CNSA 2.0 Compliance Audit Framework: A Checklist for Sub-Tier Defence Suppliers

This is the audit companion to the sub-tier supplier guide. That article answers "what do I need to do?" This one answers "have I done it?" The audience is the compliance officer, quality manager, or legal counsel who needs a structured instrument to record current state, identify gaps, and produce documentation a C3PAO assessor can review.

If you need the foundational context on what CNSA 2.0 changed from CNSA 1.0, read that first. This checklist assumes familiarity with the algorithm requirements and focuses on the seven audit domains that determine whether a sub-tier defence supplier is on track for CMMC Level 2 assessed compliance and CNSA 2.0 acquisition readiness.

A note before you begin. An audit confirms implementation. Working backwards from these questions to produce documentation without the underlying technical implementation is not compliance, and it is exactly what a C3PAO assessment is designed to expose: assessors test the NIST SP 800-171A objectives by examining evidence, interviewing staff, and observing controls in operation, not by reading the SSP alone. The checklist is a diagnostic instrument.

Self-assessment summary (the page's terminal-style graphic, rendered as a table; the seven rows here are the quick-check domains D1 to D7, which group the material differently from the seven audit domains below)

| Domain | Audit item | Control reference | Result | Weight |
|---|---|---|---|---|
| D1 Crypto algorithm | All new key-encapsulation implementations use ML-KEM-1024; no RSA or ECC for new NSS-adjacent connections post-2025 | NIST FIPS 203; NSA CNSA 2.0 Advisory | PASS / FAIL / N/A | CRITICAL |
| D2 Signatures | Digital signatures use ML-DSA-87, or LMS/XMSS for software and firmware signing; firmware, software and document signing covered | NIST FIPS 204; NIST SP 800-208; NSA CNSA 2.0 Advisory | PASS / FAIL / N/A | CRITICAL |
| D3 FIPS module | Cryptographic modules are FIPS 140-3 validated (CMVP listed); CMVP certificate number documented for each module in use | NIST SP 800-171 Rev 2, requirement 3.13.11; FIPS 140-3 | PASS / FAIL / N/A | HIGH |
| D4 CUI data | CUI/CDI inventory documented: storage, processing, transit paths; CAD files, firmware, design specs, test parameters classified correctly | DFARS 252.204-7012(a); DoD CUI Registry | PASS / FAIL / N/A | HIGH |
| D5 CMMC practices | CMMC Level 2: all 110 requirements of NIST SP 800-171 Rev 2 addressed; System Security Plan (SSP) and POAM current and maintained | CMMC v2.02; 32 CFR Part 170 (effective 16 Dec 2024) | PASS / FAIL / N/A | MEDIUM |
| D6 Flowdown | DFARS 252.204-7012 clause included in all sub-tier contracts; COTS-only sub-tiers identified and documented for exemption | DFARS 252.204-7012(m) mandatory flowdown | PASS / FAIL / N/A | MEDIUM |
| D7 Incident reporting | Cyber incident reporting capability: 72-hour notification to DoD via DIBNet; media preservation plan and contractor damage assessment procedure documented | DFARS 252.204-7012(c)-(e); DIBNet portal | PASS / FAIL / N/A | MEDIUM |

Audit summary rules:
  Critical domains (D1, D2): must pass before the CMMC C3PAO assessment.
  High domains (D3, D4): gaps must have POAM entries with remediation dates.
  Medium domains (D5, D6, D7): track in the SSP; close within 90 days.
  N/A: document the rationale (COTS exemption or no CDI in scope).
  Assessment valid 90 days; re-run on material change.

CNSA 2.0 transition timeline (NSA CNSA 2.0 Advisory, September 2022):
  Software and firmware signing: support and prefer CNSA 2.0 by 2025; exclusive use by 2030.
  Web browsers, web servers and cloud services: support and prefer by 2025; exclusive use by 2033.
  Traditional networking equipment (VPNs, routers): support and prefer by 2026; exclusive use by 2030.
  Operating systems: support and prefer by 2027; exclusive use by 2033.
  Niche equipment: support and prefer by 2030; exclusive use by 2033.
  Custom applications and legacy equipment: update or replace by 2033.

The Seven Audit Domains

| Domain | Core question | Primary verification source | Red-flag finding |
|---|---|---|---|
| 1. Cryptographic asset inventory | Is there a complete, current CBOM covering all CDI-touching systems? | NIST SP 800-171 Rev 2, requirement 3.13.11; NIST SP 800-161 Rev 1 | No inventory exists, or the inventory is more than 12 months old |
| 2. Algorithm selection and FIPS 140-3 validation | Are ML-KEM-1024, ML-DSA-87 and, for software/firmware signing, LMS or XMSS in use or on a validated roadmap? | NSA CNSA 2.0 Advisory (September 2022); NIST CMVP | Non-CNSA 2.0 parameter sets in use; no FIPS 140-3 validation in progress |
| 3. Flowdown verification | Is DFARS 252.204-7012 in the prime contract, and is it flowed down to sub-sub-tiers? | DFARS 252.204-7012(m) | Clause absent from subcontract; no flowdown to sub-sub-tiers that handle CDI |
| 4. CMMC Level 2/3 control mapping | Is the organisation assessed (or in assessment) against all 110 NIST SP 800-171 Rev 2 requirements? | 32 CFR Part 170; CMMC Level 2 Assessment Guide (DoD CIO); NIST SP 800-171 Rev 2 | No gap assessment completed; CMMC assessment type misidentified (self-assessment vs C3PAO) |
| 5. Migration timeline tracking | Is there a roadmap with FIPS 140-3 validation milestones that closes before the 2027 acquisition gate? | NSA CNSA 2.0 Advisory, Table 1; NIST CMVP | No roadmap; no validation milestone; timeline gap cannot be closed before 2027 |
| 6. Procurement language | Is the SPRS score current, and do contract templates reflect CNSA 2.0 obligations? | DFARS 252.204-7020; SPRS portal; NSA CNSA 2.0 Advisory | No SPRS score; contract templates contain unverifiable cryptographic representations |
| 7. Internal documentation | Are the SSP, POAM and residual-risk register current, version-controlled and audit-ready? | NIST SP 800-171 Rev 2, requirements 3.12.2 and 3.12.4; CMMC Level 2 Assessment Guide | SSP outdated; POAM not maintained; 3.13.x items open with no target date |

Domain 1: Cryptographic Asset Inventory

The cryptographic asset inventory is the prerequisite for every other domain. A supplier that cannot document which cryptographic algorithms are in use, and where, cannot make a compliance claim about any of them. NIST SP 800-171 Rev 2, requirement 3.13.11, requires FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI. Implicit in that requirement is knowing which mechanisms are deployed. (Rev 2 remains the revision that DFARS 252.204-7012 and the CMMC rule in 32 CFR Part 170 reference; Rev 3, published May 2024, has not yet been adopted for either, so assessments and SSPs should be written to Rev 2 numbering.)

The structured format for this inventory is a Cryptographic Bill of Materials (CBOM): a per-system list of cryptographic assets (algorithms and parameter sets, keys and certificates, protocols, and the modules that implement them), analogous to the Software Bill of Materials concept in NIST SP 800-161 Rev 1 on supply chain risk management. CycloneDX 1.6 defines a machine-readable CBOM schema, which makes the inventory shareable with a prime in the same way an SBOM is. Assessors will expect to see this document. A CBOM that was produced for a prior assessment and has not been updated since is a red-flag finding, not a mitigating document.

For a structured approach to identifying and prioritising which systems require migration, the QSECDEF Cryptographic Asset Prioritisation Matrix provides a risk-tiered sequencing framework aligned to the compliance stack below.

Audit questions for Domain 1:

  1. Has the organisation produced a complete inventory of all cryptographic algorithms in use across its covered systems? (Verification: NIST SP 800-171 Rev 2, requirement 3.13.11)
  2. Does the inventory identify which algorithms are quantum-vulnerable (RSA, DSA, DH, ECDH/ECDSA, including the X25519 and Ed25519 curves)? (Verification: NSA CNSA 2.0 Advisory, September 2022)
  3. Does the inventory cover all CDI-touching systems, not only edge or perimeter components? (Verification: DFARS 252.204-7012, scope of "covered defence information")
  4. Is the inventory maintained and reviewed at least annually, with a documented owner? (Verification: NIST SP 800-171 Rev 2, requirement 3.12.1)
  5. Has the inventory been structured as or mapped to a CBOM format that can be shared with the prime on request? (Verification: NIST SP 800-161 Rev 1, supply chain transparency)

Domain 2: Algorithm Selection and FIPS 140-3 Module Validation

NIST SP 800-171 Rev 2, requirement 3.13.11, requires FIPS-validated cryptography, not merely FIPS-compliant cryptography, wherever cryptography protects the confidentiality of CUI. A library that claims FIPS compliance without a current CMVP validation certificate does not satisfy this requirement. The CNSA 2.0 suite (NSA CNSA 2.0 Advisory, September 2022, Table 1) is ML-KEM-1024 (FIPS 203) for key establishment, ML-DSA-87 (FIPS 204) for digital signatures, the stateful hash-based schemes LMS and XMSS (NIST SP 800-208) for software and firmware signing, AES-256 for symmetric encryption, and SHA-384 or SHA-512 for hashing. Lower parameter sets (ML-KEM-512/768, ML-DSA-44/65) are NIST-standardised but are not CNSA 2.0, and SLH-DSA (FIPS 205) is a NIST standard that the CNSA 2.0 suite does not include. Two checks belong here: the module's CMVP certificate must be current, and the certificate's approved-algorithm list (the CAVP validations it references) must actually cover the post-quantum algorithm and parameter set in use; a FIPS 140-3 certificate for a module's AES and SHA-2 implementations says nothing about its ML-KEM. Check the CMVP list directly before committing to a library (NIST CMVP, https://csrc.nist.gov/projects/cryptographic-module-validation-program).

Audit questions for Domain 2:

  1. Has the organisation identified FIPS 140-3 validated (or in-validation) cryptographic modules for each CNSA 2.0 algorithm, and recorded the CMVP certificate number and the algorithms that certificate actually covers? (Verification: NIST CMVP validated modules list)
  2. For ML-KEM key encapsulation: is the implementation using ML-KEM-1024, not ML-KEM-512 or ML-KEM-768? (Verification: NSA CNSA 2.0 Advisory)
  3. For digital signatures: has the organisation confirmed use of ML-DSA-87, not ML-DSA-44 or ML-DSA-65, for code signing and authentication? (Verification: NSA CNSA 2.0 Advisory)
  4. For software and firmware signing specifically: is ML-DSA-87 or a CNSA 2.0 stateful hash-based scheme (LMS or XMSS per NIST SP 800-208) in use, rather than SLH-DSA or a non-CNSA parameter set, and where LMS or XMSS is used, is one-time-signature state managed so that a private key state can never be reused? (Verification: NSA CNSA 2.0 Advisory; NIST SP 800-208, state management requirements)
  5. Is there a documented decision record for each algorithm selection, including the rationale for the parameter set and the validation status of the implementing module? (Verification: NIST SP 800-53 Rev 5, control SA-10)
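As an added example for Domains 1 and 2 (not code from the page or from QSECDEF), the following Python builds a minimal CBOM from a constructed inventory and flags the red-flag findings the two domains ask about: quantum-vulnerable public-key algorithms, parameter sets outside CNSA 2.0, algorithms that are not in the CNSA 2.0 suite at all, modules with no CMVP certificate recorded, and an inventory older than twelve months. The field layout loosely follows CycloneDX 1.6 cryptoProperties (an assumption about the format, not a validated document); the system names, module names, certificate numbers and dates are invented sample data.

```python
"""Minimal CBOM builder with CNSA 2.0 / FIPS 140-3 findings for Domains 1-2.

Added example, not code from the page.  Field names loosely follow
CycloneDX 1.6 'cryptoProperties' (assumption); all sample rows are
constructed and every certificate number below is a placeholder.
"""
import json
from datetime import date, timedelta

# Algorithm families in the NSA CNSA 2.0 advisory (Sept 2022) and the
# parameter sets it names.  None = every parameter set of that family is
# accepted (LMS/XMSS as specified in NIST SP 800-208).
CNSA2_PARAMETER_SETS = {
    "ML-KEM": {"ML-KEM-1024"},
    "ML-DSA": {"ML-DSA-87"},
    "LMS": None,
    "XMSS": None,
    "AES": {"AES-256"},
    "SHA-2": {"SHA-384", "SHA-512"},
}
# Public-key families a cryptographically relevant quantum computer breaks.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA", "X25519"}
MAX_INVENTORY_AGE = timedelta(days=365)          # Domain 1, question 4


def assess_entry(entry):
    """Return the audit findings for one inventory row (empty list = clean)."""
    findings = []
    family, pset = entry["algorithm"], entry["parameter_set"]
    if family in QUANTUM_VULNERABLE:
        findings.append("quantum-vulnerable (Domain 1 Q2)")
    elif family in CNSA2_PARAMETER_SETS:
        allowed = CNSA2_PARAMETER_SETS[family]
        if allowed is not None and pset not in allowed:
            findings.append(f"non-CNSA 2.0 parameter set {pset} (Domain 2 Q2-Q4)")
    else:
        findings.append(f"{family} is not a CNSA 2.0 algorithm (Domain 2)")
    if entry["touches_cdi"] and not entry["cmvp_certificate"]:
        findings.append("no CMVP certificate recorded for module (Domain 2 Q1)")
    return findings


def inventory_is_stale(reviewed_on, today):
    """Domain 1 red flag: inventory more than twelve months old."""
    return today - reviewed_on > MAX_INVENTORY_AGE


def build_cbom(entries, owner, reviewed_on, today):
    """Emit a CBOM dict and a findings map keyed by 'system/component'."""
    components, findings = [], {}
    for e in entries:
        components.append({
            "type": "cryptographic-asset",
            "name": e["parameter_set"],
            "cryptoProperties": {
                "assetType": "algorithm",
                "algorithmProperties": {"primitive": e["primitive"],
                                        "parameterSetIdentifier": e["parameter_set"]},
            },
            # Audit metadata the checklist asks for, kept as plain properties.
            "properties": [{"name": k, "value": str(e[k])}
                           for k in ("system", "component", "touches_cdi",
                                     "module", "cmvp_certificate")],
        })
        if (found := assess_entry(e)):
            findings[f"{e['system']}/{e['component']}"] = found
    cbom = {
        "bomFormat": "CycloneDX", "specVersion": "1.6",
        "metadata": {
            "timestamp": today.isoformat(),
            "properties": [
                {"name": "owner", "value": owner},
                {"name": "reviewed_on", "value": reviewed_on.isoformat()},
                {"name": "stale", "value": str(inventory_is_stale(reviewed_on, today))},
            ],
        },
        "components": components,
    }
    return cbom, findings


# Constructed sample inventory: fictitious systems, modules and certificates.
SAMPLE_INVENTORY = [
    {"system": "plm-server", "component": "TLS key exchange", "primitive": "kem",
     "algorithm": "ECDH", "parameter_set": "P-256", "touches_cdi": True,
     "module": "vendor-tls-1.0", "cmvp_certificate": "0000"},
    {"system": "plm-server", "component": "TLS key exchange (PQC)", "primitive": "kem",
     "algorithm": "ML-KEM", "parameter_set": "ML-KEM-768", "touches_cdi": True,
     "module": "vendor-tls-2.0-beta", "cmvp_certificate": None},
    {"system": "fw-build", "component": "firmware signing", "primitive": "signature",
     "algorithm": "LMS", "parameter_set": "LMS_SHA256_M32_H10", "touches_cdi": True,
     "module": "hsm-fw-signer", "cmvp_certificate": "0001"},
    {"system": "cad-share", "component": "file encryption", "primitive": "block-cipher",
     "algorithm": "AES", "parameter_set": "AES-256", "touches_cdi": True,
     "module": "vendor-fs-crypto", "cmvp_certificate": "0002"},
]
SAMPLE_REVIEWED_ON, SAMPLE_TODAY = date(2025, 1, 15), date(2026, 6, 1)


def run_sample():
    """Build the CBOM for the constructed inventory (also used by __main__)."""
    return build_cbom(SAMPLE_INVENTORY, "crypto-inventory-owner@example.test",
                      SAMPLE_REVIEWED_ON, SAMPLE_TODAY)


if __name__ == "__main__":
    cbom, findings = run_sample()
    print(json.dumps(cbom, indent=2))
    for key, items in findings.items():
        print(f"{key}: {'; '.join(items)}")
```

Run against the sample, the ECDH row is flagged as quantum-vulnerable, the ML-KEM-768 row is flagged twice (wrong parameter set and no CMVP certificate), and the LMS and AES-256 rows pass; the metadata block records that the inventory was last reviewed more than a year ago, which is the Domain 1 red flag. Feed the script a real export instead of SAMPLE_INVENTORY and the findings map is the starting list for Domain 2's decision records.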

Domain 3: Sub-Tier Flowdown Verification

DFARS 252.204-7012(m)(1) requires the prime to include the clause in all subcontracts where CDI will be processed (paraphrase of para (m)(1); verify text against https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm). A sub-tier supplier must verify that this clause is present in its own prime contract and must itself flow the obligation down to any sub-sub-tier suppliers who handle CDI.

Two parties benefit from confirming the clause is present: the prime, because a missing clause is their compliance gap; and the sub-tier, because the absence of the clause in the subcontract does not extinguish the sub-tier's underlying obligation. "Covered defence information", as defined in paragraph (a) of the clause, is unclassified controlled technical information or other information described in the CUI Registry that requires safeguarding or dissemination controls, and it covers both information marked or otherwise identified in the contract and provided to the contractor by or on behalf of DoD, and information the contractor itself collects, develops, receives, transmits, uses or stores in performance of the contract. A sub-tier that generates CDI (test results or manufacturing data derived from a controlled drawing, for example) is therefore in scope even if nothing marked as CDI was ever handed to it. If uncertain, consult the contract's statement of work and the DoD CUI Registry (https://www.archives.gov/cui) (DFARS 252.204-7012(a); DFARS 252.204-7012(m)).

Audit questions for Domain 3:

  1. Does the organisation's prime contract include DFARS 252.204-7012? (Verification: review prime contract DFARS clauses in Section I or H)
  2. Does the organisation flow down DFARS 252.204-7012(m) to any sub-sub-tier suppliers who handle CDI? (Verification: review the organisation's own subcontract templates)
  3. Has the organisation identified all CDI it receives, processes, or transmits under covered contracts? (Verification: DoD CUI Registry; contract statement of work)
  4. Is there a documented CDI data map showing where CDI resides, who processes it, and which systems are in scope? (Verification: NIST SP 800-171 Rev 2, requirement 3.12.4, system boundary description in the SSP)

Domain 4: CMMC Level 2 and 3 Control Mapping

CMMC Level 2 maps 1:1 to the 110 security requirements of NIST SP 800-171 Rev 2; that is the revision fixed by the CMMC rule in 32 CFR Part 170 and by DFARS 252.204-7012. NIST SP 800-171 Rev 3 (May 2024) restructures the catalogue to 97 requirements and has not been adopted for CMMC or DFARS, so a gap assessment written to Rev 3 numbering will not line up with an assessor's Level 2 objectives. CMMC requirements are phased in under 32 CFR § 170.3(e), counted from the effective date of the DFARS CMMC rule (10 November 2025): Phase 2 (10 November 2026) adds Level 2 C3PAO certification as a condition of award for applicable new solicitations, Phase 3 (November 2027) extends it to option exercise and adds Level 3, and Phase 4 (November 2028) is full implementation. Contracts awarded before the phase that applies to them are not retroactively captured until an option is exercised under a later phase. The key question at this domain is whether the organisation has correctly identified whether it requires self-assessment or C3PAO third-party assessment. The contract solicitation's CMMC designation specifies this. Assuming self-assessment is sufficient without checking the designation is an avoidable error.

The cryptographic requirements within CMMC Level 2 sit in the SP 800-171 Rev 2 family 3.13 (System and Communications Protection), specifically 3.13.8 (cryptographic protection of CUI in transmission), 3.13.10 (cryptographic key establishment and management) and 3.13.11 (FIPS-validated cryptography for CUI confidentiality). These requirements are the direct line from CMMC to CNSA 2.0 (NIST SP 800-171 Rev 2; CMMC Level 2 Assessment Guide, DoD CIO, as revised following the 32 CFR Part 170 Final Rule of December 2024).

Audit questions for Domain 4:

  1. Has the organisation identified whether its contracts require CMMC Level 2 self-assessment or C3PAO certification assessment? (Verification: contract solicitation CMMC requirements; https://dodcio.defense.gov/CMMC/)
  2. Has the organisation completed a gap assessment against all 110 NIST SP 800-171 Rev 2 requirements with documented results? (Verification: NIST SP 800-171A assessment objectives; DoD NIST SP 800-171 Assessment Methodology scoring)
  3. Is there a current System Security Plan (SSP) documenting how each of the 110 requirements is implemented? (Verification: NIST SP 800-171 Rev 2, requirement 3.12.4)
  4. For any requirements not yet implemented: is there a Plan of Action and Milestones (POAM) with target completion dates, and does it respect the CMMC POAM limits (minimum score, no open items on requirements worth more than one point except as the rule allows, closure within 180 days)? (Verification: 32 CFR § 170.21; DFARS 252.204-7012(b)(2)(ii)(A))
  5. If the organisation has sub-sub-tier suppliers: have those suppliers completed a CMMC Level 2 gap assessment? (Verification: DFARS 252.204-7012(m) flowdown)

Domain 5: Migration Timeline and 2027 Acquisition Deadline Tracker

The 2027 date is an acquisition gate, not an operational cutover. NSA's CNSA 2.0 guidance expects new NSS acquisitions to be CNSA 2.0 compliant from 1 January 2027 (stated in the CNSA 2.0 FAQ; verify the current wording), while the advisory's own timeline asks that software and firmware signing, web and cloud services, and networking equipment support and prefer CNSA 2.0 by 2025 to 2026, with exclusive use required between 2030 and 2033 depending on the product category. A supplier that cannot demonstrate CNSA 2.0 capability in 2027 will not qualify for new NSS-related contracts (NSA CNSA 2.0 Advisory, September 2022, Table 1). The CMMC phase dates in 32 CFR § 170.3(e) are a separate clock and should be tracked separately.

FIPS 140-3 validation from submission to certificate typically takes 12 to 24 months, based on historical CMVP processing queue data (verify current turnaround at csrc.nist.gov/projects/cryptographic-module-validation-program/timeline). The development, integration, testing, and validation sequence for a typical embedded or server module is a practitioner estimate of 18 to 30 months from design decision to validated module. Suppliers without ML-KEM, ML-DSA, or LMS/XMSS on their development roadmap in mid-2026 therefore cannot reach a validated module before the 2027 gate and must plan on an in-validation module (listed on the CMVP "modules in process" list) plus a documented roadmap as their 2027 position.

Audit questions for Domain 5:

  1. Does the organisation have a written migration roadmap for CNSA 2.0 implementation with milestone dates and a named programme owner? (Verification: NSA CNSA 2.0 Advisory)
  2. For each required algorithm implementation: is FIPS 140-3 validation in progress or on the roadmap with a target submission date? (Verification: NIST CMVP)
  3. Is the organisation tracking the 2027 acquisition deadline against its own product delivery timeline, with confirmation the gap is closeable? (Verification: NSA CNSA 2.0 Advisory, Table 1)
  4. Is there a documented record distinguishing which products are in scope for the 2025 new-product requirements versus the 2027 general NSS requirement? (Verification: NSA CNSA 2.0 Advisory, Table 1 category definitions)

Domain 6: Procurement Language

DFARS 252.204-7020 requires contractors to have a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS) before an award can be made. A low SPRS score is visible to DoD programme managers at contract evaluation and is a competitive disadvantage even before CMMC certification is required (DFARS 252.204-7020; SPRS at https://www.sprs.csd.disa.mil/).

Audit questions for Domain 6:

  1. Does the organisation have a current NIST SP 800-171 self-assessment score registered in SPRS? (Verification: DFARS 252.204-7020)
  2. Has the organisation reviewed its proposal and contract templates to confirm they do not contain cryptographic security representations that cannot be substantiated? (Verification: internal contract review)
  3. If the organisation uses cloud services to process CDI: are those services FedRAMP Moderate Authorised or assessed as meeting an equivalent baseline, as DFARS 252.204-7012 requires for external cloud service providers? (Verification: DFARS 252.204-7012(b)(2)(ii)(D); DFARS 252.239-7010 where the cloud service is supplied to DoD itself; FedRAMP Marketplace at https://marketplace.fedramp.gov/)
  4. Is the organisation tracking CNSA 2.0 acquisition language in new solicitations in its target contract portfolio? (Verification: NSA CNSA 2.0 Advisory, Table 1)

Domain 7: Internal Documentation

CMMC assessors review the SSP and POAM as part of the assessment. A POAM item does not automatically disqualify a supplier. It demonstrates managed risk. Open POAM items for the cryptographic requirements in the 3.13.x family, however, attract heightened scrutiny and are the first place an assessor looks for paper compliance: 3.13.11 is a five-point requirement in the DoD Assessment Methodology, 32 CFR § 170.21 allows it on a POAM only where encryption is already in place but not yet FIPS-validated, and every POAM item must close within 180 days of a conditional certification (CMMC Level 2 Assessment Guide; 32 CFR § 170.21; NIST SP 800-171 Rev 2, requirements 3.12.2 and 3.12.4).

A residual-risk register is not explicitly required by SP 800-171 Rev 3 or CMMC v2.02, but is best practice for demonstrating risk governance to prime contractors, contracting officers, and assessors. It records accepted residual risks with a documented owner and acceptance date, aligned to NIST SP 800-37 Rev 2 risk acceptance principles.

Audit questions for Domain 7:

  1. Does the organisation have a current SSP covering all CDI-processing systems, written to NIST SP 800-171 Rev 2 scope? (Verification: NIST SP 800-171 Rev 2, requirement 3.12.4)
  2. Is there a current POAM listing all unimplemented or partially implemented SP 800-171 requirements, with target completion dates and named owners? (Verification: NIST SP 800-171 Rev 2, requirement 3.12.2; 32 CFR § 170.21)
  3. Are cryptographic POAM items (the 3.13.x family) tracked separately as high-priority items, with CNSA 2.0 algorithm implementation noted as a milestone? (Verification: CMMC Level 2 Assessment Guide)
  4. Is there a residual-risk register for accepted residual risks, with a documented owner and review date? (Verification: NIST SP 800-37 Rev 2)
  5. Are the SSP, POAM, and residual-risk register version-controlled, with previous versions retained for audit trail purposes? (Verification: NIST SP 800-171 Rev 2, requirement 3.3.1)

Three Misconceptions Worth Addressing

"Self-assessment is enough for CMMC." The C3PAO vs. self-assessment determination is made per contract, based on the CMMC level and assessment type the contracting officer designates in the solicitation; it is not a fixed category that an organisation can self-assign. 32 CFR Part 170 distinguishes Level 2 self-assessment, with an annual affirmation in SPRS, from Level 2 certification assessment conducted by a C3PAO, and DoD reserves the higher form for contracts involving more sensitive CUI. Submitting a false attestation or affirmation while knowingly lacking the underlying implementation may constitute fraud under the False Claims Act (31 U.S.C. §§ 3729-3733); organisations should seek legal advice on their specific FCA exposure. Read the CMMC designation in each solicitation before assuming self-assessment suffices.

"CNSA 2.0 only applies to prime contractors." DFARS 252.204-7012(m) requires primes to flow the clause down to all subcontractors who handle CDI, and a prime's CNSA 2.0 acquisition requirements reach its sub-tiers through the products and components those sub-tiers deliver. A sub-tier supplier processing covered defence information is in scope regardless of whether it holds a direct DoD contract. Primes who fail to include the clause are in breach of their own contract obligations, but that does not release the sub-tier from its underlying obligation.

"This checklist replaces implementation." It does not. Every yes answer in this checklist is a yes because the organisation implemented the underlying control. The sequence runs implementation first, then documentation, then audit. Reversing that sequence produces documentation that does not survive a C3PAO assessment.

Starting Points and Next Steps

If Domain 1 returns gaps, nothing else in this checklist can be answered with confidence. The cryptographic inventory is the prerequisite. Suppliers beginning in mid-2026 have roughly six months before the 1 January 2027 CNSA 2.0 acquisition expectation, about five months before CMMC Phase 2 begins on 10 November 2026 (when Level 2 C3PAO certification becomes a condition of award for applicable new solicitations), and until November 2027 and November 2028 before Phases 3 and 4 extend the requirement to option exercise and to full implementation. Sequence the work as: CBOM completion, FIPS 140-3 module selection, CMMC gap assessment, SSP and POAM preparation, and C3PAO engagement. The administrative and procurement sequence has more impact on whether the window is met than the technical complexity of implementing ML-KEM or ML-DSA. The algorithms are specified. The libraries exist. The documentation work, the CMVP queue, and the C3PAO assessment queue are where the schedule risk lives.

QSECDEF members have access to practitioner-level CNSA 2.0 compliance documentation, CBOM methodology guides, and SP 800-171 Rev 3 implementation resources updated as the regulatory landscape evolves. QSECDEF professional membership provides the implementation framework behind each domain in this checklist.


Steven Vaile is Director at Quantum Security Defence. He advises defence programmes and government agencies on the transition to post-quantum cryptography, with a focus on supplier compliance and national security system readiness. He is a keynote speaker at the QSECDEF World Symposium and holds a Digital Marketing Strategy certification from Yale.
