CMMC Audit Guide: How to Detect Hidden or Forgotten Systems

Simulation of a CMMC audit showing a cybersecurity auditor reviewing network map and CMMC scoping guide to detect hidden systems during compliance assessment.

Detecting Concealed, Forgotten, or “Conveniently Omitted” Systems During a CMMC Audit

Hidden assets—forgotten servers, unregistered devices, and unmonitored cloud instances—can derail a CMMC assessment. This practical guide helps you spot them early, align your scope with DoD rules, and prepare for a CMMC audit like a pro.

Why hidden systems matter for a CMMC Audit

In CMMC Level 2, your environment must meet the NIST SP 800‑171 requirements for systems that process, store, or transmit CUI—and certain systems that provide security services to those systems. If your scope misses assets, your controls won’t cover the real environment, which leads to findings. The DoD’s Final CMMC Rule formalizes verification, introduces annual affirmations of ongoing compliance, and ties certification status to contract award and performance—so accuracy isn’t optional. [cmmcaudit.org]

The CMMC Level 2 Scoping Guide defines asset categories—CUI assets, security protection assets, contractor risk‑managed assets, specialized assets, and out‑of‑scope assets—and explains how those categories set your assessment boundary. Use these categories to avoid pulling your entire enterprise into scope.

Inventory is foundational. NIST SP 800‑171 Rev. 3 includes 03.04.10: System Component Inventory, which requires a documented inventory that is reviewed, updated, and changed whenever components are installed, removed, or modified. [war.gov]


A Scope‑first Mindset (before you start hunting)

Scope sets the rules. Before discovery:

  • Map CUI flow. Identify systems where CUI originates, moves, and rests. Include gateways like identity services, firewalls, SIEM, backup, and other tools that provide security functions to CUI assets. Categorize each asset per the Level 2 Scoping Guide.
  • Document separation. If you isolate CUI in an enclave (e.g., segmented VLANs or a dedicated tenant), show how segmentation enforces separation and reduces scope. This approach is widely recommended to streamline assessments. [dowcio.war.gov]
  • Prepare artifacts. Update the System Security Plan (SSP), data‑flow diagrams, and the inventory by CMMC categories. Assessors review documentation and test against NIST 800‑171A assessment objectives, not just the 110 requirements.

Pro tip: “If it’s not written, it didn’t happen.” Weak documentation causes more assessment failures than weak technology. [sands-mvcc.github.io]


External reconnaissance: the Attacker’s View

Bring a hunter’s mindset to scope validation. Your goal is to surface assets that should appear in your inventory:

  • Public footprint review. Examine domains, subdomains, certificates, and netblocks. Certificate transparency and DNS enumeration can reveal forgotten web apps, test environments, or legacy services still exposed. Use findings to reconcile inventory and correct your scoping narrative.
  • Third‑party exposure. Review partner portals and managed services footprints for references to systems you operate. Third‑party connections often illuminate assets you failed to include in scope documentation.

Capture: a list of externally visible hosts, unexpected ports, and any service that contradicts your stated boundary (e.g., “we have no public RDP”). Tie each item back to your inventory record. [tevora.com]


Internal Discovery for a CMMC Audit: Enumerate the Whole Environment

Now trust but verify internally with multiple, independent data sources:

  • Credentialed network scans across all assigned ranges (HQ, branches, labs, DMZ, enclaves). Reconcile live IPs and open services with your inventory. Any device not inventoried indicates a scope problem.
  • Directory exports (AD/Azure AD). Pull all computer objects; cross‑check for orphaned, disabled, or unknown systems.
  • DHCP lease history (6–12 months). Every device that got an address should be accounted for—or justified.
  • Network device tables. Switch/router MAC address tables expose “quiet” devices like lab boxes or dev servers that never hit your scanners.
  • SIEM and firewall logs. Query for source IPs not in inventory; look for internal traffic from unknown addresses; review VPN logs for connections from unmanaged endpoints. [cmmctraining.academy]

This aligns to NIST 800‑171 Rev. 3 inventory expectations and demonstrates that the inventory is current and accurate.
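The reconciliation the list above describes, as an added example that is not from the original article: it loads a constructed system-component inventory and constructed AD, DHCP, switch MAC-table and firewall-log samples, then reports every identifier seen by a source but absent from the inventory, merging DHCP and MAC-table sightings of the same hardware address. Column names, log format and all sample values are assumptions.

```python
"""Reconcile asset sightings from independent sources against the inventory.
Added example; every data set below is constructed for illustration."""
import csv
import io
import re
from collections import defaultdict

# Constructed inventory export: category uses CMMC Level 2 labels
# (CUI asset, SPA = security protection asset).
INVENTORY_CSV = """hostname,ip,mac,category
fs01,10.10.1.5,00:11:22:33:44:01,CUI
dc01,10.10.1.10,00:11:22:33:44:02,SPA
jump01,10.10.2.20,00:11:22:33:44:03,SPA
"""
AD_COMPUTERS = ["FS01", "DC01", "JUMP01", "LAB-BUILD7"]          # constructed AD export
DHCP_LEASES = [("10.10.3.44", "b8:27:eb:aa:bb:01"),              # constructed lease history
               ("10.10.1.5", "00:11:22:33:44:01")]
MAC_TABLE = ["00:11:22:33:44:02", "b8:27:eb:aa:bb:01",           # constructed switch table
             "3c:5a:b4:00:00:09"]
FW_LOG = """2025-04-01T08:00:01 src=10.10.2.20 dst=10.10.1.5 action=allow
2025-04-01T08:00:09 src=10.10.9.7 dst=10.10.1.10 action=allow
"""                                                              # constructed firewall log


def load_inventory(text):
    """Index the inventory by hostname, IP and MAC (all lower-cased)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {"host": {r["hostname"].lower() for r in rows},
            "ip": {r["ip"] for r in rows},
            "mac": {r["mac"].lower() for r in rows}}


def reconcile(inv, ad_names, dhcp_leases, mac_table, fw_log):
    """Return {identifier: set(sources)} for anything seen but not inventoried."""
    gaps = defaultdict(set)
    for name in ad_names:                       # orphaned/unknown computer objects
        if name.lower() not in inv["host"]:
            gaps[name.lower()].add("ad")
    for ip, mac in dhcp_leases:                 # key by MAC: leases change, hardware does not
        if mac.lower() not in inv["mac"]:
            gaps[mac.lower()].add(f"dhcp:{ip}")
    for mac in mac_table:                       # "quiet" devices that never hit a scanner
        if mac.lower() not in inv["mac"]:
            gaps[mac.lower()].add("mac-table")
    for m in re.finditer(r"src=(\d+\.\d+\.\d+\.\d+)", fw_log):  # traffic from unknown IPs
        if m.group(1) not in inv["ip"]:
            gaps[m.group(1)].add("firewall")
    return dict(gaps)


if __name__ == "__main__":
    found = reconcile(load_inventory(INVENTORY_CSV), AD_COMPUTERS, DHCP_LEASES, MAC_TABLE, FW_LOG)
    for ident, sources in sorted(found.items()):
        print(f"{ident:<20} seen in: {', '.join(sorted(sources))}")
```

Each reported identifier is a scope gap to resolve: either inventory and categorize the asset or document its decommissioning.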


Cloud & SaaS verification for a CMMC Audit

Hidden assets aren’t just racks and PCs—cloud counts too:

  • Cloud control plane. Enumerate AWS/Azure/GCP resources (VMs, containers, storage, serverless, databases) and reconcile against your inventory and SSP. Identify “stray” tenants, terminated instances with retained data, and shadow subscriptions. [dodcio.defense.gov]
  • Identity & remote access. Map cloud identity controls to Access Control objectives—MFA, conditional access, and policies that control the flow of CUI from trusted locations/devices/apps. Align configurations to Microsoft’s CMMC Level 2 AC guidance.

Treat cloud services that store or protect CUI as part of your boundary. The Scoping Guide makes clear that security‑protection assets are in scope.


Process & documentation forensics

Paper‑trail inconsistencies frequently reveal hidden systems:

  • Baselines & change management. Baselines and change logs must map to actual systems. NIST 800‑171 requires establishing and maintaining baseline configurations and inventories across the life cycle.
  • Patch, backup, ticketing. If a hostname appears in backup jobs or patch reports but not in inventory, you’ve found a scope gap. Cross‑reference help‑desk tickets for mentions of IPs/hosts missing from your asset list.
  • Procurement history. Tie POs for hardware/software to inventory entries. “We bought 50 servers” should equal 50 inventoried systems or a clear decommission trail.

Interviews & Physical Walk‑throughs

Human intel closes gaps that tools miss:

  • Structured interviews. Talk separately with network admins, developers, help desk, and cloud teams. Ask about dev/test labs, “temporary” systems, and special subnets. The Level 2 Assessment Guide describes who assessors interview and what they examine/test.
  • Server rooms and labs. Physically inspect racks, closets, labs, and branch offices. Unlabeled servers, SBCs (e.g., Raspberry Pi), or rogue Wi‑Fi suggest unmanaged assets that need to be inventoried and controlled.

Continuous Monitoring Proves You’d Catch the Next One

Assessors look for evidence that monitoring detects new or unauthorized systems:

  • SIEM coverage. Show log ingest from critical devices and in‑scope systems; configure “new device detected” alerts.
  • Vulnerability scanning schedules. Prove complete IP coverage; justify any reserved ranges (e.g., OT segments) and show separation controls.
  • NAC policies. Demonstrate that unauthorized devices are blocked or quarantined.

Common Red Flags that Trigger Deeper Review

  • Round‑number inventories (exactly “100 servers”)—assessors expect #101.
  • “Air‑gapped” claims without proof—assessors examine for sneaker‑net paths, rogue wireless, or misconfigured VLANs.
  • Overly complex diagrams—complexity often hides unmanaged segments or shadow services.
  • “Temporary” exceptions older than 30 days—if it’s running, it needs to be inventoried and controlled.

Mapping to CMMC v2 and NIST 800‑171 Rev. 3

This CMMC audit guide avoids legacy CMMC v1 practice labels and points to current sources:

  • The DoD Level 2 Scoping Guide defines assessment scope, categories, and boundary rules for Level 2.
  • The DoD Level 2 Assessment Guide outlines assessment activities—interview, examine, and test—used by assessors.
  • NIST SP 800‑171 Rev. 3 establishes inventory and configuration‑management requirements (e.g., 03.04.10 System Component Inventory) and emphasizes maintaining baselines and inventories across the life cycle. [csrc.nist.gov]

Synchronize inventory, change management, logging, and identity controls to these sources. Show evidence. That’s how your scope stands up to assessor scrutiny.


Legal reality check: Accuracy and Attestations

With the Final CMMC Rule, DoD emphasizes verification and annual affirmations. Misstating status can have real consequences. Separately, the False Claims Act (FCA) and DOJ’s Civil Cyber‑Fraud Initiative have been used to pursue contractors who submit false cybersecurity claims (e.g., inflated SPRS scores or inaccurate compliance statements). Public cases and commentary detail penalties and settlements tied to misrepresentation. [federalregister.gov]

Bottom line: Treat scope, inventory, and evidence as truth data. If you later discover hidden assets, update your SSP, POA&M, and SPRS entry promptly to avoid compliance and legal risk.


A Simple CMMC Audit Checklist You Can Start This Week

  1. Refresh the inventory.
    Export AD/Azure AD device lists, pull DHCP lease history, collect MAC tables, and reconcile against a single, system‑component inventory. Mark assets by CMMC Level 2 categories.
  2. Close the documentation gap.
    Update the SSP with scope boundary, CUI data flows, segmentation/enclave rationale, and evidence links. Align to NIST 800‑171A assessment objectives so documentation matches what assessors will test.
  3. Eliminate shadow services.
    Fix discrepancies uncovered by scans and logs. Either bring assets into scope and secure them, or decommission and document removal. Update baselines and inventories per 03.04.10.
  4. Harden identity & remote access.
    Enforce MFA, conditional access, and session controls mapped to Access Control objectives. Document how these controls prevent unauthorized CUI flow.
  5. Prove monitoring coverage.
    Show SIEM ingest from critical devices, scanning coverage for all ranges, and NAC policies that block new/unknown devices. Keep reports ready for assessors.
  6. Rehearse interviews.
    Run an internal “assessment rehearsal.” Have system owners explain every subnet, lab, and exception. If any answer surprises you, adjust scope and controls before the formal assessment.

FAQ on CMMC Audit and Scoping

Q1: Which assets are always in scope for CMMC Level 2?
Assets that process, store, or transmit CUI (CUI assets) and systems that provide security functions to those assets (security protection assets). Categorization and boundary rules are defined in the DoD Level 2 Scoping Guide.

Q2: Do cloud services count toward my scope?
Yes. If a cloud resource processes, stores, transmits, or protects CUI, it belongs in your assessment boundary. Use the provider control plane and identity settings to enumerate, secure, and document.

Q3: What inventory evidence do assessors expect?
A maintained system‑component inventory, updated as components change, plus baselines and change records that match reality. This comes from NIST 800‑171 Rev. 3 and related configuration‑management requirements.

Call To Action

Need help validating your scope before an assessment?
Book a 30‑minute CMMC readiness consult—we’ll review your boundary, inventory, and evidence and give you a prioritized action plan.


About the Author

Daniel Ihonvbere, CISM, CISSP, is a cybersecurity and governance professional specializing in CMMC, NIST 800‑171, and DFARS‑aligned security programs. With more than a decade of experience serving small and mid‑sized government contractors, Daniel helps organizations interpret, operationalize, and sustain the requirements found in 32 CFR Part 170, the CMMC Model, and the CMMC Assessment Process (CAP).

Based in Central Texas, he works with defense industrial base (DIB) organizations to transform regulatory requirements into clear governance, defensible evidence, and audit‑ready practices. His approach emphasizes sustainability—programs that leadership understands, teams can operate year‑round, and assessors can verify without confusion.

He publishes practical guidance on CMMC, NIST 800‑171, DFARS 252.204‑7012, and the evolving requirements affecting the defense supply chain—breaking down complex expectations into actionable steps that compliance leaders, business owners, and IT teams can implement with confidence.

Connect with Daniel on LinkedIn for CMMC insights | www.techprognosis.com


Disclaimer
This content is for general education and awareness only. Daniel and Tech Prognosis are not a C3PAO, CCP, or CCA and do not provide certification or assessment services. For official certification decisions, organizations must engage an authorized Cyber‑AB C3PAO and follow the CMMC Assessment Process (CAP). Daniel partners with third-party organizations to support readiness efforts, but all certifications must be completed by an authorized C3PAO.