
Simplifying CMMC audits: step-by-step preparation, best practices and checklist


Pass your CMMC audit with confidence using this guide. Learn how audits differ between CMMC levels, and get step-by-step tips from compliance experts on preparing and streamlining. Download a free audit checklist to stay on track.

Key Findings:

  • CMMC audits become more complex at higher levels; Level 1 allows self-assessments, most Level 2 contracts require third-party audits, and all Level 3 contracts need a government-led audit.
  • Preparing for a CMMC audit can take months to over a year, depending on the organization's size, security complexity, and existing cybersecurity posture.
  • The actual CMMC audit typically takes at least six weeks for Level 2 and can take several months for Level 3.
  • CMMC audit costs vary widely, ranging from $30,000 to $700,000 for Level 2 organizations, depending on the organization's size, complexity, and specific auditor.
  • Compliance software can help automate and streamline key audit-prep tasks, such as organizing evidence, compiling documentation, and identifying security gaps.

What is a CMMC audit?

A CMMC audit checks if an organization’s cybersecurity meets CMMC standards. Third-party assessors handle most Level 2 and all Level 3 audits, while Level 1 organizations can do a self-assessment instead.


The Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) to set security requirements for contractors handling data like Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). In 2023, the DoD released the updated CMMC 2.0 framework. The update reduced the original five CMMC levels to three. Level 1 includes basic cybersecurity practices, Level 2 requires more advanced security measures, and Level 3 has the strictest requirements. Contractors must meet a specific CMMC level based on the project's needs and the data involved. To verify compliance, organizations must complete a formal audit that evaluates their cybersecurity against CMMC requirements.

The DoD uses "audit" and "assessment" interchangeably in its documentation and resources, which can create confusion. In professional contexts, an audit typically refers to a formal, third-party evaluation, while an assessment refers to an internal review.

Elliott Harnagel, Product and Compliance Strategist at Strike Graph, clarifies the terminology nuances: “In the DoD’s CMMC framework, ‘assessment’ and ‘audit’ mean the same thing. Both refer to an external review for Level 2 and Level 3 compliance. The terms change in meaning if the DoD includes the prefix ‘self.’ For example, a ‘self-assessment’ means an organization can evaluate itself without a third-party auditor, a situation which applies to all Level 1 organizations and select Level 2 organizations.”

Who needs a CMMC audit?

Any organization that wants to bid on DoD contracts requiring CMMC compliance must go through a formal CMMC audit. For contracts that require only Level 1 compliance, the organization can submit a self-assessment. For Level 2 and Level 3 contracts, the organization needs a third-party audit.

“Defense contracts with the DoD are often worth six to eight figures,” says Paolo Marquez, Managing Director at New Wave Advisory LLP. “To secure one of these lucrative contracts, a contractor must show they meet the required cybersecurity standards by passing a CMMC audit and obtaining CMMC certification.”

Although many other certifications align with CMMC, Marquez emphasizes that organizations must still go through the CMMC certification process, even if they hold parallel certifications. Fortunately, organizations that already comply with certain frameworks may find achieving CMMC compliance easier. For example, contractors that meet FedRAMP (the Federal Risk and Authorization Management Program) requirements may have an advantage, as CMMC and FedRAMP share similar cybersecurity standards for organizations handling government data.

How do CMMC audits vary by level?

CMMC audits become more extensive, costly, and time-consuming at higher levels. A key difference is who conducts the audit. Level 1 organizations perform a self-assessment. Most Level 2 organizations require third-party audits, and all Level 3 contracts receive an audit from a government assessor.

CMMC Level 1 self-assessment

In a CMMC Level 1 self-assessment, contractors evaluate their own compliance with the Level 1 requirements and enter their results into the DoD’s Supplier Performance Risk System (SPRS). Unlike higher levels, Level 1 does not require a third-party audit. Organizations must complete a new self-assessment annually.

Here's an overview of how Level 1 self-assessments work:

Who performs the assessments and what they cover

The organization seeking compliance (OSC) performs the Level 1 self-assessment to demonstrate that its security meets all 15 Level 1 security requirements.

“The DoD doesn’t have a mandatory standardized template or require you to submit any formal documentation as part of the self-assessment itself,” says Marquez. “Instead, they ask you to score yourself against the Supplier Performance Risk System (SPRS).”

Scoring system and conditional compliance

“The SPRS is the DoD's official repository for supplier and product performance information,” explains Marquez. “Submitting your self-assessment score to the SPRS is a critical step because it informs the DoD of your organization's cybersecurity posture. Essentially, you're attesting to your compliance level, which is particularly important for companies handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).”

For CMMC Level 1, SPRS scores are binary; organizations simply indicate whether they have met each of the 15 security requirements by selecting "Yes" (compliant) or "No" (non-compliant).

Level 1 audits can’t result in “conditional compliance,” as can happen in Level 2 and Level 3 for organizations that partially meet requirements. To certify at Level 1, organizations must be fully compliant when submitting their SPRS score, selecting “Yes” for all 15 security controls.

Timeline and additional requirements

Level 1 organizations must complete a self-assessment annually. They also must submit a formal affirmation that declares their compliance status and asserts that the results are accurate.

While there are no specific documentation requirements for reporting the self-assessment, organizations can use the DoD’s Level 1 Assessment Guide as a reference. This guide explains the various ways an organization can comply with the 15 security controls and provides instructions for assessing each requirement.

CMMC Level 2 audit

For most CMMC Level 2 audits, a Certified Third-Party Assessment Organization (C3PAO) conducts it and scores how well the organization complies with the 110 Level 2 requirements. Some contracts allow self-assessments instead. Organizations must submit a new score every three years.

Here’s an overview of how CMMC Level 2 audits and Level 2 self-assessments work:

Who performs them
  • Level 2 (C3PAO) contracts require an assessment by a Certified Third-Party Assessment Organization (C3PAO). The Cyber Accreditation Body (Cyber-AB) certifies these organizations and maintains a marketplace listing all approved C3PAOs.
  • Level 2 (self-assessment) contracts allow organizations to perform a self-assessment instead of an external audit. These contracts are far less common and apply only to organizations handling Controlled Unclassified Information (CUI) that the Department of Defense (DoD) considers less sensitive.


What they cover

DFARS 252.204-7012, a Defense Federal Acquisition Regulation Supplement (DFARS) clause in DoD contracts, outlines the CMMC Level 2 requirements. They are identical to the 110 cybersecurity requirements from the National Institute of Standards and Technology (NIST), specifically from Special Publication 800-171 (NIST SP 800-171). These standards specifically focus on protecting Controlled Unclassified Information (CUI).

All Level 2 organizations handle CUI, but the DoD categorizes Level 2 contracts based on the sensitivity of the CUI involved. The key difference is that one type requires a third-party audit, while the other allows for self-assessment.

Scoring methods and conditional compliance

Level 2 contractors submit their results to the Supplier Performance Risk System (SPRS). Level 2 compliance uses a weighted scoring system in which each of the 110 requirements carries a different weight based on its importance. Complying with some requirements adds one point, others add three, and some contribute five. Higher-value requirements contribute more to the overall score and reflect the most important cybersecurity practices.

The DoD implemented this scoring system to determine whether an organization meets enough requirements for conditional Level 2 compliance. To qualify, an organization’s total score must be at least 0.80 when divided by the 110 Level 2 requirements. However, certain security requirements must be met regardless of the final score. In simpler terms, conditional compliance means the organization has met at least 80% of the requirements.

To receive conditional compliance, an organization must submit a Plan of Action & Milestones (POA&M) detailing how it will close security gaps. Within 180 days, the organization must undergo a closeout assessment to confirm that all issues have been remediated.

Since CMMC requirements are extensive, even advanced organizations may have security gaps. Conditional compliance allows more qualified organizations to bid on Level 2 contracts while they work toward full compliance.

Timeline and additional requirements 

Level 2 organizations must complete an audit or self-assessment every three years.
Every year, they must submit a formal affirmation that declares they are still compliant.

The DoD’s Level 2 Assessment Guide provides detailed instructions and methodologies for both self-assessments and external audits. C3PAOs rely on this guide as a foundational resource for conducting assessments, and the DoD expects organizations to use it to evaluate their compliance with CMMC requirements.

CMMC Level 3 audit

For CMMC Level 3, a federal assessor evaluates whether the organization complies with Level 3 security requirements. Organizations must pass this audit every three years to remain compliant and eligible for Level 3 contracts.

Here’s an overview of how CMMC Level 3 audits work:

Who performs them and what they cover:

Before undergoing a CMMC Level 3 audit, an organization must first complete a CMMC Level 2 audit by a C3PAO for all systems within the Level 3 scope. The DoD will not accept a Level 3 assessment unless the organization has achieved full Level 2 compliance.

After receiving Level 2 certification from a C3PAO, the organization is eligible to receive a Level 3 assessment from a federal DIBCAC assessor. In the Level 3 audit, the assessor checks whether the organization complies with the CMMC Level 3 requirements, or the 24 advanced requirements from NIST SP 800-172.

Scoring methods and conditional compliance

For Level 3, each requirement is worth one point. An organization qualifies for conditional compliance if its assessment score, divided by the total number of Level 3 requirements, is 0.8 or higher and the organization meets certain non-negotiable requirements.

To maintain conditional compliance, organizations must submit a Plan of Action & Milestones (POA&M) outlining how they will address any gaps. They must resolve all issues and pass a closeout assessment within 180 days.
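The Level 2 weighted scoring described earlier and the Level 3 one-point scoring described here follow the same pattern: a score divided by the requirement count must reach 0.80, no non-negotiable requirement may be unmet, and every unmet item goes into a POA&M with a 180-day closeout. The checker below is an added example (not code from this article or from Strike Graph) that applies those rules, including the Level 1 all-or-nothing case. It assumes the DoD’s SP 800-171 assessment-methodology convention for Level 2 (start at 110 and subtract each unmet requirement’s 1, 3 or 5-point weight, which is what makes “divided by 110” meaningful), a constructed requirement catalogue, and a placeholder set of non-negotiable requirements.

```python
"""Conditional-compliance checker for CMMC assessment results.

Added example for this article; it is not code from the original page or
from Strike Graph. Labelled assumptions:
  * Level 2 scoring uses the DoD NIST SP 800-171 assessment-methodology
    convention: start at 110 and subtract each unmet requirement's weight
    (1, 3 or 5); that is what makes "score divided by 110" meaningful.
  * The non-negotiable requirements are supplied by the caller; MUST_MEET
    below is a constructed placeholder, not the real list.
  * Requirement ids and weights are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONDITIONAL_THRESHOLD = 0.80   # score / requirement count must reach 0.80
POAM_CLOSEOUT_DAYS = 180       # closeout assessment deadline while conditional

# Requirement counts per level; Levels 1 and 3 score one point per requirement.
LEVEL_TOTALS = {1: 15, 2: 110, 3: 24}
# Level 1 is binary ("Yes" on all 15); conditional status exists only for 2 and 3.
CONDITIONAL_ALLOWED = {1: False, 2: True, 3: True}


@dataclass
class Verdict:
    level: int
    score: int
    ratio: float
    status: str                               # compliant | conditional | not_compliant
    poam_items: List[str] = field(default_factory=list)  # unmet items for the POA&M
    blocking: List[str] = field(default_factory=list)    # unmet non-negotiable items
    closeout_days: Optional[int] = None


def evaluate(level: int, results: Dict[str, bool],
             weights: Optional[Dict[str, int]] = None,
             must_meet: frozenset = frozenset()) -> Verdict:
    """results maps requirement id -> True (met) / False (unmet).
    weights maps Level 2 ids -> 1, 3 or 5 and is ignored for Levels 1 and 3."""
    total = LEVEL_TOTALS[level]
    if len(results) != total:
        raise ValueError(f"Level {level} has {total} requirements, got {len(results)}")
    unmet = sorted(r for r, met in results.items() if not met)
    weights = weights if (level == 2 and weights) else {}
    score = total - sum(weights.get(r, 1) for r in unmet)   # subtract lost weight
    ratio = score / total
    blocking = [r for r in unmet if r in must_meet]

    if not unmet:
        status, days = "compliant", None
    elif CONDITIONAL_ALLOWED[level] and ratio >= CONDITIONAL_THRESHOLD and not blocking:
        status, days = "conditional", POAM_CLOSEOUT_DAYS   # POA&M required
    else:
        status, days = "not_compliant", None
    return Verdict(level, score, round(ratio, 4), status, unmet, blocking, days)


# --- constructed sample catalogue (not the real SP 800-171 / 800-172 lists) --
def sample_catalogue(level: int):
    """Return (all-met results, weights) for a level."""
    ids = [f"L{level}-{i:03d}" for i in range(1, LEVEL_TOTALS[level] + 1)]
    weights = {}
    if level == 2:
        # constructed split: 20 five-point, 30 three-point, 60 one-point items
        for i, r in enumerate(ids):
            weights[r] = 5 if i < 20 else 3 if i < 50 else 1
    return {r: True for r in ids}, weights


MUST_MEET = frozenset({"L2-001"})   # placeholder for the non-negotiable requirements


def assess(level: int, unmet_ids, must_meet: frozenset = MUST_MEET) -> Verdict:
    """Mark the given ids unmet in the sample catalogue and score the result."""
    results, weights = sample_catalogue(level)
    for r in unmet_ids:
        if r not in results:
            raise KeyError(f"unknown requirement {r}")
        results[r] = False
    return evaluate(level, results, weights, must_meet)


if __name__ == "__main__":
    cases = [
        (1, ["L1-003"]),                               # any "No" fails Level 1
        (2, ["L2-025", "L2-100"]),                     # 3 + 1 points lost -> conditional
        (2, ["L2-001", "L2-100"]),                     # non-negotiable unmet -> blocked
        (2, [f"L2-{i:03d}" for i in range(1, 6)]),     # five 5-point items -> 85/110
        (3, [f"L3-{i:03d}" for i in range(1, 6)]),     # 19/24 = 0.79 -> below threshold
    ]
    for lvl, unmet in cases:
        v = assess(lvl, unmet)
        print(f"Level {lvl}: {v.score}/{LEVEL_TOTALS[lvl]} ({v.ratio:.1%}) -> {v.status}"
              f"; POA&M: {v.poam_items}; blocking: {v.blocking}")
```

The fourth case is the one worth noticing: missing only five of 110 requirements by count looks like 95% coverage, but if they are all five-point items the score is 85/110 and conditional status is not available.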

Timeline and additional requirements

Level 3 organizations must complete an audit or self-assessment every three years.
Every year, they must submit a formal affirmation that declares they are still compliant. 

As with other levels, the DoD provides a specific assessment guide. Both organizations preparing for compliance and assessors use the CMMC Level 3 Assessment Guide as a key resource. It outlines the types of evidence needed to meet the 24 additional Level 3 requirements and explains how assessors should test for compliance.

Figure: CMMC Levels 1, 2, and 3 assessment comparison

CMMC self-assessment vs. gap analysis

A CMMC self-assessment is a Level 1 or 2 evaluation where an organization reviews its controls, submits an SPRS score, and declares compliance. A gap analysis is an internal review to identify weaknesses and ensure readiness. Unlike a self-assessment, a gap analysis is optional but valuable.

Steps to prepare for a CMMC audit

To prepare for a CMMC audit, decide which level aligns with your target contracts and set a compliance timeline. Conduct a gap analysis, implement necessary security controls, and gather documentation. Select the right third-party assessor and complete the audit.

Here are the steps to prepare for a CMMC 2.0 audit. By following these steps, your organization can navigate the CMMC audit process efficiently and improve its cybersecurity posture for future contracts.

  1. Determine your CMMC level and requirements
    Start by identifying which CMMC level applies to your organization based on the contracts you plan to bid on.

    “CMMC applies to DoD contracts,” says Marquez. “Since the certification process is costly, it’s crucial to position your organization to bid on the right contracts. First, determine which contract levels you’re likely to pursue. Then, assess the security requirements and the investment needed. DoD contracts are often worth six to eight figures, but if I were a VP of sales, I’d expect at least a ten times return on investing in CMMC.”

    Once you decide you want to be eligible for a CMMC-required contract, review the security requirements for that level and assess how they align with your existing cybersecurity practices. Establish a compliance timeline based on contract deadlines and work backward to plan your preparation depending on variables like your organization’s current security posture and which level you are aiming for.

  2. Determine your scope
    Use the DoD’s online resources to define the systems, networks, and data that fall under CMMC requirements. Your scope includes any systems that store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), as well as any systems connected to them.

    If possible, limit your CMMC scope to reduce compliance costs and simplify the audit process. Many organizations segment their networks to create an isolated environment for CMMC-relevant systems, keeping the rest of their infrastructure out of scope.

    You can use the DoD’s scoping guides to help define your scope.

    Here are the DoD’s scoping resources for each level: Level 1 Scoping Guidelines, Level 2 Scoping Guidelines, and Level 3 Scoping Guidelines.

  3. Conduct a gap analysis and create a remediation plan
    “Most organizations at the CMMC level have an internal audit team that can conduct a self-assessment or gap analysis to determine how close they are to compliance,” says Marquez. “From there, they can develop a Plan of Action and Milestones (POA&M) to address any gaps and move toward full compliance.”

    Harnagel recommends using audit preparation as an opportunity to review overall cybersecurity practices.

    “It’s a good idea to wrap up evidence gathering with a self-assessment — an internal audit to check for any gaps,” Harnagel says. “Since you need to prepare the information anyway, it’s a great chance to conduct a thorough review and update policies as needed.”

  4. Write a System Security Plan (SSP) and implement the required controls
    A System Security Plan (SSP) is a mandatory document that outlines how your organization meets CMMC security requirements. It serves as the foundation of your cybersecurity program and is a critical part of the audit process.

    Writing your SSP early in the compliance process helps clarify which controls are already in place and which still need implementation. Additionally, maintaining an up-to-date SSP is crucial for future audits — organizations must regularly review and update their SSP to reflect any system changes or new security measures.

    Many companies find it helpful to use templates from NIST SP 800-171 as a baseline, since CMMC Level 2 and Level 3 requirements align closely with NIST 800-171 and 800-172.

    After you identify gaps, follow your SSP and apply the necessary security measures to address your deficiencies.

  5. Collect required evidence
    No matter your level, the core of CMMC audits and assessments is demonstrating how you comply with the relevant CMMC security controls.

    “The most important part of audit preparation is gathering your evidence ahead of time,” says Harnagel. “You need specific evidence for every control — whether it’s a screenshot of configurations, a security plan, or another document. Many organizations compile all their evidence into a single file for the auditor. If you show up to an audit without that preparation, the auditor won’t be happy.”

  6. Engage a third-party assessor (if required)
    Organizations pursuing Level 2 or Level 3 certification must schedule an audit with their third-party assessor. Level 2 organizations need to hire a Certified Third-Party Assessment Organization (C3PAO), and Level 3 organizations need an assessor from the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

    Choosing the right assessor is an important decision that involves considerations like cost, availability, reliability, reputation, and more.

    “Choosing a C3PAO is similar to selecting any other audit firm,” says Harnagel. “Some companies treat it as a cost decision, looking for the cheapest option. Others pay more for firms that provide actionable recommendations. The audit marketplace is stratified this way — lower-cost firms often focus on checking the boxes, while higher-cost firms take a consultative approach and offer deeper insights.”

    Harnagel recommends word of mouth as the best way to find a reliable C3PAO. “Recommendations from your service provider or organizations that have already completed the process can be more reliable than a firm’s marketing page. It’s also important to distinguish between auditing and implementation. Some firms offer both, but many prefer to keep them separate to avoid conflicts of interest. If an auditor also provides consulting services, they may end up auditing their own work, which raises concerns for some organizations.”

    Marquez agrees and emphasizes the value of industry-specific experience when selecting an assessor. “Beyond cost, organizations should look for a C3PAO with experience in their industry. Ask about their work with similar organizations to understand what to expect.”

    Marquez also stresses the importance of early scheduling. “Working with a C3PAO is a collaborative process that may require participation from your engineering or GRC teams. If you reach out too late and they already have 100 clients ahead of you, you’ll be stuck waiting. Ensure that you reach out to your C3PAO at least 6 months ahead of time to ensure that there is sufficient preparation built into your CMMC process. Being proactive is key.”

    Harnagel says that reaching out early is particularly important for Level 3 organizations. Since Level 3 certification is still highly specialized, DIBCAC assessors are in limited supply.

    “If I were aiming for Level 3, I’d reach out to assessors early to secure availability,” he says. “In the early stages of CMMC 2.0, demand will be high, and scheduling could become a challenge. Over time, as renewal audits become routine, scheduling may become more flexible.”

  7. Perform a mock audit
    Before the formal audit, conduct a mock audit to test your compliance readiness.
    Review all your documentation, test your security controls, and simulate interviews and walkthroughs. You can use the DoD’s self-assessment guides to help direct your process.

    Here are the DoD’s self-assessment resources for each level: Level 1 Assessment Guide, Level 2 Assessment Guide, and Level 3 Assessment Guide.

  8. Undergo the CMMC audit
    Level 1 organizations must only complete a self-assessment and submit their SPRS score to the DoD.

    Level 2 and Level 3 organizations must work closely with their auditor. The assessor may conduct interviews, review logs, test controls, and evaluate security practices, policies, and controls. Organizations should prepare evidence in advance and ensure that key team members are available to answer questions about the framework.

  9. Address assessment findings and remediate 
    If the assessment identifies deficiencies, start remediation immediately. Level 2 and Level 3 contractors that achieve at least 80% compliance may receive conditional approval but must submit a Plan of Action & Milestones (POA&M) and resolve any remaining deficiencies within 180 days.

    Level 1 organizations do not qualify for conditional compliance. They must be fully compliant at the time of assessment. However, the DoD allows unlimited self-assessments, giving organizations the opportunity to remediate and resubmit as needed.

  10. Continuous monitoring and improvement  
    Becoming CMMC compliant is more than just checking a box. It makes you eligible for a contract, but it doesn’t guarantee that the DoD will hire you.

    “The DoD considers more than just compliance when selecting contractors,” says Marquez. “They pay close attention to how well companies meet the 17 domain requirements and whether they implement continuous security monitoring — an ongoing process of detecting, assessing, and responding to security threats in real time. Companies that actively improve and monitor their security posture show a stronger commitment to cybersecurity, making them stand out from the competition.”

Our CMMC audit task checklist guides your organization through the certification process. It helps you track key tasks, address gaps early, and stay organized. With this checklist, you can streamline preparation, reduce delays, and confidently approach your audit.

CMMC audit prep checklist

  • Determine your CMMC level and requirements
    Description: Decide which CMMC level aligns with your target contracts and set a compliance timeline based on the deadlines, organizational goals, and readiness.
    Key resources: CMMC 2.0 Final Rule; specific contract bidding information (DFARS clause)

  • Determine your CMMC scope
    Description: Identify systems, networks, and processes that store, process, or transmit FCI/CUI. Segment networks to minimize the compliance footprint.
    Key resources: DoD CMMC guidelines (Level 1, Level 2, and Level 3 Scoping Guidelines); internal system and network maps

  • Conduct a gap analysis and create a remediation plan
    Description: Assess current security controls and identify gaps between your cybersecurity and the CMMC requirements for your level.
    Key resources: self-assessment tools (Level 1, Level 2, and Level 3 Assessment Guides)

  • Write a System Security Plan (SSP) and implement the required controls
    Description: Document how you intend to meet each of the CMMC cybersecurity controls. The SSP serves as a foundation to prepare for the audit and maintain ongoing compliance.
    Key resources: Level 1: FAR 52.204-21 requirements; Level 2: NIST SP 800-171; Level 3: NIST SP 800-172

  • Collect required evidence
    Description: Apply necessary security measures and compile documentation for the audit.
    Key resources: internal SSP; training records and security policies

  • Engage a third-party assessor (Level 2 and 3)
    Description: Hire a C3PAO auditor (Level 2) or DIBCAC assessor (Level 3).
    Key resources: Level 2 C3PAO: Cyber-AB Marketplace; Level 3: contact DIBCAC

  • Perform a mock audit
    Description: Conduct internal reviews, evidence testing, and mock interviews to ensure you’re prepared. Review documentation, test controls, and simulate interviews.
    Key resources: internal evidence checklist and SSP; self-assessment resources (Level 1, Level 2, and Level 3 Assessment Guides)

  • Undergo the CMMC audit
    Description: Work with the assessor through interviews, system reviews, and control testing. For Level 1, conduct your self-assessment and submit the SPRS score.
    Key resources: internal evidence checklist; the DoD’s SPRS system for submitting Level 1 assessment results

  • Address assessment findings and remediate gaps
    Description: Address any deficiencies found in the audit. Write a Plan of Action & Milestones to create a roadmap for addressing the issues.
    Key resources: Plan of Action & Milestones (POA&M)

  • Continuous monitoring and improvement
    Description: Continuously update controls, conduct periodic self-assessments, and monitor security posture.
    Key resources: CMMC compliance software dashboard

Download our CMMC audit task checklist in Excel to stay organized and prepare for your next audit.

A CMMC audit can take weeks or months, depending on the CMMC level, cybersecurity posture, and IT complexity. Expect six months for a Level 3 audit, and anywhere from a few months to six months for a Level 2. Level 1 self-assessments can be quick with well-documented evidence.

“Most level 2 audits take at least a few months,” says Marquez. “The audit process has four main steps. First, the C3PAO conducts detailed interviews with relevant internal team members. Second, you demonstrate how your security systems work. Third, you submit extensive documentation proving that you meet specific controls. Finally, you communicate the results to key stakeholders who rely on the CMMC report to understand your organization’s security posture.”

Marquez expects Level 3 audits to take significantly longer, potentially up to a year. He notes that several factors influence the timeline. “Your existing security posture, the complexity of your environment, and the assessor’s process all impact how long the audit takes.”

How long does it take to prepare for a CMMC audit?

Preparing for a CMMC audit can take months to a year, depending on your level, organization size, and security complexity. Level 2 typically requires at least six months, while Level 3 often takes a year or more to prepare for the audit.

According to Marquez, many variables affect how long it takes to prepare for a CMMC audit. “If you have an internal team and a strong budget, you may need less time than an organization with fewer resources. The biggest factor is your existing security framework. If you already comply with many controls and have well-documented evidence, preparation will be faster. But if you need to implement advanced controls or gather missing evidence, the process could take several months.”

For most organizations, preparing for Level 3 audits takes longer than preparing for Level 2. “Level 3 is like Level 2 on steroids,” says Marquez. “It adds 24 more requirements from NIST SP 800-172, and some require complex implementations that can take significant time.”

A Level 2 audit costs $30,000 to $700,000, while Level 3 starts at $50,000 and can reach hundreds of thousands. Costs depend on your CMMC level, organization size, and assessor type. With CMMC 2.0 still new, exact pricing remains uncertain.

“From the company’s perspective, Level 2 CMMC audit costs vary widely,” says Marquez. “The cheapest I’ve seen was around $30,000, but costs often exceed $100,000. The highest I’ve seen was with a Big Four firm, which charged its client around $700,000.”

Marquez explains that four key factors influence the cost. “First, the size of the organization — larger companies with more systems and employees typically pay more. Second, the complexity of the IT environment — companies with diverse or legacy systems often require more effort to assess than those with modern, AI-driven infrastructures. Third, the current security compliance posture — meeting a control requirement doesn’t always mean a company has an advanced security posture; it could still be at a basic level. Finally, the C3PAO’s rate — costs depend on whether you work with a Big Four firm or a smaller firm.”

Harnagel says it’s difficult to accurately estimate the costs for CMMC 2.0 audits since the process is still new and no formal audits have taken place yet. “It’s especially hard to assess the cost of the audit itself, separate from the preparation and remediation expenses. For Level 3, we have almost no real data, so any estimate is just a guess at this point.”

In the final CMMC 2.0 rule, the DoD estimated the cost to be $44,445, but many experts believe this is a significant understatement, given how much CMMC 1.0 audits cost.

The cost of Level 1 self-assessments depends on the effort needed to collect evidence and implement controls. Since no assessor is required, costs are much lower. The DoD estimates $5,000 for the first assessment, with costs decreasing over repeated assessments.

How to streamline your CMMC compliance

Strike Graph provides flexible CMMC compliance software that helps you stay organized, gather evidence, and prepare for audits. Our platform lets you manage compliance efforts and build custom programs that fit your needs, including CMMC 2.0.

Strike Graph offers more than just compliance software. It’s a complete solution to streamline evidence collection, support multiple frameworks, and provide continuous monitoring to keep your organization ahead of regulatory changes.

What sets Strike Graph apart is our flexible compliance dashboard. We understand that every business has unique compliance needs, so we give you control while handling the background work to ensure everything runs smoothly. Easily create custom evidence to support controls across frameworks, and with our automated tools, pull and organize evidence effortlessly. Strike Graph’s CMMC compliance tool is built directly from DoD requirements, ensuring you start with the right standards from the beginning.

Verify AI, our intelligent automated compliance tool, takes it further by reviewing your evidence and flagging any issues before your audit, giving you extra assurance. For added peace of mind, our expert compliance team is ready to guide you at every step, reducing errors and ensuring you approach your CMMC audit fully prepared and confident.

Upgrade your compliance strategy today to stay ahead of changing regulations and ace your next CMMC audit.

CMMC audit FAQs

Get answers to common CMMC audit questions. Learn which organizations need an audit, how much it costs, and how to find a certified assessor. Clarify frequently misunderstood topics to navigate the compliance process with confidence.

What organizations need a CMMC audit?

Organizations need a CMMC audit to be eligible for DoD contracts requiring one. Level 2 and Level 3 organizations need a third-party audit. Level 1 organizations can submit an internal self-assessment.

How often do organizations need a CMMC audit?

Level 1 organizations must complete a self-assessment annually. Level 2 and Level 3 organizations must undergo a third-party audit every three years. All levels must submit an annual affirmation of compliance.

How to find Certified Third-Party Assessor Organizations (C3PAOs)

To find a C3PAO, visit the Cyber-AB marketplace. The Cyber-AB certifies C3PAOs and lists approved auditors in its online directory. You can also ask colleagues who have completed a CMMC audit for recommendations on C3PAOs.

Who manages the CMMC auditors?

Cyber-AB manages CMMC auditors (known as C3PAOs) for Level 2 audits. For Level 3 audits, the DoD oversees Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) auditors.
