What Happens During a CMMC Audit? A Walkthrough for Manufacturers

Published by Capital Cyber | Leesburg, VA | (571) 410 3066

If you’ve never been through a CMMC audit before, the experience can look intimidating from the outside — especially for a defense manufacturer that has spent 30 years running a shop and never had an outside auditor walk the production floor asking for system logs.

Here’s the honest truth: a CMMC audit is not mysterious. It follows a defined phase-by-phase process, it uses a published assessment methodology (NIST SP 800-171A), and every piece of evidence the assessor will ask for is knowable in advance.

This guide is a practical walkthrough of what happens during a CMMC audit — specifically for defense manufacturers, CNC shops, aerospace suppliers, electronics producers, and DoD subcontractors preparing for their first C3PAO Level 2 certification.


What Is a CMMC Audit?

A CMMC audit — officially called a Level 2 certification assessment — is a formal evaluation conducted by a Certified Third-Party Assessment Organization (C3PAO) to verify that your organization has implemented all 110 security requirements from NIST SP 800-171.

A few important things to understand upfront:

  • The C3PAO is not a consultant. They cannot advise you, help you fix gaps, or “guide” you to a passing score.
  • The audit measures evidence of implementation, not intent. “We’re planning to do this” is not a passing answer.
  • The full audit process typically spans 4 to 6 weeks, not the 5-day interview week most contractors picture.
  • You will have daily checkpoints during the on-site phase, giving you opportunities to present additional evidence before scores are finalized.

Let’s walk through the six phases of what actually happens.


Phase 1: Pre-Assessment (4–8 Weeks Before On-Site)

This is where the audit begins — long before any assessor shows up at your shop. The C3PAO works with you to finalize scope, schedule, and readiness.

What happens:

  • You and the C3PAO sign a formal engagement agreement
  • You submit your completed Pre-Assessment Form to be uploaded into CMMC eMASS
  • The lead assessor reviews your CMMC Assessment Scope — every asset that processes, stores, or transmits CUI
  • The C3PAO verifies your Customer Responsibility Matrix (CRM) for cloud and managed service providers
  • You identify key personnel who will be interviewed
  • The C3PAO delivers a detailed assessment plan with methodology, schedule, and evidence expectations

What you should have ready:

  • Your System Security Plan (SSP)
  • A documented inventory of all assets in scope
  • CUI asset category breakdown (CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets)
  • FedRAMP Moderate equivalency documentation for cloud services
  • Evidence library organized by control family

Critical warning: If the lead assessor determines you’re not ready, they can issue an Adverse Determination of Readiness and suspend or reschedule the assessment. You still pay. You still go to the back of the queue.


Phase 2: In-Brief and Opening Meeting (Day 1)

The on-site phase typically starts with a formal in-brief meeting that sets the tone for the engagement.

What happens:

  • Lead assessor reviews the scope, methodology, and schedule
  • Roles and responsibilities are reaffirmed
  • Daily checkpoint schedule is confirmed
  • Assessors outline how evidence will be evaluated: Examine, Interview, Test
  • Your team confirms access to systems, facilities, and personnel

Who should be in the room: CEO or senior executive, IT lead, designated CMMC point of contact, compliance lead, and any external RPO support you’ve engaged for coordination (not remediation).

This is not a kickoff meeting in the friendly-lunch sense. It’s a structured handoff. The assessors are now in evaluation mode and stay there until you get to the out-brief.


Phase 3: Evidence Examination and Testing (Days 2–5)

This is the meat of the audit. The assessment team works through all 110 security requirements and 320 assessment objectives using the three-method approach from NIST SP 800-171A:

Examine — Assessors review documents, policies, SSPs, logs, screenshots, configurations, and artifacts. They’re looking for evidence that a control is actually implemented, not just written about.

Interview — Assessors talk to people. IT admins, engineers, shop-floor managers, executives, end users. They want to know if the controls in your SSP match what people actually do every day. A policy that says “MFA is required” does not survive an interview with a CNC programmer who logs in without MFA.

Test — Assessors actively verify controls by observation or demonstration. Can you show MFA enforcing on a privileged account? Can you demonstrate a log search for a user accessing CUI? Can you produce an incident response tabletop result?

Evidence typically requested:

  • Screenshots of MFA enforcement on privileged and non-privileged accounts
  • Audit log samples showing user activity, system access, and CUI interactions
  • Vulnerability scan reports and remediation tracking
  • Network segmentation diagrams
  • Physical security documentation (visitor logs, access control lists)
  • Training records for all personnel with CUI access
  • Incident response plan and tabletop exercise results
  • Configuration baselines for all in-scope systems
  • Change management records
  • Media sanitization logs
  • Backup and recovery test evidence

The sampling approach is focused and non-statistical. Assessors pick the evidence they want to see. You cannot cherry-pick what they review.


Phase 4: Daily Checkpoints

This is the most underused feature of a CMMC audit. At the end of every assessment day, the lead assessor holds a daily checkpoint with your team to review preliminary findings.

What happens at checkpoints:

  • Assessors share what they observed and where evidence gaps exist
  • You have a chance to locate and present additional evidence that addresses the concern
  • Scores and findings can be updated based on supplemental evidence
  • You learn early where risks are building before final scoring

Why this matters for manufacturers: Shop-floor environments have hidden evidence. An engineer might have a screenshot folder. A controller might keep a logbook. A shift supervisor might have documentation the main IT team doesn’t know about. Daily checkpoints let you surface that before it costs you.

Do not waste these checkpoints. Treat them the way an attorney treats a discovery window. Every hour between checkpoints is a chance to find and present the evidence that moves a “Not Met” to a “Met.”


Phase 5: Scoring and Out-Brief (Final Day)

At the end of the on-site engagement, assessors score every one of the 110 requirements against three outcomes per 32 CFR § 170.24:

  • MET — Evidence confirms the control is implemented as required
  • NOT MET — Evidence does not confirm implementation
  • NOT APPLICABLE — Control genuinely does not apply to your environment (rare and carefully documented)

Scoring is point-based. You start at 110 points and lose 1, 3, or 5 points per unmet control depending on criticality.

Possible outcomes:

  • Final Level 2 (C3PAO) — All 110 controls MET. Certification valid for 3 years.
  • Conditional Level 2 (C3PAO) — Score ≥ 88 (80%), all six non-POA&M controls fully implemented, remaining gaps eligible for POA&M. You have 180 days to close every POA&M item.
  • Not Certified — Score below 88, or a non-POA&M-eligible control failed, or more than one 3-point control is open. You start over.

The out-brief meeting walks through the scoring, identifies every NOT MET finding, and explains the POA&M closeout requirements if applicable.
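To make the scoring and outcome rules above concrete, here is an added example (not Capital Cyber's or any C3PAO's tool) that applies them exactly as this guide states them: start at 110, deduct 1, 3 or 5 points per NOT MET control, award Conditional status only when the score is at least 88, no non-POA&M-eligible control failed and no more than one 3-point control is open, and treat a missed 180-day window as an expired Conditional certification. The control ids in the sample scenarios follow the NIST SP 800-171 numbering used in this guide, but the weights and POA&M-eligibility flags attached to them are constructed for illustration, not an authoritative table.

```python
"""Level 2 scoring and outcome rules, worked through as this guide states them.

Added example, not Capital Cyber's or any C3PAO's scoring tool.
The 110-point start, the 1/3/5 weights, the 88-point (80%) threshold, the
outcome conditions and the 180-day closeout window come from the text above.
The control ids, weights and POA&M-eligibility flags in the sample scenarios
are constructed for illustration, not an authoritative table.
"""
from dataclasses import dataclass, replace

MAX_SCORE = 110             # one point per requirement before deductions
CONDITIONAL_MIN_SCORE = 88  # 80% of 110
POAM_CLOSEOUT_DAYS = 180    # window to close every POA&M item

FINAL = "Final Level 2 (C3PAO)"
CONDITIONAL = "Conditional Level 2 (C3PAO)"
NOT_CERTIFIED = "Not Certified"
EXPIRED = "Conditional certification expired; start over"


@dataclass(frozen=True)
class Finding:
    control: str         # requirement id, e.g. "IA.L2-3.5.3"
    points: int          # deduction weight: 1, 3 or 5
    poam_eligible: bool  # False for controls that may not be carried on a POA&M
    status: str          # "MET", "NOT MET" or "NOT APPLICABLE"


def validate(findings):
    """Reject weights or statuses the scoring model does not define."""
    for f in findings:
        if f.points not in (1, 3, 5):
            raise ValueError(f"{f.control}: weight must be 1, 3 or 5, got {f.points}")
        if f.status not in ("MET", "NOT MET", "NOT APPLICABLE"):
            raise ValueError(f"{f.control}: unknown status {f.status!r}")


def score(findings):
    """Start at 110 and subtract the weight of every NOT MET control."""
    validate(findings)
    return MAX_SCORE - sum(f.points for f in findings if f.status == "NOT MET")


def reasons_not_certified(findings):
    """Each rule from the guide that blocks a Conditional result; [] if none apply."""
    unmet = [f for f in findings if f.status == "NOT MET"]
    reasons = []
    if score(findings) < CONDITIONAL_MIN_SCORE:
        reasons.append("score below 88")
    blocked = [f.control for f in unmet if not f.poam_eligible]
    if blocked:
        reasons.append("non-POA&M-eligible control failed: " + ", ".join(blocked))
    if sum(1 for f in unmet if f.points == 3) > 1:
        reasons.append("more than one 3-point control open")
    return reasons


def outcome(findings):
    """Final if nothing is NOT MET; otherwise Conditional unless a blocking rule applies."""
    if not any(f.status == "NOT MET" for f in findings):
        return FINAL
    return NOT_CERTIFIED if reasons_not_certified(findings) else CONDITIONAL


def closeout(findings, closed_controls, days_elapsed):
    """POA&M closeout: only the originally NOT MET controls are re-assessed."""
    if days_elapsed > POAM_CLOSEOUT_DAYS:
        return EXPIRED  # missed the 180-day window
    updated = [
        replace(f, status="MET") if f.status == "NOT MET" and f.control in closed_controls else f
        for f in findings
    ]
    still_open = [f for f in updated if f.status == "NOT MET"]
    return FINAL if not still_open else CONDITIONAL


# Constructed scenarios; weights and eligibility flags are illustrative.
CLEAN_SHOP = [
    Finding("IA.L2-3.5.3", 5, False, "MET"),
    Finding("PE.L2-3.10.3", 1, True, "MET"),
]
POAM_SHOP = [
    Finding("IA.L2-3.5.3", 5, False, "MET"),
    Finding("IR.L2-3.6.3", 1, True, "NOT MET"),     # tabletop never run
    Finding("SC.L2-3.13.11", 3, True, "NOT MET"),   # encryption not FIPS-validated
]
MFA_GAP_SHOP = [
    Finding("IA.L2-3.5.3", 5, False, "NOT MET"),    # MFA on admins only
]

if __name__ == "__main__":
    for name, shop in [("clean", CLEAN_SHOP), ("poam", POAM_SHOP), ("mfa gap", MFA_GAP_SHOP)]:
        print(f"{name:8s} score={score(shop):3d} -> {outcome(shop)} {reasons_not_certified(shop)}")
    print("closeout at day 90:", closeout(POAM_SHOP, {"IR.L2-3.6.3", "SC.L2-3.13.11"}, 90))
```

The point of `reasons_not_certified` is that a shop can score well above 88 and still walk away uncertified: the MFA scenario scores 105 but fails on a single non-POA&M-eligible control, which is exactly the trap the pitfalls section describes. Running the closeout function at day 181 returns the expired outcome regardless of how many items were closed, matching the guide's warning about the 180-day clock.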


Phase 6: Reporting, eMASS Submission, and Certification (Weeks 5–6)

After the on-site phase ends, the C3PAO assessment team takes time to finalize the report.

What happens:

  • Assessors compile a detailed findings report covering every control and objective
  • CMMC Quality Assurance Professional (CQAP) reviews the findings for quality and consistency
  • Final results are uploaded to CMMC eMASS and transmitted to SPRS
  • The C3PAO submits the final package to the Cyber AB for certification decision
  • Upon Cyber AB approval, your certification is issued
  • Certificate is shared with your organization and posted in eMASS

This phase typically takes 2 to 3 weeks after the on-site assessment ends.


POA&M Closeout (If You Received Conditional Status)

If you received Conditional Level 2 status, the 180-day clock is now ticking.

What happens during closeout:

  • You close every POA&M item with documented evidence
  • You engage the same C3PAO to perform a POA&M closeout certification assessment
  • The closeout assessment only evaluates the controls originally marked NOT MET
  • If all POA&M items close successfully, you receive Final Level 2 (C3PAO) status
  • If you miss the 180-day window, your Conditional certification expires and you start over

Reality check: 180 days is not as much time as it sounds. Most manufacturers need 60 to 90 days just to procure, deploy, and test the tooling needed to close common POA&M items (logging, scanning, encryption). Waiting until Day 120 to start closeout is a fast way to lose certified status.


What the Audit Looks Like for a Real Manufacturer

To make this concrete, here’s a compressed timeline for a typical 50-person precision manufacturer going through Level 2 certification:

  • Week -8 to -4: Pre-assessment engagement, scoping, readiness verification
  • Day 1: In-brief at 8:00 AM, initial evidence handoff
  • Days 2–4: Assessors split into two tracks — technical controls (access, logging, encryption, network) and operational controls (training, physical security, incident response, configuration management)
  • Days 2–4 evenings: Daily checkpoints from 4:00 to 5:00 PM
  • Day 5: Final interviews, test validations, out-brief at 3:00 PM
  • Weeks 2–3 post-audit: Report drafting and CQAP review
  • Week 4: Report submitted to Cyber AB
  • Weeks 5–6: Certification decision issued, SPRS updated

Total engagement: roughly 30 to 45 days from on-site kickoff to certificate in hand.


Common Manufacturing-Specific Audit Pitfalls

Capital Cyber has seen these trip up defense manufacturers repeatedly:

Pitfall 1: Shop-floor systems not in the SSP. CNC controllers, CMMs, PLCs, and programming stations often get forgotten. Assessors find them during interviews. Points lost.

Pitfall 2: Engineering file flow not documented. Drawings move from email to network share to CAM station to machine controller. Every stop needs to be mapped. Undocumented paths create NOT MET findings.

Pitfall 3: Visitor logs that aren’t real. Paper logs that everyone ignores fail PE.L2-3.10.3. Assessors will check.

Pitfall 4: Encryption claims that aren’t FIPS-validated. Encryption exists but isn’t on the FIPS 140-2 validated module list. Points lost, or worse — a 3-point penalty.

Pitfall 5: MFA on admins but not end users. NIST 800-171 requires MFA for privileged and non-privileged network access. Half-deployed MFA is a 5-point failure.

Pitfall 6: Tabletop exercises never run. IR.L2-3.6.3 requires you to test incident response. If no tabletop has been conducted, you fail the control.

Pitfall 7: Missing Customer Responsibility Matrix. Cloud providers (GCC High, Azure Government, AWS GovCloud) have shared responsibility. Without a CRM mapped to your SSP, inherited controls are unsupported.


What to Do the Week Before Your Audit

If your audit is one week out, here’s the practical checklist:

  • Verify SSP reflects your actual current environment (not aspirational)
  • Run an internal mock assessment using 800-171A methodology
  • Confirm every in-scope user has documented CMMC training
  • Validate audit logs are active, retained, and queryable
  • Run a tabletop exercise and document the results
  • Confirm physical security controls work (try the badge reader, check the visitor log)
  • Verify MFA is enforced on every privileged and non-privileged account
  • Test your incident response plan end-to-end
  • Confirm your CRM is current and mapped to your SSP
  • Brief every interviewee on what’s in the SSP and what they do every day

The audit will not surprise you if you prepare for it. It will surprise you if you don’t.

Practical compliance. Real progress. Your path from gap to certification starts with one honest conversation.

Do not wait until you lose a contract to take action. Call (571) 410 3066 or visit capital-cyber.com for a free CMMC readiness consultation.

Capital Cyber | 1019B Edwards Ferry Rd. #1183, Leesburg, VA 20176
