CMMC Audit: The 2026 SMB Prep Guide

A CMMC audit is the moment a defense contract stops being a promise and becomes a test. The good news: for most small suppliers it is far more predictable than the headlines suggest.

However, most guides on this topic either drown you in assessor jargon or hand you a vague checklist. This one is different. Specifically, it walks the assessment from scoping to result, shows what the C3PAO actually looks at, and points to where most of your evidence already lives in Microsoft 365.

Notably, you do not need a compliance team to follow it. The steps are written in plain language, and most of the proof an assessor wants is sitting in the tenant you already pay for.

In short, treat this as a map of the whole assessment. By the end you will know which level you face, how the day runs, what to gather, and how to walk in ready rather than hopeful.

Not sure your business is ready for a CMMC audit?

Wintive gets US small defense contractors audit-ready on the Microsoft 365 they already own. We confirm your level, map the controls to your tenant, build the evidence an assessor will ask to see, and rank the gaps by real risk. The price is a flat monthly fee per user, with no long contract and no setup cost.

📅 Book a Free 30-Min Call | 💬 Chat on WhatsApp | See Our Plans →

🧭 CMMC audit: the short answer

A CMMC audit checks that a defense contractor actually meets the security controls its contract requires. At Level 1 you self-assess 17 practices and attest once a year; at Level 2 a certified third party, a C3PAO, reviews all 110 controls against evidence every three years. Most of that evidence lives in Microsoft 365 already. Prepare by confirming your level, scoring yourself honestly first, and closing the real gaps before the assessor arrives.

First, the plain version. A CMMC audit is a structured check that your security controls are in place and working, not just written down. The depth depends entirely on your level.

Notably, the two levels are very different jobs. Level 1 is a self-assessment you run and sign. Level 2 is a formal assessment by an outside, certified assessor.

Crucially, an audit rewards preparation, not panic. The contractors who score themselves honestly months ahead almost always pass; the ones who scramble the week before rarely do.

Above all, the assessment is not designed to trip you up. It checks a known list of controls, so the contractors who treat it as a project rather than an exam almost always come out ahead.

🔎 What a CMMC audit actually is

So, what are we really talking about? CMMC stands for Cybersecurity Maturity Model Certification, and the Department of Defense runs it to protect its supply chain. The rules sit on the official DoD CMMC program site.

Importantly, the audit does not invent new rules. It verifies the controls in NIST 800-171, the standard your contract already points to. The assessment simply confirms you meet them.

Above all, an audit is about evidence, not opinions. You do not say a control is in place; you show it. As a result, the work before the assessment is mostly gathering proof you can hand over.

Therefore, think of the audit as a conversation backed by records. The assessor asks how you handle a control, and you point to the setting, the policy, and the log that prove it.

In short, a CMMC audit is verification, not a surprise quiz. You already know the questions, because they are the controls in the standard. Your job is to make the answers easy to find.

Therefore, the more organised your records, the shorter the assessment. An assessor who can find each answer quickly moves faster and trusts what they see, which works in your favour.

🪜 Level 1 self-assessment versus a Level 2 audit

Next, the split that decides everything. Which kind of CMMC audit you face comes down to the data you handle.

Specifically, if you only hold Federal Contract Information, you are Level 1: you self-assess 17 basic practices and attest annually, with no outside assessor. If you hold Controlled Unclassified Information, you are Level 2: a C3PAO reviews all 110 controls.

Notably, most small subcontractors are Level 1, which is far lighter than the word audit suggests. The panel shows who runs each one.

Self-assessment for Level 1 versus a third-party assessment for Level 2
📊 Level 1 you score yourself; Level 2 a certified C3PAO assesses you against all 110 controls.

Therefore, confirm your level in writing before you prepare for anything. Preparing for a Level 2 assessment when you only need Level 1 wastes months and money.

In short, the level sets the whole shape of the job. Get it confirmed from your contract or your prime first, and everything after it becomes far simpler to plan.

Notably, the gap between the two levels is mostly evidence and oversight, not difficulty. Level 1 trusts your own attestation, while Level 2 asks an independent expert to confirm the same kind of controls in person.

๐Ÿ›ฃ๏ธ How a CMMC audit works, step by step

So, how does the assessment actually run? It follows a clear sequence, whether you self-assess or bring in a C3PAO.

Specifically, you scope what is in play, write a System Security Plan, score yourself against the controls, log any gaps in a plan to fix them, and then, for Level 2, the assessor reviews it all. The staircase shows the order.

Importantly, the assessment day itself is the shortest part. The months of value are in the preparation that comes before it.

The six steps of the assessment, from scoping to a result
📊 Scope, document, self-score, plan the gaps, then the assessment and the result.

Therefore, do not leave scoping vague. A tight boundary around where sensitive information lives keeps the whole assessment smaller and cheaper.

In short, the order matters as much as the work. Each step feeds the next, so a clean scope and an honest self-score make the assessment itself almost an anticlimax.

Therefore, treat each step as a deliverable you can finish and set aside. Working the sequence in order means nothing is left to improvise on the day the assessor arrives.

🔎 What a CMMC audit assessor checks

Here is what most guides skip: where the assessor actually spends time. The controls are not weighted evenly.

Specifically, access control and system protection carry the most checks, followed by identification, logging, and configuration. A few families hold the bulk of the work, so that is where to focus first.

Notably, the assessor wants to see each control three ways: the setting, the policy behind it, and the evidence it runs. The chart shows where the checks concentrate.

Where the controls concentrate, by area
📊 Access control and system protection carry the most checks, so start your preparation there.

Therefore, prepare in priority order, not alphabetically. Closing the heavy families first removes the most risk and the most assessment friction.

In short, the assessor is methodical, not mysterious. Knowing which families carry the weight lets you spend your preparation time exactly where it counts.

Notably, the assessor also checks that your controls are consistent, not just present. A setting that is on for some users and off for others reads as a gap, so uniformity matters as much as the control itself.

Therefore, apply each control tenant-wide rather than to a handful of accounts. Consistent enforcement is both easier to evidence and exactly what the assessor expects to see.

🟢 Where your CMMC audit evidence lives

This is the part the platform vendors would rather you missed. If you run Microsoft 365, most of your audit evidence already exists inside it.

Specifically, identity and access sit in Entra ID, encryption and data protection in Purview, threat alerts in Defender, and device control in Intune. So a large share of the proof is one export away.

However, the gaps that remain are usually policies and evidence rather than missing tools. The matrix shows where each kind of proof lives.

Where your evidence already lives across Microsoft 365
📊 Access, encryption, logging, and threat alerts all map to Entra ID, Purview, Defender, and Intune.

Wintive insight. The costliest mistake we see before an assessment is a small contractor buying a standalone compliance platform to collect evidence they already hold. For the technical controls, Microsoft 365 is the evidence: sign-in logs, conditional access, encryption status, audit logs, and alert history all export straight from the tenant. The real gaps are almost always written policies, an owner for each control, and a tidy place to keep the proof. A focused readiness review of the tenant produces most of the evidence package for a fraction of a new platform, and it is exactly what our Master Audit delivers.

In short, you likely own the evidence already. Map each control to where it lives in Microsoft 365 first, and you turn a daunting evidence hunt into a short export-and-organise job.
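The export-and-organise job this section describes, together with the consistency check from the previous section (a control that is on for some users and off for others reads as a gap), as an added PowerShell example. This is not Wintive's code or part of the original page; it assumes the Microsoft Graph PowerShell SDK is installed, that the account used has read-only access to policies, sign-in logs and reports, and that the output folder path is a placeholder you replace with your own.

```powershell
# Added example (not Wintive's code): export the Microsoft 365 evidence this
# section names and check that the MFA control is applied tenant-wide.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an account that can read policies, sign-in logs and reports.
# The output folder is a placeholder; the cmdlets are stock Graph SDK cmdlets.

$EvidenceRoot = "C:\CMMC-Evidence\$(Get-Date -Format 'yyyy-MM-dd')"   # placeholder path
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

# Read-only scopes: the script never changes a setting, it only collects proof.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Reports.Read.All', 'Directory.Read.All'

# 1. Access control: Conditional Access policies (Entra ID). Keep the raw JSON as the
#    artifact, then summarise which policies actually enforce MFA and for whom.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies | ConvertTo-Json -Depth 10 | Out-File "$EvidenceRoot\conditional-access-policies.json"

$mfaSummary = foreach ($p in $policies) {
    $users = $p.Conditions.Users
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State   # enabled / disabled / enabledForReportingButNotEnforced
        RequiresMfa    = ($p.GrantControls.BuiltInControls -contains 'mfa')
        AllUsers       = ($users.IncludeUsers -contains 'All')
        AllApps        = ($p.Conditions.Applications.IncludeApplications -contains 'All')
        ExcludedUsers  = @($users.ExcludeUsers).Count
        ExcludedGroups = @($users.ExcludeGroups).Count
    }
}
$mfaSummary | Export-Csv "$EvidenceRoot\mfa-policy-summary.csv" -NoTypeInformation

# Consistency check: an MFA policy counts as tenant-wide only if it is enforced
# (not report-only) and covers all users on all apps. Exclusions are listed so
# each one can be justified in the SSP or tracked in the POA&M.
$tenantWide = $mfaSummary | Where-Object { $_.State -eq 'enabled' -and $_.RequiresMfa -and $_.AllUsers -and $_.AllApps }
if (-not $tenantWide) {
    Write-Warning 'No enabled Conditional Access policy requires MFA for all users on all apps; record this in the POA&M.'
}
$mfaSummary | Where-Object { $_.RequiresMfa -and ($_.ExcludedUsers + $_.ExcludedGroups) -gt 0 } |
    ForEach-Object { Write-Warning "Policy '$($_.Policy)' excludes $($_.ExcludedUsers) users / $($_.ExcludedGroups) groups; document why." }

# 2. Identification: which accounts have actually registered an MFA method. A user
#    with none registered is the 'on for some, off for others' gap an assessor flags.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$registration | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable |
    Export-Csv "$EvidenceRoot\mfa-registration.csv" -NoTypeInformation
$registration | Where-Object { -not $_.IsMfaRegistered } |
    ForEach-Object { Write-Warning "MFA not registered: $($_.UserPrincipalName)" }

# 3. Audit and accountability: a sample of recent sign-ins with the
#    Conditional Access result recorded for each one.
Get-MgAuditLogSignIn -Top 1000 |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{n='ErrorCode'; e={ $_.Status.ErrorCode }}, ConditionalAccessStatus |
    Export-Csv "$EvidenceRoot\signin-sample.csv" -NoTypeInformation

# 4. Manifest: a SHA-256 hash per artifact, so the package handed to the assessor
#    can be shown to be the same files that were exported on this date.
Get-ChildItem $EvidenceRoot -File | Where-Object { $_.Name -ne 'manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Hash, @{n='Exported'; e={ Get-Date -Format o }} |
    Export-Csv "$EvidenceRoot\manifest.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

Run it from an elevated-enough but read-only account once a quarter and keep each dated folder; the manifest lets you show that the JSON and CSV files the assessor reads are the ones exported on that date, and the warnings are the items that belong on the gap list with an owner and a date.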

📄 The SSP and the plan to fix gaps

Next, the two documents every CMMC audit revolves around. The first is the System Security Plan, the SSP.

Specifically, the SSP describes your environment and how you meet each control. It is the map the assessor reads first, so a clear, current one sets the tone for the whole assessment.

Then comes the POA&M, the plan of action and milestones. It lists any control not yet fully met, with an owner and a date to close it.

Importantly, a POA&M is not an admission of failure. At Level 2 a limited number of gaps can be closed within a set window after a conditional result, so a tracked plan is part of a normal assessment.

Therefore, keep both documents alive, not frozen. An assessor expects the SSP to match what they see in the tenant, so update it whenever a setting changes.

In short, the SSP says what you do and the POA&M says what is left. Together they turn a wall of controls into a story an assessor can follow and trust.

Therefore, write the System Security Plan for a reader who does not know your business. The clearer it explains how each control works in your environment, the fewer questions the assessor needs to ask.

💷 What a CMMC audit costs and how long it takes

Of course, owners want the numbers. Costs vary widely, so treat these as rough US ranges rather than a quote.

Notably, the biggest variable is your level. A Level 1 self-assessment is mostly your own time over a few weeks. A Level 2 assessment adds a certified assessor fee and any move to GCC High.

Importantly, the hidden cost is preparation time. Gathering evidence and writing policies takes longer than the assessment itself, so starting early is what keeps the total down.

Level | Rough effort | What drives the cost
Level 1 (FCI) | A few weeks, mostly your time | Self-assessment, no assessor fee
Level 2 (CUI) | Several months of preparation | C3PAO fee, GCC High, evidence work
📋 A rough effort and cost picture for a Level 1 versus a Level 2 CMMC audit.

Therefore, the cheapest path is almost always to self-check honestly before anyone external is involved. Every gap you close early is one the assessor never bills you to revisit.

In short, preparation is the lever on cost. The contractors who start months ahead pay less and pass sooner than the ones who wait for a deadline to force their hand.

In short, the assessor fee is only one line on the bill. The bigger numbers are the preparation time and any move to GCC High, so an early, honest self-check is the cheapest insurance you can buy.

๐Ÿ Pass, conditional, or fail

So, how does a CMMC audit end? At Level 2 there are three outcomes, and a conditional result is more common than a clean pass.

Specifically, a full pass means your score meets the bar with no open gaps. A conditional pass means minor gaps remain, with a set window to close them. A fail means key controls are missing and you remediate, then retest.

Notably, a conditional result is not a failure. With a tracked plan, most contractors close the window and convert it into a pass. The diagram shows the three paths.

Pass, conditional, or fail, and the window to close gaps
📊 Pass, conditional, or fail, with a fixed window to close any remaining gaps.

Therefore, do not treat a conditional outcome as a setback. It simply means a handful of items need finishing on a clock you can plan around.

In short, the goal is a pass you can defend, with any leftover items tracked to a date. Walk in with honest scores and a live plan, and even a conditional result lands as a win.

Notably, the result is recorded and tied to your contract, so it is worth getting right the first time. A clean evidence package and an honest self-score are what turn the assessment day into a formality rather than a test of nerve, however high the stakes may feel.

🪤 Common CMMC audit mistakes

Meanwhile, a few mistakes trip up small contractors again and again. First, many assume Level 2 when their contract only needs Level 1, and over-prepare for months.

Furthermore, some buy a compliance platform before checking what Microsoft 365 already proves, then pay twice. Others leave scoping loose, which quietly drags the whole assessment wider and more expensive.

Finally, a frequent trap is treating the SSP as a one-time document. An assessor expects it to match the live tenant, so a stale plan undermines otherwise solid controls.

A small team preparing for a CMMC audit
📸 Most defense subcontractors are Level 1, and a calm CMMC audit is mostly honest preparation.

Therefore, confirm your level, scope tightly, use the evidence you already own, and keep your documents current. As a result, you avoid the four most expensive mistakes in one move.

In short, the pattern behind every audit mistake is the same: treating the assessment as an event instead of a project. Prepare steadily and the day itself rarely surprises you.

Above all, do not wait for a contract to force the work. The controls stay stable even as the rules evolve, so the preparation you do now keeps its value rather than resetting later.

๐Ÿ—“๏ธ Your first 30 days to audit-ready

Finally, here is how to begin without boiling the ocean. In the first month you can move from worry to a clear, costed plan.

Specifically, confirm your level from your contract, scope where your sensitive information lives, then check what Microsoft 365 already covers. Score yourself honestly against the controls and log the gaps.

Notably, the goal of month one is clarity, not certification. You will not pass an assessment in thirty days, and that is fine. Aim to know your level, your gaps, and your budget.

Therefore, end the month with a one-page picture: your level, a short gap list with owners, and a realistic date for the assessment. That single page is what turns a vague worry into a plan you can fund.

In short, a focused first month does most of the heavy lifting. With your level confirmed and your gaps mapped to the tenant, the rest of the project becomes steady execution rather than guesswork.

Therefore, share that one-page plan with whoever signs the cheques. A costed, time-boxed plan is far easier to approve than a vague worry, and it gives you the green light to actually start.

👤 Who faces a CMMC audit, and when

Of course, not every business faces a CMMC audit. So decide by your contracts, not by fear.

Specifically, if you sell or hope to sell to the Department of Defense, expect a CMMC requirement in the contract terms. The requirement also flows down: a prime passes it to its subcontractors, so a small shop two tiers down can be in scope.

Notably, the timing is set by the contract, and the rules are rolling out in phases. The safest move is to be ready before a bid asks for it, not after.

๐Ÿ“Œ When your CMMC audit clock starts

In short, let the contract decide. The moment a prospect or a prime mentions CMMC, the clock has started, and early preparation gives you a head start no scramble can match.

Therefore, watch your pipeline, not just your current work. A single new defense opportunity can make an assessment urgent overnight, and the ready contractors win the work the unprepared cannot bid for.

In short, the requirement is contract-driven, so your pipeline decides your timeline. The contractors who prepare ahead of a bid keep winning work that the unprepared simply cannot pursue.

๐Ÿ› ๏ธ Do it yourself, or bring in help

So, should a small contractor prepare alone? For Level 1, many can. The self-assessment is basic, and most controls live in settings you already own.

However, Level 2 is harder, because the 110 controls, the evidence package, and the GCC High decision carry real consequences. A mistake there can mean a failed assessment or a costly migration.

Specifically, a good partner does not just hand you a tool. They map the controls to your tenant, tell you honestly what you already cover, and scope only the real gaps before the assessor arrives.

Above all, judge any partner by how plainly they explain what you already have. The goal is an honest evidence package, not a glossy report that impresses no assessor.

In short, match the route to your level and your time. A lean Level 1 shop can self-assess, while a Level 2 contractor usually gains from a guided readiness review that turns the tenant into a ready evidence set.

Above all, the goal is the same either way: an honest picture of your gaps and a clean set of evidence. Whether you self-assess or bring in help, judge the result by how easily an assessor could verify it.

✅ Your CMMC audit recap

Condensed, here is the CMMC audit plan to keep on hand.

  • Confirm your level from your contract before anything else.
  • Level 1 is a self-assessment; Level 2 is a C3PAO assessment of all 110 controls.
  • Scope tightly around where sensitive information lives.
  • Map each control to its evidence in Microsoft 365.
  • Write and maintain a System Security Plan.
  • Log every gap in a POA&M with an owner and a date.
  • Self-score honestly months before the assessment.
  • Start early, because preparation, not the audit day, takes the time.

Reviewing the evidence for a CMMC audit
📸 A calm CMMC audit comes down to honest preparation and evidence you can already export from Microsoft 365.

Ultimately, at Wintive we get US small contractors audit-ready on the Microsoft 365 they already run, as part of our managed security services. So we confirm your level, map the controls to your tenant, build the evidence, and show you the gaps and the budget. As a result, you walk into your CMMC audit with a plan you can defend, not a last-minute scramble. To get started, contact us for a free consultation. It is quick, and we do the rest.

📚 More for Growing Businesses

🔒 See exactly where your Microsoft 365 stands for a CMMC audit

The M365 Master Audit is a full Microsoft 365 security audit for a US small contractor. Specifically it reviews your identity, email, device, and data controls, maps them to the CMMC and NIST 800-171 requirements, builds the evidence, and ranks the fixes by real risk. As a result you get a written report, a clear action plan, and the proof to show an assessor.

📊 Buy M365 Master Audit — $1500 →

❓ Frequently Asked Questions

What is a CMMC audit?

It is a structured check that a defense contractor meets the security controls its contract requires. At Level 1 you self-assess 17 practices; at Level 2 a certified third party reviews all 110 NIST 800-171 controls against evidence.

Who performs a CMMC audit?

It depends on your level. Level 1 is a self-assessment you run and attest to once a year. Level 2 is performed by a C3PAO, a certified third-party assessor, every three years, with your evidence ready.

How do I prepare for a CMMC audit?

Confirm your level, scope where your sensitive information lives, map each control to its evidence in Microsoft 365, write a System Security Plan, and self-score honestly. Close the real gaps before the assessor arrives.

How much does a CMMC audit cost?

It varies widely. Level 1 is mostly your own time over a few weeks. Level 2 adds a certified assessor fee, evidence work, and any move to GCC High. Closing gaps early keeps the total down.

What happens if I fail a CMMC audit?

At Level 2 there are three outcomes. A conditional pass gives you a window to close minor gaps; a fail means key controls are missing, so you remediate and retest. A tracked plan usually turns a conditional into a pass.

Does Microsoft 365 help with a CMMC audit?

Yes, a great deal. Most technical evidence (access, encryption, logging, and threat alerts) already lives in Entra ID, Purview, and Defender. The remaining gaps are usually policies and evidence rather than new tools.

🧭 Your next step

Want to know exactly where your business stands before a CMMC audit? First, book a short call. Then we confirm your level, map the controls to your Microsoft 365, build the evidence, and show you the gaps and the budget. To start, contact Wintive. It is quick, and we do the rest.
