NIST SP 800-171 Internal Audit Playbook for Defense Contractors
A disciplined internal audit is the single most reliable predictor of CMMC Level 2 assessment success. Defense contractors that run a rigorous, evidence-based audit against the 110 controls in NIST SP 800-171 Rev 2 — using the NIST SP 800-171A assessment objectives that C3PAOs themselves use — almost always clear their certification on first attempt. This playbook walks through how to scope, execute, and close a full internal audit across all 14 NIST SP 800-171 control families, with the sampling, interview, and evidence practices that mirror the official C3PAO process.
Why an internal audit is non-negotiable before a C3PAO assessment
Under the CMMC final rule, a Level 2 certification assessment is unforgiving. Assessors use NIST SP 800-171A assessment objectives to test every one of the 110 controls. If the evidence isn't there, the finding is written. The organizations that fail are rarely those with weak technology — they are the ones that walked into the assessment without independently verifying their own claims. A structured internal audit is how you find and fix those gaps before they become assessor findings.
Internal audit also builds organizational muscle. The CMMC final rule requires re-assessment every three years and continuous monitoring in between. The audit cadence you build now is the cadence you will sustain for the life of every covered DoD contract.
Phase 1: Scope the audit against the CUI boundary
The audit scope is defined by the CUI boundary — every asset that creates, processes, stores, or transmits Controlled Unclassified Information, plus every asset that provides a security function to those CUI assets. Before any control testing, confirm:
- Data flow diagrams show where CUI enters, moves, and exits the environment
- Asset inventories distinguish CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets
- Enclave architecture is documented (GCC High, AWS GovCloud, on-prem, hybrid)
- Inheritance from cloud service providers (e.g., FedRAMP Moderate tenants) is explicit in the SSP
A scope that is too broad wastes audit hours. A scope that is too narrow misses in-scope assets and produces a false signal of readiness. Our Readiness Gap Assessments start here because scoping errors are the single most common root cause of assessment failure.
Phase 2: Plan the audit using NIST SP 800-171A
NIST SP 800-171A publishes the exact assessment objectives, examine/interview/test methods, and evidence expectations a C3PAO will apply. Your internal audit should mirror this document one-for-one. For each of the 110 controls, document: the assessment objectives, the evidence artifacts required, the sample size, the interview roles, and the test procedures. This is your audit program — and it becomes the dry run of the C3PAO's fieldwork.
Phase 3: Audit each of the 14 NIST SP 800-171 control families
The 110 controls are organized into 14 families. Audit each family as a coherent unit so you can identify systemic weaknesses, not just individual control gaps.
3.1 Access Control
Test identity lifecycle, role-based access, separation of duties, least privilege, session lock, and remote access restrictions. Sample user accounts, privileged accounts, service accounts, and terminated users. Evidence: IdP export, privileged access workflow, quarterly access reviews, session timeout configuration.
3.2 Awareness and Training
Validate role-based security training, insider threat training, and acknowledgment tracking. Sample personnel by role and confirm completion within the last 12 months. Evidence: LMS completion reports, insider threat training records, signed acknowledgments.
3.3 Audit and Accountability
Test audit logging coverage, log retention, log review, timestamp synchronization, and protection of audit information. Sample critical systems and confirm logs forward to the SIEM. Evidence: SIEM onboarding tickets, log retention policy, scheduled log reviews, NTP/PTP configuration.
3.4 Configuration Management
Test baseline configurations, change control, software inventory, least functionality, and blacklisting/whitelisting. Sample configuration baselines and compare to deployed systems. Evidence: CMDB export, change tickets, hardening baseline (DISA STIG, CIS Benchmark), software inventory.
3.5 Identification and Authentication
Test identification of users, devices, and services; multi-factor authentication (MFA) for privileged and network access; password complexity and reuse; and FIPS-validated cryptography for authenticators. Evidence: MFA policy, MFA enforcement configuration, FIPS 140-2/140-3 validation certificates.
3.6 Incident Response
Validate incident response plan, tabletop exercises, incident reporting to DoD via DIBNet within 72 hours, and post-incident analysis. Review the last 12 months of incidents. Evidence: IR plan, tabletop after-action reports, DIBNet submission procedure, post-incident reviews. See our DFARS 7012 action plan for incident reporting specifics.
3.7 Maintenance
Test controlled maintenance, media sanitization during maintenance, and escort/authorization of maintenance personnel. Evidence: maintenance logs, sanitization records, non-disclosure agreements for maintenance vendors.
3.8 Media Protection
Test marking of CUI media, access restrictions, transport protection, and cryptographic protection on media at rest. Evidence: media marking procedure, encryption configuration for removable media, courier manifests.
3.9 Personnel Security
Test screening before access to CUI and termination/transfer procedures. Evidence: background check attestations, offboarding checklists, access revocation tickets.
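The account sampling described under 3.1, 3.5, and 3.9 is easiest to repeat each quarter as a script. The following is an added example, not part of the playbook: it joins a constructed IdP export against a constructed HR separation list and flags the three conditions an auditor samples for (separated personnel whose accounts are still enabled, privileged accounts without MFA, and dormant enabled accounts). The field names, the 90-day dormancy threshold, and all account data are assumptions chosen for illustration.

```python
"""Sample-based account tests for the 3.1, 3.5 and 3.9 families.

Hypothetical audit script (not from the playbook). Field names, the
dormancy threshold and every record below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    last_login: date


# Constructed IdP export (illustrative values only).
IDP_EXPORT = [
    Account("a.adams", True, False, True, date(2024, 5, 2)),
    Account("b.baker", True, True, True, date(2024, 5, 3)),
    Account("c.clark", True, True, False, date(2024, 4, 30)),    # privileged, no MFA
    Account("d.davis", True, False, True, date(2023, 9, 1)),     # dormant
    Account("e.evans", True, False, True, date(2024, 3, 15)),    # separated, still enabled
    Account("f.frank", False, False, False, date(2024, 1, 10)),  # separated, disabled
]

# Constructed HR separation list: user -> termination date.
HR_SEPARATIONS = {
    "e.evans": date(2024, 4, 1),
    "f.frank": date(2024, 1, 12),
}

AUDIT_DATE = date(2024, 5, 6)   # constructed audit date
DORMANT_DAYS = 90               # assumed organizational inactivity threshold


def terminated_still_enabled(accounts, separations, as_of):
    """3.9.2 / 3.1.1: separated personnel whose accounts remain enabled."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.user in separations and separations[a.user] <= as_of)


def privileged_without_mfa(accounts):
    """3.5.3: enabled privileged accounts not enrolled in MFA."""
    return sorted(a.user for a in accounts
                  if a.enabled and a.privileged and not a.mfa_enrolled)


def dormant_accounts(accounts, as_of, max_idle_days=DORMANT_DAYS):
    """3.5.6 / 3.1.1: enabled accounts idle longer than the threshold."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a.user for a in accounts if a.enabled and a.last_login < cutoff)


def run_account_tests(accounts=IDP_EXPORT, separations=HR_SEPARATIONS, as_of=AUDIT_DATE):
    """Return findings keyed by test name; an empty list means the sample passed."""
    return {
        "terminated_still_enabled": terminated_still_enabled(accounts, separations, as_of),
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "dormant_accounts": dormant_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for test, hits in run_account_tests().items():
        print(f"{test}: {'PASS' if not hits else 'FAIL ' + ', '.join(hits)}")
```

Run it against a full IdP export rather than the constructed sample and the output becomes the evidence artifact for the quarterly access review; keep the script, its input snapshots, and the resulting ticket numbers together so the examine and test methods in Phase 4 point at the same record.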
3.10 Physical Protection
Test physical access authorization, visitor logs, escort of visitors, monitoring of physical access, and alternate work site protections. Evidence: badge logs, visitor registers, camera coverage, work-from-home policy.
3.11 Risk Assessment
Test periodic risk assessments, vulnerability scanning, and risk response planning. Evidence: risk register, scan reports, vulnerability remediation SLAs.
3.12 Security Assessment
Test internal assessment, continuous monitoring, and the System Security Plan (SSP) / Plan of Action and Milestones (POA&M) lifecycle. Evidence: SSP version history, POA&M entries with milestones, continuous monitoring reports. See common SSP and POA&M mistakes.
3.13 System and Communications Protection
Test boundary protection, cryptographic protection, session termination, denial-of-service protection, and protection of CUI in transit using FIPS-validated cryptography. Evidence: firewall rules, TLS configuration, VPN cryptographic parameters.
3.14 System and Information Integrity
Test flaw remediation, malicious code protection, monitoring, and information input validation. Evidence: patch management reports, EDR deployment status, SIEM alert tuning, input validation in custom applications.
Phase 4: Execute examine, interview, and test procedures
For each control, the C3PAO uses up to three assessment methods: examine (review artifacts), interview (talk to personnel), and test (observe live system behavior). Your internal audit must use the same three methods. Don't stop at examining documents — talk to the operators and watch them execute the procedure. A mismatch between what the policy says, what the operator knows, and what the system does is the #1 source of surprise findings.
Phase 5: Score findings and assign POA&M entries
Score each finding using the SPRS scoring methodology: the weighted deduction for each unmet requirement. Categorize findings as: fully implemented, partially implemented, or not implemented. Any finding that is not fully implemented generates a POA&M entry with a remediation owner, milestone dates within 180 days, and a risk statement. Our Policy & Evidence Preparation service rewrites findings into assessor-ready POA&M language.
Phase 6: Remediate, retest, and report
Within 30 days of the audit, build the remediation plan. Within 90 days, retest every high-severity finding. Within 180 days — the CMMC conditional window — close all findings. Report remediation progress to leadership monthly using the CMMC executive dashboard KPIs. See our guide to executive CMMC KPIs.
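Phases 5 and 6 together produce a score and a dated POA&M. The following is an added example, not part of the playbook and not DoD's scoring tool: it applies the weighted-deduction idea from a maximum of 110, generates a POA&M entry for every finding that is not fully implemented, and flags milestones that fall outside the 180-day window. The weight table, the two requirements assumed to carry a reduced deduction when partially implemented, and all findings are constructed assumptions for illustration; use the published DoD Assessment Methodology weights in a real audit.

```python
"""SPRS-style scoring and POA&M generation for internal audit findings.

Hypothetical script (not the playbook's and not the official tool). It
starts at 110 and subtracts one weight per unmet requirement. The weight
table and partial-credit rules below are constructed for this sample.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
POAM_WINDOW_DAYS = 180  # closure window stated in the playbook

# Constructed weights for the requirements in this sample (illustrative only).
WEIGHTS = {
    "3.1.1": 5, "3.1.5": 3, "3.2.1": 3, "3.3.1": 5, "3.4.1": 5,
    "3.5.3": 5, "3.6.1": 5, "3.12.2": 3, "3.13.11": 5, "3.14.1": 5,
}
# Assumed: requirements that lose fewer points when partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

STATUSES = ("implemented", "partial", "not_implemented")


@dataclass
class Finding:
    requirement: str
    status: str
    owner: str
    milestone: date


AUDIT_DATE = date(2024, 5, 6)  # constructed audit date

# Constructed findings; requirements not listed are assumed implemented.
FINDINGS = [
    Finding("3.1.1", "implemented", "IAM lead", AUDIT_DATE),
    Finding("3.1.5", "partial", "IAM lead", date(2024, 7, 1)),
    Finding("3.2.1", "implemented", "Training lead", AUDIT_DATE),
    Finding("3.3.1", "not_implemented", "SOC manager", date(2024, 8, 30)),
    Finding("3.4.1", "implemented", "Platform eng", AUDIT_DATE),
    Finding("3.5.3", "partial", "IAM lead", date(2024, 9, 15)),
    Finding("3.6.1", "implemented", "IR lead", AUDIT_DATE),
    Finding("3.12.2", "partial", "GRC", date(2024, 12, 31)),  # beyond 180-day window
    Finding("3.13.11", "not_implemented", "Network eng", date(2024, 10, 1)),
    Finding("3.14.1", "implemented", "Platform eng", AUDIT_DATE),
]


def deduction(f, weights=WEIGHTS, partial=PARTIAL_CREDIT):
    """Points lost for one finding. Partial implementation counts as unmet
    unless the requirement is in the (assumed) partial-credit table."""
    if f.status not in STATUSES:
        raise ValueError(f"unknown status {f.status!r} for {f.requirement}")
    if f.status == "implemented":
        return 0
    if f.status == "partial" and f.requirement in partial:
        return partial[f.requirement]
    return weights[f.requirement]


def sprs_score(findings):
    """Score = 110 minus the sum of deductions for every unmet requirement."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_entries(findings, audit_date=AUDIT_DATE, window_days=POAM_WINDOW_DAYS):
    """One POA&M row per finding that is not fully implemented, highest
    points-at-risk first, with a flag for milestones past the window."""
    deadline = audit_date + timedelta(days=window_days)
    rows = [
        {
            "requirement": f.requirement,
            "status": f.status,
            "owner": f.owner,
            "milestone": f.milestone,
            "points_at_risk": deduction(f),
            "within_window": f.milestone <= deadline,
        }
        for f in findings if f.status != "implemented"
    ]
    return sorted(rows, key=lambda r: (-r["points_at_risk"], r["requirement"]))


def late_milestones(findings, audit_date=AUDIT_DATE):
    """Requirements whose planned milestone exceeds the 180-day window."""
    return [r["requirement"] for r in poam_entries(findings, audit_date)
            if not r["within_window"]]


if __name__ == "__main__":
    print(f"SPRS-style score: {sprs_score(FINDINGS)}")
    for row in poam_entries(FINDINGS):
        flag = "" if row["within_window"] else "  <-- milestone beyond 180 days"
        print(f"{row['requirement']:8} {row['status']:16} {row['owner']:14} "
              f"{row['milestone']} -{row['points_at_risk']}{flag}")
```

Sorting the POA&M by points at risk gives the 90-day retest list its priority order; the `within_window` flag is the check an assessor makes when reviewing milestone dates, so it is worth running before the POA&M leaves the audit team.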
Building a sustainable annual audit cadence
After first-time certification, the cadence matures into: quarterly mini-audits covering one or two control families, a full internal audit annually, and a formal re-assessment every three years. Continuous monitoring artifacts — SIEM exports, vulnerability scans, access reviews — feed the audit continuously so nothing is retroactively reconstructed. Our Compliance Program Management service operates this cadence as a managed program.
Frequently asked questions about NIST SP 800-171 internal audit
What is a NIST SP 800-171 internal audit?
A NIST SP 800-171 internal audit is a structured, evidence-based review of an organization's implementation of the 110 security requirements defined in NIST SP 800-171 Rev 2. For defense contractors, the internal audit is the primary mechanism for validating CMMC Level 2 readiness before a C3PAO assessment. A rigorous internal audit tests policies, procedures, system configurations, and evidence artifacts across all 14 control families.
How often should defense contractors run an internal NIST 800-171 audit?
Most mature defense contractors run a full internal NIST SP 800-171 audit annually and targeted mini-audits quarterly. In the 12 months before a CMMC Level 2 C3PAO assessment, internal audit cadence should include a baseline audit, a mid-cycle remediation audit, and a full mock assessment 60-90 days before the official assessment window.
Who should lead a NIST SP 800-171 internal audit?
The internal audit should be led by an independent function that does not own control implementation. In smaller organizations, a Registered Practitioner (RP) or Certified CMMC Professional (CCP) contracted through a Registered Practitioner Organization (RPO) typically leads the audit. Larger contractors use internal audit, GRC, or compliance teams with NIST SP 800-171A assessment objective training. Independence matters because assessors expect the audit to be objective.
How long does a NIST SP 800-171 internal audit take?
A full internal audit of all 110 NIST SP 800-171 controls typically takes 4 to 8 weeks for a midsize defense contractor, depending on system complexity, the number of CUI enclaves, and evidence maturity. The audit includes scoping (1 week), control testing (2-4 weeks), interview and observation (1 week), and findings reporting (1-2 weeks). Mini-audits focused on a single control family can be completed in 3-5 business days.
How Andvio helps
Andvio connects defense contractors with vetted Registered Practitioner Organizations (RPOs), Certified CMMC Professionals (CCPs), and Certified CMMC Assessors (CCAs) who can design, run, and repeat your NIST SP 800-171 internal audit. Instead of evaluating audit firms one at a time, you receive a short list of matched partners aligned to your CUI scope, control maturity, and certification timeline.