SIEM): If used, specify the product. The CMMC Dashboard can help you track evidence from these tools.
- Vulnerability Scanners: Tools used for vulnerability scanning.
- Encryption: Mention use of full-disk encryption, email encryption, data-at-rest/in-transit encryption methods.
- Software & Applications:
- List critical applications used to process, store, or transmit CUI/FCI, especially custom-developed applications.
- Mention how software is updated and patched.
Example Snippet for AI Input: "Our core infrastructure includes Cisco Catalyst switches and Palo Alto Networks firewalls segmenting our internal network from a DMZ. We utilize Windows Server 2022 for Active Directory, file services (DFS), and a SQL Server 2019 database backend for our ERP system. Endpoints are primarily Windows 11 Pro workstations with BitLocker enabled, managed via Microsoft Intune. CUI is frequently handled within our Microsoft 365 GCC High environment, specifically SharePoint Online and Exchange Online. Security tools include CrowdStrike Falcon (EDR), Nessus for vulnerability scanning, and Splunk Cloud for SIEM. The CMMC Dashboard is used for overall project tracking."
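Before writing the narrative above, it helps to put the inventory in a structured form and let a script tell you which assets are in scope and which obvious gaps an assessor will ask about. The following is an added example, not code from the CMMC Dashboard or any vendor: it runs over a constructed inventory modelled on the example snippet (host names, the two SaaS entries and the unencrypted ERP database are hypothetical; Microsoft 365 GCC High being FedRAMP High is public fact). The findings cite the NIST SP 800-171 requirement each maps to; the FedRAMP Moderate floor comes from DFARS 252.204-7012.

```python
# Added example (not the CMMC Dashboard's code): a CUI-boundary check over a
# constructed inventory shaped like the Section I checklist.  Flags gaps an
# assessor will ask about, citing the NIST SP 800-171 requirement each maps to.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                  # server | endpoint | cloud | wifi | remote_access
    handles_cui: bool          # stores, processes or transmits CUI/FCI
    os: str = ""
    encrypted_at_rest: bool = False
    fedramp_level: str = ""    # "", "Low", "Moderate" or "High"
    mfa: bool = False
    wifi_auth: str = ""        # e.g. "WPA2-Enterprise", "WPA3-Enterprise", "WPA2-PSK"


# Constructed sample inventory modelled on the Section I example snippet;
# host names and the two SaaS entries are hypothetical.
INVENTORY = [
    Asset("DC01", "server", True, os="Windows Server 2022", encrypted_at_rest=True),
    Asset("FS01", "server", True, os="Windows Server 2022", encrypted_at_rest=True),
    Asset("ERP-SQL", "server", True, os="SQL Server 2019", encrypted_at_rest=False),
    Asset("ENG-LT-17", "endpoint", True, os="Windows 11 Pro", encrypted_at_rest=True),
    Asset("M365 GCC High", "cloud", True, fedramp_level="High"),
    Asset("Marketing CRM", "cloud", False, fedramp_level=""),
    Asset("File-share SaaS", "cloud", True, fedramp_level="Low"),
    Asset("Corp-WiFi", "wifi", True, wifi_auth="WPA2-Enterprise"),
    Asset("Guest-WiFi", "wifi", False, wifi_auth="WPA2-PSK"),
    Asset("Fortinet VPN", "remote_access", True, mfa=True),
]

FEDRAMP_RANK = {"": 0, "Low": 1, "Moderate": 2, "High": 3}


def cui_boundary(inventory):
    """Names of assets that are in scope because they handle CUI."""
    return [a.name for a in inventory if a.handles_cui]


def summarize(inventory):
    """Count in-scope vs. out-of-scope assets per kind, for the system description."""
    summary = {}
    for a in inventory:
        in_scope, out = summary.get(a.kind, (0, 0))
        summary[a.kind] = (in_scope + 1, out) if a.handles_cui else (in_scope, out + 1)
    return summary


def find_gaps(inventory):
    """(asset, finding) pairs for in-scope assets that miss a baseline control."""
    gaps = []
    for a in inventory:
        if not a.handles_cui:
            continue                      # out-of-scope assets are not assessed here
        if a.kind in ("server", "endpoint") and not a.encrypted_at_rest:
            gaps.append((a.name, "CUI at rest is not encrypted (SC.L2-3.13.16)"))
        if a.kind == "cloud" and FEDRAMP_RANK.get(a.fedramp_level, 0) < FEDRAMP_RANK["Moderate"]:
            # DFARS 252.204-7012 requires FedRAMP Moderate or equivalent for CUI in the cloud
            gaps.append((a.name, "cloud service holding CUI is below FedRAMP Moderate"))
        if a.kind == "remote_access" and not a.mfa:
            gaps.append((a.name, "remote access without MFA (IA.L2-3.5.3)"))
        if a.kind == "wifi" and "Enterprise" not in a.wifi_auth:
            gaps.append((a.name, "Wi-Fi carrying CUI lacks 802.1X/EAP authentication (AC.L2-3.1.17)"))
    return gaps


if __name__ == "__main__":
    print("In-scope assets:", ", ".join(cui_boundary(INVENTORY)))
    for kind, (in_scope, out) in summarize(INVENTORY).items():
        print(f"  {kind}: {in_scope} in scope, {out} out of scope")
    for name, finding in find_gaps(INVENTORY):
        print(f"GAP  {name}: {finding}")
```

Run it and the two gaps it reports (the unencrypted ERP database and the FedRAMP Low file-sharing service) are exactly the kind of honest detail worth stating in the AI input rather than leaving for an assessor to discover. Keep the inventory file under change control so the system description and the SSP stay in step.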
II. Current Cybersecurity Practices & Policies
Describe your existing cybersecurity measures, implemented controls, and any documented policies or procedures. The key here is not just what you do, but how formally it's done and if it's documented and consistently applied. Our CMMC Dashboard Policy Templates can help you formalize these.
Key Information to Gather:
- Access Control:
- How are user accounts created, modified, and disabled? (See our Access Control blog post for more.)
- Password policies (length, complexity, history, lockout).
- Use of Multi-Factor Authentication (MFA) – where is it enforced? (Admin access, remote access, cloud services).
- Principle of Least Privilege – how is it implemented? Role-Based Access Control (RBAC)?
- Regular access reviews – are they performed? How often?
- Audit & Accountability:
- Are audit logs generated for systems handling CUI? What types of events are logged? (Relevant blog: Audit & Accountability).
- How are logs protected and reviewed? Log retention period?
- Configuration Management:
- Are baseline configurations established for systems? How are changes managed and approved?
- Identification & Authentication:
- How are users uniquely identified and authenticated?
- Incident Response:
- Do you have an Incident Response Plan (IRP)? Is it documented? Tested?
- How are incidents reported and handled?
- Maintenance:
- How is system maintenance (patching, updates) performed? Is it scheduled?
- Media Protection:
- How is CUI on removable media (USB drives, external HDDs) protected, controlled, and disposed of?
- Physical Protection:
- Controls for physical access to facilities, server rooms, and areas where CUI is handled.
- Risk Management:
- How are risks identified and assessed? Is there a formal risk assessment process?
- Security Assessment:
- Do you conduct periodic security assessments or vulnerability scans? The CMMC Dashboard AI tool can be your first step.
- System & Communications Protection:
- Network segmentation, boundary protection (firewalls), encryption of CUI in transit and at rest.
- System & Information Integrity:
- Malware protection, system monitoring for unauthorized changes, flaw remediation processes.
- Security Awareness Training:
- Is training provided to employees? How often? What topics are covered? (See our blog on Awareness & Training).
- Policy Documentation:
- Crucially, list any formal, written policies you have. (e.g., "We have a documented Access Control Policy, Incident Response Plan, and Acceptable Use Policy. These are reviewed annually.")
- If policies are informal or not documented, state that. You can use the CMMC Dashboard templates to create them.
- Evidence of Practices:
- Think about how you would prove these practices to an auditor. (e.g., "Access reviews are documented in quarterly reports," "MFA enforcement is confirmed via Microsoft Entra ID (formerly Azure AD) sign-in logs," "Training completion is tracked in our LMS.") Even if not explicitly asked for by the AI, this mindset helps frame your descriptions. The CMMC Dashboard's Evidence Manager helps organize this.
Example Snippet for AI Input: "We enforce MFA using Duo for all remote access and administrative logins. User access is provisioned based on roles defined in our Access Control Policy (reviewed annually, generated via CMMC Dashboard). System logs are collected by Splunk and reviewed weekly for anomalies, with a 90-day retention. We conduct quarterly internal vulnerability scans and patch critical vulnerabilities within 30 days. Our Incident Response Plan is tested via tabletop exercises twice a year. While we have a documented Media Protection policy, our process for tracking CUI on USBs is currently being formalized. Employee security awareness training is mandatory upon hiring and annually thereafter."
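"Logs are reviewed weekly for anomalies" is only assessable if the review produces a record. The script below is an added example, not the CMMC Dashboard's or Splunk's code: it runs three review rules over a constructed JSON-lines export of Windows Security events and returns the findings as one record you could file as that week's evidence. The event IDs (4625 failed logon, 4672 special privileges assigned at logon, 4720 user account created) are the real Windows Security IDs; the users, addresses, times and the admin allow-list are hypothetical.

```python
# Added example (not the CMMC Dashboard's or Splunk's code): a weekly audit-log
# review over a constructed JSON-lines export of Windows Security events.  The
# findings dict is what you would file as evidence that logs are reviewed.
import json
from collections import Counter

# Constructed sample export, one event per line.  Event IDs are the real Windows
# Security IDs (4625 failed logon, 4672 special privileges assigned at logon,
# 4720 user account created); users, IPs and times are hypothetical.
SAMPLE_LOG = """\
{"time": "2024-05-06T09:01:12Z", "event_id": 4625, "user": "jsmith", "src_ip": "10.1.20.15"}
{"time": "2024-05-06T09:01:40Z", "event_id": 4672, "user": "adm-rlee", "src_ip": "10.1.10.5"}
{"time": "2024-05-07T02:14:03Z", "event_id": 4625, "user": "svc-backup", "src_ip": "203.0.113.9"}
{"time": "2024-05-07T02:14:05Z", "event_id": 4625, "user": "svc-backup", "src_ip": "203.0.113.9"}
{"time": "2024-05-07T02:14:07Z", "event_id": 4625, "user": "svc-backup", "src_ip": "203.0.113.9"}
{"time": "2024-05-07T02:14:09Z", "event_id": 4625, "user": "svc-backup", "src_ip": "203.0.113.9"}
{"time": "2024-05-07T02:14:11Z", "event_id": 4625, "user": "svc-backup", "src_ip": "203.0.113.9"}
{"time": "2024-05-07T02:14:13Z", "event_id": 4625, "user": "svc-backup", "src_ip": "203.0.113.9"}
{"time": "2024-05-08T10:22:51Z", "event_id": 4720, "user": "adm-jsmith", "target_user": "tcontractor"}
{"time": "2024-05-09T16:45:30Z", "event_id": 4672, "user": "jsmith", "src_ip": "10.1.20.15"}
"""

# Accounts approved to hold administrative privileges (hypothetical; in practice
# this list comes from the Access Control Policy and the last access review).
ADMIN_ALLOWLIST = {"adm-jsmith", "adm-rlee"}


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_logon_bursts(events, threshold=5):
    """Accounts with at least `threshold` failed logons (4625) in the period."""
    counts = Counter(e["user"] for e in events if e["event_id"] == 4625)
    return {user: n for user, n in counts.items() if n >= threshold}


def unexpected_privileged_logons(events, allowlist=ADMIN_ALLOWLIST):
    """Privileged logons (4672) by accounts that are not approved admins."""
    return [e["user"] for e in events if e["event_id"] == 4672 and e["user"] not in allowlist]


def new_accounts(events):
    """(created account, creating admin) pairs from 4720 events, to reconcile against tickets."""
    return [(e["target_user"], e["user"]) for e in events if e["event_id"] == 4720]


def weekly_review(text):
    """Run every review rule and return the findings as one evidence record."""
    events = parse_events(text)
    return {
        "events_reviewed": len(events),
        "failed_logon_bursts": failed_logon_bursts(events),
        "unexpected_privileged": unexpected_privileged_logons(events),
        "new_accounts": new_accounts(events),
    }


if __name__ == "__main__":
    print(json.dumps(weekly_review(SAMPLE_LOG), indent=2))
```

On the sample the review surfaces a password-guessing burst against a service account from an external address, a privileged logon by an account that is not on the admin list, and one account creation to reconcile against a provisioning ticket. Each finding, its disposition, and the reviewer's name and date are the artefact an assessor expects for AU.L2-3.3.3 (review and update logged events) and AC.L2-3.1.7 (privileged function auditing); the same rules translate directly into scheduled SIEM searches once they have proven useful.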
III. Operating Environment
Detail where your systems operate and any specific characteristics of these environments relevant to security.
Key Information to Gather:
- Physical Locations:
- On-premise data centers/server rooms: Describe physical security (access controls, surveillance, environmental controls).
- Office locations where CUI is handled.
- Cloud Environments:
- Providers & Regions: (e.g., AWS us-gov-west-1, Azure Government Virginia).
- Service Models: IaaS, PaaS, SaaS.
- Shared Responsibility: Briefly acknowledge understanding of shared responsibility model with CSPs.
- Specific Services: (e.g., "CUI is stored in Azure Blob Storage with customer-managed keys and accessed via Azure App Service configured with VNet integration.")
- Hybrid Setups:
- Describe how on-premise and cloud environments are connected and interact, especially concerning CUI flow.
- Remote Work Environment:
- If applicable, how is CUI protected in remote work scenarios? (e.g., company-issued laptops, VPN requirements, VDI).
Example Snippet for AI Input: "Our primary servers are located in an on-premise data center with biometric access controls and 24/7 surveillance. We leverage Microsoft Azure Government for specific applications handling CUI, utilizing Azure Key Vault for encryption key management. Remote employees connect via a Fortinet VPN client on company-managed laptops, managed through our CMMC Dashboard's asset tracking (conceptual feature)."
IV. Data Handled (Especially CUI/FCI)
Focus on the types of sensitive information your systems process, store, or transmit, and how this data is managed throughout its lifecycle. Refer to our KB article "What is CUI?" for definitions.
Key Information to Gather:
- Types of CUI/FCI:
- Be specific if possible (e.g., technical drawings, engineering specifications, contract performance reports, personally identifiable information related to government contracts).
- Mention if you handle specific CUI categories (e.g., Export Controlled) and any limited dissemination controls applied to them (e.g., NOFORN).
- Data Identification & Marking:
- How is CUI/FCI identified within your systems and documents?
- Are there procedures for marking CUI in accordance with DoD guidance (DoDI 5200.48), including distinguishing CUI Basic from CUI Specified markings?
- Data Storage:
- Where is CUI/FCI stored? (Specific servers, cloud storage locations, databases, SharePoint sites).
- Encryption at rest: Is it applied? What type? Note that NIST SP 800-171 3.13.11 requires FIPS-validated cryptography wherever encryption is used to protect CUI, so record the module or validation certificate, not just the algorithm.
- Data Transmission:
- How is CUI/FCI transmitted internally and externally?
- Encryption in transit: (e.g., TLS 1.2 or later for web traffic; SSL and early TLS versions are deprecated, S/MIME for email, FIPS-validated VPNs).
- Data Access & Flow:
- Briefly describe who accesses CUI/FCI and for what purpose.
- Illustrate a typical data flow path if complex.
- Data Disposal/Destruction:
- Procedures for securely disposing of CUI/FCI on physical media and digital systems.
Example Snippet for AI Input: "We handle CUI in the form of technical specifications and schematics related to DoD contracts. This data is identified through manual review and marked with 'CUI' headers/footers. It's primarily stored on encrypted network shares and in a dedicated SharePoint Online site collection within our GCC High tenant. All external transmission of CUI uses FIPS 140-2 validated encrypted email or secure file transfer portals. Obsolete hard drives containing CUI are physically destroyed by a certified vendor, tracked in the CMMC Dashboard's evidence logs."
By thoroughly gathering and providing detailed information in these four areas, you will enable the AI Audit Readiness tool to give you a much more accurate and helpful initial assessment of your CMMC posture. Ready to put this preparation into action? Try the AI Audit Readiness Assessment in the CMMC Dashboard now! Good luck!