CMMC Audit Preparation Checklist: 90-Day, 6-Month, and 12-Month Plans by Starting Maturity
Your contracting officer just confirmed CMMC Level 2 will be required for your contract recompete, and the realistic preparation window is 6 to 12 months. A generic seven-step list isn’t much use at that point — you need to know what to do this month, what to defer, and what gets you failed when the C3PAO arrives. This checklist organizes audit prep by where you actually are, what assessors actually do, and the evidence you actually need.
Where You Actually Are: Three Starting Positions
Audit preparation effort scales with your starting maturity. Three positions cover most contractors:
- Position 1 — baseline IT, no framework. Firewalls, antivirus, no formal documentation, no compliance certifications. The realistic total preparation timeline is 12–18 months. Typical gap count for a 15–125 person contractor: 40–70 of the 110 controls not fully implemented at first assessment.
- Position 2 — SOC 2 Type II or ISO 27001 in place. Control overlap with NIST 800-171 Rev 2 is approximately 40–60% for SOC 2 and roughly 80% for ISO 27001, per multiple practitioner sources. Realistic timeline: 6–12 months. The new work concentrates on CUI-specific items (marking, handling, 72-hour incident reporting) and on the CMMC-specific organization of controls.
- Position 3 — remediation largely complete, entering documentation and evidence. Technical controls are in place, the System Security Plan is in draft, and you’re 3 months from a target assessment date. This is the 90-day sprint phase.
Pick your position before reading the next sections. The 12-month and 6-month plans differ; the 90-day sprint is the same regardless of how you got there.
The 12-Month Plan (Position 1: No Framework Yet)
For contractors starting from baseline IT, the preparation phases are:
- Months 1–3: Scope, gap assessment, SSP outline. Identify which systems handle Controlled Unclassified Information (CUI) and define the assessment boundary. The scope decision is the highest-leverage early decision because an enclave strategy — isolating CUI into a segmented portion of your network — can substantially reduce in-scope assets compared to scoping the entire enterprise. Run a gap analysis against all 110 NIST SP 800-171 Rev 2 requirements. Begin drafting the SSP.
- Months 3–9: High-impact remediation. Close 5-point and 3-point gaps first — these cannot be POA&M’d. Typical technology investments: FIPS-validated encryption (data at rest and in transit), MFA across all CUI access paths, SIEM with at least 90 days of audit log retention, EDR on systems that handle CUI. Develop the 30+ policies the 14 control families require.
- Months 9–12: Documentation, evidence collection, mock assessment. Finalize the SSP (typically 60–150 pages including network and CUI data flow diagrams), build evidence packages organized by control family, and run an internal or consultant-led mock assessment 3–6 months before the planned C3PAO engagement.
- Final 3 months: C3PAO selection, scheduling, evidence finalization. Established C3PAOs on the CyberAB Marketplace book out 6–9 months in advance, which is why selection happens before the final-evidence phase, not after.
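The "5-point and 3-point gaps first" rule above is a prioritization problem you can make concrete. The following added example (not code from the original checklist or from the tools it links to) scores a constructed gap register the way the NIST SP 800-171 DoD Assessment Methodology does: start at 110, deduct each unimplemented requirement's weight of 5, 3 or 1, and score MFA (3.5.3) and FIPS-validated cryptography (3.13.11) at 3 points when only partially implemented. It then orders the open gaps by points recovered and splits them into items that must be closed before assessment day versus 1-point items a POA&M may carry, following this checklist's statement of that rule. The control IDs and weights in `SAMPLE_GAPS` are constructed for illustration; take real weights from Annex A of the methodology.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Perfect score under the DoD Assessment Methodology: all 110 requirements
# implemented, nothing deducted.
MAX_SCORE = 110

# The two requirements the methodology scores at 3 points (instead of 5)
# when partially implemented.
PARTIAL_CREDIT_CONTROLS = {"3.5.3", "3.13.11"}

# Per the checklist: only 1-point gaps may be carried on a POA&M.
POAM_ELIGIBLE_WEIGHTS = {1}


@dataclass(frozen=True)
class Gap:
    control: str   # NIST SP 800-171 Rev 2 requirement ID, e.g. "3.1.1"
    weight: int    # 5, 3 or 1, taken from Annex A of the methodology
    status: str    # "not_implemented" or "partial"


def deduction(gap: Gap) -> int:
    """Points this gap costs against the 110 maximum."""
    if gap.status == "partial" and gap.control in PARTIAL_CREDIT_CONTROLS:
        return 3
    # Every other partially implemented requirement is scored as not met.
    return gap.weight


def sprs_score(gaps: List[Gap]) -> int:
    """Estimated SPRS score: 110 minus the deductions for every open gap."""
    return MAX_SCORE - sum(deduction(g) for g in gaps)


def remediation_queue(gaps: List[Gap]) -> List[Tuple[str, int]]:
    """Open gaps ordered by points recovered, most expensive first (ties by control ID)."""
    return sorted(((g.control, deduction(g)) for g in gaps),
                  key=lambda item: (-item[1], item[0]))


def split_by_poam_eligibility(gaps: List[Gap]) -> Dict[str, List[str]]:
    """Controls that must be closed before assessment vs. those a POA&M may carry."""
    result: Dict[str, List[str]] = {"must_fix": [], "poam_eligible": []}
    for g in gaps:
        bucket = "poam_eligible" if g.weight in POAM_ELIGIBLE_WEIGHTS else "must_fix"
        result[bucket].append(g.control)
    return result


# Constructed sample gap register (illustrative only; weights are not authoritative).
SAMPLE_GAPS = [
    Gap("3.1.1", 5, "not_implemented"),
    Gap("3.5.3", 5, "partial"),           # MFA on some, not all, CUI access paths
    Gap("3.13.11", 5, "not_implemented"),  # no encryption of CUI at rest
    Gap("3.3.2", 3, "not_implemented"),
    Gap("3.1.20", 1, "not_implemented"),
    Gap("3.3.3", 1, "not_implemented"),
]

if __name__ == "__main__":
    print("Estimated SPRS score:", sprs_score(SAMPLE_GAPS))
    print("Remediation queue:", remediation_queue(SAMPLE_GAPS))
    print("POA&M eligibility:", split_by_poam_eligibility(SAMPLE_GAPS))
```

The queue output is the order in which the months 3–9 remediation work should be attacked: the 5-point items first, then the 3-point items, with the 1-point items either closed or documented on the POA&M with closure dates. Re-running the script as gaps close gives you the running SPRS estimate that the final-evidence phase needs.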
The 6-Month Plan (Position 2: SOC 2 or ISO 27001 Already in Place)
With an existing framework, you already have most of the document architecture and many of the controls. The gap concentrates on CMMC-specific items.
- Month 1: Crosswalk against NIST 800-171 Rev 2. Map your existing control implementations to the 110 requirements. Identify which controls transfer cleanly, which need adaptation (different scope, different evidence), and which are net-new. ISO 27001 organizations typically find 15–25 net-new controls; SOC 2 organizations typically find 40–65.
- Months 1–3: Remediate the deltas. Common CMMC-specific work: CUI marking and handling procedures, asset categorization into the five CMMC categories (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets), 72-hour cyber incident reporting to the DoD per DFARS 252.204-7012, and FIPS-validated cryptographic modules where your existing framework allowed any approved algorithm.
- Months 3–5: Documentation alignment. Restructure or supplement existing documentation to match NIST’s organization rather than the Trust Services Criteria or Annex A organization. The SSP needs to read against NIST 800-171’s 14 control families because assessors use that structure.
- Month 6: Mock assessment, evidence package, C3PAO finalization. Mock assessments cost $5,000–$15,000 with a qualified Registered Practitioner Organization (RPO) and typically uncover 5–15 issues that would have failed the real assessment.
The Final 90-Day Sprint (Position 3: Documentation and Validation Phase)
The 90-day sprint is the same regardless of how long the broader preparation took. Run it on a structured weekly cadence; document everything; assume the assessor will ask for a specific item the day they walk in.
Weeks 1–4: SSP Finalization and Documentation Lockdown
- Finalize the System Security Plan. The SSP describes how the organization implements each of the 110 controls and is the document assessors review first. Sections expected: system boundary description, network diagrams, CUI data flow diagrams, asset inventory by category, per-control implementation narratives, roles and responsibilities. The companion piece on what assessors look for in an SSP covers the depth they expect in each section.
- Approve and date every policy. “Dusting off” an old policy — updating the date without updating content — is one of the most common assessment failures. Policies must reflect actual practice and have been reviewed within the documented review cycle.
- Lock the network diagram. The diagram must reflect actual production state, not aspirational architecture. Assessors compare it against what they observe during the Test phase; mismatches fail the boundary control.
Weeks 5–8: Evidence Package Assembly
Organize evidence by control family with clear mapping to each of the 110 requirements. Assessors do not search for evidence — if you cannot produce it on demand, the control is marked NOT MET. The package should include, at minimum:
- System Security Plan (current, reviewed, approved)
- Plan of Action & Milestones (POA&M) with closure deadlines if applicable
- Network diagrams showing CUI boundary and segmentation
- CUI data flow diagrams — how CUI enters, moves through, is stored in, and exits your systems
- Asset inventory by CMMC category (hardware, software, cloud services)
- Policies per control family (one minimum, often more)
- Configuration baselines and change logs
- Audit logs (at least 90 days, ideally longer)
- Security awareness and role-based training records
- Incident response plan plus documented test or tabletop results
- Vulnerability scan results from the last 30–90 days
- Risk assessment documentation
Weeks 9–12: Interview Prep and Test Validation
- Walk every responsible person through the controls they own. During the Interview phase, the IT admin who says “I think we have that configured” instead of “here’s how we configure and monitor it” signals weak implementation regardless of what the SSP says.
- Run a final Test pass: attempt access without MFA, verify encryption is active on CUI assets, confirm audit logs capture the right events, verify patch levels match the baseline.
- Close any 1-point POA&M items you intend to remediate before assessment day; the assessor will see what is open versus closed, and a cluster of items closed in the days before the assessment invites questions.
What Assessors Actually Do: Examine, Interview, Test
The three methods come from NIST SP 800-171A. A control passes only if it passes all three:
- Examine: assessor reviews documentation — SSP, policies, procedures, configuration files, log samples, training records. A policy without supporting procedure detail fails Examine.
- Interview: assessor talks to IT staff, system administrators, management, and end users. They ask questions like “walk me through what happens when you detect a security incident” or “show me how you provision a new user account.” Staff who can’t describe controls in their own area fail Interview.
- Test: assessor actively verifies controls — tries to log in without MFA, checks encryption settings on a sample asset, reviews actual audit logs against the documented retention policy. This is where on-paper compliance fails most often.
A readiness quiz can approximate Examine and partially Interview — it cannot Test. That’s why a mock assessment with someone who can actually try to break the controls (with permission) is the single highest-value pre-assessment activity.
Five Mistakes That Fail Real Assessments
Before Audit Day: One Final Check
The goal of audit preparation is no surprises. A C3PAO assessment that confirms what you already know is a successful assessment. New findings on assessment day usually trace back to a step in this checklist that was skipped or shortcut. If you want a structured baseline of your current state across all 14 control families, the CMMC readiness assessment walks each domain, produces an estimated SPRS score, and identifies which gaps would cost the most points — the right input to your remediation queue. For context on the engagement itself: the C3PAO assessment is typically 3–5 days on-site, and the 12–18 month total timeline varies by starting maturity, as laid out in the three plans above.
Disclaimer: This checklist is an educational starting point, not legal, audit, or compliance advice. It is not a substitute for a formal CMMC readiness assessment by a C3PAO or Registered Practitioner Organization (RPO). Your SPRS score must be calculated and submitted by your organization — this guide does not submit SPRS scores. Consult an RPO for formal assessment readiness guidance specific to your environment.
Related tools
CMMC Readiness Quiz
Estimate your SPRS score and CMMC Level 2 readiness across all 14 NIST 800-171 control domains.
CMMC L2 Assessment Kit
The CMMC Level 2 documentation kit for small defense contractors who want to drive their own self-assessment. 14 NIST 800-171 policies, SSP, POA&M, SPRS worksheet, and mapping matrix. $249.