TL;DR: CMMC 2.0 shifts file auditing from a logging task to evidence of controlled access across the defence supply chain, with Level 1 self-assessments, Level 2 third-party assessments every three years, and Level 3 government-led assessments aligned to NIST 800-53 and NIST-800-171, according to IS Decisions. The governance test is no longer whether access is visible, but whether logs are complete, centralised, tamper-resistant, and reviewable enough to support proof.
At a glance
What this is: This is an analysis of how CMMC 2.0 makes file auditing a compliance proof point rather than a background admin task.
Why it matters: It matters because IAM, PAM, and NHI programmes all depend on being able to prove who accessed what, when, and whether that access was controlled and reviewable.
By the numbers:
- Starting in November 2025, any organization bidding for contracts through or connected to the U.S. DoD supply chain must comply with CMMC 2.0.
👉 Read IS Decisions' guidance on FileAudit and CMMC 2.0 compliance
Context
CMMC 2.0 is a compliance regime for the defence supply chain that turns cybersecurity controls into evidence. For identity teams, that means file access governance has to be demonstrable, not just configured, because the framework expects organisations to prove who accessed sensitive data and how that access was monitored.
The practical challenge is that file auditing often becomes fragmented across servers, cloud platforms, and admin tools. That fragmentation creates blind spots in the exact evidence chain assessors need, which is why CMMC pushes teams toward centralised logs, tamper resistance, and reviewable access records. For related identity governance patterns, see the Ultimate Guide to NHIs , Regulatory and Audit Perspectives.
Key questions
Q: How should teams prove file access control for CMMC assessments?
A: They should produce a central, tamper-resistant audit trail that shows who accessed files, what actions they took, and when those actions occurred. The evidence must be reviewable across cloud and on-premises repositories, because assessors need proof of control, not isolated log fragments.
Q: Why do native file auditing tools often fail compliance review?
A: They usually fail because they create too much manual work, miss hybrid storage coverage, and lack centralized reporting. That combination makes it hard to reconstruct access events quickly enough for assessment or investigation, even if the raw logs exist somewhere in the environment.
Q: What breaks when file audit logs are fragmented across systems?
A: Fragmented logs create blind spots, make evidence harder to trust, and slow down review during assessments or incidents. In CMMC terms, that means the organisation may be unable to prove that access was consistently monitored and retained in a way that supports third-party validation.
Q: Who is accountable when file access evidence cannot be produced?
A: Accountability sits with the organisation holding the contract or pursuing it, because CMMC is a supply-chain requirement, not a tool-specific one. Security, IAM, and compliance teams must be able to demonstrate that file access controls were implemented and that the resulting evidence is defensible.
Technical breakdown
Why CMMC turns file access into audit evidence
CMMC 2.0 is not asking organisations to simply log activity. It expects them to preserve evidence that access to sensitive files was monitored, reviewable, and aligned to policy. In practice, this means the audit trail has to capture reads, writes, deletes, access denials, and the identity context behind those actions. The framework also raises the bar on log integrity, because evidence that can be altered or fragmented across systems does not survive assessment. For defence suppliers, file auditing becomes a control assurance function, not just an operations task.
Practical implication: treat file auditing as evidence collection and test whether logs are complete enough to stand up in assessment.
Why native Windows auditing breaks down at CMMC scale
Native Windows auditing can record events, but it does not solve the operational problem of scale, centralisation, or low-noise analysis. Manual review through Event Viewer or scripts quickly becomes unmanageable across large file estates, especially when cloud repositories are part of the scope. The result is not just more work, but weaker assurance, because important access events get lost in the volume and blind spots remain in hybrid environments. CMMC pushes organisations toward tooling that consolidates access data across platforms and makes it actionable for auditors and admins alike.
Practical implication: validate whether your current audit tooling can cover hybrid storage and produce one reviewable evidence trail.
How granular controls reduce audit noise and improve detection
Granular auditing matters because compliance data is only useful if humans can review it without drowning in noise. Filtering by user, AD group, IP address, machine name, executable, date range, and file action lets teams focus on abnormal access patterns such as mass deletion or off-hours activity. That is important under CMMC because the control objective is not simply logging every event, but being able to show that meaningful access patterns were identified, retained, and escalated when necessary. Precision is what turns logs into defensible evidence.
Practical implication: narrow audit scope to the identities, systems, and actions most likely to reveal policy breach or misuse.
NHI Mgmt Group analysis
CMMC converts file auditing from operational telemetry into compliance evidence. The framework is designed around proof, not intent, which means access logs have to be complete enough to answer assessor questions about who touched sensitive files and whether that access was acceptable. This is the point where many programmes discover that visibility and evidentiary quality are not the same thing. For practitioners, file auditing now sits at the intersection of IAM, PAM, and audit readiness.
Auditability, not logging volume, is the real control objective. A high-volume log stream that cannot be centralised, searched, or trusted adds little value under CMMC. The control expectation is that access activity can be reconstructed across internal and cloud systems without blind spots or tampering risk. That aligns closely with NIST Cybersecurity Framework 2.0 and NIST 800-53 style assurance thinking, where evidence quality matters as much as the underlying control. Practitioners should measure whether audit output is defensible, not just available.
File access governance now reflects broader identity governance maturity. Organisations that cannot prove access to files are usually showing the same weakness elsewhere: unclear entitlement ownership, weak review discipline, or fragmented logging across environments. This is why CMMC should be read as an identity governance signal, not only a compliance milestone. The better the organisation can connect identity, access, and file activity, the easier it becomes to support assessments and investigations. The implication is to treat file auditing as part of the identity control plane, not a separate tooling silo.
Granular audit scoping is the named concept that separates signal from noise. The article shows that user, group, IP, machine, executable, and time-based filters are not conveniences, they are what make reviewable evidence possible at scale. Without that filtering, organisations create logs that are technically rich but operationally unusable. For practitioners, the lesson is to design audit scope around assessor questions and incident triage needs from the start.
CMMC is pushing suppliers toward proof-based identity governance across the chain. The defence supply chain model assumes that downstream organisations can demonstrate control, not merely claim it. That shifts the burden onto smaller suppliers as well as prime contractors, and it makes access evidence a business continuity issue as much as a security issue. The practical conclusion is that file auditing must be planned as part of contract readiness.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- The same research found that enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For teams building stronger evidence chains, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding discipline supports auditability.
What this signals
Auditability will become a procurement discriminator, not just an audit-day concern. As compliance regimes increasingly ask suppliers to prove access control rather than describe it, identity teams need evidence paths that survive scrutiny across cloud, on-premises, and delegated admin workflows. The operational risk is no longer missing a log entry, but failing to reconstruct a defensible access story when a customer or assessor asks for it.
The strongest programmes will treat file auditing as part of the broader identity control plane, where entitlement review, privileged access, and evidence retention are managed together. That approach reduces the gap between security operations and compliance reporting, which is where many defence suppliers still lose time and assurance.
Practitioners should also expect audit requirements to pressure upstream governance choices, including how access is granted, who owns entitlement review, and how quickly logs can be exported for investigation. The organisations that can answer those questions quickly will be better positioned for CMMC and for the wider regulatory direction of travel.
For practitioners
- Map file systems to assessment scope Identify which repositories, cloud platforms, and endpoints fall under CMMC expectations, then verify that access events are captured consistently across all of them.
- Centralise logs before the next assessment cycle Move away from tool-by-tool review and ensure audit data is aggregated into one place where it can be searched, retained, and protected from tampering.
- Filter for high-signal access patterns Use identity, device, executable, and time filters to focus reviews on unusual reads, writes, deletions, and denied access events rather than raw event volume.
- Test whether evidence survives an assessor’s question Ask whether a reviewer could reconstruct access history for a sensitive file without stitching together multiple consoles, scripts, and manual exports.
Key takeaways
- CMMC 2.0 changes file auditing from a housekeeping function into proof that access to sensitive data is monitored and defensible.
- Native logging alone is not enough if teams cannot centralise, retain, and reconstruct evidence across hybrid file environments.
- The practical response is to design audit scope, log integrity, and review workflows around assessment questions before the next compliance cycle begins.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Access logs must show who accessed sensitive files and whether access was appropriate. |
| NIST SP 800-63 | Identity assurance matters when file access evidence must tie actions back to accountable users. | |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Zero Trust requires continuous verification, which aligns with monitored file access. |
Ensure identity assertions used in logs are strong enough to support audit and investigation.
Key terms
- File Auditing: File auditing is the process of recording and reviewing access to files so organisations can see who did what, when, and from where. In CMMC contexts, it becomes evidence of control, not just an operational log, because the organisation must prove access was monitored and retained.
- Tamper-Resistant Logs: Tamper-resistant logs are audit records protected so they cannot be altered without detection. They matter because compliance evidence loses value if an administrator, attacker, or integration can rewrite the history of file access after the fact.
- Access Evidence: Access evidence is the set of records that proves a specific identity interacted with a specific resource under defined conditions. For defence suppliers, the quality of that evidence determines whether controls are merely claimed or can survive third-party assessment.
What's in the full article
IS Decisions' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how FileAudit maps access events to CMMC 2.0 requirements
- Platform coverage details for OneDrive, SharePoint, Google Drive, Dropbox Business, and Box
- Examples of alerting, reporting, and retention settings for audit-ready file governance
- Interface walkthrough of the Audit, Reports, and Tools panes for daily administration
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org