
Tips for Your CMMC Audit

A compliance audit can be an intimidating undertaking, especially if you haven’t gone through one before! Here are some of our tips to help you get through your CMMC audit.



Provide the Minimum Amount of Information


Question: How do you respond if an auditor asks, “Do you employ the principle of least privilege?”


Answer: “Yes.”


It may seem silly, but short and sweet responses are best during audits. Only provide the minimum amount of information required to answer exactly the question which was asked. No more, no less.


Providing extraneous information is more likely to be detrimental than helpful. You’re not trying to hide anything, but you don’t need to give auditors a reason to dig deeper. The auditor will ask for additional information when they need it.


It's Okay to Ask Questions


Straight from the DoD’s CMMC Level 2 Self-Assessment Guide: “Is it possible to identify who enabled privileges at any particular time?” But what exactly is the auditor asking you? Who “enabled” privileges? What does that even mean?


If you don’t fully understand an auditor’s question, it’s perfectly acceptable to ask for clarification. It’s better to understand exactly what the auditor is looking for than to answer the wrong question. In this case, the question may make more sense when worded as, “Can you determine who performed privileged functions during a given timeframe and what they did?”


Are you logging administrative processes? Can you associate those with a specific user/service/account? Can you pull up those logs in your SIEM? Yes. Yes, you can.
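The kind of evidence that answers the reworded question, as an added example that is not part of the original post: a few constructed sudo-style log lines are parsed and filtered to show who ran privileged commands, on which host, during a given window. The log format, hostnames, usernames and timestamps are all assumptions made up for the example.

```python
# Added example (not from the original post): answer "who performed privileged
# functions during a given timeframe, and what did they do?" from audit logs.
# The syslog-style sudo format and every value below are constructed assumptions.
import re
from datetime import datetime

# Constructed sample log lines (assumption: one sudo event per line).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
2024-05-01T10:45:30Z host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd contractor
2024-05-01T13:02:11Z host2 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-05-02T08:00:00Z host2 sudo: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /data /backup
"""

# Captures timestamp, host, the account that invoked sudo, the target account, and the command.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_privileged_events(text):
    """Parse each sudo line into a dict; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
        events.append(ev)
    return events


def who_did_what(events, start, end):
    """Return [(user, host, command)] for privileged actions with start <= ts <= end."""
    s, e = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    return [(ev["user"], ev["host"], ev["cmd"]) for ev in events if s <= ev["ts"] <= e]


if __name__ == "__main__":
    # The auditor's timeframe: everything on 2024-05-01.
    for row in who_did_what(parse_privileged_events(SAMPLE_LOG),
                            "2024-05-01T00:00:00Z", "2024-05-01T23:59:59Z"):
        print(row)
```

In a real SIEM the same filter is a saved query over the ingested sudo, auditd or Windows Security events rather than a regex over a string, but the answer it produces (account, host, command, time) is the same.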


If You Don’t Know the Answer, Know How to Find It


Do you have every word of every single policy and procedure related to controlling CUI and FCI memorized? Of course not. It’s okay not to have all information in your mental cache, but it’s imperative to present yourself as having a thorough grasp of your organization's systems and processes during an audit. If you don’t know the answer to a particular question, show that you know where you would be able to locate the information.


For example, “I don’t know the answer off the top of my head, but I know we have that documented in [this policy/procedure], or I can contact [this person] as a point of contact who would be able to provide more detail. I can check and circle back if you’d like.” This demonstrates your knowledge of the overarching process, even if you’re currently blanking on the fine details.


Live Demos


Auditors will almost certainly request live demonstrations of systems to validate that you’re actually doing the work you say you are to meet controls (e.g., in your SSP and policies). Pull up a resource that best exemplifies how your organization meets the requirement being discussed. Once it’s up, only show information/systems specifically relevant to the question asked, not a full tour of the platform. Let the auditors ask for additional detail if they want it.


If you’ve ever done a live demo while standing in front of an audience, you know it’s inevitable that something won’t work as intended. Don’t panic! Your auditors will understand that Murphy’s Law is more like “Murphy’s 100% Universal Constant No-Question-Asked Foolproof Guarantee” when someone is looking over your shoulder. It’s okay to ask to take some time to sort out the issue and circle back. We’re only human, after all, and we're the ones who configured the systems.


Don’t Argue with Your Auditor


It seems like common sense, but it’s easy to get a little heated during an audit. You’ve spent hours upon hours and days and weeks and months preparing. You haven’t slept the last three nights. Now, you’re under the microscope, the stress is seeping out your pores, and the auditor says a requirement you thought you had in the bag isn’t satisfied. Resist the urge to scream!


There may be times where your understanding of a requirement differs from that of your auditor. Do. Not. Pick. A. Fight. With. Them. You will lose every time. Elaborate by saying, “My understanding of the requirement is…” and ask for clarification on their interpretation of the requirement. Approach the discussion with a collaborative mindset where you’re both trying to determine whether you’re meeting the intent of the rule.


Consider Working with an RPO


Don’t think of it as a get-out-of-jail-free card, but working with an RPO to prepare for your CMMC audit is a great way to ensure you have someone in your corner who fully understands the requirements. You and your team still need to know your environment, be able to communicate your setup, and provide demonstrations when requested, but an RPO can help you connect the dots between a specific requirement and your organization’s implementation. 


Many RPOs, including Triumvirate Cybersecurity, offer audit assistance as part of their services, which can take some of the pressure off. The earlier you start working with them, the more knowledgeable they’ll be about your unique circumstances and the more helpful they can be when you’re demonstrating compliance during an audit!


Our team has experience collaborating with customers during audits for numerous compliance frameworks, including CMMC and ISO 27001, and we're eager to help you get through yours!

