IT Compliance Audit Checklist | Free Download | Petronella

CMMC 2.0 (Cybersecurity Maturity Model Certification) is required for DoD contractors handling CUI. Level 2 requires implementation of 110 NIST SP 800-171 practices with third-party assessment.

• Limit system access to authorized users, processes, and devices with documented access control policy
• Enforce separation of duties to reduce risk of malicious activity without collusion
• Implement least-privilege access and review user permissions quarterly
• Multi-factor authentication required for all network access to CUI systems
• Restrict remote access sessions and encrypt all remote connections to CUI environments

• Create and retain system audit logs sufficient to support security incident investigation
• Ensure individual accountability by tracing actions to unique users (no shared accounts)
• Review and analyze audit logs for indicators of compromise at least weekly
• Protect audit information and logging tools from unauthorized access and modification
• Correlate audit review and reporting processes across multiple systems and time zones

• Establish an incident response plan with roles, communication protocols, and escalation procedures
• Test incident response capability at least annually through tabletop or functional exercises
• Track, document, and report incidents to designated officials per DFARS 252.204-7012 (72 hours)
• Implement automated mechanisms to support incident handling and evidence collection
• Identify and report security incidents involving CUI to DIBCIS within required timeframe

NIST SP 800-171 protects Controlled Unclassified Information (CUI) in non-federal systems. It contains 110 security requirements across 14 families. Required for federal contractors and subcontractors.

• Monitor, control, and protect communications at system boundaries with firewalls and IDS/IPS
• Employ FIPS-validated encryption to protect CUI in transit across all network connections
• Separate user functionality from system management functionality in system design
• Prevent remote devices from simultaneously maintaining connections to internal and external networks (split tunneling)
• Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI at rest

• Establish and maintain baseline configurations and inventories of organizational systems
• Employ the principle of least functionality by restricting unnecessary functions, ports, and services
• Apply deny-by-exception policies for software execution on all endpoints
• Control and monitor user-installed software and enforce change management processes
• Track, review, and approve all changes to system configurations with documented change logs

• Ensure all users are aware of security risks associated with their activities and applicable policies
• Provide role-based security training for personnel with security responsibilities before granting access
• Document and maintain records of all security training completion with annual refresher requirements

SOC 2 (Service Organization Control 2) evaluates controls relevant to security, availability, processing integrity, confidentiality, and privacy. Required by many enterprise clients for vendor risk management.

• Logical and physical access controls with centralized identity management and SSO where possible
• Network and system monitoring with automated alerting for anomalous activity and unauthorized access
• Change management process with documented approval workflow, testing, and rollback procedures
• Risk assessment process conducted at least annually with formal risk register and treatment plans
• Vendor management program with risk assessment of third-party providers handling sensitive data

• Business continuity and disaster recovery plans documented, tested at least annually, and updated
• System performance monitoring with capacity planning and defined SLAs for uptime and response
• Data backup procedures with documented RPO/RTO targets and regular restoration testing
• Data classification policy identifying confidential, internal, and public data categories
• Encryption controls for confidential data at rest and in transit with key management procedures

• Privacy policy published and aligned with data collection, use, retention, and disposal practices
• Data processing controls ensuring completeness, accuracy, timeliness, and authorization of system processing
• Data retention and disposal schedule aligned with regulatory requirements and documented destruction records

PCI DSS 4.0 (Payment Card Industry Data Security Standard) is required for all organizations that store, process, or transmit cardholder data. Non-compliance can result in fines of $5,000 to $100,000 per month.

• Install and maintain network security controls (firewalls, WAF) between all CDE and untrusted networks
• Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment
• Network segmentation isolating the CDE from all other networks, validated at least annually
• Prohibit direct public access between the internet and any system in the cardholder data environment
• Inventory all authorized wireless access points and conduct quarterly rogue wireless detection scans

• Protect stored cardholder data with encryption, truncation, masking, or hashing with documented key management
• Do not store sensitive authentication data after authorization (full track, CVV, PIN)
• Encrypt transmission of cardholder data across open, public networks using strong cryptography (TLS 1.2+)
• Maintain a data flow diagram showing all cardholder data flows across systems, networks, and applications
• Implement a data retention and disposal policy with quarterly discovery scans for unauthorized cardholder data

• Deploy anti-malware solutions on all systems commonly affected by malware with automated updates
• Conduct quarterly internal and external vulnerability scans with ASV-approved scanning for external
• Establish a process for timely patching with critical patches applied within 30 days of release